BeyondTrust - Secure Remote Access and Privileged Access Management

What is Identity Attack Surface Management (IASM)?

Identity attack surface management (IASM) is the practice of identifying and mitigating identity-based risks across an enterprise. Managing the identity attack surface also entails discovering, assessing, and mitigating potential entry and pivot points related to the systems that manage authentication, authorization, and access control.

An essential component of modern identity security, identity attack surface management typically involves three steps:

  1. Identity attack surface analysis - gaining visibility of the entire identity landscape, including all human and non-human identities and their associated accounts, entitlements, and permissions.

  2. Proactively enforcing identity hygiene and hardening best practices to mitigate identity vulnerabilities. This discipline is sometimes called identity security posture management (ISPM).

  3. Monitoring and responding to identity threats as they occur in real time. Organizations may use identity threat detection and response (ITDR) solutions, which combine multiple technology disciplines and capabilities, to do so.

IASM is occasionally referred to as identity vulnerability management (IVM). While traditional vulnerability management focuses on vulnerabilities in systems and software, identity vulnerability management aims to mitigate the weaknesses/errors in how identities are granted access, how entitlements are managed, and how authentication controls are enforced.

What is the Identity Attack Surface?

The identity attack surface refers to all ways enterprise identities and identity infrastructure are exposed to potential compromise. The identity attack surface is broad, especially within a large enterprise environment.

At a high level, here are the most common classes of digital identities:

  • Human identities, which can include employees, partners, vendors, and customers. Each of these personas uses human identities to interact with enterprise resources.

  • Non-human identities (NHIs), also known as machine identities, which allow entities such as applications, software robots, or endpoints to be authenticated. Increasingly, these identities also include AI agents, used to perform actions autonomously on behalf of humans.

  • Cloud identities, which allow both human and non-human entities to access resources within the cloud.

The identity attack surface also encompasses the identity and access management (IAM) controls that facilitate the authentication and authorization of identities across the enterprise. This includes identity stores as well as identity providers (IdPs), such as Microsoft Active Directory, Microsoft Entra, Okta, PingOne, etc.

Many organizations aim to manage their IAM controls as an identity fabric: a consistent view of all digital identities and a unified approach to managing, authenticating, and authorizing these identities. However, in practice, the identity fabric is fractured and siloed. An organization's various assets, including multicloud or hybrid environments, on-premises, DevOps and backend infrastructure, operational technology (OT)/Internet of Things (IoT), etc., are often poorly or partially integrated.

This sprawl of identities poses significant security risks to modern, cloud-based organizations. According to the Cloud Security Alliance (CSA), the #1 ranked threat to cloud computing is misconfigurations, many of which are identity-based, such as a lack of secrets management, too many cloud access permissions, overly permissive access to virtual machines, containers, and hosts, and insufficient validation controls. The #2 threat is Identity and Access Management (IAM), including challenges such as replay attacks, impersonation, and excessive permissions.

Why is Identity Attack Surface Management Important?

Identity Attack Surface Management is important because today, “identity” is frequently recognized as the “new perimeter”. IDSA’s 2025 Trends in Identity Security report found that 86% of organizations experienced at least one identity-related security incident in the past year, underscoring the importance of defending identities as part of an organization’s overall security strategy.

The typical enterprise’s number of identities and associated IAM controls continues to expand, due to cloud adoption, the rise of remote working, increased mobile device usage, and increasingly, AI agents and other machine identities.

Many of these identities also have high levels of privilege—often higher than is needed to perform their roles. To put this in perspective, Microsoft’s 2024 State of Multicloud Security Report found that of the 51,000 permissions granted to identities, only 2% are actually used. Plus, 50% of those identities are considered high-risk.

Both human and non-human identities are increasing, especially driven by the dynamism of growing cloud environments. Machine identities in particular are a growing challenge. For instance, nearly half (46.4%) of security alerts observed in Google Cloud during H2 2024 were due to overprivileged service accounts. In addition, each of these identities will often have many accounts, each potentially with different planes of permissions, privileges, and entitlements.

Identities serve as valued prizes for today’s threat actors, who, by hijacking an account, can simply log in to a system rather than having to “hack in.” Once inside, cybercriminals can further exert damage by moving laterally, executing malicious software such as ransomware, or extracting sensitive data.

However, performing these additional actions often requires some level of privileged access. This illustrates the importance of protecting privileges and privilege escalation paths as part of an IASM approach. The 2025 Armis Cyberwarfare Report found that 42% of IT leaders are limiting user privileges within their organizations to better address the increasing sophistication of cyberattacks, particularly those using AI.

What is an Identity Attack?

Identity attacks (or identity-based attacks) refer to a broad array of techniques that aim to hijack an identity or account and/or misuse its access. Attackers might obtain information such as login credentials directly from a user through social engineering tactics such as phishing, AI deepfakes, or clickbait. Alternatively, they might use credentials they have stolen via keylogging or an Adversary-in-the-Middle (AitM) attack, or purchased from stolen or leaked data sets on the dark web. They then leverage other identity-based vectors such as credential stuffing, password spraying, Kerberoasting, pass-the-hash, or session hijacking to move laterally within the network, escalate privileges, or perform unauthorized actions.

For instance, once a foothold is gained, an attacker might escalate access by hijacking more accounts or by adding their account to groups that carry higher permissions. Some phases of identity-based attacks target the identity infrastructure itself. For instance, an attacker with sufficient rights in Microsoft Entra ID might change a domain's federation settings to add a federated identity provider (IdP) under their control; tokens signed by that rogue IdP are then accepted for the tenant's users, giving the attacker a persistent backdoor for broader access.

What are Common Identity-Based Attack Methods?

There are several common identity-based attack methods, including the following:

  • Credential stuffing: Replaying username and password pairs leaked from one service against another service's login, using automated tools. The tactic works whenever users have reused a password, and it is typically employed when an attacker holds a long list of stolen or leaked credentials.

  • Credential theft: Stealing login credentials in order to log into a system as a legitimate user. Attackers often use social engineering tactics such as phishing, AI deepfakes, or clickbait. Other strategies include keylogging, in which malware on a device records keystrokes to capture what the user types, and Adversary-in-the-Middle attacks, in which an attacker relays traffic between two unknowing parties and captures credentials or session tokens in transit.

  • Kerberoasting: Requesting a Kerberos service ticket for an account that has a Service Principal Name (SPN). Part of that ticket is encrypted with a key derived from the service account's password, so the attacker can take it offline and attempt to crack it without further contact with the domain. If the password is weak, the attacker recovers it in plaintext and can authenticate as the service account to every system it has been granted access to.

  • Multi-factor authentication (MFA) fatigue attack: Repeatedly triggering MFA push requests to a user's registered device(s), using a password the attacker already holds. The attacker aims to annoy or trick the user into approving one of the login attempts.

  • Pass-the-hash attack: Capturing a user's NTLM password hash and presenting it directly to authenticate as that user, without ever knowing the password. The hash remains valid until the password is changed. Pass-the-ticket attacks use a similar tactic with Kerberos, reusing a stolen ticket-granting ticket (TGT) or service ticket to impersonate the user for as long as the ticket is valid.

  • Password spraying: Trying a small number of common passwords against a large number of accounts. Because each account sees only one or two attempts, the attacker stays below the lockout threshold that a brute-force attack on a single account would trigger.

  • Session hijacking: Using a stolen or predicted session ID or session token to impersonate a legitimate user. Because the session was established after the user authenticated, the attacker inherits the user's privileges without needing the password or the MFA factor.

These types of identity attacks pose a unique challenge to organizations because once an attacker has access to a legitimate account or session, it can be difficult to detect if they are performing illicit actions. In a 2025 report, IBM X-Force observed nearly one in three attacks used valid accounts. This data shows the increasing prevalence of attackers leveraging valid identities and performing actions within the scope of identities’ permissions to escalate privileges or access sensitive assets.
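The detection problem described above can be made concrete. The following is an added example (not BeyondTrust's or any product's code) that runs two of the table's attack patterns, password spraying and MFA fatigue, against a constructed sign-in log. The log format (timestamp, user, source IP, result), the result names and the thresholds are assumptions chosen for illustration; a real deployment would map them to the IdP's sign-in and MFA event schema.

```python
"""Detecting password spraying and MFA fatigue in sign-in logs.

Added example for this page, not BeyondTrust product code. The log format
(timestamp, user, source IP, result), the result names and the thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One source tries one password against many accounts
# and eventually gets in; one user fails three times on their own account
# (a brute force, not a spray); "bob" denies four MFA pushes and then approves one.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z alice 203.0.113.7 FAIL_PASSWORD
2025-03-01T09:00:03Z bob 203.0.113.7 FAIL_PASSWORD
2025-03-01T09:00:05Z carol 203.0.113.7 FAIL_PASSWORD
2025-03-01T09:00:07Z dave 203.0.113.7 FAIL_PASSWORD
2025-03-01T09:00:09Z erin 203.0.113.7 FAIL_PASSWORD
2025-03-01T09:00:11Z frank 203.0.113.7 SUCCESS
2025-03-01T09:01:00Z grace 198.51.100.9 FAIL_PASSWORD
2025-03-01T09:01:05Z grace 198.51.100.9 FAIL_PASSWORD
2025-03-01T09:01:10Z grace 198.51.100.9 FAIL_PASSWORD
2025-03-01T09:10:00Z bob 192.0.2.44 MFA_DENIED
2025-03-01T09:11:00Z bob 192.0.2.44 MFA_DENIED
2025-03-01T09:12:00Z bob 192.0.2.44 MFA_DENIED
2025-03-01T09:13:00Z bob 192.0.2.44 MFA_DENIED
2025-03-01T09:14:00Z bob 192.0.2.44 MFA_APPROVED
2025-03-01T09:20:00Z carol 192.0.2.10 MFA_DENIED
2025-03-01T09:21:00Z carol 192.0.2.10 MFA_APPROVED
"""


def parse(log):
    """Parse 'ts user ip result' lines into event dicts, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP that fails password auth against min_accounts or more
    distinct accounts inside a sliding time window. Repeated failures against a
    single account are a brute force, not a spray, and are left to lockout policy."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL_PASSWORD":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for i, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {x["user"] for x in evs[start:i + 1]}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def successes_from_spray(events, **kw):
    """Accounts that authenticated successfully from a spraying source: these
    are the likely compromised identities to reset and investigate first."""
    sprayers = detect_password_spray(events, **kw)
    out = {}
    for e in events:
        if e["ip"] in sprayers and e["result"] == "SUCCESS":
            out.setdefault(e["ip"], []).append(e["user"])
    return out


def detect_mfa_fatigue(events, window=timedelta(minutes=15), min_denials=3):
    """Flag a user who denied min_denials or more MFA pushes and then approved
    one inside the window: that approval is the suspect event."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] in ("MFA_DENIED", "MFA_APPROVED"):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "MFA_APPROVED":
                continue
            denials = [d for d in evs[:i]
                       if d["result"] == "MFA_DENIED" and e["ts"] - d["ts"] <= window]
            if len(denials) >= min_denials:
                hits[user] = len(denials)
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("password spray:", detect_password_spray(ev))
    print("likely compromised:", successes_from_spray(ev))
    print("MFA fatigue:", detect_mfa_fatigue(ev))
```

The point of the second function is the one the paragraph above makes: a spray that ends in a SUCCESS from the same source is a valid account being used, and nothing about the later activity of "frank" will look abnormal unless the response ties it back to the spray. Thresholds are tuning knobs; the shape of the logic (many accounts per source versus many attempts per account, and denials followed by an approval) is what distinguishes these attacks from ordinary login noise.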

Common Identity Vulnerabilities

There are several classes of common identity vulnerabilities that bad actors can exploit to gain initial entry into a system, or use as part of an attack path to escalate privileges and gain deeper access. They include:

Authentication vulnerabilities such as:

  • Reused credentials, secrets, and keys that can lead to credential re-use attacks

  • Stale keys, passwords, or secrets

  • Insecure privileged passwords, such as plain text passwords or passwords that are not rotated frequently

  • Weak login credentials, including accounts that use personal email addresses or weak passwords

  • MFA vulnerabilities, such as the use of an unreliable verification method (e.g., using an SMS number that was SIM swapped by an attacker), help desk error (e.g., falling victim to a phishing scheme in which the attacker impersonates the user and requests direct access), or user error (e.g., accidentally allowing access during an MFA fatigue attack)

Authorization vulnerabilities such as:

  • Unhardened machine accounts, which already tend to lack the controls enforced on human accounts, such as MFA

  • Identity infrastructure misconfigurations, such as security gaps that allow lower-privilege users to redefine permissions or authentication methods

  • Excessive entitlements, such as a non-privileged account that holds the directory replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) on the domain, which let it retrieve password hashes from a Domain Controller via a DCSync attack

  • Standing (always on) privileges

  • Vendor accounts with standing VPN access into the network, which extend the identity attack surface to the vendor's own security practices

Effective identity attack surface management will systematically identify and remediate these issues, while also drastically reducing the likelihood of them occurring in the first place.

How Do Traditional Attack Surface Management (ASM) Approaches Differ From IASM?

Traditional attack surface management generally focuses on protecting the external assets within an organization's purview. It tries to pre-empt potential exposures, especially those related to cloud and infrastructure, before they result in a breach. These tools typically discover external assets through network mapping and scanning. Attackers use toolsets that perform these same functions, looking for an unknown exposure that will provide them with a foothold, which they then attempt to use to advance an attack.

By contrast, identity attack surface management focuses specifically on identity security weaknesses and gaps, such as the potential for a threat actor to pose as a legitimate user or to abuse authorized software (living-off-the-land attacks).

Attack Surface Management (ASM) vs. Identity Attack Surface Management (IASM)

  • Security goals. ASM aims to monitor and protect external digital assets such as public-facing web apps, cloud resources, IP addresses / domains, and externally accessible ports / services. IASM aims to monitor and protect human and machine identities, including privileged accounts, group memberships, credentials, and transitive / indirect privilege escalation paths.

  • Main focus. ASM focuses on blocking attacks that start outside the network and attempt to break in or move laterally. IASM focuses on blocking attacks that are already inside the network and attempting to move laterally or escalate privileges.

  • Limitations. ASM can be limited by unknown external assets, such as those caused by shadow IT and M&A. IASM can be limited by complexity related to indirect or hidden privilege escalation paths such as nested group memberships, identity sprawl across disparate environments, or an overall lack of visibility into identity posture.

Best Practices for Identity Attack Surface Management

Effective identity attack surface management focuses on a few best practices, including gaining a full picture of the identity estate via attack surface assessment and analysis, focusing on identity hardening for proactive defense, and preparing for swift and precise real-time attack response.

1. Gain a full picture of the identity estate via attack surface assessment and analysis.

Full visibility into all identities and their associated entitlements, privileges, and permissions (including hidden / shadow identities and access) is integral to understanding and reducing the identity attack surface. Otherwise, you risk leaving overprivileged or overly-permissive identities unaddressed. This is why it’s crucial to inventory all identities, accounts, systems, applications, and resources and understand what each identity can do (its True Privilege™).

Once you have a holistic, cross-domain view of the entire identity estate, map out how these different identity-related entities are connected. You can then pinpoint the potential pathways attackers could use to traverse through the system via privilege escalation or other identity-related lateral movement. By using multiple data sources and machine learning or AI, you can estimate the likelihood of an attacker taking advantage of each pathway, and the business impact if they were to do so. This complete picture of identity risk can then be used to triage identity vulnerabilities and take steps to harden the identity estate based on potential risk. When identity-based risks are known, understood, and prioritized, the key foundations are in place for effective remediation.
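The mapping step above, and the DCSync entitlement listed earlier under common identity vulnerabilities, both come down to the same computation: follow nested group membership to work out what each identity can actually do, then search the resulting graph for a path from a low-privilege principal to a high-value right. The following is an added example (not BeyondTrust's or any product's code) that does this over a constructed directory snapshot. The principal and group names, and every right name except the two AD replication rights that DCSync requires, are assumptions made for illustration.

```python
"""Effective privilege through nested groups and privilege-escalation paths.

Added example for this page, not BeyondTrust product code. The directory
snapshot, principal names and the right names other than the two AD
replication rights are constructed for illustration.
"""
from collections import deque

# Constructed snapshot of direct group membership (principal -> groups it is in).
MEMBER_OF = {
    "alice": ["helpdesk"],
    "bob": ["devs"],
    "svc-backup": ["backup-ops"],
    "helpdesk": ["tier1-admins"],
    "tier1-admins": [],
    "devs": [],
    "backup-ops": [],
}

# Constructed snapshot of rights granted directly to a principal: (right, target).
# The two DS-Replication rights together on the domain object are what DCSync needs.
ENTITLEMENTS = {
    "tier1-admins": [("reset_password", "svc-backup")],
    "backup-ops": [("DS-Replication-Get-Changes", "domain"),
                   ("DS-Replication-Get-Changes-All", "domain")],
    "devs": [("read", "build-server")],
}

# Rights that let the holder take over the target principal (become it or join it).
CONTROL_RIGHTS = {"reset_password", "add_member", "GenericAll", "WriteOwner"}

DCSYNC_RIGHTS = {("DS-Replication-Get-Changes", "domain"),
                 ("DS-Replication-Get-Changes-All", "domain")}


def effective_groups(principal):
    """All groups the principal belongs to, following nested membership."""
    seen, stack = set(), list(MEMBER_OF.get(principal, []))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(MEMBER_OF.get(g, []))
    return seen


def effective_rights(principal):
    """Direct rights plus everything inherited through nested groups."""
    rights = set(ENTITLEMENTS.get(principal, []))
    for g in effective_groups(principal):
        rights.update(ENTITLEMENTS.get(g, []))
    return rights


def can_dcsync(principal):
    """True when the principal holds both replication rights, directly or inherited."""
    return DCSYNC_RIGHTS <= effective_rights(principal)


def escalation_path(start, goal):
    """Breadth-first search from start over two kinds of edge: nested membership
    (you hold the group's rights) and control rights (you can become the target).
    Returns the shortest path as (from, edge, to) triples, [] if start already
    satisfies goal, or None if no path exists."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        p = queue.popleft()
        if goal(p):
            path = []
            while prev[p] is not None:
                parent, edge = prev[p]
                path.append((parent, edge, p))
                p = parent
            return list(reversed(path))
        steps = [(g, "member_of") for g in MEMBER_OF.get(p, [])]
        steps += [(t, r) for r, t in ENTITLEMENTS.get(p, []) if r in CONTROL_RIGHTS]
        for nxt, edge in steps:
            if nxt not in prev:
                prev[nxt] = (p, edge)
                queue.append(nxt)
    return None


def dcsync_exposure(principals):
    """Every principal that can reach DCSync, with the path it would take."""
    exposed = {}
    for p in principals:
        path = escalation_path(p, can_dcsync)
        if path is not None:
            exposed[p] = path
    return exposed


if __name__ == "__main__":
    users = ["alice", "bob", "svc-backup"]
    for u in users:
        print(u, sorted(effective_rights(u)))
    for u, path in dcsync_exposure(users).items():
        print(u, "->", " ".join(f"{a} -[{e}]-> {b}" for a, e, b in path) or "(direct)")
```

The finding a practitioner wants is the one "alice" produces: a help-desk user with no direct entitlement at all reaches DCSync in three hops (two nested memberships and one password reset). Neither an entitlement review of "alice" nor a review of "backup-ops" in isolation shows it; only the transitive view does, which is the visibility gap the page calls out. Real directories add more control edges (ownership, ACL write rights, session or credential exposure on shared hosts), but the search is the same.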

2. Focus on identity hardening for proactive defense.

Identity hardening should include activities such as applying the principle of least privilege to permissions and access for humans, applications, and other machines and systems. This includes eliminating standing privileges, and enacting a just-in-time (JIT) access model to minimize elevated access for the finite duration required, based on business context. As the environment dynamically changes, access and permissions should be continuously right-sized to maintain a least privilege posture.

Strong authentication controls are also crucial to minimizing identity-based risk. This includes using MFA, particularly strong, phishing-resistant forms like FIDO2 for sensitive access, and maintaining proper credential hygiene. No accounts and credentials are more important to properly harden and secure than those that are privileged or provide a privilege escalation pathway.

Orphaned and unnecessary accounts should be eliminated. Sometimes these accounts persist when an employee has left a business. Others, such as a highly-privileged service principal account, may be left behind from a completed cloud migration project or other use case. Such accounts may be unmonitored and highly privileged, making them ripe and dangerous targets for threat actors.

Passwords should never be shared or re-used, and any instances identified should be rectified, such as by rotating the affected passwords. In particular, stale privileged credentials are an unacceptable risk. These credentials should be routinely rotated, potentially after each use for the most sensitive access. In addition, hardcoded secrets should be eliminated and replaced with secrets retrieved at runtime from a vault or secrets manager via API, or another secure method.

These mentioned tactics represent just a shortlist of important areas for identity hardening and posture management.
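The hardening items above (standing privilege, weak MFA on privileged accounts, orphaned accounts, reused and stale secrets, hardcoded secrets) are all findable from an inventory. The following is an added example (not BeyondTrust's or any product's code) that runs those checks over a constructed account list. The inventory fields, the 90-day and 365-day rotation thresholds, and the "secret_fp" credential fingerprint are assumptions chosen for illustration; a real run would populate the inventory from the identity stores and a vault rather than from a literal.

```python
"""Identity hygiene checks over a constructed account inventory.

Added example for this page, not BeyondTrust product code. The inventory
fields, the rotation thresholds and the "secret_fp" fingerprint are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import date

AS_OF = date(2025, 3, 1)          # constructed "today"
MAX_PRIVILEGED_AGE_DAYS = 90      # assumed policy for privileged secrets
MAX_AGE_DAYS = 365                # assumed policy for everything else
WEAK_MFA = {"none", "sms"}        # SMS is exposed to SIM swapping, as the page notes

# Constructed inventory. "secret_fp" is a fingerprint (e.g. a salted hash) of the
# credential, enough to detect reuse across accounts without storing the secret.
INVENTORY = [
    {"name": "alice", "kind": "human", "privileged": True, "standing": True,
     "owner_active": True, "mfa": "fido2", "rotated": date(2025, 1, 20),
     "secret_fp": "a1", "secret_source": "user"},
    {"name": "bob", "kind": "human", "privileged": False, "standing": False,
     "owner_active": True, "mfa": "sms", "rotated": date(2023, 12, 1),
     "secret_fp": "b2", "secret_source": "user"},
    {"name": "carol", "kind": "human", "privileged": True, "standing": True,
     "owner_active": False, "mfa": "none", "rotated": date(2024, 10, 1),
     "secret_fp": "c3", "secret_source": "user"},
    {"name": "svc-backup", "kind": "service", "privileged": True, "standing": True,
     "owner_active": True, "mfa": "n/a", "rotated": date(2024, 6, 15),
     "secret_fp": "s4", "secret_source": "hardcoded"},
    {"name": "svc-ci", "kind": "service", "privileged": False, "standing": False,
     "owner_active": True, "mfa": "n/a", "rotated": date(2025, 2, 10),
     "secret_fp": "s4", "secret_source": "vault"},
    {"name": "dave", "kind": "human", "privileged": False, "standing": False,
     "owner_active": True, "mfa": "totp", "rotated": date(2025, 2, 1),
     "secret_fp": "d6", "secret_source": "user"},
]


def audit(inventory, as_of=AS_OF):
    """Return {account: sorted findings}. Accounts with no findings are omitted."""
    findings = defaultdict(set)

    # Reused secrets: the same fingerprint on more than one account.
    by_fp = defaultdict(list)
    for acct in inventory:
        by_fp[acct["secret_fp"]].append(acct["name"])
    for names in by_fp.values():
        if len(names) > 1:
            for n in names:
                findings[n].add("reused_secret")

    for acct in inventory:
        n = acct["name"]
        age = (as_of - acct["rotated"]).days
        limit = MAX_PRIVILEGED_AGE_DAYS if acct["privileged"] else MAX_AGE_DAYS
        if age > limit:
            findings[n].add("stale_credential")
        if not acct["owner_active"]:
            findings[n].add("orphaned_account")
        if acct["privileged"] and acct["standing"]:
            findings[n].add("standing_privilege")   # candidate for JIT elevation
        if acct["privileged"] and acct["kind"] == "human" and acct["mfa"] in WEAK_MFA:
            findings[n].add("weak_mfa")
        if acct["secret_source"] == "hardcoded":
            findings[n].add("hardcoded_secret")
    return {n: sorted(f) for n, f in findings.items()}


def prioritized(findings, inventory):
    """Order accounts for remediation: privileged or orphaned accounts first,
    since those are the targets an attacker gains the most from."""
    urgent = {a["name"] for a in inventory if a["privileged"] or not a["owner_active"]}
    return sorted(findings, key=lambda n: (n not in urgent, n))


if __name__ == "__main__":
    result = audit(INVENTORY)
    for name in prioritized(result, INVENTORY):
        print(f"{name}: {', '.join(result[name])}")
```

Two design points matter more than the thresholds. Reuse is detected from fingerprints, so the audit never needs to hold the secrets it is checking; and the service account with a hardcoded, stale, shared secret surfaces next to the departed administrator's account, which is the combination (unmonitored plus privileged) that the orphaned-account paragraph above describes.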

3. Prepare for swift and precise real-time attack response.

When an attack is detected, organizations should be able to take swift, intelligent, and precise actions to isolate or disrupt the attack. For instance, an organization may want to force a password rotation or step-up authentication, such as requiring additional MFA factors. The organizations could also introduce additional approval workflows during times of heightened risk, such as when under active attack, to provide extra oversight and assurance over legitimate access. Other identity-based responses can include pausing or terminating a suspicious or known malicious session, or reducing access amount or duration even further. Effectively managing an active attack surface is crucial to mitigating damage, including downtime, legal or customer-related costs, and brand erosion.

How to Operationalize Identity Attack Surface Management

No single tool will provide the full gamut of identity attack surface management functions. An effective attack surface management approach will require streamlining and maturing various identity security toolsets and disciplines, including the following:

  • Privileged Access Management (PAM): Discovers and manages privileged identities, credentials, and sessions. PAM is critical for enforcing least privilege across identities and their access. Some modern PAM solutions also provide consolidated cross-domain visibility and identity-based risk intelligence that are core to both ITDR and IASM.

  • Identity Threat Detection and Response (ITDR): Also known as identity security defense-in-depth, ITDR is a broad discipline concerned with protecting identity infrastructure, hardening identity posture, and responding quickly to identity-based attacks.

  • Identity and Access Management (IAM): Refers to the identity management discipline and framework focused on such processes as identity provisioning and de-provisioning, securing and authenticating identities, and providing authorization to access resources and perform actions.

In practice, this might involve using a PAM or other tool with ITDR capabilities to provide centralized visibility and orchestration of hardening and remediation controls across the identity estate.
