For decades, attackers have favored one intrusion method over all others: compromise the identity. Long before ransomware crews industrialized extortion and modern malware ecosystems matured, adversaries understood a simple truth. If you can access a legitimate account, you can bypass most security controls and operate inside a network with the same privileges as the user who owns it. That strategy has not changed. What has changed is the scale and complexity of the identity surface attackers can exploit.
Modern enterprises no longer operate around a single directory and a handful of user accounts. Instead, organizations rely on sprawling webs of identities that span SaaS platforms, cloud infrastructure, APIs, service accounts, and increasingly autonomous AI agents. A single employee account may now provide access to dozens of interconnected services, while non-human identities quietly power automation behind the scenes.
This evolution has created a fundamental security dilemma: organizations now collect more identity telemetry than ever before, yet identity-based intrusions remain some of the hardest attacks to detect. Security teams are facing what can only be described as the “Identity Paradox”.
More Identity Data, Less Clarity
The Identity Paradox reflects a growing imbalance in modern security operations. Enterprises have unprecedented visibility into authentication events, login attempts, and access logs, yet attackers continue to breach organizations using legitimate credentials. The reason is simple: an attacker using a valid identity does not look like an attacker. They look like an employee doing their job.
SentinelOne’s Steve Stone, Warwick Webb, and Matt Berry break down some of the key aspects of the “Identity Paradox”.
Under this guise, threat actors increasingly rely on techniques that inherit trusted sessions or legitimate credentials. These include stolen authentication tokens, adversary-in-the-middle (AiTM) phishing campaigns, compromised developer accounts, and even state-sponsored insiders. In each case, the attacker bypasses security by leveraging an identity that the system already trusts.
When authentication appears legitimate, traditional defenses struggle to distinguish between normal activity and malicious intent. The problem is further compounded by the wide spectrum of identity abuse methods now being observed in the wild.
When the Attacker Is an “Employee”
At one extreme of the identity threat landscape are traditional credential theft campaigns powered by phishing, infostealers, and session hijacking tools. At the other extreme are state-sponsored actors who continue to put significant effort into infiltrating organizations by applying for open roles directly.
In recent years, investigators have documented coordinated efforts by North Korean IT workers to obtain remote employment at Western technology firms. These individuals create elaborate fake personas using stolen identities and fabricated work histories to pass background checks.
In 2025 alone, SentinelLABS tracked over 1,000 job applications and roughly 360 fake personas linked to these operations. Once hired, these individuals operate as legitimate insiders with authorized access to corporate infrastructure. From a telemetry perspective, the account is valid. HR has approved the employee and login activity appears normal, yet the identity itself has been subverted.
This highlights the core challenge of identity defense: the system may validate who the user is, but it cannot easily validate their intent.
Supply Chains & Trusted Developers
The Identity Paradox also extends deeply into the software supply chain. Developers and maintainers of open-source packages often hold privileged access to repositories that are widely trusted by downstream users. When these accounts are compromised, attackers can inject malicious code into legitimate projects while appearing to operate as the original maintainer.
One example observed in late 2025 involved the “GhostAction” campaign, where attackers compromised a GitHub maintainer account and pushed malicious workflows designed to extract secrets from development pipelines. Similarly, a phishing attack against a maintainer of popular NPM packages led to the deployment of malicious code capable of intercepting cryptocurrency transactions.
In both cases, the malicious commits originated from accounts with legitimate write access. Access controls were functioning exactly as designed. While the identity was verified, the intent behind the activity had changed.
The Expanding Identity Surface
As the definition of identity expands, employees are no longer the only actors operating within enterprise environments. Service accounts, APIs, workload identities, and AI agents are now executing actions across cloud platforms and SaaS environments at machine speed.
These non-human identities (NHIs) often operate with persistent privileges and broad access to critical resources. However, they are frequently overlooked in traditional identity governance frameworks. As organizations adopt automation and agent-driven workflows, non-human identities are rapidly becoming one of the fastest-growing attack surfaces in cybersecurity.
Traditional identity security models were built around human users and authentication events. That model does not translate well to NHIs, which can be ephemeral, programmatic, and massively scaled. In many environments, these automated identities vastly outnumber human users.
The Authorization Gap
The shift toward automation exposes another structural weakness in traditional identity security: the “Authorization Gap”. Security frameworks have historically focused on the moment of authentication as a gate that determines whether a user is allowed to enter. To follow this, organizations have in turn invested heavily in stronger authentication mechanisms, granular permissions, and zero trust access models. These controls remain essential, but authentication alone cannot determine what happens after access is granted.
A fully authenticated user may still perform reconnaissance, exfiltrate sensitive data through a browser, or upload proprietary code into generative AI tools. Likewise, a correctly provisioned service account could be abused for lateral movement across cloud infrastructure. Once inside, traditional identity systems often assume legitimacy. This assumption creates a dangerous blind spot between who is allowed into the system and what they actually do once inside it.
Shifting the Focus to Behavior
Defeating the Identity Paradox requires a fundamental shift in how organizations think about identity security. Moving away from a narrow focus on authentication, defenders can broaden the scope by monitoring the behavior that occurs after login. Post-authentication behavioral monitoring allows security teams to identify deviations from expected activity patterns such as:
- Access to sensitive repositories outside a developer’s normal workflow
- Unexpected privilege changes or administrative actions
- Bulk data exports from SaaS platforms
- Identity-driven lateral movement across systems
These behavioral signals often reveal malicious activity long before traditional alerts trigger. Organizations should treat events such as new MFA device enrollments, OAuth permission grants, and service account privilege changes as high-risk signals that require close scrutiny. Restricting long-lived sessions, monitoring concurrent authentication activity, and auditing machine-to-machine trust relationships can significantly reduce an attacker’s ability to convert a single compromised credential into persistent access.
Conclusion | Defeating the Identity Paradox
Identity is both the attacker’s preferred entry point and the defender’s most valuable signal. Organizations that succeed in defending against identity-driven threats will be those that treat identity not as a static credential, but as a continuously monitored security boundary.
That means validating not only who is acting within the system, but also how that identity behaves over time, whether it belongs to a human employee, a service account, or an autonomous AI agent. As automation accelerates and machine-driven activity expands across enterprise environments, identity security must evolve accordingly.
SentinelOne’s® Autonomous Security Intelligence architecture is designed to support this expansion. It delivers comprehensive visibility and response across both human and non-human activity where Singularity Identity delivers essential context around who (or what) is taking action, Prompt Security detects misuse within browsers and AI-driven workflows, and Singularity Endpoint verifies behavior directly at the system level.
Together, all three capabilities create a continuous execution layer that correlates activity across identities, applications, and devices. SentinelOne uniquely provides immediate, end-to-end visibility into GenAI usage along with data protection at every point of employee interaction on managed devices – all without requiring SASE redesigns or API-level integrations.
As advanced threats increasingly operate behind legitimate access and automation drives more machine-led activity, enterprise resilience hinges on securing execution itself in real time. SentinelOne is evolving identity from a static checkpoint into an ongoing system of behavioral validation, ensuring the integrity of every action across the enterprise, whether performed by a user, service account, or AI agent.
SentinelOne's Annual Threat Report
A defender’s guide to the real-world tactics adversaries are using today to abuse identity, exploit infrastructure gaps, and weaponize automation.
Third-Party Trademark Disclaimer
All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.
Entrar
