Identity, AI benefits/risks

ID Dataweb outlines the need for continuous identity threat detection  

(Adobe Stock)

ID Dataweb on April 7 released a report that explains how traditional identity and access management (IAM) approaches no longer suffice against adversaries armed with stolen data and increasingly- sophisticated social engineering techniques.

The new report presents an identity verification maturity model that progresses from “credential-only” authentication to “step-up authentication,” then “point-in-time” identity verification (IDV), and finally “continuous” identity threat detection and risk mitigation.

ID Dataweb's report outlines four features modern identity products should offer today to fulfill the goals of continuous identity systems:

  • Flexible risk detection and orchestration.
  • Broad access to authoritative identity data sources and risk signals.
  • Resilience across infrastructure, data, and identity verification services.
  • Privacy preservation.

"Identity risk is no longer confined to a single login, transaction, or device," said Dave Coxe, co-founder and CEO at ID Dataweb. "Organizations need a unified approach that can continuously verify the person behind the credential across the full identity lifecycle without adding friction for legitimate users." 

Morey Haber, chief security advisor at BeyondTrust, said while these four features are obvious to security pros, most enterprises are still ignorant of identity attack vectors.

Haber said identity security no longer functions as a control point within a log, nor simply a compliance checkmark to validate authentication and joiner, mover and leaver processes: it’s now the preferred attack vector for threat actors.

“Credentials are being weaponized through deepfakes, social engineering, watering hole attacks, SIM jacking, and automation at a scale that traditional IAM products were never designed to handle,” said Haber. “The report reinforces that identity risk is not a workflow problem: it’s a business continuity problem and the cybersecurity controls of yesterday must evolve to solve the identity security challenges present today.”

Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, pointed out that traditional identity and access management products are in the same position endpoint security was before EDR: static credentials and point-in-time verification check once, at the gate, and assume everything after that is legitimate.

“The paper describes the necessary evolution, and the four capabilities map directly to lessons the endpoint security world learned the hard way,” said Krell. “Flexible risk detection and orchestration is the foundation. We need to make identity decisions contextual and adaptive, not static. A login from a recognized device during business hours is not the same as a login from an unfamiliar device in a foreign geography requesting privileged access at 2 a.m. The system needs to weigh those signals in real time and adjust accordingly.”

Roy Katmor, co-founder and CEO of Orchid Security, added that that the four principles outlined make sense, except for when the identity isn’t human.

“AI agents authenticate differently,” said Katmor. “They inherit credentials, tokens, service accounts, and dormant admin access that were never revoked. There's no fake to catch, no anomaly to flag at login. The agent just acts. Because it's optimizing for efficiency, it takes the fastest path through an environment, not the safest.”

Katmor said even with strong identity detection, visibility into how delegated access actually gets used remains limited.

“It points to a next step beyond verification, which is continuous evaluation of delegated authority, not just whether access gets granted, but whether execution should be allowed, in context, and with what scope,” said Katmor. “It’s less a gap in the framework, more an evolution required for an Agent-AI world."

Kevin Surace, chair at TokenCore added that with AI agents in the mix the standard has become proving we are the authorized human, physically present, on the real device, at the real domain, right now.

“AI can already clone voices and increasingly simulate faces, so high assurance identity has to move toward hardware bound fingerprint-based authentication with live biometric proof that cannot be replayed, relayed, or synthesized,” said Surace. “The companies that win in the next three years will replace hope-based MFA with biometric assured identity and make stolen credentials useless.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds