Threats against identities and their protections are worsening. Cybercriminals are more interested in stealing and abusing compromised credentials, organizations often can’t detect exposed credentials on the dark web, and visibility into the actions and behaviors of service accounts is lacking. Threat actors are increasingly leveraging social engineering for compromising credentials. Internally, most organizations lack the optics and processes to detect identity-led threats.

New identity security solutions are emerging to protect identities—both human and non-human—by layering additional protections on identity and access management tools. These include solutions for visibility, governance, and autonomous remediation. While the organizations in this research claim high maturity for current identity security deployments, evidence of high maturity is lacking for most. All organizations must urgently revisit their identity security protections, deploy new or advanced solutions to strengthen identity security posture, and reduce exposure to the negative implications of identity-led threats.