As CEO, Chris Schueler drives the overall vision and strategy for Cyderes - a global Cyber Defense and Response services provider.

getty
I estimate that 80% to 90% of the breaches I see begin with so-called simple identity weaknesses, not a zero-day or sophisticated attack. Whether log-in credentials someone bought on the dark web, a dormant account nobody deprovisioned, or an access privilege granted for a project that ended two years ago and never got revoked, identity weaknesses are the common thread in nearly every engagement.
One reason threat actors find identity the easiest entry point is that so many identities are unguarded. Ninety-nine percent of the 680,000 cloud identities Palo Alto Networks analyzed in 2025 had excessive permissions, access nobody needed, but were there to be exploited. Attackers don't pass up that kind of opportunity. We saw this in 2024, when over seven in 10 organizations experienced data breaches due to improper access or overprivileged users.
The Privilege Creep Nobody Cleaned Up
When we assess client systems at Cyderes, privilege creep is always one of the first weaknesses we discover. I'm always curious to know why. More often than not, I've noticed it's because organizations simply can't keep up with the sheer number of identities and access they need to manage.
CyberArk's 2025 research found that machine identities already outnumber human identities by more than 80-to-1, and 79% of organizations expect that number to continue to grow. On top of that, more than 50% of companies use at least 25 different tools to manage access rights. An exponential increase in identities managed across multiple, unconnected tools is how privilege creep becomes structural. This is the perfect recipe for an identity management disaster.
Now layer in agentic AI. Organizations are doubling down on agentic AI tools without extending their identity security plans to cover them. The rationale for using them isn't the issue. They're autonomous, they accelerate decision-making, and they help you get ahead of attackers. But if your permission controls and access policies don't extend to those tools, you've widened the attack surface, not reduced it.
An over-permissioned AI tool is one prompt away from leaking everything it has access to. I've watched this happen more than once. The Reprompt vulnerability, disclosed in January this year, is a clear example. Varonis Threat Labs demonstrated that a single click on a legitimate Microsoft link could hijack a Copilot Personal session and silently exfiltrate user data, bypassing Copilot’s built-in safeguards. Microsoft patched it, and enterprise M365 Copilot wasn't affected. But the underlying vulnerability class, AI assistants that auto-execute external input without persistent safeguards, isn't specific to one product version.
In 2025, IBM revealed that 97% of organizations experiencing AI-related incidents lacked proper AI access controls. You cannot afford to exclude agentic AI from your identity and access management plans.
29 Minutes Is All They Need
Attackers are finding and exploiting privilege gaps in record time. The average eCrime breakout, the interval between initial compromise and the first lateral movement, dropped to 29 minutes, according to the 2026 CrowdStrike Global Threat Report. In one instance, data exfiltration began after four minutes.
Speed isn't the only problem. Attackers are increasingly deploying malware-free techniques using legitimate credentials. There's no malicious signature for your SOC tools to catch because the activity looks like normal, authenticated access. In this case, the attacker is using the front door.
When breakouts were measured in hours, you had a window to catch privilege abuse. At 29 minutes, a dormant account with overprivileged access gives an attacker a straight line from credential abuse to account takeover. By the time someone looks, the attacker has already moved. That's why identity telemetry has to live in the SOC, informing real-time detection and response, not sitting in a separate system feeding a weekly report. The gap between "we see it" and "we act" is where trust is won or lost.
What I'd Do First Thing On Monday Morning
If I were a CISO reading this, I'd start with one audit that almost nobody is running yet: a privilege creep review focused on AI-adjacent systems and automation pipelines.
I would review the users and service accounts that have access to the AI tools. Then I'd check when that access was last reviewed, and whether the original scope still matches what the tool is actually doing today.
The Bottom Line
The attackers keep telling us the same thing: They aren't breaking in; they're logging in.
The teams that treat identity as their security strategy will close the loophole that allows attackers to walk in with legitimate credentials and move laterally before anyone notices. The rest will keep explaining to their boards why the breach started with a credential that should have been revoked two years ago.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

1 day ago
3













English (US)