Too many accounts have excessive permissions; this was the case for 99% of the 680,000 cloud users, roles, and services analyzed by Unit 42, including some that had been unused for 60 days or more. It’s an identity attack surface that keeps expanding faster than the underlying issues can be addressed, as organizations add ever more cloud, SaaS, and AI applications.
Increasingly, this attack surface is made up of machine identities (service accounts, automation roles, API keys, AI agents), shadow identities (unsanctioned accounts, developer environments, and third parties), and identity “silos” (on-premises AD plus multiple cloud identity providers).
“Rarely does an attack stay in one environment. Instead, we see coordinated activity across endpoints, networks, cloud, SaaS, and identity, forcing defenders to monitor across all of them at once,” said Unit 42.