Let’s start with a bit of history. Data used to live in storage systems in our own datacenters. To steal or tamper with that data, or to bring down the systems that held it, bad actors had two entry points.
One was the network, which connected the storage systems internally and out to branch offices; the second was the endpoint, the compute systems used to access and manipulate data through applications. As we moved from mainframes to client-server, many clients were accessing the storage and compute servers.
On the endpoint side, attackers exploited weaknesses in the clients’ operating systems, and the endpoint security industry was born with antivirus as its first product. Fast forward to today and it has become comprehensive endpoint protection with real-time detection and response.
On the network side, attackers used “worms” to traverse the network from an entry point, which could be an endpoint or a network device.
Fast forward again: with the growth of the internet and distributed offices, we now access data over corporate or public networks. We also use fewer homegrown applications and more third-party applications (SaaS) hosted in public clouds or in the vendors’ own data centers.
Innovations like SASE have converged all of these networks (data center, branch office, public cloud, SaaS) into one logical entity.
Architectures like Zero Trust (ZT) have combined network access and application/data access into one, effectively eliminating the “open” network in which, once an attacker got onto the network, she could reach every application and data store on it. Now every entity requires its own authentication. When you run applications in a public cloud, the cloud’s architecture follows the same ZT principle, requiring authentication for every network, data or compute access.
That means identity is the new perimeter. Attackers don’t need to break into your network or exploit endpoints anymore; they just need your credentials.
So it is no surprise that the 2025 Verizon Data Breach Investigations Report (DBIR) shows threat actors are less likely to probe for backend vulnerabilities and more likely to phish, guess, scrape, or simply buy credentials from a darknet broker. And for yet another year, credential compromise remains the number one initial access vector for breaches.
The DBIR’s credential-related findings tell a story that bears directly on identity:
- A staggering 88% of attacks against basic web applications involved the use of stolen credentials
- 60% of all breaches involved the human element (where users interact through actions like clicking phishing links or responding to social engineering)
- Brute force attacks against basic web apps nearly tripled over the last year (from roughly 20% to 60%)
Yet we are underinvested in identity. Gartner’s security spending forecast for 2029 predicts only 15% of total dollars going to core identity products.
Instead, identity capabilities are sold as extensions of other products: ITDR (identity threat detection and response) bundled with EDR (endpoint detection and response), ZTNA (zero trust network access) with SASE (secure access service edge), CIEM (cloud infrastructure entitlement management) with cloud security, and data access governance with data security.
Traditional IAM covers three pillars:
- Access Management – who gets in (authentication).
- Authorization – what they can do once they are in.
- Governance – reviewing and certifying that access, too often reduced to compliance checkboxes.
“Identity Security” is becoming popular as a consolidation of these three pillars. But consolidation alone is not enough. Identity security requires a platform approach:
- Dedicated identity platforms with unified data lakes and real-time pipelines.
- Managed Identity Detection & Response (MIDR) to detect and contain threats in motion.
- LLM-powered analytics to catch subtle anomalies (like an MFA reset days before a breach).
- Unified authentication records that eliminate blind spots and bind high-value accounts to specific devices or networks.
Here’s the reality: security operations remain reactive and alert-driven, but identity threats unfold slowly. An unusual login or an access mistake can look harmless today and become tomorrow’s breach. An MFA change can seem benign and lead to a breach several days later. A third party touching an account it does not manage can look like a mistake and lead to data loss later.
This is what makes identity security challenging, and it is where LLMs can help trace and track suspicious or anomalous activity. Feed the unified activity records to an LLM-backed pipeline and get meaningful alerts that security personnel can triage and resolve. You can also automate the follow-up: ask the employee whether they meant to change their MFA factor, or notify the third party about the anomalous activity. Keep deterministic correlation rules for the sequences you already know are bad alongside the model, so a known-bad pattern is never missed because the model failed to flag it.
On the access management side, force a single system of record. Authenticating third-party apps through other apps (one SaaS app federating to another instead of to your identity provider) creates blind spots in access and authorization. Bind credentials to devices or networks wherever possible for critical admin and production/data accounts.
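To make the slow-burn correlation and the device/network binding concrete, here is an added example (not code from the original post, and not any vendor’s product) of the deterministic layer that would sit beside the LLM analytics described above: a small rule engine over a unified authentication record that flags an MFA factor reset followed within a window by a login from a never-before-seen device, a privileged account logging in from a device or network it is not bound to, and a third-party account reaching an application outside its assigned scope. The event format, field names, sample log lines, window length and policy tables are all constructed for this illustration.

```python
"""Rule-based correlation over a unified identity/authentication record.

Constructed example, not code from the original post. The JSON-lines event
format, the field names, the sample events, the 7-day window and the policy
tables below are assumptions made for this illustration.
"""
from datetime import datetime, timedelta
import ipaddress
import json

# Constructed sample log: one JSON object per line, deliberately out of order.
SAMPLE_LOG = """
{"ts":"2025-06-01T09:00:00","user":"alice","event":"login","device":"dev-alice-laptop","ip":"10.1.2.3","app":"idp"}
{"ts":"2025-06-02T09:05:00","user":"alice","event":"mfa_factor_reset","device":"dev-alice-laptop","ip":"10.1.2.3","app":"idp"}
{"ts":"2025-06-05T23:40:00","user":"alice","event":"login","device":"dev-unknown-77","ip":"203.0.113.9","app":"idp"}
{"ts":"2025-06-03T11:00:00","user":"admin-bob","event":"login","device":"dev-bob-workstation","ip":"10.1.5.5","app":"cloud-console"}
{"ts":"2025-06-04T02:15:00","user":"admin-bob","event":"login","device":"dev-bob-workstation","ip":"198.51.100.4","app":"cloud-console"}
{"ts":"2025-06-04T10:00:00","user":"vendor-acme","event":"access","device":"dev-acme-1","ip":"192.0.2.8","app":"ticketing"}
{"ts":"2025-06-06T10:00:00","user":"vendor-acme","event":"access","device":"dev-acme-1","ip":"192.0.2.8","app":"hr-payroll"}
"""

# Assumed policy data; in practice this comes from the identity system of record.
PRIVILEGED_BINDINGS = {
    "admin-bob": {"devices": {"dev-bob-workstation"}, "networks": ["10.1.0.0/16"]},
}
THIRD_PARTY_SCOPE = {"vendor-acme": {"ticketing"}}
MFA_RESET_WINDOW = timedelta(days=7)  # assumed: how long a reset stays "suspicious"


def parse_events(raw):
    """Parse JSON lines into dicts with real timestamps, sorted by time."""
    events = [json.loads(line) for line in raw.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def in_allowed_network(ip, cidrs):
    """True if ip falls inside any of the allowed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def detect(events):
    """Walk events in time order, keeping per-user state, and emit alerts."""
    alerts = []
    seen_devices = {}    # user -> devices seen on events before the current one
    last_mfa_reset = {}  # user -> timestamp of the most recent factor reset
    for e in events:
        user, kind = e["user"], e["event"]
        known = seen_devices.setdefault(user, set())
        if kind == "mfa_factor_reset":
            last_mfa_reset[user] = e["ts"]
        if kind == "login":
            # Rule 1: factor reset, then a login from a device never seen for this user.
            reset_at = last_mfa_reset.get(user)
            if (reset_at is not None and e["device"] not in known
                    and e["ts"] - reset_at <= MFA_RESET_WINDOW):
                alerts.append({"rule": "mfa_reset_then_new_device", "user": user, "ts": e["ts"]})
            # Rule 2: privileged account used outside its bound device or network.
            binding = PRIVILEGED_BINDINGS.get(user)
            if binding and (e["device"] not in binding["devices"]
                            or not in_allowed_network(e["ip"], binding["networks"])):
                alerts.append({"rule": "privileged_binding_violation", "user": user, "ts": e["ts"]})
        # Rule 3: third-party account touching an application it is not assigned to.
        if kind == "access" and user in THIRD_PARTY_SCOPE and e["app"] not in THIRD_PARTY_SCOPE[user]:
            alerts.append({"rule": "third_party_out_of_scope", "user": user, "ts": e["ts"], "app": e["app"]})
        known.add(e["device"])
    return alerts


def run_sample():
    """Run the detector over the constructed log and return the alerts."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Each alert carries the timestamp of the event that tripped it, so an analyst (or an LLM summarizer fed these alerts rather than the raw stream) can see that alice’s new-device login on 5 June is tied to a factor reset three days earlier, which is exactly the kind of gap a per-event, alert-driven view loses.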