"Identity itself, and every permission it carries, has become the attack path," writes Alex Gardner, Director of Product Marketing at XM Cyber.
One cached key, 98% of the cloud at risk
The article opens with a concrete incident: a cached AWS access key on a single Windows machine that, under ordinary, automatic credential-caching behavior, could have given an attacker access to roughly 98% of entities in that company's cloud environment. The exposure was discovered before exploitation, but the lesson is stark: a single legitimate credential — placed there by normal user activity, not misconfiguration or policy violation — can be the start of an attack path leading to nearly every critical workload a business relies on.
How identity links endpoints, Active Directory, and cloud workloads
Gardner lays out multiple short chains that, when connected, form long, traversable routes from low-level footholds to production controls. Examples in the article include an unreviewed Active Directory group membership that gives an attacker on a retail endpoint a direct path to the corporate domain, and a developer SSO role that retains permissions after a migration project ends, enabling a four-step escalation from developer access to production admin. The cached credential on the retail endpoint is not isolated — it connected to an overprivileged AD role, which in turn was tied to a cloud workload carrying an admin policy. Those links together created a single attack path.
Why existing identity tools fail to show the full path
The piece critiques the core tooling many organizations rely on. Identity governance and administration (IGA) platforms manage lifecycle tasks such as provisioning and access reviews. Privileged access management (PAM) solutions store credentials and monitor sessions. Each class of tool performs its narrowly defined function, but none maps how exposures chain across endpoints, Active Directory, and cloud environments into a single exploitable route. That gap helps explain rising incident rates: Palo Alto found identity weaknesses played a serious role in nearly 90% of its 2025 incident response investigations, and IBM X-Force's 2026 Threat Intelligence Index showed stolen or misused credentials accounted for 32% of incidents — the second most common initial access vector.
The non-human identity problem and AI agents
Gardner warns that non-human identities — AI agents, machine identities, and service accounts — are rapidly becoming a major component of the risk picture. SpyCloud's 2026 Identity Exposure Report identified non-human identity theft as one of the fastest-growing categories in criminal markets, noting that a third of recovered non-human credentials were tied to AI tools. The article gives a concrete scenario: a development team grants high-level permissions to an MCP server so an AI tool can operate across systems. The AI agent adopts those privileges as its identity; a vulnerability in the underlying open-source tooling can hand an attacker those same permissions, sending a direct route into cloud resources, databases, and production infrastructure. Gardner emphasizes that the credentials enabling this are the kind found "circulating in criminal marketplaces by the millions."
What this means for technologists and security teams, enterprises, and adversaries
- Technologists and security teams: Map identity, permissions, and environment context together. The article argues that until teams can connect those elements into a unified view, identity will remain the easiest route to critical assets.
- Affected enterprises and procurement leaders: Existing investments in IGA and PAM may not be sufficient if those tools operate in isolation. Palo Alto concluded that over 90% of the breaches its teams investigated in 2025 were enabled by exposures that existing tools should have caught — a gap of visibility rather than capability.
- Adversaries and threat actors: The piece makes clear the opportunity for attackers. With stolen credentials a common commodity and AI-linked non-human identities growing, the "highway" of identity across environments offers low-effort, high-reward paths that require little to no custom exploit development.
A pointed conclusion
Gardner's central claim is simple and specific: identity is not a perimeter control to be locked at the entrance; it is the connective tissue that runs through every layer of a hybrid environment. The practical implication is equally clear — security programs must stop treating authentication and isolated access controls as sufficient and instead build visibility that shows how a credential, a forgotten role, or an overprivileged account can chain into a full attack path. If organizations cannot map those chains, the article warns, attackers already know the routes and will continue to use them.




