Attackers are exploiting identity gaps while organizations struggle to keep pace with detection and response.
Key Takeaways:
Non-human identities, service accounts, and AI agents are exploding across modern environments, and security teams aren’t keeping up. As organizations hand real access and autonomy to non‑human identities, attackers are exploiting the gaps, often by simply using trusted credentials rather than breaking in.
The SANS 2026 State of Identity Threats & Defenses survey gathered input from hundreds of cybersecurity professionals, including security leaders, identity and access management (IAM) practitioners, incident responders, and engineers working across cloud, SaaS, and on‑premises environments. The purpose of the survey was to measure how identity-related attacks are evolving, how well organizations are detecting and responding to them, and where current identity defenses are falling short, with a particular focus on real-world compromise data, operational response gaps, and emerging risks such as non‑human identities and AI-driven access.
This report emphasizes that traditional network boundaries are no longer the main line of defense. With widespread cloud adoption, SaaS usage, and remote access, identity has become the central control point that attackers target. Credentials, sessions, and tokens now provide attackers with more value than exploiting infrastructure flaws.
Most organizations have implemented modern identity controls such as SSO, Multifactor Authentication (MFA), and identity monitoring. However, SANS identifies a “deployment vs. resilience” gap. Many teams can detect identity-based attacks relatively quickly, but fewer can stop them in time to prevent damage.
According to this survey, roughly two-thirds of organizations detect identity attacks within 24 hours, but only about half can contain those attacks in the same time window. This delay allows attackers to move laterally, escalate privileges, or establish persistence after successful authentication.
This report highlights a transition from login abuse toward using valid credentials and trusted access paths. Techniques such as token theft, MFA fatigue, compromised browsers, and consent abuse are increasingly effective because they blend in with normal user behavior and evade traditional alerts.
Additionally, service accounts, APIs, automation credentials, and AI agents are growing rapidly but often lack proper governance. This survey found that most organizations do not rotate or closely monitor these credentials, which makes them attractive and low-risk targets for attackers.
This report warns against assuming MFA is a complete solution. Attack methods such as MFA push abuse and session hijacking can bypass MFA without triggering suspicious login events, which reduces its effectiveness when used in isolation.
This study emphasizes the need for dedicated identity-focused detection and response capabilities. Effective defense now requires correlating identity signals across authentication, endpoints, cloud services, and user behavior, and having clear ownership and processes to act quickly when identity misuse occurs.
The SANS report recommends that organizations treat identity as a high-risk attack surface and assume credentials will be abused. Security teams are urged to move beyond deploying MFA and SSO and instead build faster, identity-focused response capabilities, including clear ownership of Identity Threat Detection and Response (ITDR), predefined containment playbooks, and stronger correlation of identity signals across endpoints, cloud platforms, and SaaS environments to close the gap between detection and action.
It also emphasizes the need to govern non‑human identities with the same rigor as human users, including regular credential rotation, least-privilege access, and monitoring for abnormal behavior. Finally, organizations must reduce overreliance on MFA alone, strengthen session and token protections, and mature Zero Trust practices by continuously evaluating identity behavior after login.
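As an added illustration of the signal correlation and non-human identity monitoring the report calls for (this is not code from SANS or from the report), the following builds a small constructed identity event stream and flags three of the patterns named above: MFA push fatigue, a session token reused from a different address than the one that logged in, and service-account credentials older than a rotation policy. The event fields, thresholds, account names and dates are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity events (not real telemetry): MFA pushes, logins and later token use.
FIELDS = ("ts", "user", "type", "result", "ip", "session")
EVENTS = [
    ("2026-01-10T08:00:00", "alice", "mfa_push", "deny", "203.0.113.5", None),
    ("2026-01-10T08:00:40", "alice", "mfa_push", "deny", "203.0.113.5", None),
    ("2026-01-10T08:01:20", "alice", "mfa_push", "deny", "203.0.113.5", None),
    ("2026-01-10T08:02:00", "alice", "mfa_push", "approve", "203.0.113.5", None),
    ("2026-01-10T08:02:05", "alice", "login", "success", "203.0.113.5", "sess-1"),
    ("2026-01-10T08:30:00", "alice", "token_use", "ok", "198.51.100.9", "sess-1"),
    ("2026-01-10T09:00:03", "bob", "login", "success", "192.0.2.7", "sess-2"),
    ("2026-01-10T09:10:00", "bob", "token_use", "ok", "192.0.2.7", "sess-2"),
]

def parse(events):
    # Tuples to dicts with datetime timestamps, ordered by time.
    rows = [dict(zip(FIELDS, e)) for e in events]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])

def detect_mfa_fatigue(events, min_denies=3, window=timedelta(minutes=10)):
    """Flag an MFA approval preceded by repeated denials from the same user within the window."""
    alerts, recent_denies = [], defaultdict(list)
    for r in (e for e in parse(events) if e["type"] == "mfa_push"):
        denies = [t for t in recent_denies[r["user"]] if r["ts"] - t <= window]
        if r["result"] == "deny":
            denies.append(r["ts"])
        elif len(denies) >= min_denies:
            alerts.append((r["user"], r["ts"].isoformat(), len(denies)))
        recent_denies[r["user"]] = denies
    return alerts

def detect_session_ip_change(events):
    """Flag a session token used from an address other than the one that authenticated it."""
    login_ip, alerts = {}, []
    for r in parse(events):
        if r["type"] == "login" and r["result"] == "success":
            login_ip[r["session"]] = r["ip"]
        elif r["type"] == "token_use" and login_ip.get(r["session"]) not in (None, r["ip"]):
            alerts.append((r["user"], r["session"], login_ip[r["session"]], r["ip"]))
    return alerts
# Constructed inventory of non-human identities and the date each credential was last rotated.
NHI = {"svc-backup": "2025-05-01", "ci-deploy": "2025-12-20", "ai-agent-ops": "2025-02-14"}
def stale_nhi_credentials(inventory, now, max_age_days=90):
    """Return non-human identities whose credential is older than the rotation policy allows."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=max_age_days)
    return sorted(n for n, d in inventory.items() if datetime.fromisoformat(d) < cutoff)
```

Each detector returns its alerts so they can be fed into a containment playbook; the session check only fires after a successful login, which is exactly the post-authentication window the report says most teams fail to cover.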