CISO guide to securing identity
How to secure human, non-human, and AI identities
Identity-based attacks now account for 90% of breaches — and the environments those attacks cross have outpaced the tools most security teams have in place. A SIEM ingests logs. An IAM manages human provisioning. A CASB monitors sanctioned SaaS usage. None of them was designed to follow a stolen OAuth token as it moves across an authentication boundary from a SaaS IdP into IaaS infrastructure and back into another SaaS application. That architectural gap is the story behind Salesloft, Snowflake, and Okta. This guide covers how to close it — across every identity type and every environment your organization runs.
Why traditional identity tools create blind spots, not coverage
The challenge with identity security in 2025 isn't a shortage of tools — it's the gaps between them. Most organizations run a SIEM for event logging, an IAM for human provisioning, a CASB for sanctioned SaaS monitoring, and a CSPM for cloud resource misconfiguration detection. Each tool was designed for a specific layer, and identity attacks consistently exploit the space between those layers.
The Snowflake breach — 165 customer environments compromised through infostealer-harvested credentials — succeeded because accounts lacked MFA and had not rotated credentials in years. The monitoring in place didn't flag credential reuse at the scale it was being exploited. The Salesloft/Drift attack was more complex: attackers compromised Salesloft's GitHub, extracted Drift OAuth tokens, and pivoted into Salesforce instances across 700+ organizations. Each step crossed an authentication boundary. Each boundary was managed by a different tool. No single system had the context to connect them.
The root cause is architectural. Identity behavior doesn't stay within tool boundaries. Attackers know this. Effective identity security programs need to know it too.
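The correlation that the preceding paragraphs say no single tool performs is, mechanically, a join on the credential rather than on the tool: normalize the authentication events each layer already logs, key them by a fingerprint of the token presented, and look at the resulting chain. The following Python is an added example, not Permiso's product or any code from this page. It runs over constructed events in an assumed common shape (the `source`, `token_fp` and `ip` fields and the `saas_idp`/`iaas`/`saas_crm` source names are this example's own conventions), and reports every credential that was used across two or more sources inside a time window, with an extra flag when the source IP changed mid-chain.

```python
"""Cross-boundary credential correlation over constructed, normalized auth events.

Assumed record shape (this example's own convention, not a vendor format):
  ts        ISO-8601 timestamp
  source    which layer logged it: saas_idp | iaas | saas_crm
  identity  principal name as that layer saw it
  token_fp  fingerprint (e.g. hash) of the bearer credential presented; join key
  ip        client address seen by that layer
  action    what was done
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). fp-A is one integration token that
# is issued by the IdP, used against cloud infrastructure, then used against a
# SaaS CRM from a different address; fp-B is an ordinary human session.
EVENTS = [
    {"ts": "2025-08-01T10:00:00", "source": "saas_idp", "identity": "svc-integration",
     "token_fp": "fp-A", "ip": "203.0.113.10", "action": "token_issued"},
    {"ts": "2025-08-01T10:05:00", "source": "iaas", "identity": "svc-integration",
     "token_fp": "fp-A", "ip": "203.0.113.10", "action": "ListSecrets"},
    {"ts": "2025-08-01T10:20:00", "source": "saas_crm", "identity": "svc-integration",
     "token_fp": "fp-A", "ip": "198.51.100.7", "action": "bulk_export"},
    {"ts": "2025-08-01T11:00:00", "source": "saas_idp", "identity": "alice",
     "token_fp": "fp-B", "ip": "192.0.2.5", "action": "token_issued"},
    {"ts": "2025-08-01T11:02:00", "source": "saas_crm", "identity": "alice",
     "token_fp": "fp-B", "ip": "192.0.2.5", "action": "read_record"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate_by_credential(events, window=timedelta(hours=1)):
    """Group events by credential fingerprint, order each group in time, and
    return one finding per credential seen in two or more distinct sources
    within `window`. The finding carries the ordered (source, action) chain."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token_fp"]].append(e)

    findings = []
    for fp, evs in by_token.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        sources = {e["source"] for e in evs}
        span = parse_ts(evs[-1]["ts"]) - parse_ts(evs[0]["ts"])
        if len(sources) >= 2 and span <= window:
            findings.append({
                "token_fp": fp,
                "identity": evs[0]["identity"],
                # each additional source is one authentication boundary crossed
                "boundaries_crossed": len(sources) - 1,
                "chain": [(e["source"], e["action"]) for e in evs],
                # the same token presented from a new address is worth a look on its own
                "ip_changed": len({e["ip"] for e in evs}) > 1,
            })
    return findings


def high_risk(findings, min_boundaries=2):
    """Narrow to chains that crossed at least `min_boundaries` boundaries or
    changed client address along the way."""
    return [f for f in findings
            if f["boundaries_crossed"] >= min_boundaries or f["ip_changed"]]


if __name__ == "__main__":
    for f in high_risk(correlate_by_credential(EVENTS)):
        print(f["token_fp"], f["identity"], f["chain"], "ip_changed=%s" % f["ip_changed"])
```

The point of the example is the join key: each of the three sources already records the events shown, and each on its own looks benign. Only after keying on `token_fp` does the IdP-to-IaaS-to-CRM chain for `svc-integration` become visible, which is the view the page argues a layer-per-tool architecture never produces.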
The non-human identity challenge security programs consistently underweight
Most identity security programs were designed around human users: provisioning, deprovisioning, access reviews, MFA enforcement. The problem is that human identities are no longer the majority of the attack surface.
Organizations now manage 50 times more non-human identities — service accounts, API keys, OAuth tokens, and secrets — than human employees. These identities were built for automation and speed, not for the security controls designed around human behavior. They rarely have MFA enforced, they accumulate permissions over time without scheduled review, and they span multiple environments without a single owner accountable for their lifecycle. 67% of organizations have more than 10,000 zombie accounts, and stale service accounts are involved in 35% of insider threat incidents.
The assessment gap compounds the exposure. Traditional IAM systems were built for point-in-time access reviews of human users. Dynamic, cloud-native non-human identities that spin up, acquire permissions, and persist across environment boundaries require continuous discovery and behavioral monitoring — not annual access reviews conducted in a spreadsheet.
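What a continuous, discovery-driven review of non-human identities looks like in code, as an added example that is not part of the original page or of any vendor tooling: the block below takes a constructed inventory (service accounts, API keys and OAuth tokens, each with a `created_by` link, last-use and last-rotation dates, an MFA flag and a privilege flag; all names and dates are made up) and produces, per identity, the findings the paragraph above calls for. It walks the creation chain back to the human at the root so that a token minted by a service account that was itself created by a since-deprovisioned employee is reported as orphaned, and it flags stale use, unrotated credentials, and privileged identities with no MFA.

```python
"""Non-human identity (NHI) lifecycle checks over a constructed inventory.

The inventory shape is this example's own assumption. A real discovery job
would pull these fields from the IdP, cloud IAM and SaaS admin APIs.
"""
from datetime import date

# Constructed human directory (not real data).
HUMANS = {
    "alice": {"status": "active"},
    "bob": {"status": "deprovisioned"},
}

# Constructed NHI inventory (not real data). `created_by` is either a human
# or another NHI, which is what makes the creation chain worth mapping.
NHIS = [
    {"id": "svc-build", "kind": "service_account", "created_by": "bob",
     "last_used": "2025-07-30", "cred_rotated": "2022-01-15", "mfa": False, "privileged": True},
    {"id": "key-report", "kind": "api_key", "created_by": "alice",
     "last_used": "2025-07-29", "cred_rotated": "2025-05-01", "mfa": False, "privileged": False},
    {"id": "svc-old-etl", "kind": "service_account", "created_by": "alice",
     "last_used": "2024-02-01", "cred_rotated": "2021-03-10", "mfa": False, "privileged": True},
    {"id": "tok-oauth-crm", "kind": "oauth_token", "created_by": "svc-build",
     "last_used": "2025-07-31", "cred_rotated": "2024-09-01", "mfa": False, "privileged": True},
]


def owner_chain(identity_id, nhis_by_id, humans):
    """Follow created_by links from an NHI back to a human.
    Returns (chain, root_status) where root_status is the human's status,
    or 'unknown' if the chain ends at a missing record or loops."""
    chain, seen = [], set()
    cur = nhis_by_id[identity_id]["created_by"]
    while cur not in humans:
        if cur in seen or cur not in nhis_by_id:
            return chain + [cur], "unknown"
        seen.add(cur)
        chain.append(cur)
        cur = nhis_by_id[cur]["created_by"]
    chain.append(cur)
    return chain, humans[cur]["status"]


def assess(nhis, humans, today_iso, stale_days=90, rotate_days=365):
    """Return {identity_id: [finding tags]} for the inventory as of `today_iso`.
    Thresholds are illustrative defaults, not a standard."""
    today = date.fromisoformat(today_iso)
    by_id = {n["id"]: n for n in nhis}
    report = {}
    for n in nhis:
        tags = []
        if (today - date.fromisoformat(n["last_used"])).days > stale_days:
            tags.append("stale")            # zombie candidate: unused for too long
        if (today - date.fromisoformat(n["cred_rotated"])).days > rotate_days:
            tags.append("unrotated")        # credential older than the rotation policy
        _, root = owner_chain(n["id"], by_id, humans)
        if root != "active":
            tags.append("orphaned")         # no active human accountable for it
        if n["privileged"] and not n["mfa"]:
            tags.append("privileged_no_mfa")
        report[n["id"]] = tags
    return report


if __name__ == "__main__":
    for ident, tags in assess(NHIS, HUMANS, "2025-08-01").items():
        print(f"{ident:15s} {', '.join(tags) or 'ok'}")
```

Run on a schedule rather than once a year, the same checks become the continuous review the paragraph describes: each run re-reads the inventory, so an identity that was fine last week is flagged the week its creator leaves or its last-use date slips past the threshold.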
Securing AI identities before the attack surface expands again
The 2026 Permiso Security State of Identity Security Report found that 91% of organizations expect AI-generated identities to increase, with one in four predicting they will double or triple. Most security teams still cannot account for the AI-created identities already active in their environments.
AI identities break into three categories with distinct risk profiles. AI users are employees accessing tools like ChatGPT, Copilot, or Claude — often through personal accounts that bypass corporate authentication controls and data governance policies entirely. AI builders are developers creating and deploying AI applications, where API key exposure in code repositories and ungoverned model access create both credential and data leakage risk. AI agents are the most complex: autonomous systems that frequently inherit excessive permissions from their human creators and operate at machine speed — faster than traditional monitoring pipelines can track.
The practical response requires extending the same runtime intelligence applied to human and non-human identities to this new category: discovering which AI services are connected to corporate systems, mapping AI agent permissions and data access patterns, and establishing behavioral baselines that make anomalous AI agent activity detectable before it produces an incident.
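The behavioral baseline the paragraph above describes for AI agents can be built from the same event stream used for any other identity. The Python below is an added example, not code from this page or from Permiso: it generates constructed telemetry for one hypothetical agent identity (`agent-support-bot`, a made-up name), learns from five quiet days which (service, action) pairs it performs, at which hours, and at what hourly volume, and then evaluates a sixth day that contains a never-before-seen bulk export against a CRM and an off-hours burst of requests. The event tuple shape and the anomaly thresholds are this example's own assumptions.

```python
"""Behavioral baselining for an AI agent identity over constructed telemetry.

Event shape (this example's own convention): (iso_timestamp, identity, service, action)
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

AGENT = "agent-support-bot"   # hypothetical agent identity, constructed for this example


def make_events():
    """Constructed telemetry: days 1-5 are routine ticket handling during
    business hours; day 6 adds a novel CRM export and a 02:00 burst."""
    ev = []
    for day in range(1, 6):
        for hour in range(9, 17):
            for _ in range(3):
                ev.append((f"2025-08-0{day}T{hour:02d}:00:00", AGENT, "ticketing", "read_ticket"))
            ev.append((f"2025-08-0{day}T{hour:02d}:30:00", AGENT, "ticketing", "reply_ticket"))
    for hour in range(9, 17):
        for _ in range(3):
            ev.append((f"2025-08-06T{hour:02d}:00:00", AGENT, "ticketing", "read_ticket"))
    ev.append(("2025-08-06T12:10:00", AGENT, "crm", "bulk_export"))
    for minute in range(40):
        ev.append((f"2025-08-06T02:{minute:02d}:00", AGENT, "ticketing", "read_ticket"))
    return ev


def build_baseline(events, learn_until_iso):
    """Per identity, learn the set of (service, action) pairs, the hours of day
    with activity, and the hourly volume distribution from events before the cutoff."""
    cutoff = datetime.fromisoformat(learn_until_iso)
    pairs, hours, buckets = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for ts, ident, service, action in events:
        t = datetime.fromisoformat(ts)
        if t >= cutoff:
            continue
        pairs[ident].add((service, action))
        hours[ident].add(t.hour)
        buckets[ident][t.strftime("%Y-%m-%dT%H")] += 1
    baseline = {}
    for ident in pairs:
        counts = list(buckets[ident].values())
        baseline[ident] = {"pairs": pairs[ident], "hours": hours[ident],
                           "mean": mean(counts), "sd": pstdev(counts), "peak": max(counts)}
    return baseline


def detect(events, baseline, since_iso):
    """Evaluate events from `since_iso` on against the baseline. Reports unknown
    identities, novel (service, action) pairs, activity in unseen hours, and
    hourly volume above max(mean + 3 sd, 1.5 x historical peak)."""
    since = datetime.fromisoformat(since_iso)
    findings, buckets = [], defaultdict(Counter)
    for ts, ident, service, action in events:
        t = datetime.fromisoformat(ts)
        if t < since:
            continue
        b = baseline.get(ident)
        if b is None:
            findings.append({"identity": ident, "kind": "unknown_identity", "detail": ts})
            continue
        if (service, action) not in b["pairs"]:
            findings.append({"identity": ident, "kind": "novel_action", "detail": (service, action)})
        buckets[ident][t.strftime("%Y-%m-%dT%H")] += 1
    for ident, ctr in buckets.items():
        b = baseline[ident]
        threshold = max(b["mean"] + 3 * b["sd"], 1.5 * b["peak"])  # floor avoids alerting on tiny variance
        for bucket, n in ctr.items():
            if int(bucket[-2:]) not in b["hours"]:
                findings.append({"identity": ident, "kind": "off_hours", "detail": bucket})
            if n > threshold:
                findings.append({"identity": ident, "kind": "volume", "detail": (bucket, n)})
    return findings


def run_demo():
    """Learn from days 1-5, evaluate day 6; returns (baseline, findings)."""
    ev = make_events()
    base = build_baseline(ev, "2025-08-06T00:00:00")
    return base, detect(ev, base, "2025-08-06T00:00:00")


if __name__ == "__main__":
    for f in run_demo()[1]:
        print(f["identity"], f["kind"], f["detail"])
```

The three detections the sixth day produces (a novel action pair, an hour of day with no prior activity, and an hourly count far above the learned peak) are exactly the categories of "anomalous AI agent activity" the paragraph refers to; the same functions apply unchanged to a service account or an OAuth integration, since nothing in them is specific to the agent.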
Frequently Asked Questions
1. Why do SIEMs, IAMs, and CASBs fail to prevent identity-based breaches?
Each tool monitors a single layer. SIEMs ingest logs but don't correlate identity sessions across environments. IAMs manage human provisioning but ignore non-human and AI identities. CASBs track sanctioned SaaS but can't follow a stolen credential across authentication boundaries. The Snowflake breach (165 environments compromised through unrotated, MFA-less credentials) and the Salesloft breach (OAuth tokens stolen from GitHub, pivoted into Salesforce across 700+ organizations) both exploited gaps between tools, not within them. Effective identity security requires following identity activity across boundaries, not monitoring each layer independently.
2. How should CISOs approach non-human identity security?
Non-human identities (service accounts, API keys, OAuth tokens, secrets) outnumber human identities by 50:1 or more, yet most security programs were built around human access reviews and MFA. NHIs rarely have MFA, accumulate permissions without review, span multiple environments, and persist long after the humans who created them move on. 67% of organizations have more than 10,000 zombie accounts, and stale service accounts are involved in 35% of insider threat incidents. CISOs should prioritize continuous NHI discovery, creation chain mapping, behavioral monitoring, and credential rotation over point-in-time reviews.
3. What are AI identity risks and how should security teams address them?
AI identities fall into three categories. AI users access services like ChatGPT or Copilot, often through personal accounts that bypass corporate authentication entirely. AI builders create AI applications where API key exposure and ungoverned model access create credential leakage risk. AI agents inherit permissions from their human creators and operate faster than traditional monitoring can track. 91% of organizations expect AI identities to increase in 2026, yet most cannot account for the ones already active. Security teams need runtime discovery, permission mapping, and behavioral baselining across all three categories.
4. What does the CISO Guide to Identity Security cover?
The guide provides a practical framework for securing human, non-human, and AI identities across cloud, SaaS, and on-premises environments. It covers why traditional tools like SIEMs, IAMs, and CASBs create blind spots that identity attacks exploit, how to build a non-human identity security program for the 50:1 NHI-to-human ratio, how to extend identity controls to AI users, builders, and autonomous agents, and what unified identity security looks like when it follows credentials across authentication boundaries instead of monitoring each layer independently.
5. How does Permiso help CISOs secure identities across all environments?
Permiso unifies identity visibility, posture management, and threat detection on a Universal Identity Graph that maps all human, non-human, and AI identities across identity providers, cloud infrastructure, SaaS, and CI/CD. Unlike single-layer tools, Permiso correlates identity sessions across authentication boundaries in real time. Its 1,500+ detection signals are built by P0 Labs from real-world breach response data against threat actors like LUCR-3 (Scattered Spider), giving CISOs one dashboard for identity risk and threat detection across every environment.