
Why Identity Has Become the New Security Perimeter

The biggest breaches of the last five years share one pattern: the entry point was a credential, not a vulnerability. Identity is now the perimeter. Here is what that means for every organisation still investing in the wrong defences.

Xcademia Research Team
Jun 27, 2026
12 min read

The network perimeter did not disappear. It moved - to every user, every device, and every access request your organisation processes each day.

In 2020, attackers compromised SolarWinds' build pipeline and distributed malicious updates to approximately 18,000 organisations. They did not breach a firewall. They did not exploit a vulnerability in a network perimeter device. They used a legitimate software vendor's trusted update mechanism and, once inside the target environments, moved laterally using credentials that appeared entirely normal to every security tool monitoring the network. In 2022, Uber was compromised when an attacker obtained a contractor's credentials through social engineering, bypassed multi-factor authentication by fatigue-bombing the user's phone with approval requests until one was accepted, and then moved through internal systems using legitimate access. In 2024, the Change Healthcare breach - which disrupted healthcare billing and payments across the United States for weeks - originated through compromised credentials on a Citrix portal with no multi-factor authentication in place.

Three incidents. Three different organisations, sectors, and threat actor profiles. One consistent pattern: the initial access in every case was an identity, not a vulnerability. A credential, not a CVE.

This is not a coincidence. It is a structural shift in how attackers operate, and it has permanently changed what the security perimeter means.

The Perimeter That No Longer Exists

The traditional security model was built on a geography assumption: everything inside the network boundary is trusted, everything outside is not. The firewall was the gate. VPNs extended the castle walls to remote users. Network segmentation divided the interior into zones. Security investment flowed into the boundary - next-generation firewalls, intrusion detection systems, network access control - because the boundary was where the threat was expected to arrive.

That model was already weakening before 2020. Cloud migration moved workloads outside the network perimeter. SaaS adoption placed critical business data in a third-party infrastructure that no firewall controls. Remote work expanded the perimeter to include every home office, coffee shop, and hotel room where employees worked. The attack surface ceased to have a meaningful edge.

What COVID-19 did was accelerate this dissolution from a gradual erosion into an overnight collapse. Organisations that had spent a decade defending a perimeter found themselves with tens of thousands of remote users connecting from unmanaged devices across uncontrolled networks. The perimeter did not expand quickly enough to match the way organisations now operate. As cloud services, remote work and SaaS adoption accelerated, the traditional network boundary became progressively less relevant as a security control.

What replaced it was not a new boundary in the same sense. What replaced it was identity - the verification of who is requesting access, from what context, with what authorisation, to what resource. Identity became the control point because it was the only control point that travelled with the user and the workload, regardless of where either was located.

The Scale of the Identity Attack Surface

Most organisations significantly underestimate the size of their identity attack surface because they think of it in terms of employees. But the identity population in a modern enterprise is far larger and far more complex than the headcount on the HR system.

Human identities - employees, contractors, third-party suppliers, and temporary workers - represent only a fraction of the total. Non-human identities - service accounts, API keys, application credentials, machine tokens, and automated pipeline identities - frequently outnumber human accounts by a factor of ten or more in mature cloud environments. A large financial institution might have 20,000 employees and 200,000 service accounts. The security posture of those service accounts - how they are provisioned, what access they hold, how their credentials are managed, whether they are ever deprovisioned - determines the real attack surface more than almost any other factor.

The problem is compounded by how credentials accumulate. Joiner, mover, and leaver processes that work adequately for human accounts fail systematically for non-human identities. Service accounts are created for a specific integration, granted broad permissions to avoid debugging complexity, and then never reviewed or revoked when the integration changes. API keys are generated for a short-term project and remain valid for years. A penetration tester conducting a real engagement in 2026 will find, in almost every large enterprise, a catalogue of stale credentials, overprivileged service accounts, and forgotten API keys that represent a persistent, unmonitored attack surface of significant scale.

This is the identity sprawl problem - and it is the gap that most security programmes have not yet closed, even in organisations that have invested heavily in identity infrastructure.

Every identity is a potential access path. Modern security depends less on protecting the network and more on governing trust.


Why Attackers Moved to Identity

Attackers follow the path of least resistance. For most of the 2000s and early 2010s, that path ran through software vulnerabilities: unpatched systems, exploitable services, web application weaknesses. The security industry responded by improving patch management, deploying vulnerability scanners, and building the vulnerability management programmes that now run in most mature organisations.

The response worked - not perfectly, but well enough to raise the cost of vulnerability exploitation significantly. Credential theft and identity-based attacks, by contrast, require no zero-day exploit. They require a phishing email, a password spray, a credential from a previous breach (reused passwords remain disturbingly common), or social engineering of a user or help desk. The investment required to mount an identity-based initial access campaign is a fraction of the investment required to develop and weaponise a novel software exploit. The success rate, given the state of credential hygiene and MFA adoption in most organisations, is significantly higher.

The economics of this shift are stark. Unit 42's 2026 Incident Response Report found that identity weaknesses played a material role in almost 90% of investigations. The Verizon DBIR consistently shows stolen credentials as the leading initial access vector. This is not a temporary pattern. It is the current optimal attack strategy, and it will remain so as long as identity security lags behind perimeter security investment.

Defenders got better at closing the windows. So attackers moved to the doors.

What Identity as the Perimeter Actually Requires

Understanding that identity is the new perimeter is the easy part. The harder part is understanding what that means in operational terms - because the answer is not simply "buy an identity provider and enable MFA." The organisations that have suffered significant identity-based breaches in the last three years had identity infrastructure in place. What they lacked was the operational rigour that makes identity infrastructure effective.

Least privilege at scale

The principle of least privilege - granting accounts only the access they need for their specific function - is conceptually simple and operationally very difficult. In practice, least privilege requires knowing what access every identity in the environment holds, what access they actually need, and building the processes to maintain that alignment over time as roles change and systems evolve. Most organisations have a significant gap between what their role definitions say and what their accounts actually have access to. Privilege creep - the accumulation of access rights over time as new permissions are added and old ones are never removed - is endemic. Closing that gap requires not a one-time remediation project but a continuous process backed by automated tooling and meaningful governance.

Conditional access and context-aware authentication

Static authentication - a username and password combination - is no longer adequate as a sole gate for resource access, even when augmented with basic MFA. The more sophisticated approach, now standard in mature identity programmes, is conditional access: evaluating not just whether a credential is valid but whether the context of the access request is consistent with expected behaviour. Is the user accessing from a managed, compliant device? Is the location consistent with their normal pattern? Is the time of access unusual? Is the requested resource sensitive enough to require step-up authentication? Conditional access policies, properly constructed, allow organisations to apply friction proportionate to risk rather than applying the same authentication gate to a low-sensitivity internal wiki and a privileged administrative console.
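The policy logic described above - scoring device state, location and time against a user's baseline, then applying friction proportionate to the sensitivity of the resource - as an added illustration written for this article, not any vendor's conditional access engine. The users, baselines, resource tiers and thresholds are constructed.

```python
from dataclasses import dataclass

# Constructed illustration of a conditional access policy engine, not any vendor's.
@dataclass
class AccessRequest:
    user: str
    resource: str
    device_managed: bool
    device_compliant: bool
    country: str
    hour_utc: int      # 0-23
    mfa_method: str    # e.g. "push", "sms", "fido2", "passkey"
# Constructed baseline of each user's normal context, and resource sensitivity tiers
BASELINES = {"alice": {"countries": {"GB"}, "hours": range(7, 20)}}
RESOURCE_TIER = {"internal-wiki": 1, "hr-portal": 2, "admin-console": 3}
PHISHING_RESISTANT = {"fido2", "passkey"}

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is 'allow', 'step-up' or 'deny'.
    Friction grows with resource sensitivity and with distance from the baseline."""
    reasons: list[str] = []
    tier = RESOURCE_TIER.get(req.resource, 3)   # unknown resource treated as sensitive
    baseline = BASELINES.get(req.user)
    risk = 0
    if not req.device_managed:
        risk += 2
        reasons.append("unmanaged device")
    elif not req.device_compliant:
        risk += 1
        reasons.append("non-compliant device")
    if baseline is None:
        risk += 2
        reasons.append("no behavioural baseline for user")
    else:
        if req.country not in baseline["countries"]:
            risk += 2
            reasons.append(f"unusual country {req.country}")
        if req.hour_utc not in baseline["hours"]:
            risk += 1
            reasons.append(f"unusual hour {req.hour_utc:02d}:00 UTC")
    # Hard rules for the privileged tier are evaluated before the risk score
    if tier == 3 and not req.device_managed:
        reasons.append("privileged resource from unmanaged device")
        return "deny", reasons
    if tier == 3 and req.mfa_method not in PHISHING_RESISTANT:
        reasons.append("privileged resource requires phishing-resistant MFA")
        return "step-up", reasons
    if risk + tier >= 4:
        reasons.append(f"risk {risk} plus tier {tier} reaches step-up threshold")
        return "step-up", reasons
    return "allow", reasons
```

The same push-approved session that is fine for the wiki is stepped up for the HR portal when it arrives from an unusual country at 03:00, and is denied outright for the admin console from an unmanaged device.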

MFA that is resistant to modern bypass techniques

Multi-factor authentication is necessary but not sufficient. MFA fatigue attacks - flooding a user with authentication push notifications until exhaustion produces an accidental or deliberate approval - have been used successfully against organisations that had strong MFA policies on paper. SIM-swapping attacks undermine SMS-based second factors. Adversary-in-the-middle phishing toolkits can intercept both credentials and session tokens in real time. The MFA implementations that are resistant to these techniques are phishing-resistant: FIDO2 hardware keys, passkeys bound to a specific device and origin. Moving from any MFA to phishing-resistant MFA is one of the highest-return identity security investments available, and one that most organisations have not yet made.
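A detection for the MFA fatigue pattern just described - a burst of denied or unanswered push prompts followed by an approval - as an added example written for this article, not from any identity provider's product. The log format, user names and addresses are constructed; the window and threshold are tunable assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real product).
SAMPLE_LOG = """\
2026-06-27T09:12:01Z user=bob method=push result=denied ip=203.0.113.5
2026-06-27T09:12:20Z user=bob method=push result=timeout ip=203.0.113.5
2026-06-27T09:12:41Z user=bob method=push result=denied ip=203.0.113.5
2026-06-27T09:13:02Z user=bob method=push result=denied ip=203.0.113.5
2026-06-27T09:13:25Z user=bob method=push result=approved ip=203.0.113.5
2026-06-27T09:15:00Z user=carol method=push result=denied ip=198.51.100.9
2026-06-27T09:40:00Z user=carol method=push result=approved ip=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) method=(\S+) result=(\S+) ip=(\S+)$")

def parse(line):
    """Split one constructed log line into (timestamp, user, method, result)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return alerts as (user, timestamp, kind). 'push-burst' fires once when a
    user accumulates >= threshold unaccepted pushes inside the sliding window;
    'approval-after-burst' fires when an approval lands while such a burst is open."""
    recent = defaultdict(deque)   # user -> timestamps of denied/timeout pushes in window
    burst_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts, user, method, result = parse(line)
        if method != "push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:   # expire prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in burst_flagged:
                alerts.append((user, ts, "push-burst"))
                burst_flagged.add(user)
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append((user, ts, "approval-after-burst"))
            q.clear()
            burst_flagged.discard(user)
    return alerts
```

On the sample, bob's four unaccepted prompts in under two minutes raise the burst alert, and the approval at 09:13:25 raises the second; carol's single denial 25 minutes before her approval has expired from the window and produces nothing.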

Non-human identity governance

Service accounts and machine identities require the same governance rigour as human accounts - arguably more, because they are less visible and rarely subject to the same lifecycle processes. Every service account should have a documented owner, a defined scope of access, a credential rotation schedule, and a deprovisioning trigger. In most organisations, none of these things exist systematically. Building non-human identity governance from the existing state - which typically involves discovering what service accounts actually exist before any governance programme can be applied - is one of the most practically complex identity security challenges in 2026.
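An audit that checks each service account against the four requirements listed above (documented owner, defined scope, rotation schedule, deprovisioning trigger) and, for the least-privilege section earlier, compares actual grants against the role definition to surface privilege creep. This is an added example written for this article, not a product feature; the inventory, role definitions and dates are constructed.

```python
from datetime import date

# Constructed sample data (not from any real environment).
TODAY = date(2026, 6, 27)
# What each role definition says the account needs
ROLE_SCOPE = {
    "billing-sync": {"billing:read"},
    "ci-deployer": {"deploy:write", "artifacts:read"},
    "legacy-etl": {"warehouse:read"},
}
# What the accounts actually hold
INVENTORY = [
    {"name": "svc-billing-sync", "role": "billing-sync", "owner": "payments-team",
     "grants": {"billing:read"}, "last_rotated": date(2026, 5, 1),
     "rotation_days": 90, "integration_active": True},
    {"name": "svc-ci-deployer", "role": "ci-deployer", "owner": "platform-team",
     "grants": {"deploy:write", "artifacts:read", "iam:*"}, "last_rotated": date(2025, 11, 3),
     "rotation_days": 90, "integration_active": True},
    {"name": "svc-legacy-etl", "role": "legacy-etl", "owner": None,
     "grants": {"*"}, "last_rotated": date(2023, 2, 14),
     "rotation_days": 90, "integration_active": False},
]

def audit_account(acct, today):
    """Return findings covering owner, deprovisioning, rotation and scope."""
    issues = []
    if not acct["owner"]:
        issues.append("no documented owner")
    if not acct["integration_active"]:
        issues.append("integration retired but account never deprovisioned")
    age = (today - acct["last_rotated"]).days
    if age > acct["rotation_days"]:
        issues.append(f"credential {age} days old; schedule is {acct['rotation_days']} days")
    extra = acct["grants"] - ROLE_SCOPE.get(acct["role"], set())
    if extra:  # privilege creep: grants beyond the role definition
        issues.append("grants beyond role definition: " + ", ".join(sorted(extra)))
    if any(g == "*" or g.endswith(":*") for g in acct["grants"]):
        issues.append("wildcard grant present")
    return issues

def audit(inventory, today=TODAY):
    """Map account name -> findings, accounts with the most findings first."""
    report = {a["name"]: audit_account(a, today) for a in inventory}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))
```

The retired, ownerless ETL account with a wildcard grant sorts to the top; the deployer account is well owned but has an overdue credential and an `iam:*` grant that nobody's role definition asked for.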

Privileged access management

Administrative accounts - the accounts that can modify systems, deploy code, change configurations, and access sensitive data - represent the highest-value identity targets. A threat actor who obtains a privileged credential has not gained access to one system; they have often gained access to many. Privileged access management - vaulting privileged credentials, requiring just-in-time access elevation rather than persistent administrative access, recording privileged sessions, and reviewing privileged access grants - is the control that most limits the blast radius of a successful identity compromise. It is also the control that creates the most operational friction and therefore requires the most careful implementation to achieve adoption.

The Governance and Regulatory Dimension

Identity security is not only a technical discipline. It carries governance obligations that are becoming progressively harder to ignore.

NIS2, which came into force across EU member states in 2024, includes specific requirements for access control and authentication for operators of essential services. DORA - the Digital Operational Resilience Act applying to financial entities in the EU - requires demonstrable identity and access management controls as part of ICT risk management. The FCA's operational resilience framework in the UK implicitly requires robust identity controls to protect important business services. ISO 27001:2022 added significantly more specific access control and identity management requirements in its revision.

The accountability dimension is personal as well as organisational. CISOs in regulated sectors who cannot demonstrate that their organisation's identity controls meet regulatory expectations are not just exposing the organisation to fines. They are exposing themselves to personal accountability for failures that were foreseeable and preventable. The identity breach that occurs in an organisation without phishing-resistant MFA, without a privileged access management programme, and without non-human identity governance is not an unforeseeable incident. It is a predictable consequence of a known gap - and regulators are beginning to treat it that way.

The Technology Stack Is Not the Programme

The identity security market is mature, well-funded, and full of capable products. Microsoft Entra ID, Okta, CyberArk, BeyondTrust, SailPoint, Saviynt, and a growing field of non-human identity management platforms provide the tooling required to build a capable identity security programme. Most large organisations have already procured and deployed several of these platforms.

The gap in most organisations is not the technology. It is the programme rigour that makes the technology effective. An identity provider deployed without a joiner-mover-leaver process produces an organisation with a sophisticated authentication platform sitting in front of a directory full of stale accounts. A privileged access management vault deployed without a policy requiring its use produces a vault with most privileged credentials inside it and administrators who continue to use service account passwords stored in a spreadsheet. A conditional access policy framework built by the identity team and never validated against actual user behaviour produces a set of policies full of exceptions and workarounds that undermine the very controls they were designed to enforce.

Building an effective identity security programme requires treating identity as a discipline with its own strategy, its own governance, its own metrics, and its own maturity model - not as a feature of the directory service that the infrastructure team manages alongside DNS and DHCP.

The New Security Reality

The identity perimeter is the only perimeter that travels with the user, the workload, and the data regardless of where any of them are located. Organisations that still think of security as a boundary around a network are defending a geography that no longer determines where attacks occur or where they succeed. The evidence from the last five years of significant breaches is consistent: the entry point was an identity, and the damage was determined by what that identity could reach.

The organisations that close this gap are the ones that treat identity with the same investment seriousness, the same governance rigour, and the same programme maturity that they have applied to endpoint security and network security over the last decade. The ones that do not will continue to appear in breach disclosures - not because their firewalls failed, but because their identity programmes were not built to match the threat.

Build Identity Security Capability With Xcademia

Xcademia's XCSP programme covers identity and access management as a core component of enterprise security architecture, including privileged access management, conditional access design, non-human identity governance, and identity incident response. Built for security professionals building programme-level capability rather than tool-level familiarity.
