7 Identity Threats in 2025 That are Keeping CISOs Up at Night

Identity is now the number one attack vector. From leaked API keys to SaaS sprawl and deepfake scams, CISOs are facing rising threats in hybrid environments. And legacy defenses are not able to keep up.

Written by
Shabdita Pareek
Published on
Jul 23, 2025
www.redblock.ai/resources/blog/7-identity-threats-in-2025-that-are-keeping-cisos-up-at-night


It wasn’t too long ago that GitHub’s own secret scanning flagged more than 39 million leaked secrets across public repositories in a single year, many of them API keys and credentials granting direct access to AWS, Azure, and other cloud services. A leaked secret is a valid identity in the hands of whoever finds it, which is why cloud environments get compromised this way without a single exploit.

It is also no news that forgotten Active Directory service accounts, untouched for years yet still enabled, remain common. These orphaned accounts are a quiet threat: they give attackers pivot paths into on‑prem infrastructure that nobody is watching.

The GitHub numbers are not an isolated event. They point to a broader identity-security crisis: unmanaged service accounts and exposed API keys are now among the top identity‑centric attack vectors, and they are what keeps CISOs awake at night.

Here are others:

1. Compromised Credentials and Infostealer Malware

Attackers are flooding in through credential theft and reuse. They often gain access via infostealer malware that silently harvests saved logins, session cookies, and API tokens from employee devices, then resell or replay them.

The global Snowflake breach in mid‑2024 began with customer credentials harvested by infostealers, some of them years old. More than 160 customer environments, including AT&T, Ticketmaster, Santander, and Neiman Marcus, were accessed because the affected accounts had no MFA enforced.

According to Verizon’s DBIR, stolen credentials remain the number one breach vector and are behind nearly 80 percent of basic web application attacks. Stolen logs are cheap (often around $10 each on infostealer markets), plentiful, and devastating wherever MFA is absent or only partially enforced.
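Stolen credentials are replayed from the attacker’s infrastructure, not the victim’s laptop, and that is the signal a defender can work with. As an added example (not part of the original post and not Redblock’s product), the Python below runs an impossible-travel check over a constructed sample of sign-in events: two successful logins for the same user, far enough apart in space and close enough in time that no traveller could have made the trip, are treated as the same credential in two hands. The JSON field names, the sample IPs and coordinates, and the 1,000 km/h threshold are assumptions; in practice the coordinates come from a GeoIP lookup on the client IP in the IdP’s sign-in log.

```python
import json
import math
from datetime import datetime

# Constructed sample of sign-in events, reduced to the fields this check needs
# (an IdP such as Okta or Entra ID logs far more). IPs are from documentation
# ranges; lat/lon are what a GeoIP lookup on the client IP would return.
SAMPLE_LOG = """\
{"ts": "2025-07-01T08:00:00Z", "user": "alice", "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01, "result": "SUCCESS"}
{"ts": "2025-07-01T08:20:00Z", "user": "alice", "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40, "result": "SUCCESS"}
{"ts": "2025-07-01T09:00:00Z", "user": "bob", "ip": "203.0.113.20", "lat": 37.77, "lon": -122.42, "result": "SUCCESS"}
{"ts": "2025-07-01T15:00:00Z", "user": "bob", "ip": "203.0.113.21", "lat": 34.05, "lon": -118.24, "result": "SUCCESS"}
{"ts": "2025-07-01T09:10:00Z", "user": "carol", "ip": "192.0.2.5", "lat": 51.51, "lon": -0.13, "result": "FAILURE"}
{"ts": "2025-07-01T09:12:00Z", "user": "carol", "ip": "192.0.2.99", "lat": -33.87, "lon": 151.21, "result": "SUCCESS"}
"""

# Faster than this between two successful logins is not a person on a plane;
# it is one credential used from two places. Assumed threshold, tune per environment.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (mean Earth radius)."""
    r = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON-lines sign-in events into dicts with timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful logins per user that imply an implausible speed."""
    alerts = []
    last_success = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        # Failed attempts say nothing about where the real user is; credential
        # stuffing produces plenty of them from everywhere. Only successes count.
        if event["result"] != "SUCCESS":
            continue
        prev = last_success.get(event["user"])
        if prev is not None:
            hours = (event["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            # Two distant logins in the same second are the extreme case: infinite speed.
            kmh = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if kmh > max_kmh:
                alerts.append({
                    "user": event["user"],
                    "from_ip": prev["ip"],
                    "to_ip": event["ip"],
                    "km": round(km),
                    "minutes": round(hours * 60),
                    "kmh": round(kmh) if math.isfinite(kmh) else None,
                })
        last_success[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"{alert['user']}: {alert['from_ip']} -> {alert['to_ip']}, "
              f"{alert['km']} km in {alert['minutes']} min ({alert['kmh']} km/h)")
```

On the sample, alice is flagged (New York to Berlin in twenty minutes), bob is not (San Francisco to Los Angeles in six hours), and carol is not, because her London event is a failure and only one successful login establishes her location. Feed the same function a day of real IdP exports and the output is a short list worth a session revocation.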

2. Active Directory and Hybrid Identity Misconfigurations

Misconfigured Active Directory or federation settings can spill access into cloud environments, especially when on‑prem service accounts are synchronised to Entra ID (formerly Azure AD): a compromise on either side of the sync becomes a compromise on both.

In May 2024, Cisco Talos reported that 44 percent of the identity-based attacks it observed targeted Active Directory, exploiting MFA misconfigurations and over-privileged accounts.

A single compromised machine identity can be the first hop to full domain compromise. And hybrid identity missteps let attackers operate with valid credentials that blend into normal business traffic, with no exploit required.

3. API Key and OAuth Token Abuse

This one often gets overlooked, but once API keys or OAuth tokens leak, attackers can act at scale through legitimate API calls, frequently without triggering the alerts built for interactive logins. The U.S. Treasury incident is the reference case: a single API key was enough to reach administrative functions, and from there lateral movement and data exfiltration are short steps.

In December 2024, attackers obtained an API key for BeyondTrust’s Remote Support SaaS service, used it to reset passwords for local application accounts, and through those gained remote access to Treasury Department workstations. It is a clear case of how a single long-lived, over-scoped API key can harm critical institutions.


4. Non-Human Identity Explosion and Shadow Entitlements

This is alarming because for every human account, an enterprise may have dozens of machine identities: service accounts, bots, and agents. Many exist without IT’s knowledge. Untracked identities lead to privilege creep, unmonitored access, and hidden attack paths that stay invisible until they are exploited.

A June 2025 study reported by The Hacker News found that 46 percent of firms had suffered breaches tied to non-human identities. Attackers exploited hard-coded, ungoverned secrets in repositories, some of them months old (source: GitGuardian).
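Hard-coded secrets in repositories are found by the same means the attackers use: scanning. The Python below is an added example, not GitHub’s or GitGuardian’s scanner and not code from the original post, showing the two detection approaches such tools combine: exact patterns for well-known token formats (AWS access key IDs, GitHub tokens, Slack tokens, PEM private key headers) and a generic assignment pattern whose hits are confirmed by Shannon entropy, so that placeholders such as a repeated character are not reported. The sample repository is constructed; the AWS values are the example placeholders from AWS documentation, the GitHub token is an invented string that only matches the format, and the 3.0 bits/character threshold is an assumption.

```python
import math
import re

# Constructed sample "repository" (path -> contents). The AWS key ID and secret
# are the placeholder values from AWS documentation; the GitHub token is an
# invented string that only matches the token format; nothing here is live.
SAMPLE_REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = False\n"
    ),
    ".env": (
        'DB_PASSWORD="changeme"\n'
        "GITHUB_TOKEN=ghp_1234567890abcdefghijABCDEFGHIJ123456\n"
        'SESSION_SECRET="aaaaaaaaaaaaaaaaaaaaaaaa"\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "placeholderkeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set API_KEY in your environment before running.\n",
}

# Well-known token formats: a match is high confidence on its own.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Anything else shaped like `secret_name = "value"` is only a candidate; the
# entropy of the value decides whether it is reported.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b[A-Z0-9_]*(?:secret|password|passwd|api[_-]?key|key|token)[A-Z0-9_]*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.0  # bits per character (assumed); "aaaa..." is 0, real keys exceed 3.5


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a single repeated character)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Never echo a full secret into a report; keep a short prefix for triage."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path, text):
    """Return findings for one file: path, 1-based line, rule name, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        spans = []
        for rule, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                spans.append(m.span())
                findings.append({"path": path, "line": lineno, "rule": rule, "value": mask(m.group())})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            start, end = m.span(1)
            # A value already reported by a specific rule is not reported twice.
            if any(start < e and s < end for s, e in spans):
                continue
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "rule": "generic_high_entropy", "value": mask(value)})
    return findings


def scan_repo(files):
    """files: mapping of path -> text contents. Findings come back in path, then line, order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['value']}")
```

On the sample the scanner reports the AWS key ID, the AWS secret (caught by the generic rule on entropy alone), the GitHub token and the private key header, and stays silent on `DB_PASSWORD="changeme"` (too short for the generic rule) and on the all-`a` session secret (entropy 0). Run it as a pre-commit or pre-merge gate; anything it finds after a push to a public remote should be treated as already compromised and rotated, not deleted from history.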

5. SaaS Sprawl and Concentration Risk

In April 2025, JPMorgan Chase’s CISO, Patrick Opet, published an open letter to third-party vendors warning about concentration risk and API sprawl. The letter argued that SaaS integration has far outgrown the identity controls it was designed around, and that token-based integrations between vendors now routinely bypass them.

In a webinar hosted by Redblock CEO Indus Khaitan, Gopi Ramamoorthy, Head of CyberSecurity and AI Security at Symmetry Systems noted that in traditional on-prem setups, CISOs had near-total control over their software and systems. With the rise of SaaS, that control has shifted. Now, up to 80% of the stack lives in third-party platforms, leaving it outside direct oversight. This lack of visibility creates blind spots where misconfigurations and threats can go unnoticed. Frequent vendor updates only add to the challenge.

To make matters worse, those updates can silently reset security settings or override custom configurations, turning a secure posture into a moving target. CISOs are left playing catch-up with limited visibility and control over a major part of their attack surface.

Watch the full webinar in which Steve Zalewski, former CISO of Levi Strauss & Co., Indus Khaitan, CEO of Redblock, and Gopi Ramamoorthy unpack Patrick Opet’s open letter and analyze SaaS security risks.

6. Deepfake and AI-Powered Identity Fraud

One of the emerging threats keeping CISOs up at night is voice cloning and AI-assisted impersonation, which are being used to bypass verification controls in finance and HR.

In early 2024, a finance employee at Arup in Hong Kong was scammed out of approximately HK$200 million (about US$25 million) after joining a video call with deepfake versions of the company’s CFO and colleagues.

This is an alarming example of how synthetic identity attacks are evolving. Such fraud does not break MFA; it sidesteps it by targeting the human verification step, defeating call-back checks, phone verification, and anything that relies on recognising a colleague, and turning a trusted voice or face into the attacker’s weapon.

7. Dormant Accounts and Privilege Creep

Accounts belonging to retirees and former vendors, and expired service credentials, often remain active indefinitely. These dormant accounts are easy to exploit because they are rarely monitored and often missed during audits.

In July 2024, a retired admin account in the Dutch police registry that retained elevated privileges exposed 63,000+ officer records.

These identity threats map onto the three core issues in Opet’s letter: the erosion of traditional perimeter controls, the need for continuous telemetry, and the insistence that vendors be accountable for security built in by default.

What Should Organizations Do? 

Here’s how organizations can get ahead of rising identity risks:

1. Inventory and audit all identities - Start by inventorying every identity, human and non-human, across Active Directory, Entra ID, Okta, and SaaS tenants, and record an owner for each. An identity with no owner is a finding in itself.

2. Run regular privilege reviews - Review privileges on a fixed cadence and log service account activity in detail, so that an account acting outside its usual pattern is spotted early.

3. Enforce Strong, Context-Aware MFA - Enforce strong, preferably phishing-resistant, multi-factor authentication everywhere. Block single-factor logins and adopt risk-adaptive MFA that denies access when location, device, or behavior looks suspicious.

4. Treat API keys like passwords - Keep API keys in a vault, rotate them on a schedule, and restrict each key by scope, source, and lifetime. Long-lived static keys with broad permissions are a no-go; that is exactly what the BeyondTrust incident turned into a breach.

5. Identity Detection & Response (IDR) - Implement Identity Detection & Response to baseline identity behavior, flag anomalies such as agent-driven actions, impossible travel, or unusual context, and enable policy-driven auto-remediation such as session revocation or key disablement.

These steps are critical to defending against modern identity-based attacks in increasingly complex hybrid environments.
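The five steps above are mostly a matter of running the right checks on a schedule. As an added example, not code from the original post or from Redblock, here is an audit of an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns) that covers steps 1, 2 and 4 for one cloud account: it inventories users and their keys, flags console users without MFA, active access keys older than 90 days, active keys that have never been used, accounts with no activity for 90 days, and any access key on the root account. The report is a constructed sample reduced to the columns the audit reads; the 90-day and 30-day thresholds are assumptions, and the reference date is fixed to this post’s publication date so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `aws iam get-credential-report`. The real
# report carries more columns; only the ones this audit reads are included.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T10:00:00+00:00,not_supported,2025-07-20T09:00:00+00:00,true,true,2020-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-05-10T08:00:00+00:00,true,2025-07-22T07:30:00+00:00,true,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-01-15T08:00:00+00:00,true,2025-07-21T16:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2021-06-01T00:00:00+00:00,false,no_information,false,true,2021-06-01T00:00:00+00:00,2025-07-22T02:00:00+00:00,false,N/A,N/A
jdoe-contractor,arn:aws:iam::123456789012:user/jdoe-contractor,2023-09-01T09:00:00+00:00,true,2024-11-02T11:00:00+00:00,false,true,2023-09-01T09:00:00+00:00,2024-11-01T10:00:00+00:00,false,N/A,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2020-02-02T00:00:00+00:00,false,N/A,false,true,2020-02-02T00:00:00+00:00,N/A,false,N/A,N/A
"""

# Assumed policy thresholds; align them with your own standard.
DORMANT_AFTER = timedelta(days=90)   # no password or key use for this long
ROTATE_AFTER = timedelta(days=90)    # active key older than this needs rotation
UNUSED_GRACE = timedelta(days=30)    # an active key never used after this is dead weight

# Fixed reference date (the post's publication date) so the sample audit is reproducible.
NOW = datetime(2025, 7, 23, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return a list of (user, rule) findings for one account's credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        created = parse_ts(row["user_creation_time"])
        if user == "<root_account>":
            # Root should have no access keys at all; that is the only root check here.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root_access_key_active"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console_no_mfa"))
        last_activity = parse_ts(row["password_last_used"])
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > ROTATE_AFTER:
                findings.append((user, f"stale_access_key_{n}"))
            if used is None and now - created > UNUSED_GRACE:
                findings.append((user, f"active_key_never_used_{n}"))
            if used is not None and (last_activity is None or used > last_activity):
                last_activity = used
        # Dormancy is judged on the most recent of console and key activity; an
        # account that has never done anything is dormant once past the window.
        if last_activity is None:
            if now - created > DORMANT_AFTER:
                findings.append((user, "dormant"))
        elif now - last_activity > DORMANT_AFTER:
            findings.append((user, "dormant"))
    return findings


def findings_by_user(findings):
    """Group (user, rule) pairs into {user: [rules]} preserving order."""
    grouped = {}
    for user, rule in findings:
        grouped.setdefault(user, []).append(rule)
    return grouped


if __name__ == "__main__":
    for user, rules in findings_by_user(audit_credential_report(SAMPLE_REPORT, NOW)).items():
        print(f"{user}: {', '.join(rules)}")
```

On the sample, alice is clean; bob is a console user without MFA; svc-backup is in use but its key has not been rotated in four years; jdoe-contractor has no MFA, a stale key, and no activity since last November; and svc-legacy is the classic orphan, a key that was never used and an account nobody has touched. The same shape of audit applies to Entra ID or Okta exports; only the column names change.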

Final Word

Identity attacks have become the central battlefield in cybersecurity. Against hybrid identity misconfigurations, stolen API tokens, deepfakes, and “invisible” SaaS agents, classic patch-and-prevent models are no longer enough. Real security therefore demands:

  • A shift in mindset, from perimeter defense to identity-first resilience.
  • Investment in continuous monitoring and smart controls.
  • Vendor accountability and mutual responsibility baked into SaaS contracts.

CISOs must wake up. The safety of modern enterprises depends on managing all identities, human or not, as real liabilities. Missing even one is like opening a door for attackers.

Ready to see Redblock in Action? 

Experience the Future of AI-driven Identity Security with Redblock.


AI-Powered Automation

Witness how quickly Redblock’s AI runs the user lifecycle, and removes threats from weeks to mere minutes.

Eliminate Manual Effort

Experience automated identity security workflows, cutting IT tickets, and tedious manual tasks for good.

Integrate Seamlessly

Discover effortless integrations with your IGA, IAM, PAM, and NHI solutions.