Why Enterprises Must Rethink Trust From the Inside Out


In modern enterprise environments, credential compromise serves as the dominant pathway for breaches. The rise of techniques such as deepfake technology and job candidate fraud exposes gaps in identity security that cannot be closed by measures like passwords and multi-factor authentication (MFA).

Data from the FBI’s Internet Crime Complaint Center (IC3) reveals that losses to cybercrime exceeded $16 billion in 2024, reflecting the systemic failure of perimeter-centric identity strategies. A recent white paper from Omdia and ID Dataweb, “Controlling Identity Risk: Detecting and Mitigating Identity Threats,” explores the ongoing crisis in identity security.

Why Traditional IAM Has Reached Its Limits

The legacy tools and measures of traditional identity and access management (IAM) are no longer sufficient to protect users and enterprises against modern threats. There is a growing structural mismatch between the capabilities of static credential frameworks and the danger presented by dynamic, AI-assisted threat actors. Point-in-time verification provides false assurance: it assesses an identity once and fails to account for the window between authentication and compromise.

Organizational silos are a force multiplier for attacker success across the workforce, third-party, and customer channels. The more separated and isolated different areas of the enterprise network are from each other, the more difficult it is to obtain the necessary visibility and control over the entire landscape. Supply chain and third-party risks are also compounded by unanswered questions of governance and visibility.

The Maturity Model: From Credentials to Continuous Intelligence

It is crucial for modern enterprises and defenders to shift their approach to identity and verification in order to be prepared for dynamic threats in the age of AI. The Omdia paper outlines a four-stage progression in identity verification maturity:

  • Credential-Only Authentication: operates under the assumption that usernames and passwords are adequate to grant access to apps and networks.
  • Step-Up Authentication: incorporates additional authentication like 2FA/MFA to augment credentials in high-risk interactions.
  • Identity Verification (IDV): moves to prioritizing verification of the person behind the credential, confirming the user’s identity with point-in-time checks against photo ID, government records, or personal knowledge questions.
  • Identity Threat Detection and Risk Mitigation: acknowledges that IDV can be bypassed and implements a holistic, multi-layered approach that fully analyzes transactions and activity.

Measures like adaptive verification, behavioral analytics, and risk scoring close the gap between identity issuance and ongoing trust. Feedback loops and machine learning play significant roles in refining decision engines over time to ensure the ongoing success of these systems.

Building a Holistic Identity Risk Architecture

Truly effective IAM in the modern threat and technology landscape requires the implementation of several core capabilities: flexible orchestration, authoritative data access, infrastructure resilience, and privacy preservation. A unified platform across all identity use cases reduces complexity, cost, and enterprise-wide exposure by ensuring full visibility and coordination to counter increasingly siloed environments. It is important to align solution architecture to divergent risk tolerances across business units without fragmenting the security posture.

Experts stress the importance of implementing measures that can mitigate the scope of the damage done in the event of a compromised identity. “Privileged access management restores control by limiting user actions, verifying every request, and maintaining detailed activity records that strengthen accountability,” says Shane Barney, Chief Information Security Officer at Keeper Security. “This is not a compliance exercise but a fundamental component of risk management that enables faster containment and recovery when incidents occur.”

Protecting against rising AI-empowered identity threats like advanced phishing and deepfake technology also requires a shift in how users are trained to respond to potentially suspicious communications, and in how the company responds to them when they do. “Organizations need to normalize ‘see something, say something’ behavior and make verification frictionless,” according to Mika Aalto, Co-Founder and CEO at Hoxhunt. “Behavioral monitoring tools can help flag unusual actions, but the real challenge is cultural: giving employees confidence that slowing down to verify is expected, supported, and reinforced through Human Risk Management practices.”

From Identity Verification to Identity Resilience

Ensuring ongoing success against identity risk in the coming years demands a strategic reframe of identity security as a continuous operational discipline rather than strictly a gatekeeping function. Verifying the person behind the credential across the full identity lifecycle means implementing advanced, dynamic measures in areas including “adaptive identity verification, behavioral analytics, device and credential intelligence, and risk scoring,” as outlined in the Omdia white paper. Going forward, the industry must define the organizational and technical prerequisites for enterprises that are ready to make the transition, in order to establish a baseline standard.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.