Cyberwire Daily

When Identity is the Attack Path

By Team-CWD | May 30, 2026


Consider a cached access key on a single Windows machine. It got there the way most cached credentials do – a user logged in, and the key stored itself automatically. Standard AWS behavior. No one misconfigured anything or violated a policy. Yet that single key, which was easily accessible to a minor-league attacker, could have opened a path to some 98% of entities in the company’s cloud environment – nearly every critical workload the business depended on. 

This real-world exposure was caught before an attacker could use it. But the takeaway is clear: identity itself, and every permission it carries, has become the attack path.

Your environment runs on identity. Active Directory, cloud identity providers, service accounts, machine identities, and AI agents – all of these carry permissions that span systems and trust boundaries. A single stolen credential hands the attacker a legitimate identity – along with every permission attached to it. 

Despite this, most security programs still treat identity as a perimeter control – something to protect through authentication and access policies. Yet the real risk starts inside the front door. Once an attacker has a foothold, identity is what lets them advance, cross boundaries, and reach critical assets. Because identity is not a perimeter – it’s a highway that runs through every layer of your environment.

In this article, we’ll look at how cached credentials, excessive permissions, and forgotten role assignments can turn into attack paths across hybrid environments – and why the tools designed to catch them keep missing.

The Attack Path Runs Through Identity

The cached access key from that opening scenario is just one example of a much larger phenomenon. Across hybrid environments, identity

One Active Directory group membership that no one reviewed gives an attacker on a retail endpoint a direct path to the corporate domain. A developer SSO role provisioned for a cloud migration keeps its permissions long after the project wraps, giving anyone who compromises that identity a four-step route from developer access to production admin. What makes these real-world examples so dangerous is how they connect. That cached credential on the retail endpoint led to an overprivileged role in Active Directory, which led to a cloud workload with an attached admin policy. Together, the links in this type of identity exposure chain form a single attack path – from an initial foothold to a critical asset. 

How prevalent is this? Palo Alto found that identity weaknesses played a serious role in nearly 90% of its 2025 incident response investigations. And given the prevalence of AI agents taking on enterprise workloads, those numbers are likely to go up. SpyCloud’s 2026 Identity Exposure Report flagged non-human identity theft as one of the fastest-growing categories in the criminal underground, with a third of recovered non-human credentials tied to AI tools. 

What happens when one of those non-human identities carries admin-level permissions? Consider a dev team that configures an MCP server with high-level permissions so their AI tooling can operate across systems. The AI agent using the MCP server inherits those privileges as its own identity. A vulnerability in the open-source tooling can easily hand an attacker the permissions that agent holds. From there, the path runs straight into cloud resources, databases, and production infrastructure. The credentials that make this possible are exactly the kind found circulating in criminal marketplaces by the millions.

Why the Tools Keep Missing

Clearly, the threat of identity exposures is not a new one. Yet the identity tools most organizations still rely on were built to solve specific problems in isolation – and in a different threat era. 

IGA platforms manage user lifecycle – provisioning, deprovisioning, access reviews, and more. PAM solutions store privileged credentials and monitor sessions. Each of these tools does its job in isolation. But none of them can map how identity exposures chain together across endpoints, Active Directory, and cloud environments into a single exploitable route.

This is why the rates of identity-based incidents keep climbing even as security spending grows. The IBM X-Force 2026 Threat Intelligence Index found that stolen or misused credentials accounted for 32% of incidents – the second most common initial access vector. Today’s attackers don’t need to write malware or exploits; they can just log in.

The vast majority of these identity-based exposures are entirely preventable. In fact, Palo Alto found that over 90% of the breaches its teams investigated in 2025 were enabled by exposures that existing tools should have caught. The organizations had the tools and the staff. Yet the gaps persisted because no single tool had visibility into how identity exposures chained together across environments into attack paths. 

Closing the Gap

Until security programs can connect identity, permissions, and access controls into a unified view of how an attacker actually moves, identity will remain one of the easiest ways to compromise critical assets. 

Every scenario in this article follows the same structure: a credential, permission, or role assignment that no single tool flags as dangerous creates a traversable path from a low-level foothold to a critical asset. The path only becomes visible when identity, access policies, and environment context are mapped together.
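The following added example (not code from the article or from any vendor) models the retail-endpoint chain described earlier as a graph, and shows that no single tool's view contains a route to the asset while the merged view does. All node names, relationship labels and the second route through `local-service-account` are constructed assumptions; the example goes beyond the article by also listing which edges, if removed alone, close every route.

```python
from collections import deque

# Constructed inventory; every node and relationship name is hypothetical.
# Each tool exports only the edges it can see: (from, to, relationship).
SOURCES = {
    "endpoint": [
        ("retail-endpoint", "cached-credential", "stores"),
        ("retail-endpoint", "local-service-account", "runs_as"),
    ],
    "active_directory": [
        ("cached-credential", "ad-role-overprivileged", "authenticates_as"),
        ("local-service-account", "ad-role-overprivileged", "member_of"),
    ],
    "cloud": [
        ("ad-role-overprivileged", "cloud-workload", "can_access"),
        ("cloud-workload", "admin-policy", "attached_policy"),
        ("admin-policy", "production-database", "allows"),
    ],
}

def build_graph(source_names):
    """Merge the edge lists of the chosen sources into one adjacency map."""
    graph = {}
    for name in source_names:
        for src, dst, rel in SOURCES[name]:
            graph.setdefault(src, []).append((dst, rel, name))
    return graph

def find_path(graph, foothold, asset, skip=None):
    """Breadth-first search; returns the shortest hop list, or None."""
    queue, seen = deque([(foothold, [])]), {foothold}
    while queue:
        node, hops = queue.popleft()
        if node == asset:
            return hops
        for dst, rel, source in graph.get(node, []):
            if dst not in seen and (node, dst) != skip:
                seen.add(dst)
                queue.append((dst, hops + [(node, rel, dst, source)]))
    return None

def breaking_edges(graph, foothold, asset):
    """Edges on the found path whose removal alone leaves no route at all."""
    path = find_path(graph, foothold, asset) or []
    return [(s, d) for s, _, d, _ in path
            if find_path(graph, foothold, asset, skip=(s, d)) is None]

if __name__ == "__main__":
    for view in (["endpoint"], ["active_directory"], ["cloud"], list(SOURCES)):
        hops = find_path(build_graph(view), "retail-endpoint", "production-database")
        print(view, "->", "no path" if hops is None else f"{len(hops)}-hop path")
```

In this constructed data, removing the cached credential alone does not close the path because the service account reaches the same role; only the cloud-side edges are single points where the route can be cut.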

Security programs that map those connections across hybrid environments can close identity-based attack paths before an attacker chains them. Programs that keep treating identity as a perimeter problem will continue losing ground to attackers who already know it’s a highway.

Note: This article was thoughtfully written and contributed for our audience by Alex Gardner, Director of Product Marketing at XM Cyber
