IAM

Your Identity Controls Have Never Been Tested - Here's Why It Matters


Intragen Newsroom

Key Highlights
  • 86% of breaches involve stolen credentials, not advanced attacks
  • Most identity security checks validate configuration, not exploitability
  • Identity is now the primary attack surface across organisations
  • Controls like MFA and PAM are often bypassed in real-world attacks
  • Adversarial testing is required to prove security effectiveness

What this means:

Most organisations validate identity security through configuration reviews and vendor health checks – approaches that confirm what is configured, not what is exploitable. This article explains why identity is now the primary attack surface, why vendor-led assessments miss cross-platform vulnerabilities, and how adversarial testing using real-world offensive techniques proves whether controls like MFA, conditional access, and privileged access management actually hold up under attack.


86% of data breaches involve stolen credentials. Not zero-day exploits. Not sophisticated malware. Stolen credentials. Most organisations have invested in identity security controls: Multi-Factor Authentication (MFA), Privileged Access Management (PAM), conditional access policies, and identity governance tooling. The controls exist. The question security leaders rarely ask is whether those controls actually work when someone tries to break them. 

Most organisations validate identity security through configuration reviews, audits, and vendor health checks. These approaches confirm what is configured, not what is exploitable. Because identity is now the primary attack surface and attackers routinely bypass controls using credential theft and social engineering, organisations need adversarial testing to prove whether their identity defences actually work under real-world conditions.

Why Is Identity Now the Primary Attack Surface?

Identity has become the primary attack surface in modern organisations, driven by the rapid growth of human and machine identities and the complexity of managing them across fragmented systems. This expansion creates visibility gaps, increases the risk of misconfiguration, and makes identity-based attacks both more likely and harder to detect.

Attackers do not break in; they log in.

Are You Falling Into The Configuration Trap?

The standard approach to validating identity security is a configuration review. A vendor examines tenant settings, checks them against best practice, and produces a report. Compliance teams file it. The board receives assurance. Everyone moves on. The problem is that configuration reviews check what is set, not what is exploitable.

A conditional access policy can be correctly configured and still be bypassed through token theft. MFA can be in place and still be defeated by session hijacking or fatigue attacks. Role assignments can follow documented procedures and still create privilege escalation paths that an attacker chains together in minutes.

In many environments, identity controls are spread across multiple tools (access management, identity governance, and privileged access) with limited integration between them. This fragmentation creates blind spots, where risks exist between systems rather than within them. These gaps do not show up in a settings audit. They show up when someone tests the defences the way an attacker would.

Why Can't Vendors Validate Their Own Controls?

Vendor-led health checks assess the vendor’s own product. Okta reviews your Okta configuration. Microsoft reviews your Entra ID settings. CyberArk reviews your PAM deployment. No single vendor sees the full picture.

Identity attacks do not respect product boundaries. An attacker who compromises a session token in one system will use it to move laterally through another. Federation trust chains, directory synchronisation, and cross-platform entitlements create attack paths that span the entire identity estate. Account takeover is not a rare event - it is an ongoing reality. Attackers continue to rely on well-established techniques such as phishing, social engineering, and credential theft, which remain consistently effective despite advances in security tooling.

This is the equivalent of marking your own homework. The grade might look good. It does not tell you what happens under exam conditions.

What Does Adversarial Testing Actually Reveal?

When organisations move from configuration reviews to adversarial identity testing, the results are consistently uncomfortable. Controls that passed every audit turn out to be bypassable. Detection rules that should fire on suspicious behaviour remain silent. Privilege escalation paths that nobody mapped give a tester domain-level access within hours.

Even where modern authentication controls are in place, organisations often overestimate their effectiveness. Traditional and legacy MFA approaches remain vulnerable to modern attack techniques, and the shift toward stronger authentication has not always been matched by improvements in how those controls are managed, recovered, or monitored in practice.

These findings are not theoretical. They are demonstrated, evidenced, and repeatable. The difference between knowing your MFA policy is enabled and knowing whether it survives a real attack is the difference between assumption and assurance.
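The article names MFA fatigue (push-prompt bombing) as a way MFA "in place" gets defeated, and notes that detection rules which should fire on such behaviour often stay silent. The following is an added illustration, not code from Intragen, Dionach or any vendor, of the kind of detection logic an adversarial test would exercise: it scans sign-in events for a burst of denied or timed-out push prompts and raises a high-severity alert when that burst is followed by an approval. The event schema, field names, thresholds and all sample events are constructed for this example and do not correspond to any real product's log format.

```python
"""Detect MFA push-fatigue patterns in sign-in events.

Hypothetical event schema (constructed for this example, not a vendor's format):
  ts          ISO-8601 UTC timestamp
  user        account name
  ip          source address of the sign-in attempt
  mfa_result  one of: approved, denied, timeout
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice is push-bombed and eventually approves;
# bob has one ordinary mistap; carol is push-bombed but never approves.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:05Z", "user": "alice", "ip": "203.0.113.9", "mfa_result": "denied"},
    {"ts": "2024-05-01T08:00:40Z", "user": "alice", "ip": "203.0.113.9", "mfa_result": "timeout"},
    {"ts": "2024-05-01T08:01:10Z", "user": "alice", "ip": "203.0.113.9", "mfa_result": "denied"},
    {"ts": "2024-05-01T08:01:55Z", "user": "alice", "ip": "203.0.113.9", "mfa_result": "denied"},
    {"ts": "2024-05-01T08:02:30Z", "user": "alice", "ip": "203.0.113.9", "mfa_result": "timeout"},
    {"ts": "2024-05-01T08:03:00Z", "user": "alice", "ip": "203.0.113.9", "mfa_result": "approved"},
    {"ts": "2024-05-01T09:15:00Z", "user": "bob", "ip": "198.51.100.4", "mfa_result": "denied"},
    {"ts": "2024-05-01T09:15:30Z", "user": "bob", "ip": "198.51.100.4", "mfa_result": "approved"},
    {"ts": "2024-05-01T10:00:00Z", "user": "carol", "ip": "192.0.2.77", "mfa_result": "denied"},
    {"ts": "2024-05-01T10:00:20Z", "user": "carol", "ip": "192.0.2.77", "mfa_result": "denied"},
    {"ts": "2024-05-01T10:00:45Z", "user": "carol", "ip": "192.0.2.77", "mfa_result": "denied"},
    {"ts": "2024-05-01T10:01:10Z", "user": "carol", "ip": "192.0.2.77", "mfa_result": "timeout"},
    {"ts": "2024-05-01T10:01:40Z", "user": "carol", "ip": "192.0.2.77", "mfa_result": "denied"},
]

FAILED = {"denied", "timeout"}


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Return a list of alerts, one per user whose prompts look like a fatigue attack.

    An alert fires when at least `threshold` failed prompts (denied or timed
    out) fall inside `window`. Severity is 'high' when the burst is followed by
    an approval inside the same window (the attacker wore the user down) and
    'medium' when the burst never produced an approval (attempt only).
    """
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        fails = [parse_ts(e["ts"]) for e in evs if e["mfa_result"] in FAILED]

        # Slide over the failed prompts and stop at the first group of
        # `threshold` failures that fits inside `window`.
        burst_start = burst_end = None
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and fails[j] - fails[i] <= window:
                burst_start, burst_end = fails[i], fails[j]
                break
        if burst_start is None:
            continue

        # An approval that lands after the burst but still inside the window
        # is the signal that the fatigue attempt succeeded.
        approval = next(
            (e for e in evs
             if e["mfa_result"] == "approved"
             and burst_end <= parse_ts(e["ts"]) <= burst_start + window),
            None,
        )
        alerts.append({
            "user": user,
            "failed_prompts": sum(1 for t in fails if burst_start <= t <= burst_start + window),
            "severity": "high" if approval else "medium",
            "approved_from": approval["ip"] if approval else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The value of a rule like this is only proven when a tester actually generates the burst against a monitored account and the alert arrives; the threshold and window are tuning choices, and a test run will quickly show whether they are set so high that a real burst slips through unnoticed.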

How Does Identity Testing Go Beyond A Penetration Test?

Identity assurance testing differs from a traditional penetration test in one critical respect. Penetration testing typically targets networks and endpoints.

Identity testing focuses on the controls that govern:

  • Who can access what
  • How they authenticate
  • What happens when those controls are bypassed

The most effective approach is collaborative. A purple team model, where offensive testers work alongside the organisation’s security team, produces better outcomes than a black-box exercise conducted in isolation. Every finding should map to a practical remediation, with a defined effort, cost, and delivery path. A report without a route to fix the issue creates anxiety, not progress.

How Do You Move From Assumption to Assurance?

Leading organisations are shifting toward more continuous and intelligence-driven approaches to identity security.

They are investing in:

  • Greater visibility across identity systems
  • Real-time anomaly detection
  • Adaptive and risk-based access controls

Static reviews are no longer sufficient in a dynamic threat landscape.

What's The One Question Worth Asking?

If your organisation has invested in identity controls, you have already done the hard part. The missing step is evidence.

The question is simple: When did you last test your identity defences the way an attacker would?

If the answer is “never,” that is the gap worth closing.

Intragen and Dionach, both part of the Nomios Group, deliver Identity Assurance: a packaged, collaborative service that tests identity controls using real-world offensive techniques. Book a 30-minute briefing with our experts here.
