What this means:
Most organisations validate identity security through configuration reviews and vendor health checks – approaches that confirm what is configured, not what is exploitable. This article explains why identity is now the primary attack surface, why vendor-led assessments miss cross-platform vulnerabilities, and how adversarial testing using real-world offensive techniques proves whether controls like MFA, conditional access, and privileged access management actually hold up under attack.
86% of data breaches involve stolen credentials. Not zero-day exploits. Not sophisticated malware. Stolen credentials. Most organisations have invested in identity security controls: Multi-Factor Authentication (MFA), Privileged Access Management (PAM), conditional access policies, and identity governance tooling. The controls exist. The question security leaders rarely ask is whether those controls actually work when someone tries to break them.
Most organisations validate identity security through configuration reviews, audits, and vendor health checks. These approaches confirm what is configured, not what is exploitable. Because identity is now the primary attack surface and attackers routinely bypass controls using credential theft and social engineering, organisations need adversarial testing to prove whether their identity defences actually work under real-world conditions.
Identity has become the primary attack surface in modern organisations, driven by the rapid growth of human and machine identities and the complexity of managing them across fragmented systems. This expansion creates visibility gaps, increases the risk of misconfiguration, and makes identity-based attacks both more likely and harder to detect.
Attackers do not break in; they log in.
The standard approach to validating identity security is a configuration review. A vendor examines tenant settings, checks them against best practice, and produces a report. Compliance teams file it. The board receives assurance. Everyone moves on. The problem is that configuration reviews check what is set, not what is exploitable.
A conditional access policy can be correctly configured and still be bypassed through token theft. MFA can be in place and still be defeated by session hijacking or fatigue attacks. Role assignments can follow documented procedures and still create privilege escalation paths that an attacker chains together in minutes.
In many environments, identity controls are spread across multiple tools (access management, identity governance, and privileged access) with limited integration between them. This fragmentation creates blind spots, where risks exist between systems rather than within them. These gaps do not show up in a settings audit. They show up when someone tests the defences the way an attacker would.
Vendor-led health checks assess the vendor’s own product. Okta reviews your Okta configuration. Microsoft reviews your Entra ID settings. CyberArk reviews your PAM deployment. No single vendor sees the full picture.
Identity attacks do not respect product boundaries. An attacker who compromises a session token in one system will use it to move laterally through another. Federation trust chains, directory synchronisation, and cross-platform entitlements create attack paths that span the entire identity estate. Account takeover is not a rare event; it is an ongoing reality. Attackers continue to rely on well-established techniques such as phishing, social engineering, and credential theft, which remain consistently effective despite advances in security tooling.
This is the equivalent of marking your own homework. The grade might look good. It does not tell you what happens under exam conditions.
When organisations move from configuration reviews to adversarial identity testing, the results are consistently uncomfortable. Controls that passed every audit turn out to be bypassable. Detection rules that should fire on suspicious behaviour remain silent. Privilege escalation paths that nobody mapped give a tester domain-level access within hours.
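The difference between a detection rule that is configured and one that is proven to fire is the point of the two preceding paragraphs. The following Python is an added illustration, not code from the article or from Intragen, Dionach or any identity vendor: two small detection rules (an MFA fatigue pattern and a session token observed from more than one source IP) are run over a constructed sign-in trace that contains the behaviour, and over a benign trace that does not, so the output is evidence that the rule fires rather than an assumption that it would. The event field names, the action values and the thresholds are assumptions chosen for the example; the log lines are constructed, not captured from any real tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. The field names (ts, user, ip, session,
# action) and action values are assumptions for this example, not a vendor's
# real log schema. Addresses are from the RFC 5737 documentation ranges.
ADVERSARIAL_TRACE = [
    # 1. MFA fatigue: six push prompts denied in six minutes, then one approved.
    {"ts": f"2024-05-01T08:0{i}:00Z", "user": "alice", "ip": "203.0.113.10",
     "session": None, "action": "mfa_push_denied"}
    for i in range(6)
] + [
    {"ts": "2024-05-01T08:06:00Z", "user": "alice", "ip": "203.0.113.10",
     "session": "tok-A", "action": "mfa_push_approved"},
    # 2. Session token reuse: the same session id later appears from a second IP.
    {"ts": "2024-05-01T08:20:00Z", "user": "alice", "ip": "203.0.113.10",
     "session": "tok-A", "action": "resource_access"},
    {"ts": "2024-05-01T08:25:00Z", "user": "alice", "ip": "198.51.100.7",
     "session": "tok-A", "action": "resource_access"},
]

# Constructed benign trace: one denial (a mis-tap) followed by approval, then
# normal access from a single IP. Neither rule should fire here.
BENIGN_TRACE = [
    {"ts": "2024-05-01T09:00:00Z", "user": "bob", "ip": "192.0.2.5",
     "session": None, "action": "mfa_push_denied"},
    {"ts": "2024-05-01T09:01:00Z", "user": "bob", "ip": "192.0.2.5",
     "session": "tok-B", "action": "mfa_push_approved"},
    {"ts": "2024-05-01T09:05:00Z", "user": "bob", "ip": "192.0.2.5",
     "session": "tok-B", "action": "resource_access"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Return (user, denial_count) for each push approval that was preceded by
    at least min_denials denials from the same user inside the window."""
    hits = []
    denials = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = _parse(e["ts"])
        if e["action"] == "mfa_push_denied":
            denials[e["user"]].append(t)
        elif e["action"] == "mfa_push_approved":
            recent = [d for d in denials[e["user"]] if t - d <= window]
            if len(recent) >= min_denials:
                hits.append((e["user"], len(recent)))
            denials[e["user"]].clear()  # an approval closes the burst
    return hits


def detect_session_reuse(events):
    """Return (session_id, sorted_ips) for every session id that was observed
    from more than one source IP, an indicator of a stolen or replayed token."""
    ips_by_session = defaultdict(set)
    for e in events:
        if e["session"]:
            ips_by_session[e["session"]].add(e["ip"])
    return [(sid, sorted(ips)) for sid, ips in ips_by_session.items() if len(ips) > 1]


def validate_detections(trace):
    """Run every rule over a trace and report what fired. Running this against
    an adversarial trace is the evidence that a rule works; the benign trace
    checks it stays silent on ordinary behaviour."""
    return {
        "mfa_fatigue": detect_mfa_fatigue(trace),
        "session_reuse": detect_session_reuse(trace),
    }


if __name__ == "__main__":
    print("adversarial:", validate_detections(ADVERSARIAL_TRACE))
    print("benign:     ", validate_detections(BENIGN_TRACE))
```

The same shape generalises: each control the organisation believes it has (a conditional access policy, a PAM session rule, an alert on privilege assignment) gets a constructed trace that exercises it and a benign trace that should not trip it, and the result is kept as a repeatable check rather than a one-off audit finding.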
Even where modern authentication controls are in place, organisations often overestimate their effectiveness. Traditional and legacy MFA approaches remain vulnerable to modern attack techniques, and the shift toward stronger authentication has not always been matched by improvements in how those controls are managed, recovered, or monitored in practice.
These findings are not theoretical. They are demonstrated, evidenced, and repeatable. The difference between knowing your MFA policy is enabled and knowing whether it survives a real attack is the difference between assumption and assurance.
Identity assurance testing differs from a traditional penetration test in one critical respect. Penetration testing typically targets networks and endpoints.
Identity testing focuses on the controls that govern:
The most effective approach is collaborative. A purple team model, where offensive testers work alongside the organisation’s security team, produces better outcomes than a black-box exercise conducted in isolation. Every finding should map to a practical remediation, with a defined effort, cost, and delivery path. A report without a route to fix the issue creates anxiety, not progress.
Leading organisations are shifting toward more continuous and intelligence-driven approaches to identity security.
They are investing in:
Static reviews are no longer sufficient in a dynamic threat landscape.
If your organisation has invested in identity controls, you have already done the hard part. The missing step is evidence.
The question is simple: When did you last test your identity defences the way an attacker would?
If the answer is “never,” that is the gap worth closing.
Intragen and Dionach, both part of the Nomios Group, deliver Identity Assurance: a packaged, collaborative service that tests identity controls using real-world offensive techniques. Book a 30-minute briefing with our experts here.