Linx Blog

What Are Identity Governance and Administration (IGA) Solutions and Why Are They Important?

Identity governance and administration (IGA) solutions manage the lifecycle of user identities and their permissions across an entire organization, providing full coverage for on-premises, cloud, and hybrid environments. With IGA, you can control who has access to which systems, enforce policies, and provide audit trails.

IGA is critical for security. Within an organization, the number of identities can easily reach into the thousands. Employees, contractors, partners, service accounts, and principals may have access to dozens or hundreds of applications. 

Without proper governance, overprivileged access can lead to breaches at scale. Attackers just need access to a single overprivileged account, and then they can move laterally until they hit the systems they’re interested in. (Read our article about the anatomy of an identity breach to learn more.)

How Do IGA Solutions Work?

At the core of IGA is identity lifecycle management (ILM), which is the end-to-end process of managing identities from creation and modification (for role changes) to deletion. User lifecycle management is a subset of ILM that focuses on human identities, but modern platforms extend lifecycle management to non-human identities as well.

One important note: Most IGA tools are not security tools; they’re IT administration tools built to address provisioning and lifecycle management problems. A security-first IGA solution like Linx Security evaluates every entitlement, making it easy to understand the potential damage it could cause.

What Are the 10 Questions to Ask When Evaluating IGA Solutions?

Asking targeted questions is the best way to determine whether the IGA tool you’re considering will strengthen your security posture. The right questions center on the common failure points for IGA solutions, not the checkbox features every vendor supports. 

Below, you’ll find a structured framework for the top 10 questions that truly matter. Each section includes context for why the question is important, real benchmarks for good and bad answers, and a discussion of how tools that fall short can lead to vulnerabilities.

1. How Easy Is It to Provision and Deprovision Accounts?

• Why Does This Matter?: In large organizations, accounts are provisioned and deprovisioned daily. Orphaned accounts (active accounts that no longer belong to anyone) are one of the most common entry points for attackers.
• Good Answer: Provisioning and deprovisioning are done automatically through your identity access and governance process. When a new person joins, their account is created with the appropriate access based on their role. Additional permissions can be requested through a self-service portal, which the security team evaluates. When somebody leaves the team, every account across all applications is disabled and removed the same day. Role changes trigger automatic access adjustments.
• Bad Answer: All provisioning and deprovisioning requests rely on manual tickets. IT teams add access for new users step by step, and when someone leaves, the spreadsheet gets updated.
  
  • Impact: Spreadsheet-based workflows can fall through the cracks. Six months after someone’s left, their orphaned account might still have broad access, which is an invitation to attack. 

2. What Is the API Coverage for the IGA Solution?

• Why Does This Matter?: The IGA solution you choose needs to integrate with your cloud providers, SaaS applications, HR platform, and ticketing systems.
• Good Answer: The IGA solution is API-first, with all functionality available via the API, including provisioning, deprovisioning, policy management, and even reporting. Implementing custom integrations shouldn’t be a tedious process; it should be easy out of the box.
• Bad Answer: The API is limited to read-only operations or offers only a fraction of what the UI can do. It’s possible to implement custom integrations, but it’s a complex process.
  
  • Impact: With limited API coverage, you can’t really implement automation. There will be delays and misconfigurations, which translate into access gaps that expand your blast radius.

3. What AI/ML Capabilities Does the Platform Have?

• Why Does This Matter?: Manual governance is unsustainable, and AI and ML capabilities can reduce the burden on reviewers and even surface risk.
• Good Answer: The IGA solution uses AI to analyze access patterns, detect anomalies, and make recommendations that reviewers can act on.
• Bad Answer: The IGA solution is “AI-powered,” but it only offers a basic rule engine with no feedback loop.
  
  • Impact: If your IGA solution can’t show you the blast radius of a compromised identity, it’s not actually using AI; it’s a buzzword.

4. What Expertise Is Needed to Get Value Out of the IGA Solution?

• Why Does This Matter?: If you need a large, dedicated team to manage the IGA solution, it will slow you down more than it helps.
• Good Answer: The platform is designed so that identity and security teams can operate it without being experts. 
• Bad Answer: You need certified consultants to manage your platform.
  
  • Impact: If operating the platform is too hard or expensive, nobody will update the rules, leading to vulnerabilities. For example, stale access policies can allow former employees to retain permissions they shouldn’t have.

5. Can the IGA Solution Model Complex Environment Relationships?

• Why Does This Matter?: In large enterprises, permissions aren’t flat. They involve nested groups, inherited roles, and service accounts that have chained permissions.
• Good Answer: The IGA solution uses a graph-native model to represent data relationships. An identity graph makes it easy to traverse complex access paths and understand dependencies.
• Bad Answer: The platform uses a relational database that stores access as row-level associations. You can understand that a user has a role, but there’s no context for why that role is dangerous.
  
  • Impact: Without a graph model, blast radius is a permanent blind spot.

6. What Is the Operational Overhead?

• Why Does This Matter?: If you need to pay 5–10 engineers just to manage day-to-day operations, you don’t have an IGA solution; you have IGA overhead.
• Good Answer: A small team of 1–3 engineers is enough to manage the IGA solution. Connectors are maintained by the vendor.
• Bad Answer: The IGA solution needs a dedicated team, and for each new application, you need to implement a manual connector configuration.
  
  • Impact: A team that spends more than half its time keeping the lights on is firefighting instead of focusing on implementing new features.

7. How Can You Deploy the IGA Platform (SaaS, On-Prem, Hybrid)?

• Why Does This Matter?: When you need speed, SaaS solutions are the best fit. Yet for highly regulated industries, on-prem is more suitable. An IGA solution must account for both. Depending on your compliance and speed requirements, you should be able to choose where you deploy your IGA platform.
• Good Answer: You have the flexibility to deploy the IGA platform wherever you want.
• Bad Answer: You can deploy the IGA tool in on-premises or SaaS environments, but there are critical differences between the solutions (e.g., the SaaS version has more features than the on-prem one because it relies on existing cloud services).
  
  • Impact: Without feature parity across deployment models, on-prem customers will receive a second-class experience. At the same time, if you start with SaaS and later want to migrate to on-prem, you’ll need to sacrifice some features in order to make the switch.

8. How Many of My Apps Have Production Connectors Today? 

• Why Does This Matter?: There’s a big difference between an app that’s “supported” (meaning you might need a dedicated team to integrate it) and a production-ready connector that’s available right now.
• Good Answer: The IGA solution has a transparent connector catalog that shows exactly which applications have production-ready connectors.
• Bad Answer: The IGA solution claims to have more than 100 built-in connectors, but for half of them, you need to implement custom solutions.
  
  • Impact: If your IGA solution can’t connect to an application, you can’t see the available access. These gaps dramatically increase your attack surface.

9. What Happens When a Review Decision Is Revoked?

• Why Does This Matter?: Every IGA solution can create tickets when access is revoked, but this is a risky default. Tickets pile up, and they can take several days to be implemented.
• Good Answer: When access is revoked, the IGA solution automatically executes the revocation through its connectors. Remediation is tracked, verified, and auditable. This is what a mature IGA solution looks like.
• Bad Answer: The IGA platform generates a ServiceNow ticket that goes into a queue, and someone implements it when they have time.
  
  • Impact: The time between a revocation decision and the actual implementation is pure risk exposure.

10. Can a Reviewer See Why Access Is Flagged Without Opening Another Tool?

• Why Does This Matter?: Toggling between several applications to analyze access is inefficient and overloads engineers.
• Good Answer: The IGA solution is graph-based, meaning the reviewer can understand why the access is flagged at a glance. They never need to leave the platform.
• Bad Answer: The reviewer needs to check several tools to understand why access has been flagged.
  
  • Impact: Friction can lead to a culture of rubber-stamped access permissions.

How Linx Revolutionizes IGA

Traditional IGA solutions were built for compliance, not security. Linx is different.

With Linx, you get an AI-native, security-first IGA solution. All of Linx’s features are purpose-built to give identity teams the visibility and context they need to reduce the blast radius of every identity in your organization.

Linx uses a graph-powered architecture to map every identity to every permission, resource, and relationship across your environments. It offers out-of-the-box automated remediation and a faster time to value with pre-built integrations and no-code connectors.

And with Linx Autopilot, teams can now deploy AI agents that work continuously on their behalf. Autopilot monitors identity environments 24/7, detects meaningful changes, evaluates risk in context, and takes action in real time.

Conclusion

Identity governance and administration solutions ensure that the right people have access to the right resources. Because a single over-privileged identity can become an entry point for a full-scale breach, the IGA solution you choose should be a security control that shows you exactly how large your blast radius is when an attack happens.

The 10 questions in this article help you separate IGA solutions that look good on paper from vendors that actually secure identities in practice. They empower you to make a choice that slashes risks and provides immediate value.

That’s where Linx stands apart.

If you’re ready to see what AI-native, graph-powered IGA looks like in practice, request a demo of Linx.

We're at one of those rare moments where an entire software category gets rewritten from scratch. Not improved. Replaced. AI isn't making identity governance faster - it's making the old architecture obsolete.

When Niv and I started Linx two years ago, we made a bet: that the identity governance category was overdue for a fundamental rethink, and that AI-native architecture - not AI bolted onto legacy infrastructure - would be what made that possible. That the future of IGA wasn't periodic reviews and manual workflows. It was continuous, autonomous, and built for a world where humans, machines, and AI agents all coexist inside the same enterprise.

Today, I'm proud to announce that Linx Security has raised a $50M Series B, led by Insight Partners, with continued support from Cyberstarts and Index Ventures - bringing our total funding to $83 million. And alongside this round, we've launched Linx Autopilot: the industry's first AI agent purpose-built for Identity Governance and Administration.

This isn't just a funding milestone. It's a signal that the IGA category is at an inflection point - and that Linx is leading it.

Why Now

The identity landscape has been transformed by three forces converging at once.

First, AI agents are proliferating inside every enterprise - not as experiments, but as active participants in business workflows. They hold credentials. They access sensitive systems. They act with autonomy. And almost none of today's governance frameworks were built to manage them.

Second, the attack surface has exploded. One breach, one over-privileged service account, one dormant credential - and the damage can be catastrophic. Boards know it. CISOs feel it daily. The compliance frameworks are finally catching up.

Third - and this is what excites me most - the technology is finally ready. AI-native architecture makes it possible to do in seconds what traditional tools take weeks to accomplish: detect, evaluate risk in context, and act. Not reactively. Continuously.

IGA was always treated as a necessary evil. A compliance checkbox. Something you suffered through. We built Linx on the premise that it doesn't have to be that way.

What We're Building - and Why It Matters Now

The enterprise of 2026 doesn't look like the enterprise IGA was designed for. AI agents are being provisioned inside every workflow. Non-human identities now outnumber human ones. The attack surface isn't growing linearly - it's multiplying. And the governance frameworks built for a world of on-prem directories and annual access reviews were simply never designed for this reality.

Linx is built AI-native from the ground up - not AI layered onto legacy architecture. That distinction matters more than it might sound. It's what allows us to move from periodic, reactive governance to something fundamentally different: continuous, autonomous identity security that operates at the speed of the business and the speed of the threat.

Think of it as having a security operator working 24/7 on your behalf - one that monitors every identity in your environment, detects risk in context as it emerges, and acts before the damage is done. When a privileged account behaves unexpectedly, it responds. When an AI agent is provisioned with excessive permissions, it sees it. When an employee moves roles and leaves ghost access behind, it remediates - before an attacker finds it first.

Security teams don't lose control. They gain leverage. The tedious, repetitive work gets handled autonomously. The decisions that require human judgment get escalated. That's what modern identity governance looks like - and that's what we're delivering.

To the People Who Made This Possible

None of this happens without the people.

To Niv - twenty years of shared history, and I still learn something from you every week. Building this company alongside you has been one of the great privileges of my career. You push this product to places I wouldn't have imagined.

To Sarit - your technical vision and relentless standards are woven into every line of this platform. What you've built with the engineering team is something we'll be proud of for a long time.

To our entire Linx team - 100 people who bet on a vision and made it real. Every customer win, every product breakthrough, every late night - that's us, together. I'm incredibly proud of what we've built as a team.

To Teddie, Elan and the Insight Partners team - your belief in where this market is going gave us a true partner for the next chapter. And to Gili at Cyberstarts, and Shardul at Index Ventures - you've been with us from the beginning, and your conviction in this vision has never wavered. We don't get here without all of you.

And to our customers - the security leaders and identity practitioners who chose to build with us early, challenged us to be better, and trusted us with what matters most. You are the reason we do this. Your trust is the highest validation we know.

What Comes Next

The market isn't just ready, it's asking for it. Every security leader we talk to, every enterprise scrambling to govern AI agents they provisioned last quarter with no visibility into what they can access, confirms what we believed two years ago: this category was overdue, and the moment is now.

What comes next is simple to say and hard to execute: we scale. We're growing the team, accelerating the Autopilot roadmap, and going deeper with the enterprises already trusting us to govern millions of identities in production.

The IGA category is being rewritten. The window to define what the next generation looks like is open.

We intend to define it.

‍

- Israel Duanis, CEO & Co-Founder, Linx Security

NEW YORK, March 31, 2026 - Linx Security, a pioneer in modern identity security and governance solutions, today announced a $50 million Series B financing round led by global software investor Insight Partners, with continued participation from Cyberstarts and Index Ventures. This brings Linx’s total funding to $83 million. The 100-person startup has already signed multimillion-dollar contracts with banks, healthcare companies, and Fortune 500 firms, governing millions of identities globally.

As enterprises adopt cloud, automation, and AI, the number of identities inside organizations has exploded, now spanning not just employees, but machines, services, and AI agents, which outnumber humans by roughly 80 to 1. Traditional identity governance tools, built for a smaller and more static environment, have struggled to keep up, leaving security teams with limited visibility, slower response times, and expanding risk at a time when nearly 90% of security incidents involve identity-related failures.

Founded in 2023 by cybersecurity veterans Israel Duanis and Niv Goldenberg, the company provides an AI-native platform that continuously maps, monitors, and governs all identities across the enterprise, human, non-human, and agents alike. By replacing manual processes and periodic reviews with real-time detection and automated remediation, Linx enables organizations to reduce identity risk without slowing down the business.

“Identity governance has shifted from a back-office compliance function to a core pillar of enterprise security,” said Israel Duanis, CEO and co-founder of Linx Security. “This funding allows us to scale faster and meet the growing demand from organizations that need real-time visibility and control over every kind of identity operating in their environment.”

Linx recently introduced Linx Autopilot, the first autonomous AI agent designed to fundamentally change how identity governance is managed. Moving away from the constraints of manual oversight and reactive processes, Autopilot continuously monitors identity activity, detects meaningful changes in real time, and takes action, either resolving issues automatically or escalating when needed. By operating across human, machine, and agents, it enables security teams to move from periodic control to continuous, intelligent enforcement, without adding operational overhead.

The new funding will support Linx’s next phase of growth, including expanding its global footprint, scaling enterprise go-to-market efforts, and accelerating product development around autonomous identity governance.

"Linx is reimagining IGA architecture to tackle the emerging problem of agent governance. The company’s AI-first approach, along with the introduction of Linx Autopilot, well positions Linx in this critical category and we're thrilled to partner on this journey,” said Teddie Wardi, Managing Director at Insight Partners.

"We backed Linx at inception because we believe identity would become the core control layer of modern security,” said Gili Raanan, Founding Partner at Cyberstarts. “AI agents are rapidly expanding the number of identities operating inside organizations, turning identity governance from a back-office compliance task into a board-level risk. Linx is building the platform to govern that new reality.”

About Linx Security

Linx Security is the AI-native identity security and governance platform built for the era of AI agents and non-human identities. Founded in 2023 and headquartered in New York, the company delivers unified visibility, continuous risk detection, and autonomous remediation across every identity in the enterprise - human, non-human, and AI. Backed by Insight Partners, Index Ventures, and Cyberstarts, Linx Security is trusted by identity-intensive enterprises globally to eliminate identity risk without slowing the business. For more information, visit www.linx.security.

About Insight Partners

Insight Partners is a global software investor partnering with high-growth technology, software, and Internet startup and Scale-up companies that are driving transformative change in their industries. As of June 30, 2025, the firm has over $90B in regulatory assets under management. Insight Partners has invested in more than 875 companies worldwide and has seen over 55 portfolio companies achieve an IPO. Headquartered in New York City, Insight has a global presence with leadership in London, Tel Aviv, and the Bay Area. Insight's mission is to find, fund, and work successfully with visionary executives, providing them with tailored, hands-on software expertise along their growth journey, from their first investment to IPO. For more information on Insight and all its investments, visit insightpartners.com or follow us on X @insightpartners.

TL;DR

• Traditional identity governance relies on periodic review cycles, but point-in-time checks detect risks and misconfigurations long after they are introduced. Organizations need to take a new, modern approach to securing identity.
• Current AI-powered identity security systems are not autonomous. They show alerts and generate recommendations but rely on a human trigger before they start taking action.
• Truly autonomous identity security is a fundamental shift, and that’s where Linx Security’s revolutionary new Autopilot AI comes in. Autopilot evaluates access, assesses risk, and either initiates remediation or escalates to a human when oversight is required.

What Are the Limits of Reactive Identity Security?

Reactive identity security and point-in-time checks can’t keep up with the constant change that characterizes modern identity environments, especially at scale. Employees change roles, contractors rotate in and out, and machine identities created to perform a specific task are no longer needed once the task is done.

Periodic review cycles made sense in a world where identity was changing slowly and the blast radius of a compromised account was limited. But today, a single compromised identity can cascade across different cloud environments, SaaS platforms, and CI/CD pipelines in minutes. 

The 2024 Midnight Blizzard breach at Microsoft proves this point. During this attack, threat actors compromised a single test tenant account, then moved laterally to high-value assets like cybersecurity team accounts and even executives’ accounts. 

The difficult truth? Identity is now the quickest path attackers can take to reach critical systems, and reactive security isn’t enough. (Learn more about why identity breaches are preferred by attackers here.)

How Do Identity Risks Emerge Between Reviews?

Identity risk arises from the slow accumulation of misconfigurations and access changes that happen between governance reviews.

Typically, role drift and privilege accumulation are the most common sources of identity risk in any organization. Even though an access grant for a specific engineer might have been legitimate when it was approved, permissions often persist long after a role change makes them irrelevant.

Access entitlements across multiple systems exacerbate this issue, as a single user might have multiple identities and permissions across different cloud providers, SaaS applications, CI/CD platforms, and other tools. 

Risks don’t live in these systems in isolation. Think of a user who has read-only access to a production AWS account but admin access to a CI/CD pipeline that can deploy resources to that account. Human reviewers and review tools that look at systems independently won’t catch this escalation path.

And the problem compounds when time enters the equation. When someone is granted permanent elevated access to address a particular issue instead of JIT admin access, the window between that change and the next governance review becomes especially dangerous. 

For example, a developer might get admin access to a production environment to help troubleshoot an outage. Though the incident is resolved within hours, the elevated permissions persist. 

If an attacker compromises this account, the blast radius can be significant: They’ll have access to all applications, secrets, and workloads that are running in that production environment. Identity solutions that conduct periodic reviews will eventually catch over-privileged access, but there might be months of exposure in the meantime.

Finally, department restructures happen all the time. In fact, with AI adoption, they’re more frequent than ever. These organizational changes shift the access context entirely. For instance, a team that used to need access to a particular environment may no longer exist in the same form. Despite this shift, their permissions usually stay in place until the next review cycle, resulting in over-privileged access on a team-wide scale.

What Is Reactive Tooling? What Is the Alternative?

Many enterprises believe that they’re keeping pace with risks because they’ve invested heavily in Identity Governance and Administration (IGA) platforms and Privileged Access Management (PAM) solutions. But these tools flag risks long after they’ve been introduced. 

Even the newer generation of identity security tools that have AI and machine learning (ML) capabilities still function as analysis engines. They identify issues and give you recommendations on how to solve them, but they don’t act on your behalf. 

Without automated provisioning and deprovisioning tied directly to lifecycle events, permissions drift between review cycles with no option to correct them.

The organizations that are effectively slashing identity risks are those embracing AI identity security automation in 2026: continuous, always-on coverage from autonomous AI that can detect, prioritize, and remediate access issues in real time, with minimal human oversight.

Why Should You Move From AI Assistance to Autonomous Execution?

Most of what the market calls today “AI-powered identity security” is actually AI-assisted security. As we’ve seen, these tools detect anomalies and generate recommendations. They might identify that a particular user has more privileges than most of their peers or that a service account hasn’t been used for a long period of time. These insights are useful, but AI-assisted tools leave a critical gap between identifying an issue and remediating it.

Depending on a human for input isn’t always the wrong move. Yet workflows where humans have to analyze and act on every notification from AI tools keep engineers trapped in a cycle of alerts. After all, human bandwidth will never be able to match the pace at which identity risks are growing.

To free engineers up to innovate and turbocharge remediation speed, autonomous systems handle straightforward fixes and repetitive actions. They determine when human input isn’t required by evaluating context. Then, they decide on an appropriate response and execute the corresponding workflow. 

By leveraging an autonomous security agent, the entire identity security workflow shifts from “send an alert and a recommendation to a human” to “assess the problem, decide what to do about it, and act accordingly.”

Introducing Autopilot

With Linx Security’s Autopilot, teams can now deploy AI agents that work continuously on their behalf: monitoring their identity environments 24/7, detecting meaningful changes as they happen, evaluating risk in context, and taking action in real time whenever there are issues.

What Does Autopilot Offer?

• Speed and Control: Autopilot evaluates access, assesses risk, and either initiates remediation or escalates to a human when oversight is required, solving the speed-control paradox.
• Governed Autonomy: Autonomy demands trust. Autopilot is designed with that in mind, featuring guardrails and intelligent oversight mechanisms that ensure each autonomous action is carefully controlled. 
• Reduced Alert Fatigue: Unlike AI-assisted platforms, Autopilot reduces alert fatigue by looping in humans only when it’s truly necessary.
• Task-Specific Agents: Each Autopilot agent is an expert at a core identity task, such as identification of access drift, profile tuning, and JIT access approvals.
• A Comprehensive Suite of Tools: Autopilot is part of a three-tier AI architecture, alongside AI enhancements that constantly optimize and refine your data and AI Copilot, a personal AI assistant that makes engineers Linx system superusers.

“Security teams don’t need more noise—they need meaningful leverage,” says Niv Goldenberg, Chief Product Officer and Co-Founder at Linx Security. “Autopilot allows organizations to modernize identity security responsibly, combining continuous AI-driven execution with human expertise.”

Conclusion

In a periodic review model, there’s a gap between when identity risks emerge and when governance catches up. Access changes constantly, governance occurs quarterly, and attackers operate within this window.

With autonomous identity security, this gap is closed by autonomous agents that monitor access changes in real time, evaluate them against an organization's in-play policies, and take immediate action to resolve any issues. 

Autonomous identity security is where Linx stands apart.

“Autopilot marks the beginning of a new chapter for Linx,” says Israel Duanis, CEO and Co-Founder of Linx Security. “Our vision is to build a security platform that doesn’t just inform teams—it operates alongside them. The future of identity security isn’t more alerts or more manual reviews. It’s intelligent systems that continuously strengthen posture while keeping humans in control. This launch establishes Linx as a leader in autonomous identity security and sets the foundation for where our platform is headed.”

If you want to see Autopilot in action, join us for an in-person demonstration during the RSA Conference (March 23–26). We’ll also be hosting a live virtual demonstration on April 9th at 11 a.m. ET.

To see Autopilot live virtually, register for our upcoming webinar on April 9th: Autopilot: Closing the Identity Risk Gap with Autonomous AI, or schedule a demo to get a personalized demonstration.

TL;DR

• Attackers typically follow seven steps to carry out an identity attack, and there are ways to protect yourself at each stage of the kill chain.
• Always check if your credentials have appeared in data leaks and change them, implement phishing-resistant MFA, take advantage of JIT for admin accounts, and use the principle of least privilege.
• Preventing attacks is just one piece of the puzzle; you should also take measures that limit the blast radius, ensure you can detect issues if they pass your prevention mechanisms, and leverage automated workflows that respond to issues.

Why Do Attackers Prefer Identity-Based Attacks?

Identity is now the fastest route to critical systems: Humans, non-human identities (like service accounts, workloads, and API keys), SaaS apps, cloud control planes, and AI agents all operate through permissions and tokens that can give attackers a dangerous foothold.

Raising the stakes, identity attacks are more likely to succeed than other attacks, and they’re also harder to detect. When a threat actor uses one of your credentials, they blend in with legitimate traffic, and most security tools miss the subtle signs that point to a compromise.

While it’s impossible to build perfect prevention against all of these attacks, you can implement ironclad defenses. The key is to take a layered approach. With defense–in-depth strategies in place, when one layer is compromised, another layer will block the attack, whether it stems from phishing, credential stuffing, token harvesting, or another identity attack vector.

In this article, we’ll explore the practical steps attackers take to compromise identities and provide hands-on advice for thwarting them at each stage of the identity kill chain.

What are the 7 Steps Attackers Use for Identity Breach?

Attackers typically follow these steps to carry out an identity attack:

1. Initial access
2. MFA or “friction” bypass
3. Privilege gain
4. Lateral movement via identity
5. Persistence
6. Taking action on objectives (data access, fraud, ransomware enablement)
7. Evasion and reentry

Each step links together, enabling the next step in the chain. As a result, a minor compromise can lead to widespread breaches because of privilege escalation, lateral movement, and persistent actions.

Let’s take a look at each step in detail.

Step 1: Initial Access (Credentials or Foothold)

An attacker can obtain access to credentials through phishing campaigns, reused passwords, accidentally exposed secrets in VCS systems or CI/CD pipelines, or by purchasing compromised accounts on the dark web. 

Reused passwords are especially problematic. Despite security training programs, many employees continue to use the same passwords across personal and professional accounts. This practice creates a domino effect: Compromised access to one service compromises access to many others.

What’s a Real-World Example?

In 2021, attackers gained access to Colonial Pipeline’s systems by using a compromised password for a VPN account that didn’t have MFA enabled. This account actually belonged to a former employee, but it was never disabled after their termination. The threat actors used this foothold for a ransomware attack against the company, which provides fuel for about half of the East Coast. System outages cascaded into fuel shortages, and a state of emergency was declared in 17 states and Washington, D.C. Restoring operations took a $4.4 million ransom payment.

How Can Organizations Keep Systems Safe?

• Prevent: Identify and disable all inactive accounts, as they can also pose security risks if compromised. Ensure MFA is enabled for all your users.
• Limit the Blast Radius: Reduce the number of externally accessible services, and require additional passwords and MFA for anything important.
• Detect: Monitor for unusual activity, like authentication attempts from unfamiliar locations or devices or numerous failed login attempts that signal credential stuffing.
• Respond: Leverage automated workflows to immediately disable compromised accounts.

Step 2: MFA or “Friction” Bypass

MFA is just the first line of defense, and it’s not a silver bullet. When attackers encounter MFA, they can employ tactics to get around it. For example, fatigue attacks involve sending a flood of MFA approval requests to your users until they accept.

Social engineering isn’t the only risk, though. Phone-based MFA is vulnerable to SIM swap attacks, which could allow attackers to intercept your SMS codes.

What’s a Real-World Example?

In 2022, Uber experienced a data breach that began when a hacker purchased an employee’s credentials on the dark web. After encountering MFA, the attacker impersonated a security employee, initiated a fatigue attack, and asked the compromised user to accept the MFA requests he sent. Once the fatigue attack proved successful, the attacker gained access to Uber’s VPN; from there, he moved laterally, ultimately gaining full admin privileges.

How Can Organizations Keep Systems Safe?

• Prevent: Use strong MFA mechanisms (Authenticator Apps, Hardware keys or Passkeys) for all accounts if possible, otherwise at least for privileged ones. Implement phishing-resistant MFA, and establish strict proof-of-identity requirements for help desk employees.
• Limit the Blast Radius: Require multiple approvals for high-privilege account resets; require additional passwords for sensitive services.
• Detect: Implement MFA monitoring that automatically denies a flood of requests, and require human approval (with identity verification) before users can add a new authentication device.
• Respond: Whenever you detect suspicious MFA activity, temporarily restrict access for your user until verification is complete.

Step 3: Privilege Escalation

Accounts with permanent administrative rights are exactly what malicious actors are looking for. Instead of standing privileges, a better move is to grant temporary admin privileges through a mechanism like just-in-time access. 

Another problem to look out for? When secrets hygiene is not implemented consistently, and secrets like API keys are stored in VCS systems or wikis, there are simple opportunities for privilege escalation.

What’s a Real-World Example?

In October 2023, Okta experienced a breach after an attacker compromised a customer support engineer’s account. This account had administrative rights, allowing the attacker to view HTTP Archive (HAR) files containing cookies and session tokens uploaded by customers during support troubleshooting sessions. By stealing session tokens, the attacker was able to impersonate legitimate users across different organizations.

How Can Organizations Keep Systems Safe?

• Prevent: Implement just-in-time (JIT) access for administrative accounts.
• Limit the Blast Radius: Ensure admin accounts are specific to a single service and don’t have cross-service privileges.
• Detect: Implement alerts for role changes or permission modifications.
• Respond: Build in automation that responds to a suspicious account by revoking elevated access and reviewing recent actions.

Step 4: Lateral Movement via Identity (SSO, SaaS, Cloud Control Plane)

It goes without saying: When attackers gain elevated privileges, what they’re really gaining is the ability to move laterally through your connected systems. For example, a compromised SSO can unlock access to dozens of applications, and cloud control planes can be easily accessed from anywhere if you have valid tokens.

What’s a Real-World Example?

In 2023, an attacker known as Storm-0558 leveraged forged Microsoft authentication tokens to access enterprise email accounts. The mechanism of attack? Lateral movement from MSA (customer) keys to the Azure AD enterprise system. The breach affected approximately 25 organizations, primarily government agencies, including U.S. State Department email accounts. 

How Can Organizations Keep Systems Safe?

• Prevent: Avoid creating “super admin” accounts that can access all your systems.
• Limit the Blast Radius: Remove unnecessary permissions that might offer access to systems your users don’t actually need access to.
• Detect: Implement monitoring for unusual access patterns, especially accounts accessing systems they’ve never accessed before.
• Respond: When you detect lateral movement, isolate the compromised identity and review access logs.

Step 5: Persistence (Tokens, OAuth Apps, Service Principals, Backdoor Identities)

As soon as an attacker gains access to your systems, they’ll look for ways to maintain it if the original entry point is detected and blocked. Persistence techniques include the creation of OAuth applications, service principals, and API keys. These mechanisms are highly effective because they are often mistaken for legitimate administrative objects and can even survive password resets.

What’s a Real-World Example?

In 2025, Salesforce warned customers that a group called ShinyHunters was using vishing (voice phishing) to trick help desk staff into resetting MFA on privileged accounts. Once they got a foothold in a Salesforce instance, the attackers created malicious OAuth applications that allowed them to maintain persistent access.

How Can Organizations Keep Systems Safe?

• Prevent: Control who can create OAuth applications, and establish lifecycle governance for service principals to ensure they have expiration dates.
• Limit the Blast Radius: Restrict the permissions that can be granted to OAuth applications (for example, in AWS, use permission boundaries or service control policies to limit what IAM roles your OAuth apps can assume); ensure your service principals respect the principle of least privilege (PoLP).
• Detect: Alert on the creation of new applications that require extensive permissions.
• Respond: Maintain an inventory of authorized OAuth apps and service principals, and remove any new apps that are created outside of your process.

Step 6: Action on Objectives (Data Access, Fraud, Ransomware Enablement)

Identity compromise is rarely the final objective for an attacker. Usually, it’s only a stepping stone on the way to accessing data, committing fraud, or enabling ransomware.

What’s a Real-World Example?

In September 2023, MGM Resorts experienced a devastating ransomware attack that led to more than a week of operational problems across 30 resorts, like shutdown slot machines, offline ATMs, and locked-out guests (the downside of digital hotel keys). Attackers gained access by researching employees on LinkedIn, then calling the help desk to request a password reset in their names.

How Can Organizations Keep Systems Safe?

• Prevent: Implement PoLP on both the infrastructure and data layer; require additional verifications before a user can perform sensitive actions (e.g., ask users to reauthenticate with MFA or ask them for a manager’s approval).
• Limit the Blast Radius: Prevent the creation of “super admins.” If any exist in your systems, downgrade their privileges. 
• Detect: Alert on mass downloads or unusual queries against sensitive databases.
• Respond: Implement automation that can quickly restrict access when suspicious data is detected.

Step 7: Cover, Repeat, Expand (Defense Evasion + Re-Entry)

Powerful attackers try to reduce their visibility as much as possible by altering audit logs and disabling security tools. They also wreak havoc by creating multiple re-entry points. Many times, this goes unnoticed: In the wake of a breach, organizations can get tunnel vision and focus only on the initial entry point.

What’s a Real-World Example?

In 2023, a threat group called LockBit demonstrated impressive defense-evasion techniques, accounting for $91 million in ransomware payments in the U.S. alone. The secret to their success? They played the long game. When they gained access to their victims’ systems, they didn’t deploy ransomware right away; they first covered their tracks and expanded their foothold. Malware deployment and ransom demands came weeks or months later.

How Can Organizations Keep Systems Safe?

• Prevent: Implement audit logging, and forward logs to immutable storage.
• Limit the Blast Radius: Ensure that no one can disable security monitoring, not even for testing purposes.
• Detect: Alert on log-retention policy changes and treat them as high-priority security incidents.
• Respond: Implement automation that can quickly revoke access for a compromised identity across all systems.

What Are Best Practices for Reducing Identity Breaches?

Follow this checklist to cut your identity risk:

• Start by Gaining Visibility: You can’t protect what you don’t see, so inventory your identity sprawl and identify password-only external access.
• Review Admin Privileges: Determine who has admin rights, and analyze if they actually need all those permissions.
• Test How Fast You Respond to Issues: Identify how much time it takes to revoke all access for a specific identity. Use this test result as a baseline for improvement.
• Deploy Phishing-Resistant MFA: Phishing-resistant MFA needs to be implemented everywhere, as attackers often compromise lower-priority systems first and then move laterally.
• Eliminate Exposed Credentials and Leaked Secrets: Scan your code repositories, wikis, and shared documents for exposed credentials. Implement automated scanning in your CI/CD pipelines to prevent secret leaks.
• Protect Audit Logs: Audit logs should be stored in immutable storage to ensure they cannot be altered after creation.
• Create Alerts: Alert on role changes, app consents, unusual MFA behavior, and federation changes.
• Implement JIT Elevation: You don’t need persistent admin permissions. Administrative access should be granted on demand for a specific time period.

Conclusion

Identity breaches are the easiest way in for attackers, and they usually follow a predictable pattern.

To disrupt this pattern, shifting left with stronger prevention is a start, but it’s not enough. You’ll also need to build powerful detection capabilities and automate quick responses to threats. Your motto should be, “Make it harder to get in, harder to escalate, harder to persist, easier to detect, and faster to contain.”

At Linx Security, we help organizations build robust identity security that addresses each stage of the attack chain. Book a demo with one of our engineers to learn more about how we can keep your systems safe from identity breaches.