Brian Contos is the Field CISO at Mitiga with 30+ years of experience building successful companies and evangelizing cybersecurity.
The identity apocalypse isn’t coming. It’s already logged in. Today’s attacks inherit trust, look legitimate and operate unnoticed inside your environment.
Autonomous AI is accelerating a shift that was already underway. Human and non-human identities now operate at a scale, and with a level of access, that traditional security models were never designed to handle. The result is, you guessed it, more risk. More precisely, it is a breakdown of the assumptions identity-based security depends on: that access is deliberately granted, and that a valid identity is a reliable signal of intent.
Attackers don’t need to break in anymore. They log in, and increasingly, they look legitimate when they do.
Identity Is Exploding Right Along With Risk
Every organization is now managing a growing mix of human users, service accounts, APIs and autonomous agents. These identities interact, inherit permissions and expand their reach through integrations. Most of them are also overprivileged.
Agents are deployed along the path of least resistance, which usually means full access. SaaS integrations quietly extend that access across systems, and permissions compound through second-, third- and fourth-party connections.
What starts as a simple integration (a chatbot, a sales tool, an AI assistant) quickly becomes a gateway into critical systems. You think you’re granting access to one function. In reality, you’re exposing your entire environment.
Excessive privilege was the problem before. Now, the problem is invisible access at scale.
Blending In, Not Breaking In
Identity-based attacks have evolved beyond obvious compromises. They now rely on just the right amount of plausibility.
Consider the rise of fake workers: nefarious state-sponsored actors embedded inside organizations with legitimate credentials. Some move quickly by downloading everything they can before detection. Others play the long game, staying in role for months and even angling for promotions to expand access. They pass interviews using AI-generated video and voice, actually do their jobs and build trust. Then, they act.
At the same time, attackers are also exploiting the edges of identity systems: calling help desks to reset MFA using minimal personal information, studying internal policies to understand exactly how to gain access and leveraging AI to scale phishing, vishing and impersonation with precision.
This are-they-or-aren’t-they sheen of legitimacy is what makes the problem so difficult. Traditional anomalies are one thing. Valid identities exhibiting subtle, risky behavior are a different and constantly evolving problem. Security teams now have to look beyond intrusions for intent buried inside normal activity.
Why Prevention Is Breaking Down
For years, security strategies prioritized prevention with a pretty straightforward set of protocols. Lock it down, minimize access and block threats before they execute. Check, check and check. However, that once-reliable model is failing under the weight of speed and scale.
Identities are too numerous to fully govern, access paths are too complex to fully understand and attackers are moving too quickly to track manually. Most importantly for this discussion, AI is amplifying all of it. It’s increasing the volume of attacks, accelerating execution and refining targeting. What used to take weeks now happens in minutes.
Teams won’t be able to keep up by hiring more analysts or tightening more controls. Even people who are bad at math know those numbers won’t work. The model is changing.
Block First, Fix Later
A growing number of security leaders are embracing a different approach: act first, validate later. If something looks suspicious, shut it down. Disable the account, quarantine the asset and contain the blast radius immediately. If it turns out to be a false positive, restore access.
This was once an unthinkable security posture. Blocking the wrong user, even for just a few minutes, was seen as nothing short of unacceptable. Frankly, it was a reputation killer. However, this “mea culpa” model marks a necessary, fundamental shift in thinking. It prioritizes speed over certainty, accepts temporary disruption as the cost of protection and assumes that waiting for confirmation is riskier than acting early.
Because everything is interconnected, there’s no safe perimeter. There’s no “low-risk” access. Every identity has the potential to touch something critical, so you can’t wait until the thieves reach the crown jewels. You have to assume they’re already there and you’re right behind them.
Autonomous Detection And Response Is No Longer Optional
This is where the conversation shifts from AI as a tool to AI as a requirement. We already said attackers are using AI to scale their efforts. Defenders need the same level of speed and autonomy to respond. That means moving toward an autonomous detection and response model that can:
● Continuously monitor behavior across all identities.
● Identify anomalies in real time, not weeks later.
● Trigger immediate containment actions without human delay.
● Provide visibility and traceability so teams can validate and adjust.
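As an added illustration that is not part of the original article, the following Python sketch implements the act-first, validate-later loop the preceding sections describe: it scores constructed identity events against a few behavioral rules (a help-desk MFA reset followed by a login from a country never seen for that identity, and a download burst well above the identity's baseline), disables the identity the moment the score crosses a threshold, and records every disable and restore in an audit trail so an analyst can validate the decision and reverse a false positive. The event schema, rule weights, the 60-point threshold, the baselines and the sample events are all assumptions made for the example, not the author's or any vendor's implementation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    """One identity event. The schema is an assumption for this example."""
    ts: datetime
    identity: str
    kind: str             # "login" | "mfa_reset" | "download"
    country: str = ""     # set on login events
    size: int = 0         # bytes, set on download events
    channel: str = ""     # set on mfa_reset events, e.g. "helpdesk"


@dataclass
class AuditEntry:
    """Every automated action is logged so it can be validated and reversed."""
    identity: str
    action: str           # "disable" | "restore"
    at: datetime
    reasons: List[str] = field(default_factory=list)
    outcome: str = ""     # filled on restore: "false_positive" or "confirmed"


class IdentityResponder:
    """Scores each event against simple behavioral rules and contains the
    identity as soon as the score crosses a threshold (act first). The audit
    trail lets an analyst validate the call and restore access (fix later)."""

    def __init__(self, disable_at: int = 60, baseline: Optional[Dict[str, int]] = None):
        self.disable_at = disable_at
        self.baseline = baseline or {}            # typical 10-minute download volume
        self.known_countries: Dict[str, Set[str]] = {}
        self.history: Dict[str, List[Event]] = {}
        self.disabled: Set[str] = set()
        self.audit: List[AuditEntry] = []

    def _recent(self, ident: str, now: datetime, minutes: int, kind: str) -> List[Event]:
        return [e for e in self.history.get(ident, [])
                if e.kind == kind and now - e.ts <= timedelta(minutes=minutes)]

    def observe(self, ev: Event) -> int:
        """Record the event, score it, contain on threshold; returns the score."""
        self.history.setdefault(ev.identity, []).append(ev)
        score, reasons = 0, []
        if ev.kind == "login":
            seen = self.known_countries.setdefault(ev.identity, set())
            if seen and ev.country not in seen:
                score += 30
                reasons.append(f"login from never-seen country {ev.country}")
                # Assumed weight: a help-desk MFA reset shortly before an
                # unfamiliar login is the pattern the article describes.
                if any(e.channel == "helpdesk"
                       for e in self._recent(ev.identity, ev.ts, 60, "mfa_reset")):
                    score += 40
                    reasons.append("help-desk MFA reset within the previous hour")
            seen.add(ev.country)
        elif ev.kind == "download":
            total = sum(e.size for e in self._recent(ev.identity, ev.ts, 10, "download"))
            base = self.baseline.get(ev.identity, 50_000_000)   # assumed default
            if total > 5 * base:
                score += 70
                reasons.append(f"{total} bytes in 10 min vs baseline {base}")
        if score >= self.disable_at and ev.identity not in self.disabled:
            self.disabled.add(ev.identity)                      # contain immediately
            self.audit.append(AuditEntry(ev.identity, "disable", ev.ts, reasons))
        return score

    def restore(self, ident: str, at: datetime, outcome: str) -> None:
        """Analyst judgment layer: reverse containment and record the verdict."""
        self.disabled.discard(ident)
        self.audit.append(AuditEntry(ident, "restore", at, outcome=outcome))


# Constructed sample events (not real telemetry).
T0 = datetime(2025, 1, 6, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "login", country="US"),
    Event(T0 + timedelta(hours=1), "alice", "download", size=20_000_000),
    Event(T0 + timedelta(hours=2), "alice", "mfa_reset", channel="helpdesk"),
    Event(T0 + timedelta(hours=2, minutes=20), "alice", "login", country="RO"),
    Event(T0, "bob", "login", country="US"),
    Event(T0 + timedelta(minutes=5), "bob", "download", size=200_000_000),
    Event(T0 + timedelta(minutes=7), "bob", "download", size=150_000_000),
    Event(T0, "carol", "login", country="US"),
    Event(T0 + timedelta(minutes=30), "carol", "download", size=30_000_000),
]


def run(events: List[Event] = SAMPLE_EVENTS) -> IdentityResponder:
    """Replay events in time order through the responder and return it."""
    responder = IdentityResponder(baseline={"alice": 50_000_000, "bob": 50_000_000})
    for ev in sorted(events, key=lambda e: e.ts):
        responder.observe(ev)
    return responder


if __name__ == "__main__":
    r = run()
    for entry in r.audit:
        print(entry.at.isoformat(), entry.identity, entry.action, "; ".join(entry.reasons))
    r.restore("bob", T0 + timedelta(minutes=45), "false_positive")  # analyst reverses
    print("still disabled:", sorted(r.disabled))
```

On the sample data, bob is disabled after his second download pushes the 10-minute total past five times his baseline, alice is disabled when a help-desk MFA reset is followed by a login from a country she has never used, and carol is never touched. The point of the `audit` list is the "fix later" half: an analyst can see exactly which events tripped the rule, and `restore` records the verdict alongside the original action, which is the data a team needs to recalibrate weights and thresholds over time.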
However, it’s easy to forget that humans set the policy and systems execute it at speed. We can’t get rid of human-in-the-loop responsibilities; we need to change their role. Analysts must become the judgment layer, responsible for reviewing AI decisions and outcomes, calibrating models and automation policies, investigating high-consequence edge cases and challenging assumptions when context matters.
This is a fundamentally different role than traditional SOC triage, yet most teams haven’t been hired, trained or measured for it. The CISO’s job is to get ahead of that gap through:
● Deliberate role redesign.
● Metrics that reward oversight quality rather than ticket volume.
● Training focused on judgment, validation and escalation.
● A culture that treats healthy AI skepticism as a strength.
The leaders who get this right will build smaller, sharper teams operating at a scale no fully manual SOC can match.
Identity Is An Attack Surface Now
Identity can no longer be trusted as a signal of intent. It’s too easy to obtain, too easy to manipulate and too deeply embedded across systems. In an autonomous AI world, behavior is the only signal that holds.
Organizations that continue to rely on static identity controls are already predictable targets. Those that shift to continuous detection and rapid response at least have a chance to keep up. We can’t stop every attack, but we can see it faster, act sooner and limit how far it can go.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
