Industry has arrived at a precarious crossroads; identity, once viewed as a basic IT function, is now the linchpin of business resilience.
Identity has become both the first line of access and a consistent point of failure in the ever-evolving global cyber threat landscape. In response to this shift, many have invested in an array of sophisticated technologies—machine learning-based detection engines, user behaviour analytics platforms, security orchestration response platforms and SIEM tools capable of surfacing anomalies in user and data activity at scale. These tools are engineered to hunt the “unknown unknowns” and flag deviations or irregularities as potential indicators of compromise.
Yet, amidst all this innovation, we appear to have overlooked a truth we’ve always known: we've become preoccupied with detecting the breach, but not with hardening the data and digital identity layer that is consistently and predictably exploited in its wake.
The aftermath of a breach—zero day or otherwise—rarely surprises us: credentials are harvested, privileges are escalated, lateral movement begins, persistence is gained and ultimately, data (regulated, sensitive, or proprietary) is the endgame. The script rarely changes, yet our response to it remains fractured.
If we know that identity is both the vector and the victim, why hasn’t our security architecture (and our spending) evolved accordingly? Why do we continue to allocate disproportionately to edge control and anomaly detection, while under-investing in the resilience of the very systems that govern access, trust, and authentication?
How Did We Get Here?
The answer is simple: this started as businesses moved to the cloud. In less than a decade, enterprises adopted hybrid architectures, SaaS platforms, remote access, and AI-driven workflows. This expanded the identity surface exponentially. Every employee, contractor, service account, and API identity became a new gateway to business-critical data and functions.
At the same time, attackers evolved. There’s been a shift away from smash-and-grab ransomware and data exfiltration hits. Attackers now prefer long-haul campaigns designed to gain footholds that last years. Nation-state groups have quietly turned to malware-free persistence tactics: exploiting credentials, manipulating group policies, and blending into systems undetected. They use “living-off-the-land” techniques, exploiting the very tools and systems we use (and trust) daily to maintain the lifeblood of our business operations.
In many cases, the modern cyberattack contains no malware at all—just compromised identities and quiet, continuous control.
The Problem Isn’t Just Access, It’s Trust
When identity is compromised, so is trust across the enterprise. If you can't trust Active Directory or Entra ID, you can't trust your access controls, your audit logs, or even your backup infrastructure. We’ve seen cases where the identity layer is used to deactivate endpoint detection and response, manipulate backup retention, or access privileged data from siloed systems—all without triggering alarms.
The more dispersed and federated identity becomes—across cloud, SaaS, AI platforms, and traditional data centers—the harder it is to detect when something is wrong. Worse still, when a breach is detected, recovery becomes murky. Do you restore the whole identity forest? Which objects were changed? Were the anomalies part of legitimate business processes or covert escalation paths?
These are questions most business continuity and disaster recovery plans aren’t even asking, let alone prepared to answer.
We’ve Reached a Tipping Point
Let’s call this what it is: an identity crisis. Identity is now the primary attack surface, the key vector for lateral movement, and the main vehicle for persistence. Yet most organizations have no formal strategy for identity risk management and (more importantly) recovery/resilience.
Identity must now extend beyond SSO and MFA to include:
• Continuous visibility across identity silos, human and machine
• Historical intelligence to detect and trace malicious changes
• Recovery plans that don’t assume identity systems are clean
• AI governance that includes identity mapping and entitlements
• Proven ability to surgically restore only what was compromised
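As an added illustration (not code from the original article) of the "historical intelligence" and "surgical restore" points above, and of the recovery questions raised earlier (which objects changed, and were the changes legitimate?), the following Python diffs a last-known-good snapshot of identity objects against the current state, separates changes backed by an approved change record from unapproved ones, flags new privileged-group memberships, and lists only the objects that need restoring. All object names, attributes and the approval log are constructed; the attribute schema is illustrative, not that of any real directory.

```python
# Added example (not from the article): snapshot diff, triage and surgical
# restore plan. All object names, attributes and approvals are constructed.

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed last-known-good snapshot: object -> attributes.
BASELINE = {
    "alice":   {"enabled": True,  "groups": {"Finance"}},
    "svc-bak": {"enabled": True,  "groups": {"Backup Operators"}},
    "bob":     {"enabled": False, "groups": {"Helpdesk"}},
}
# Constructed current state: two approved changes, two covert escalations.
CURRENT = {
    "alice":   {"enabled": True,  "groups": {"Finance", "Domain Admins"}},
    "svc-bak": {"enabled": True,  "groups": {"Backup Operators", "Enterprise Admins"}},
    "bob":     {"enabled": True,  "groups": {"Helpdesk"}},
    "carol":   {"enabled": True,  "groups": {"Finance"}},
}
# Constructed change-ticket log: (object, attribute) pairs that were approved.
APPROVED = {("carol", "created"), ("bob", "enabled")}

def diff_identity_state(baseline, current):
    """Return (object, attribute, old, new) for every difference."""
    changes = []
    for obj in sorted(set(baseline) | set(current)):
        old, new = baseline.get(obj), current.get(obj)
        if old is None or new is None:  # object created or deleted outright
            changes.append((obj, "created" if old is None else "deleted", old, new))
            continue
        for attr in sorted(set(old) | set(new)):
            if old.get(attr) != new.get(attr):
                changes.append((obj, attr, old.get(attr), new.get(attr)))
    return changes

def triage(changes, approved):
    """Unapproved changes are suspicious; a newly gained privileged group
    membership is additionally flagged as an escalation (third field)."""
    authorized, suspicious = [], []
    for obj, attr, old, new in changes:
        if (obj, attr) in approved:
            authorized.append((obj, attr))
            continue
        gained = set(new or ()) - set(old or ()) if attr == "groups" else set()
        suspicious.append((obj, attr, bool(gained & PRIVILEGED_GROUPS)))
    return authorized, suspicious

def restore_plan(baseline, suspicious):
    """Surgical restore: revert only objects with suspicious changes to their
    baseline attributes; approved and untouched objects stay as they are."""
    return {obj: baseline[obj] for obj, _, _ in suspicious if obj in baseline}
```

Objects that were created without approval do not appear in the baseline and so are not in the restore plan; in practice they would be queued for deletion rather than reverted.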
Critically, we must ensure that identity resilience is a core component of our cyber recovery strategy, on equal footing with backup, disaster recovery, and incident response.
A Call to the Boardroom
The identity crisis is urgent. When identity fails, the business fails. Potentially, it can fail permanently. So identity must be on the agenda at the highest level of the enterprise. To have constructive Board-level conversations, you must be ready to face some hard questions:
• If our identity platform were compromised today, how fast could we recover it, safely and surgically?
• Can we prove to regulators and customers that our identity state is clean post-incident?
• Are AI platforms, privileged accounts, and cloud services covered in our identity strategy, or are they exposed?
The uncomfortable truth is that many organizations don’t have the answers to these questions. Attackers are betting on exactly that.
The Path Forward: Identity Recovery Is Business Recovery
We need to recognize that identity is the foundation of digital business. Identity doesn’t just control access; it governs every transaction, every application, and every service. It’s embedded in how we manage finances, handle customers, authorize trades, approve medical decisions, or initiate supply chain operations. It is the digital heartbeat of modern business.
So, what happens when this heartbeat is compromised?
Business continuity doesn't begin when the network is back online or the data is decrypted after a ransomware event. It begins when trust in identity is restored. But you may not be able to confirm who is who. Privileges may have been altered. Authentication flows could be broken or manipulated. If you can’t trust these functions of identity, then nothing downstream can be trusted or resumed. The recovery clock doesn’t start at detection; it starts at validated restoration of identity infrastructure.
But most organizations are not prepared for this reality.
We often talk about recovery times for databases, VMs, and applications. But how long would it take your organization to safely, surgically, and verifiably recover its identity fabric? Once everything is back online, could you trust that it’s clean?
Without a strategy for identity resilience, every other layer of your recovery architecture is a castle built on shifting sand. It’s why nation-state actors and advanced threat groups are increasingly going after identity—not just to cause harm, but to neutralize the ability to recover quickly. Attackers know that once identity is gone, the road back is long, chaotic, and uncertain. This gives your opponents greater leverage in their extortion, ransom and attack operations.
Let’s be clear: identity is no longer confined to security strategy. Identity is now core to operational sovereignty and an organization’s ability to reassert control when it matters most—to restart the business, restore services, and meet regulatory expectations with confidence.
Your identity infrastructure will be attacked. Will you be ready to bring it back safely, completely, and without doubts? This is why identity resilience must move from an afterthought to a pillar at the forefront of your continuity strategy.