For years, primarily driven by regulatory compliance mandates, such as the Sarbanes-Oxley Act of 2002, identity and access management has been treated as a regulatory compliance exercise, rather than the security exercise it should be — and simply checking off compliance requirements leaves many organizations with a dangerous and false sense of security. This is the central warning from the State of Attack Path Management report from SpecterOps, released today.
Organizations today consist of a complex web of identities, and their associated privileges can efficiently serve as a pathway for attackers, just as they do for legitimate users. Today’s report lays out how threat actors exploit the hidden relationships between accounts, services, and privilege assignments to achieve compromise—even in organizations that believe themselves to be well-defended.
Jared Atkinson, chief technology officer at SpecterOps, explains how attackers use identity attack pathways that consist of seemingly minor permissions and group memberships that can be chained together to enable an attacker to move laterally or escalate their access within organizations clandestinely.
According to Atkinson, defenders are often blind to these chains that look disconnected and harmless but pose real risk for enabling unauthorized entry that can lead to data breaches, ransomware attacks, and disruption.
The scale of the challenge is daunting, and the increasing number of machine-based identities means it’s only going to grow more challenging in the years ahead. According to SpecterOps’ report, there are currently 20 non-human identities—service accounts, applications, automation tools, and AI agents—for every human user in an environment. As the pool of identities swells, the potential attack paths between them also grow.
Atkinson explains that even diligent adherence to least privilege principles is not enough, as overlapping roles, legacy permissions, and rushed cloud migrations routinely produce “shadow entitlements,” unexpected privilege overlaps that appear compliant on paper but enable attacks in practice.
During customer engagements, SpecterOps has encountered many ways threat actors creatively exploit identity-based attack paths. In one example, a standard user account in Active Directory was used to abuse a misconfigured certificate template to impersonate higher-privilege accounts, escalated via Microsoft System Center Configuration Management administration rights, and ultimately hijacked a cloud SaaS session, bypassing multi-factor authentication by stealing session tokens from a legitimate user’s browser. All of this was achieved without relying on any software vulnerabilities to conduct the attack.
In another scenario, the compromise of Okta session cookies on a MacBook allowed attackers to pivot to sensitive systems, evade additional authentication prompts using trusted session artifacts, and eventually assume privileged roles in both GitHub and AWS, enabled by overly broad OpenID Connect configurations.
And in yet another incident, an attacker moved from a single, unprivileged Windows account to complete domain and AWS root compromise by chaining New Technology LAN Manager (NTLM) relay, shadow credential abuse, and a weak third-party service integration (OneLogin AD Connect), relying primarily on architectural weaknesses and poor secrets management rather than novel exploits.
This SpecterOps analysis points to a systemic industry gap: detection methods and tools remain focused on static credentials, while attackers increasingly target “identities in transit”—active sessions, tokens, and browser cookies representing authenticated access. Once an attacker compromises an endpoint where a privileged user is active, session theft or replay tactics can let them inherit access invisibly, rendering most pre-authentication controls irrelevant.
Efforts to reinforce existing models—through more granular entitlement reviews, privileged access management systems, or endpoint detection—usually fall short because they cannot visualize, analyze, or block the assembled chains of privilege attackers rely on, Atkinson explains. Even among mature, security-conscious organizations, continuous red team operations still find overlooked attack paths that would allow an adversary with modest initial access to escalate to the highest privilege levels, he adds.
This is why, according to Atkinson, successfully managing identity risk requires a shift to continuous “attack path management.” This involves adopting adversary-like models to map not just static permissions, but all possible privilege chains; enriching detections with the context of the full environment, rather than isolating single technical “alerts”; and implementing proactive operational practices for identifying, owning, and remediating the structural risks that enable privilege escalation.
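The graph model behind attack path management, as an added illustration that is not from the report or from BloodHound itself: principals and hosts are nodes, BloodHound-style relationships (MemberOf, GenericAll, AdminTo, HasSession, CanRDP) are edges, and the defender enumerates every privilege chain from a low-privileged user to a high-value group and then finds the edge shared by all of them, which is where a single remediation cuts the whole set. The identities and edges below are constructed sample data, not taken from any real environment.

```python
from collections import defaultdict, Counter

# Constructed sample identity graph (hypothetical names). Each tuple is
# (source, relationship, target); traversal follows the arrow direction.
EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("HelpDesk", "GenericAll", "svc_sccm"),   # full control over a service account
    ("svc_sccm", "AdminTo", "SCCM01"),        # local admin on a management server
    ("SCCM01", "HasSession", "bob"),          # privileged user logged on there
    ("bob", "MemberOf", "Domain Admins"),
    ("alice", "MemberOf", "Developers"),
    ("Developers", "CanRDP", "DEV01"),
    ("DEV01", "HasSession", "bob"),           # same user exposed on a second host
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, next_node)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(graph, start, target, max_depth=8):
    """Enumerate simple paths from start to target as lists of edge tuples."""
    paths = []
    stack = [(start, {start}, [])]
    while stack:
        node, visited, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        if len(path) >= max_depth:
            continue  # bound the search so large graphs stay tractable
        for rel, nxt in graph.get(node, []):
            if nxt not in visited:
                stack.append((nxt, visited | {nxt}, path + [(node, rel, nxt)]))
    return paths


def choke_points(paths):
    """Edges that appear on every path: removing one severs all of them."""
    if not paths:
        return []
    counts = Counter(edge for path in paths for edge in path)
    return [edge for edge, n in counts.items() if n == len(paths)]


if __name__ == "__main__":
    found = find_paths(build_graph(EDGES), "alice", "Domain Admins")
    for p in found:
        print(" -> ".join(f"{s} [{r}]" for s, r, _ in p) + " -> Domain Admins")
    print("choke points:", choke_points(found))
```

Two independent-looking routes (help desk rights over a service account, and RDP to a developer box) converge on the same privileged session, so the choke-point edge, not either starting permission, is the structural risk to own and remediate.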
Today, SpecterOps announced BloodHound v8.0, the latest update to its flagship open-source Attack Path Management security platform, featuring the “BloodHound OpenGraph” capability. SpecterOps’s BloodHound and its open-source community help to automate the mapping of attack paths, expanding to cover hybrid on-premises and cloud complexities, and increasingly integrating machine learning to handle the scale.
This enables the platform to expose attack paths across an organization’s technology stack by ingesting data from disparate systems, including GitHub, Snowflake, and Microsoft SQL Server, allowing security teams to create custom threat models for their specific environments. The release represents a shift from focusing primarily on Microsoft Active Directory and Entra ID to comprehensive identity risk management across hybrid enterprise infrastructures, Atkinson says.
For boards, CISOs, and practitioners, the implication is clear: identity risk can no longer be treated as a compliance issue or a technical afterthought. “Our motto is: See your network through the eyes of the adversary. That’s because it’s great that organizations have these intentions about how they’re going to structure access. But reality is often very different than how we envision everything in our heads,” Atkinson says.