
How ‘Zombie’ Accounts and Non-human Identities Threaten Perimeters


When we last talked to you about the new network perimeter, we shared some reasons why zero trust is losing support—like the overfocus on network controls. Zero trust security models seem promising until organizations actually try to implement them.

Identity and access management (IAM) has promised a more intuitive and user-friendly way to implement zero trust, especially since IAM can adapt to an organization’s data security profile, operations, and IT processes. In short: Identity is still the new(ish) perimeter in 2025. But “identity” has come to have a much broader definition this year, in a way that’s sort of Halloween-ish. Call these identities zombies (i.e., unused or forgotten user accounts), the “undead,” or non-humans that steal your data.

Non-human Identities Are Multiplying

Identity and security tactics that focus on managing only human identities will miss an increasingly large number of potential attack vectors in the form of non-human identities (NHIs). NHIs include API keys, automated workflow agents, cookies, AI assistants, and misconfigured machine IDs. NHIs are often legitimate, and there are many of them. They’re estimated to outnumber human identities by a factor of 100 to 1 in the average enterprise, a ratio that will only become more lopsided over time.

Cybercriminals have identified NHIs as a promising attack vector. NHIs are easy to miss because they often exist at code level. They may lack clear ownership. Developers might assign credentials to these entities liberally to help speed up the development process. And worst of all, they often aren’t lifecycle managed, meaning they persist long after they’ve been used. 

Compromised NHIs have played a role in some high-profile recent cases:

The solution to preventing such breaches can be stated simply: Manage every non-human credential, key, token, and identity with the same techniques, processes, and rigor applied to human identities. 
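As an added illustration (not code from Pure Storage or any product), the sketch below applies the same lifecycle checks to human and non-human identities alike, flagging the traits described above: no clear owner, liberal credentials, and persistence long after last use. The thresholds, scope names, field names, and inventory records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds and "too broad" scope names; tune to your environment.
MAX_IDLE = timedelta(days=90)
MAX_SECRET_AGE = timedelta(days=180)
BROAD_SCOPES = {"*", "admin", "owner"}

@dataclass
class Identity:
    name: str
    kind: str                          # "api_key", "service_account", "user", ...
    owner: Optional[str]               # accountable person or team, if any
    created: datetime
    last_used: Optional[datetime]      # None = never used
    last_rotated: Optional[datetime]   # None = secret never rotated
    scopes: frozenset

def audit(identities, now):
    """Return {name: [findings]} for identities that fail a lifecycle check."""
    report = {}
    for i in identities:
        findings = []
        if not i.owner:
            findings.append("no-owner")
        if now - (i.last_used or i.created) > MAX_IDLE:
            findings.append("zombie")        # persists long after last use
        if now - (i.last_rotated or i.created) > MAX_SECRET_AGE:
            findings.append("stale-secret")
        if i.scopes & BROAD_SCOPES:
            findings.append("broad-scope")   # liberally assigned credentials
        if findings:
            report[i.name] = findings
    return report

# Constructed sample inventory, dated relative to a fixed "now".
NOW = datetime(2025, 10, 31, tzinfo=timezone.utc)
def ago(days): return NOW - timedelta(days=days)

INVENTORY = [
    Identity("ci-deploy-key", "api_key", None, ago(700), ago(400), None, frozenset({"*"})),
    Identity("billing-sync", "service_account", "team-finance", ago(300), ago(1), ago(30), frozenset({"invoices:read"})),
    Identity("jdoe", "user", "jdoe", ago(900), ago(200), ago(100), frozenset({"repo:write"})),
    Identity("etl-agent", "workflow_agent", "team-data", ago(20), None, None, frozenset({"admin"})),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```

In practice the inventory would be exported from each identity provider, cloud account, and secrets store, since NHIs that live only in code never show up in the human directory.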

Why ‘Undead’ Identities Are a Threat

There’s also renewed focus on a branch of identity and access management that could be useful for managing the NHIs discussed above: the zero standing privilege model. The idea is that many ID security systems are well-designed to grant access but often less well-designed to terminate it. The most obvious example would be an employee who leaves or moves to a different part of the organization, potentially leaving behind months’ or years’ worth of credentials that, while no longer animated by use, go on existing (in limbo between life and death) nevertheless.

At least one startup based on this concept has made news recently for its take on “zero standing privilege.” Its technology is based on the continuous access evaluation protocol (CAEP), a widely used standard adopted by the OpenID Foundation and supported industry-wide. CAEP uses real-time contextual information continuously transmitted by users, such as location, applications in use, device in use, biometric keys, and even detailed behavioral patterns, to verify user or agent identity. The goal is dynamic authentication, supported by rich context, that can respond to changing parameters and workflows and be deployed anywhere in an organization.

Why Hackers Love Forgotten Identities

Also coming into focus in 2025 is just how evolved the cybercriminal ecosystem has become. We know about the threat of ransomware, data brokers who supply the data that’s used to set up scams, and hackers who go for low-hanging fruit—that is, the ones who steal data from poorly secured or vulnerable storage platforms or applications. 

But beneath these layers are players who use infostealer malware to steal data in use. This malware can be hidden in online ads, email attachments, messaging apps, social media messages, or malicious search results. Once surreptitiously activated, the infostealer malware will harvest screen grabs, field contents, clipboard text—anything a bad actor might be able to sell later—from the host device and its network traffic. If there are credentials hidden in the mass of stolen data, another player in the ecosystem will analyze the hoard and find credentials before passing them on to a data broker. Most infostealer malware is deployed en masse as part of opportunistic campaigns, but the malware could also be targeted at specific companies or even individuals.

These are just the latest data points showing that definable IT perimeters continue to dissolve, which means identities of all kinds need to be lifecycle managed. To guard against threats from an increasingly sophisticated criminal economy, IAM must become even more nuanced in how it sees identity to repel criminals and adapt to a wide variety of use cases.  

Learn more about the new Pure Storage Identity and Access Management Portal in Pure1.