The identity crisis: Why digital identity is attackers' path of least resistance

Digital identity has become the crown jewel for cyberattackers—and for good reason. In RSM's 2026 Attack Vectors Report, which analyzed more than 650 offensive security engagements conducted throughout 2025, identity-related weaknesses provided successful access in more than 80% of cases.

Even more concerning, these attacks succeeded in mature enterprise environments that had invested significantly in zero-trust initiatives and multifactor authentication (MFA). The message is clear: Digital identity isn't just another attack vector—it's become the attack vector.

The scope of the problem

The numbers from our 2025 testing paint a stark picture:

• 2,047 total vulnerabilities: Roughly one-third were rated high or critical severity, directly enabling privileged access or data theft.
• Primary targets: Active Directory security, excessive privileges and insufficient authentication were the most common vulnerabilities.
• The outcome: These weaknesses provided a repeatable path from initial access to high-impact control of enterprise systems, including domain compromise.

The identity security gap: Vulnerable vs. resilient organizations

Based on our 2025 testing, here's what separates organizations that were compromised in hours from those that successfully contained or prevented identity-based attacks:

The MFA illusion

Our teams identified practical bypasses in nearly 75% of organizations using MFA. MFA is not ineffective, but implementation gaps are creating a false sense of security. Common bypass techniques observed include:

RSM's offensive security team documented a financial services case where a browser-in-the-browser (BitB) attack captured credentials from 35% of targeted users. By combining this attack with a voice phishing (vishing) call to the help desk, our team achieved full access within just four hours.

The AD CS vulnerability cascade

If a single technology vulnerability defined 2025 for our offensive teams, it was Active Directory Certificate Services (AD CS). Our analysis found misconfigurations in 42% of tested environments.

Misconfigurations (specifically, domain escalation scenarios ESC1, ESC4, ESC8 and ESC11) enabled certificate forgery and stealthy persistence. Because certificate-based abuse blends into legitimate authentication activity, it consistently bypassed many conventional detection tools. As noted in the Attack Vectors Report, "in multiple engagements, testers achieved lateral movement and domain dominance within hours, even in environments with mature monitoring."

The vishing and AI revolution

As email security strengthens, attackers have pivoted to voice-based attacks. Our offensive security engagement team documented a sharp increase in vishing efficiency in late 2025 and early 2026. This rise is due to several factors, including:

The RSM report warned, "Many security programs still assume they have hours or days to identify, investigate, contain and remove an active threat. In practice, AI-enabled offensive techniques are rapidly shrinking that window toward hours or minutes."

Privilege sprawl: The force multiplier

Privilege sprawl amplifies the impact of every identity compromise. Our testing identified several consistent patterns:

• Excessive permissions: Compromising a standard employee account often provided access to sensitive systems far beyond that employee’s role.
• Shared credentials: Common local admin passwords enabled unrestricted lateral movement.
• Flat architectures: In 83% of cases, inadequate segmentation allowed a single-system compromise to escalate into enterprise-wide access.

Our cloud-focused assessments found that "in 71% of assessments, users and service accounts had broad permissions with wild-card actions that enabled privilege escalation, resource manipulation or data exfiltration."

The uncomfortable truth: Zero trust failed (or did it?)

Here's a statement that will make some security leaders uncomfortable: Organizations that proudly announced "zero-trust implementation" in 2023−24 still suffered identity-based compromise in over 80% of our 2025 offensive security engagements.

But before we declare zero trust dead, we need to acknowledge the real problem: Most organizations implemented zero-trust architecture without zero-trust identity.

They bought the software-defined perimeter. They implemented microsegmentation. They deployed endpoint verification. They configured conditional access policies. But they left the front door wide open by:

• Allowing MFA bypass through legacy protocols
• Never auditing AD CS configurations that enable certificate forgery
• Operating critical systems with service accounts using five-year-old static passwords
• Training help desk staff to reset MFA based on a convincing phone call
• Deploying “zero trust” while 70% of users still use push notification MFA that can be fatigued

The result? Attackers stopped trying to break through the sophisticated network controls and started walking through the identity layer with valid credentials. Microsegmentation means nothing when the attacker has legitimate credentials for the target system.

The uncomfortable truth isn't that zero trust failed—it's that organizations' efforts were incomplete. They implemented 30% of the zero-trust framework and wondered why they didn't get 100% of the benefit.

What actually works: Recommendations from the report

Based on what successfully stopped our teams during 2025 testing, RSM recommends:

Looking ahead: 2026 identity security predictions

Based on attack trends observed in our 2025 testing and conversations with security leaders across industries, here's what we expect in 2026:

What you can do this week: Identity security quick wins

Feeling overwhelmed? Start here. These five actions require minimal investment but can provide immediate visibility into your identity security posture:

Day 1: Run an AD CS configuration scan

If you have AD CS deployed, use free tools like Certify or PSPKIAudit to scan for common misconfigurations (ESC1, ESC4, ESC8, ESC11). This 30-minute scan can reveal critical vulnerabilities that enable certificate forgery and privilege escalation.

Time investment: 30 minutes | Potential impact: Identify critical vulnerabilities present in 42% of environments in our report.

Day 2: Audit service accounts for password age

Query Active Directory for all service accounts and sort by password last-changed date. Any service account with a password older than 90 days (or worse, set to never expire) represents a persistent risk for attacks.

Time investment: 15 minutes | Potential impact: Identify stale credentials, used in 73% of the Kerberoasting attacks in our study.

Day 3: Review help desk MFA reset procedures

Pull the last 30 days of MFA resets and password changes executed by your help desk. Look for patterns: Are resets happening outside business hours? Are the same users repeatedly resetting MFA? Are verification steps documented?

Time investment: 45 minutes | Potential impact: Close the gap exploited in device code phishing and vishing attacks.

Day 4: Scan your top five repositories for hardcoded credentials

Use tools like TruffleHog or GitHub's built-in secret scanning to check your most active code repositories for exposed credentials, application programming interface (API) keys and access tokens.

Time investment: 1 hour | Potential impact: Find credentials in Lambda, IaC and scripts, as we did in 71% of our cloud assessments.

Day 5: Enable and review conditional access policies

If you're using Microsoft 365 or Azure AD, review your conditional access policies. Are legacy authentication protocols blocked? Is MFA enforced for all admin access? Are sign-ins from unusual locations flagged?

Time investment: 1 hour | Potential impact: Close legacy protocol bypass used in 75% of the MFA evasions identified in our testing.

Read the complete 2026 RSM Attack Vectors Report for detailed findings and analysis on application security, cloud and API security, architecture and network segmentation, and user awareness.