Understanding Identity Security: Mid-Year Threat Lessons

Enterprise identity and access management teams are facing more pressure than ever before.

Identity has become one of the most active and fast-changing threat vectors in cybersecurity. So far, in 2025, the signals are clear: attackers are targeting identity systems with more precision, more automation, and fewer warning signs.

Generative AI is accelerating impersonation and social engineering. Single sign-on (SSO) is unintentionally enabling lateral movement. Multi-factor authentication (MFA) is being actively bypassed. Synthetic media are undermining traditional verification techniques. And identity data itself is becoming a critical signal in detection and response. These patterns, drawn from the latest threat intelligence, reveal not isolated issues but a deeper shift in how access is attacked and abused.

AI Speeds Up Identity Exploitation

Experts from the SANS Institute have long emphasized generative AI’s accelerating effect on social engineering and reconnaissance operations. Threat actors use AI-generated deepfake audio and video to impersonate trusted users, often in real time during voice phishing (vishing) campaigns. Previously seen as experimental, these synthetic media tools are now being operationalized by ransomware groups and criminal syndicates.

Bots, enhanced by machine learning models, are now more likely than humans to solve CAPTCHA challenges. This erodes a longstanding defense for verifying user legitimacy, particularly in online environments where physical presence cannot be used as a trust signal.

“We are seeing a shift in how AI is being used to accelerate the exploitation timeline, leaving organizations scrambling to identify issues, roll out patches, and perform necessary remediations.”

SANS 2024 Top Attacks and Threats Report

SSO as a Focal Point for Attackers

Credential compromise remains a consistent and well-documented threat. Data from the Verizon 2025 Data Breach Investigations Report shows that 88% of web application breaches involved stolen credentials, underscoring how damaging a compromised credential can be. However, the integration of SSO systems has elevated the impact of a single compromised credential.

Once an attacker gains SSO access—especially to an organization without zero-trust policies in place—they can leverage that authentication to move laterally across federated applications, including email, document repositories, SaaS platforms, and administrative portals, without needing to break through additional access controls.

MFA Bypass: A Growing Concern

MFA, long promoted as a key identity safeguard, is now being actively destabilized. According to Verizon, attackers are increasingly using tactics such as:

  • Token theft: Capturing session tokens from browsers or devices to impersonate users
  • Prompt bombing: Overwhelming users with push notifications to elicit accidental approval
  • Adversary-in-the-middle (AiTM) attacks: Intercepting MFA credentials through phishing proxies

These methods allow threat actors to circumvent MFA protections, even when they are technically implemented correctly. As a result of the documented rise in such bypass techniques, many organizations are now exploring continuous identity validation and behavior-based authentication, challenging the longstanding reliance on one-time MFA checkpoints.

Deepfake Impersonation and Verification Limitations

The SANS report describes scenarios where attackers used generative AI to produce realistic voice impersonations of employees, enabling fraudulent calls to help desks to initiate password resets.

The sophistication of synthetic impersonation now extends beyond visual deepfakes to convincing audio and even real-time avatar simulations. Verification systems that rely on caller voice recognition, informal knowledge checks, or visual matching are proving inadequate in these conditions. Organizations are beginning to evaluate biometric liveness detection and behavioral modeling as alternatives, but broad deployment remains limited.

Organizational Response: Hardening Beyond the Perimeter

Security experts from SANS point to a growing trend: organizations are starting to connect identity-related data like suspicious logins, failed MFA attempts, or unusual SSO activity with their existing detection tools to uncover identity-related attacks. Extended detection and response (XDR) platforms help bring this information together with data from devices, networks, and cloud apps. By combining these signals, security teams can catch threats earlier and respond more quickly when something looks wrong.
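The correlation described above can be illustrated on a normalized identity-provider audit log. The following added example (not code from the report or from any product named here) runs two of the signals mentioned in this post over a constructed log: a burst of MFA push challenges followed by an approval (the prompt-bombing pattern from the MFA section) and an SSO session token presented from an IP other than the one it was issued to (a signal consistent with token theft). The event names, field layout and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): an IdP-style audit log
# normalized to (timestamp, user, event, source_ip, session_id).
EVENTS = [
    ("2025-06-01T09:00:00", "alice", "mfa_push_sent", "198.51.100.7", None),
    ("2025-06-01T09:00:20", "alice", "mfa_push_sent", "198.51.100.7", None),
    ("2025-06-01T09:00:40", "alice", "mfa_push_sent", "198.51.100.7", None),
    ("2025-06-01T09:01:00", "alice", "mfa_push_sent", "198.51.100.7", None),
    ("2025-06-01T09:01:30", "alice", "mfa_push_approved", "198.51.100.7", "s1"),
    ("2025-06-01T09:02:00", "alice", "sso_app_access", "198.51.100.7", "s1"),
    ("2025-06-01T09:05:00", "alice", "sso_app_access", "203.0.113.9", "s1"),
    ("2025-06-01T10:00:00", "bob", "mfa_push_sent", "192.0.2.4", None),
    ("2025-06-01T10:00:15", "bob", "mfa_push_approved", "192.0.2.4", "s2"),
    ("2025-06-01T10:01:00", "bob", "sso_app_access", "192.0.2.4", "s2"),
]


def detect_prompt_bombing(events, threshold=3, window=timedelta(minutes=5)):
    """Flag an approval that follows >= threshold pushes within `window`.
    Returns (user, approval_timestamp, pushes_in_window) tuples."""
    pushes = defaultdict(list)
    hits = []
    for ts, user, event, _ip, _sess in events:
        t = datetime.fromisoformat(ts)
        if event == "mfa_push_sent":
            pushes[user].append(t)
        elif event == "mfa_push_approved":
            recent = [p for p in pushes[user] if t - p <= window]
            if len(recent) >= threshold:
                hits.append((user, ts, len(recent)))
    return hits


def detect_session_ip_change(events):
    """Flag a session token used from an IP other than the one that
    first presented it. Returns (user, session, first_ip, new_ip, ts)."""
    origin = {}
    hits = []
    for ts, user, _event, ip, sess in events:
        if sess is None:
            continue
        if sess not in origin:
            origin[sess] = ip  # remember where the session was established
        elif ip != origin[sess]:
            hits.append((user, sess, origin[sess], ip, ts))
    return hits
```

The IP-change rule alone is noisy for users on mobile or VPN egress, so in practice it is combined with device and user-agent fingerprints before it raises an alert.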

Managed detection and response (MDR) platforms are also increasingly tailored for identity-driven threats. The SANS report notes that some MDR providers now leverage AI engines to automate triage and investigation across identity-centric data sets and even find that many threats can be stopped before escalation by combining identity, endpoint, and behavioral telemetry.

This shift marks a move away from isolated identity and access management toward identity-informed threat detection. It reflects a growing understanding that authentication alone is no longer sufficient. Continuous monitoring of identity activity is essential.

“With innovation comes the need to evaluate our current practices, look for ways to improve our processes, and share our success and failures with the community.”

SANS 2024 Top Attacks and Threats Report

Looking Ahead

As the second half of 2025 unfolds, the convergence of identity risks, AI capabilities, regulatory complexity, and operational fragility points to one clear priority: organizations must move beyond silos and commit to cohesive identity and access management strategies that enhance visibility, build resilience, and improve readiness for what comes next.