The Identity Attack Nobody Sees Coming: Lateral Movement via NHI
The lateral movement techniques security teams have playbooks for assume that a human is at the keyboard. Most attackers have moved on from that playbook.
June 4, 2026

When the industry talks about identity-based attacks, the conversation usually centers on compromised credentials: a phished employee, a reused password, an MFA bypass. The threat model is a human attacker authenticating as a human user.
Detection logic, investigation workflows, and response playbooks are all built around that assumption.
The Assumption That's Getting Exploited
That assumption is wrong. Attackers who gain initial access through a compromised account don't stop at the inbox. They move laterally, and the path runs through non-human identities.
Service accounts have broad resource access. API tokens persist long after the sessions that created them. OAuth grants connect applications in ways nobody fully mapped at provisioning. An attacker who understands that graph can move through an environment without triggering detection logic built for humans — because service accounts behaving unusually don't look like humans behaving unusually.
Most tooling doesn't have an opinion on the difference.
What Makes This Hard to Catch
The gap isn't visibility. Most organizations can see that a service account authenticated. What they can't see is whether that authentication was normal for that account.
Lateral movement via NHI works because defenders lack the behavioral baseline to distinguish expected from anomalous. A service account accessing systems it has never touched, at hours it has never operated, from infrastructure it has never used — that's a signal. But only if you know what normal looked like before the breach.
The industry's response has been to harden NHI configurations and reduce excess permissions. Necessary. But it doesn't address the runtime problem. An attacker with access to a service account that has appropriate permissions is invisible to a posture-only approach.
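The baseline comparison described above, as an added example (not Abnormal's code or detection logic): it learns, per service account, which resources, hours and source networks appeared in a pre-incident window, then flags authentications that are new on several of those dimensions at once. The account names, the event tuple layout and the two-dimension threshold are assumptions, and the log events are constructed.

```python
from collections import defaultdict
from datetime import datetime

def build_baseline(events):
    """Record, per account, the resources, hours and source networks seen pre-incident."""
    base = defaultdict(lambda: {"resource": set(), "hour": set(), "source": set()})
    for ts, account, resource, source in events:
        profile = base[account]
        profile["resource"].add(resource)
        profile["hour"].add(datetime.fromisoformat(ts).hour)
        profile["source"].add(source)
    return dict(base)

def deviations(baseline, event):
    """Return the dimensions on which one authentication departs from the account's history."""
    ts, account, resource, source = event
    profile = baseline.get(account)
    if profile is None:
        return ["no-baseline"]  # unknown NHI: cannot be judged normal, so surface it
    observed = {"resource": resource, "hour": datetime.fromisoformat(ts).hour, "source": source}
    return [dim for dim, value in observed.items() if value not in profile[dim]]

def detect(baseline, events, min_deviations=2):
    """Flag events new on at least min_deviations dimensions, or with no baseline at all."""
    alerts = []
    for event in events:
        found = deviations(baseline, event)
        if "no-baseline" in found or len(found) >= min_deviations:
            alerts.append((event[1], event[2], found))
    return alerts

# Constructed sample data (not real logs): (timestamp, account, resource, source network)
HISTORY = [
    ("2026-05-01T02:00:00", "svc-backup", "db-prod", "10.0.1.0/24"),
    ("2026-05-02T02:05:00", "svc-backup", "db-prod", "10.0.1.0/24"),
    ("2026-05-02T03:10:00", "svc-backup", "s3-archive", "10.0.1.0/24"),
    ("2026-05-01T14:00:00", "svc-ci", "artifact-repo", "10.0.2.0/24"),
]
LIVE = [
    ("2026-06-03T02:01:00", "svc-backup", "db-prod", "10.0.1.0/24"),        # matches history
    ("2026-06-03T02:30:00", "svc-backup", "artifact-repo", "10.0.1.0/24"),  # one new dimension
    ("2026-06-03T15:40:00", "svc-backup", "hr-share", "203.0.113.7/32"),    # new on all three
    ("2026-06-03T09:00:00", "svc-new", "db-prod", "10.0.3.0/24"),           # never baselined
]

if __name__ == "__main__":
    for account, resource, reasons in detect(build_baseline(HISTORY), LIVE):
        print(account, resource, reasons)
```

All four sample events are successful authentications by accounts that could hold appropriate permissions, so a posture review would pass each of them; only the comparison against history separates the last two from the first.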


