Identity is now the primary attack surface. The IBM X-Force 2026 Threat Intelligence Index found that 40% of incidents now begin with vulnerability exploitation, infostealer malware exposed over 300,000 AI platform credentials on dark web markets, and AI-powered cyberattacks increased 47% globally in 2025. The perimeter is gone. The new front line is identity — and both defenders and attackers are deploying AI to fight over it.
The Problem with Traditional Identity Monitoring
Legacy IAM systems authenticate at login and then trust the session. A user enters a password, passes an MFA prompt, and gets eight hours of unmonitored access. For an attacker who has already stolen valid credentials, that window is more than enough.
Traditional alerting compounds the problem. Threshold-based rules — flag if more than five failed logins, alert if a login comes from a new country — generate enormous volumes of low-quality noise while missing sophisticated attacks that stay deliberately below trigger thresholds. Security teams spend their time chasing false positives, not real threats.
What AI-Driven ITDR Changes
Identity Threat Detection and Response (ITDR) has matured into a distinct security discipline in the past two years. Rather than waiting for a threshold breach, AI-powered ITDR platforms build continuous behavioural baselines for every user and identity — what hours they work, what systems they typically access, what volumes of data they move, where they log in from, what devices they use.
Deviations from that baseline, not just threshold breaches, trigger investigation. The result: organisations using AI-driven behavioural analytics are reducing mean time to detect identity-based threats by up to 80%.
The key capabilities that matter:
- Continuous session monitoring — Authentication is not a one-time event. ITDR monitors throughout the active session and can terminate it or step up authentication requirements mid-session if anomalies appear. Okta's Identity Threat Protection does exactly this.
- Adaptive authentication — Instead of blanket MFA on every login, context-aware systems assess device posture, location, time of access, and behavioural signals in real time. Low-risk sessions get through with minimal friction; anomalous ones get challenged.
- Privileged account surveillance — AI monitors lateral movement, privilege escalation, Golden Ticket attacks, and DCSync — the techniques attackers use once they're inside. CrowdStrike Falcon Identity Threat Protection and SentinelOne Singularity Identity both cover this layer.
- Automated response — Detection without response just creates a longer audit log. Modern ITDR platforms integrate with SIEM/SOAR to trigger playbooks: isolate the session, disable the account, page the analyst, contain the blast radius automatically.
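As an added example (not code from the original post or from any vendor named above), here is a minimal per-identity behavioural baseline with a session risk score that maps to the allow / step-up / terminate decision described under continuous session monitoring and adaptive authentication. The event schema, weights and thresholds are assumptions.

```python
# Added example, not from the original post: a minimal per-identity behavioural
# baseline of the kind ITDR platforms maintain, scoring a mid-session event and
# mapping the score to allow / step-up / terminate. HISTORY is a constructed
# 30-day login history; field names, weights and thresholds are assumptions.
from collections import Counter, defaultdict
from datetime import datetime

HISTORY = [
    {"user": "alice", "ts": "2026-03-02T09:10:00", "country": "GB", "device": "lt-042"},
    {"user": "alice", "ts": "2026-03-03T08:55:00", "country": "GB", "device": "lt-042"},
    {"user": "alice", "ts": "2026-03-04T17:40:00", "country": "GB", "device": "mob-17"},
    {"user": "bob",   "ts": "2026-03-02T22:30:00", "country": "US", "device": "lt-099"},
    {"user": "bob",   "ts": "2026-03-03T23:05:00", "country": "DE", "device": "lt-099"},
]

def build_baselines(history):
    """Per user: countries and devices seen, plus a count of logins per hour of day."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": Counter()})
    for e in history:
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"][datetime.fromisoformat(e["ts"]).hour] += 1
    return dict(base)

def score_event(baselines, event):
    """Return (risk score, reasons) for one session event checked against its baseline."""
    b = baselines.get(event["user"])
    if b is None:  # identity never seen before: no baseline, treat as high risk
        return 5, ["no baseline for user"]
    hour = datetime.fromisoformat(event["ts"]).hour
    checks = [  # (condition, weight, reason); weights are assumed, tune per environment
        (event["country"] not in b["countries"], 3, "new country"),
        (event["device"] not in b["devices"], 2, "new device"),
        (b["hours"][hour] == 0, 1, "unusual hour"),
    ]
    score, reasons = 0, []
    for hit, weight, why in checks:
        if hit:
            score += weight
            reasons.append(why)
    return score, reasons

def decide(score, step_up_at=2, terminate_at=5):
    """Map a risk score to the ITDR response: allow, step up MFA, or kill the session."""
    if score >= terminate_at:
        return "terminate"
    if score >= step_up_at:
        return "step_up"
    return "allow"
```

A real platform would weight many more signals (impossible travel, data volume, session age) and learn the weights rather than hard-code them; the structure of baseline, deviation score and graded response is the same.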
Attackers Are Using AI Too
The same technology that powers defensive AI is being weaponised on the offensive side — and at a pace that should concern every security team.
AI-generated phishing at machine speed. Okta's threat intelligence team documented adversaries creating convincing phishing sites in under 30 seconds using AI generation tools. The cost and skill barrier to identity phishing has effectively collapsed.
Deepfake identity fraud. Gartner warned in early 2024 that by 2026, 30% of enterprises would no longer consider face biometrics reliable in isolation — and that prediction is materialising. North Korean operatives using real-time AI face-masking software during video interviews have successfully infiltrated enterprises at scale, with infiltration incidents up 220% in 2025. KnowBe4 discovered this problem first-hand when a newly hired engineer turned out to be a DPRK operative who had passed every identity verification step.
Adversary-in-the-middle (AiTM) phishing. Groups like Scattered Spider have refined the technique of intercepting authentication tokens in real time — bypassing MFA entirely without stealing the password. Even organisations with MFA enforced are not protected if they're using TOTP or push-based factors rather than phishing-resistant FIDO2/WebAuthn keys.
Infostealer automation. Automated malware campaigns continuously harvest credentials and session cookies from infected endpoints. SpyCloud recaptured 5.3 billion credential pairs in 2025 alone, with 80% containing plaintext passwords.
What Organisations Should Be Doing Now
AI-driven ITDR is not a replacement for foundational IAM hygiene — it amplifies it. The platforms that perform best are built on strong identity foundations:
- Deploy phishing-resistant MFA — FIDO2/WebAuthn hardware keys or passkeys. CISA and NSA have explicitly recommended moving away from TOTP and SMS. AiTM attacks cannot intercept a hardware-bound key: the credential is bound to the legitimate origin, so a proxy site on another domain never receives a usable assertion.
- Implement Zero Standing Privilege (ZSP) — Forrester has named ZSP the new benchmark. Privileges are granted just-in-time, scoped to a specific task and timeframe, and automatically revoked. A stolen credential with no standing privileges gives an attacker nothing to escalate from.
- Adopt Continuous Access Evaluation Protocol (CAEP) — Enables real-time token revocation mid-session. Microsoft and Okta have both implemented CAEP; it's becoming a de facto standard for enterprise identity platforms.
- Integrate ITDR with your SIEM — Identity signals in isolation are useful; correlated with endpoint telemetry and network data, they become decisive. The combination of identity anomaly, unusual process execution, and lateral network movement is far harder to dismiss as a false positive than any one signal alone.
- Replace quarterly access reviews with continuous AI-driven certification — ML-based access analysis identifies excessive permissions, dormant accounts, and toxic privilege combinations continuously, not once per quarter.
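An added example, not from the original post, of the SIEM correlation recommended above: an identity anomaly is escalated only when endpoint and network telemetry for the same user corroborate it within a short window. The event schema, source names and 30-minute window are assumptions.

```python
# Added example, not from the original post: correlating an identity anomaly
# with endpoint and network telemetry the way a SIEM rule would, so a weak signal
# is escalated only when corroborated within a short window. Events, field names
# and the 30-minute window are constructed assumptions; grouping is per user.
from datetime import datetime
from itertools import groupby

# Constructed normalised events: "itdr" = identity anomaly, "edr" = unusual
# process execution, "net" = lateral network movement (assumed schema).
EVENTS = [
    {"source": "itdr", "ts": "2026-03-20T03:12:00", "user": "alice", "detail": "login from new country and device"},
    {"source": "edr", "ts": "2026-03-20T03:20:00", "user": "alice", "detail": "powershell spawned by outlook"},
    {"source": "net", "ts": "2026-03-20T03:31:00", "user": "alice", "detail": "smb sessions to 14 previously unseen hosts"},
    {"source": "itdr", "ts": "2026-03-20T11:00:00", "user": "bob", "detail": "login from new device"},
    {"source": "edr", "ts": "2026-03-20T18:45:00", "user": "bob", "detail": "unsigned binary executed"},
]

SEVERITY = {1: "low", 2: "medium", 3: "high"}  # by number of distinct corroborating sources

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def best_window(evs, window_minutes):
    """evs sorted by time; return the window (starting at some event) spanning the most sources."""
    best = []
    for i, start in enumerate(evs):
        inwin = [e for e in evs[i:] if (_ts(e) - _ts(start)).total_seconds() <= window_minutes * 60]
        if len({e["source"] for e in inwin}) > len({e["source"] for e in best}):
            best = inwin
    return best

def correlate(events, window_minutes=30):
    """One incident per user, rated by how many independent sources agree inside one window."""
    incidents = []
    for user, group in groupby(sorted(events, key=lambda e: (e["user"], e["ts"])), key=lambda e: e["user"]):
        evidence = best_window(list(group), window_minutes)
        sources = sorted({e["source"] for e in evidence})
        incidents.append({
            "user": user,
            "sources": sources,
            "severity": SEVERITY[len(sources)],
            "evidence": [f'{e["source"]}: {e["detail"]}' for e in evidence],
        })
    return incidents
```

Alice's three signals fall inside one 30-minute window and rate high; Bob's two signals are hours apart and each stays low, which is the noise a threshold rule on any single source would have paged on.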
The organisations that are handling identity threats well in 2026 are not just buying AI-powered tools — they're treating identity as the control plane of their entire security architecture. Every authentication decision, every session, every privilege grant is a security event worth monitoring.
AccessSphere Managed provides ITDR implementation, phishing-resistant MFA deployment, and Zero Trust identity programme design. If your current IAM stack relies on perimeter trust or legacy MFA factors, it's worth a conversation.