Research Note · Identity & Access

Identity Is the New Blast Radius
Why one incident becomes many

In legacy environments, “blast radius” meant a subnet, a server group, or a domain. In modern environments, identity is the connective tissue across SaaS, cloud, vendors, and internal apps, so one compromised identity plane can cascade into many incidents at once.

Themes: trust relationships, cross-app impact, token-driven access

Network segmentation matters. Identity segmentation decides outcomes.

Executive summary

Compromise scales through trust, not routing

Identity centralization improves usability and control, right up until it becomes a single point of failure. When attackers gain durable identity access (privileged roles, OAuth grants, token theft, federation abuse), they don’t need to “move laterally” across the network. They move laterally across trust relationships.

Shift

Lateral movement moved up the stack

The primary pivot points are now SSO, app permissions, identity policies, and admin surfaces, not file shares and RDP.

Risk

Incidents become multi-domain

One identity incident can become a SaaS incident, a data incident, a vendor incident, and a governance incident, all at the same time.

Reality

“Least privilege” is often local

Organizations enforce least privilege internally while leaving third-party integrations and standing vendor access largely ungoverned.

Cascade mechanics

How identity compromise cascades

These are the common paths that turn a single foothold into enterprise-wide impact.

Admin roles change the rules

Privileged identity doesn’t just grant access; it changes policies, disables controls, and alters visibility. Attackers aim for control, not files.

OAuth grants create durable access

App consents and delegated permissions are bound to the application, not to the user’s password, so they persist through password resets; an app holding application (app-only) permissions authenticates with its own credential and never needed the user’s password at all. If you don’t govern OAuth, “resetting passwords” won’t reset access.

Tokens bypass login controls

Session cookies and refresh tokens let an attacker keep access without any new authentication event, which removes the sign-in, MFA, and password signals defenders rely on.

Federation links blast radius to partners

When identity is federated across business units, subsidiaries, or partners, compromise in one environment becomes an access path into another.

Defender gap

Why teams underestimate identity blast radius

Most security programs were built around endpoint and network boundaries. Identity breaches ignore those boundaries.

Visibility is fragmented

Identity logs, SaaS audit logs, and vendor logs are often in different places with different owners. Attackers exploit those seams.

Controls are over-trusted

“We have MFA” is treated as a conclusion. In reality, tokens, legacy auth paths, consent, and admin changes can bypass “MFA compliance.”

Response actions are mis-sequenced

Teams isolate endpoints before stabilizing identity. If attackers retain identity control, they re-enter and continue shaping the incident. Stabilize identity first (revoke sessions and refresh tokens, remove rogue consents and credentials, reclaim admin roles), then contain endpoints.

Third-party access is unmanaged

Vendor standing access, service principals, and integrations often have outsized privileges and weak monitoring, yet remain business-critical.

Program direction

Reducing identity blast radius in practice

The goal is not “perfect identity.” The goal is preventing one compromise from becoming many.

Priority

Segment privileged identity

Separate admin identities from daily identities, constrain where they can authenticate, and reduce standing privilege through role hygiene.

Priority

Govern OAuth and app access

Treat app consents as privileged access. Enforce approval, periodic review, and monitoring for permission changes and anomalous grants.

Priority

Instrument identity “success” events

Measure what matters: role changes, policy edits, new service principals, consent grants, session anomalies, not just failed logins.
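Detection logic over exactly these success events, covering the cascade paths above (consent grants, privileged role changes, policy edits, new service principal credentials, and token use with no matching interactive sign-in). This is an added example, not code from the page or from Wolfe Defense Labs. The events are constructed, and the field names, scope list, and role list are assumptions for illustration: they resemble directory audit and sign-in logs but are not a vendor schema.

```python
"""Flag identity 'success' events that widen blast radius.

Added example, not the page's code. The events below are constructed, and
the field names, scope list and role list are assumptions for illustration
(they resemble directory audit and sign-in logs but are not a vendor schema).
"""
from collections import defaultdict

# Delegated scopes that read or write data at tenant scale; tune per tenant.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}
# offline_access yields refresh tokens: the grant stays usable without re-auth.
DURABLE_SCOPE = "offline_access"
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Conditional Access Administrator",
}
POLICY_ACTIVITIES = {"Update conditional access policy",
                     "Delete conditional access policy"}
SP_ACTIVITIES = {"Add service principal", "Add service principal credentials"}

# Constructed sample window (not real tenant data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "kind": "signin", "user": "alice@corp.example",
     "interactive": True, "ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:05:00Z", "kind": "audit", "activity": "Consent to application",
     "actor": "alice@corp.example", "target": "Mail Insights (third party)",
     "scopes": ["Mail.ReadWrite", "offline_access", "User.Read"]},
    {"ts": "2024-05-01T08:06:00Z", "kind": "audit", "activity": "Consent to application",
     "actor": "bob@corp.example", "target": "Calendar Widget", "scopes": ["User.Read"]},
    {"ts": "2024-05-01T08:20:00Z", "kind": "audit", "activity": "Add member to role",
     "actor": "alice@corp.example", "target": "svc-backup@corp.example",
     "role": "Global Administrator"},
    {"ts": "2024-05-01T08:22:00Z", "kind": "audit",
     "activity": "Update conditional access policy", "actor": "alice@corp.example",
     "target": "Require MFA for admins"},
    {"ts": "2024-05-01T08:25:00Z", "kind": "audit",
     "activity": "Add service principal credentials", "actor": "alice@corp.example",
     "target": "Mail Insights (third party)"},
    # Token use from an IP that never completed an interactive sign-in: replay signal.
    {"ts": "2024-05-01T09:00:00Z", "kind": "signin", "user": "alice@corp.example",
     "interactive": False, "ip": "198.51.100.77"},
    # Token use from a known interactive IP: expected refresh traffic, not flagged.
    {"ts": "2024-05-01T09:05:00Z", "kind": "signin", "user": "alice@corp.example",
     "interactive": False, "ip": "203.0.113.10"},
]


def _finding(event, severity, category, detail):
    return {"ts": event["ts"], "severity": severity, "category": category,
            "actor": event.get("actor", event.get("user")), "detail": detail}


def detect(events):
    """Return findings for the success events the page lists, plus token anomalies."""
    findings = []
    # Pass 1: learn, per user, which IPs completed an interactive sign-in.
    interactive_ips = defaultdict(set)
    for e in events:
        if e["kind"] == "signin" and e["interactive"]:
            interactive_ips[e["user"]].add(e["ip"])
    # Pass 2: evaluate each event against the rules.
    for e in events:
        if e["kind"] == "audit":
            act = e["activity"]
            if act == "Consent to application":
                risky = sorted(HIGH_RISK_SCOPES & set(e["scopes"]))
                if risky:
                    durable = DURABLE_SCOPE in e["scopes"]
                    findings.append(_finding(
                        e, "high" if durable else "medium", "consent_grant",
                        f"{e['target']} granted {risky}"
                        + (" with refresh tokens" if durable else "")))
            elif act == "Add member to role" and e["role"] in PRIVILEGED_ROLES:
                findings.append(_finding(e, "high", "privileged_role",
                                         f"{e['target']} added to {e['role']}"))
            elif act in POLICY_ACTIVITIES:
                findings.append(_finding(e, "high", "policy_change", f"{act}: {e['target']}"))
            elif act in SP_ACTIVITIES:
                findings.append(_finding(e, "medium", "service_principal",
                                         f"{act}: {e['target']}"))
        elif e["kind"] == "signin" and not e["interactive"]:
            # Refresh-token or cookie use from somewhere this user never authenticated.
            if e["ip"] not in interactive_ips[e["user"]]:
                findings.append(_finding(e, "high", "token_anomaly",
                                         f"non-interactive token use from {e['ip']} "
                                         "with no interactive sign-in from that IP"))
    return findings


def summarize(findings):
    """Count findings per category: a dashboard of successes, not failures."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['severity']:<6} {f['category']:<18} {f['actor']}: {f['detail']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Note that none of the flagged events is a failure: every one is a successful action. The benign consent (User.Read only) and the refresh from a known interactive IP produce nothing, which is the point of baselining on interactive sign-ins rather than alerting on every non-interactive token use.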

Priority

Model third-party blast radius

Inventory vendor access, enforce least privilege, require MFA and conditional access alignment, and ensure you can revoke access rapidly.
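One way to model blast radius the way the cascade mechanics above and this card describe it: as a trust graph, where an edge means control of one node yields access to another (role membership, a helpdesk reset right, admin consent, standing vendor access, federation). A breadth-first walk from a compromised identity gives its blast radius, and removing one edge at a time shows which trust relationship is worth breaking or monitoring first. This is an added example, not code from the page or from Wolfe Defense Labs; the graph, its node names, and its edge types are constructed assumptions, as is the simplification that every edge is fully exploitable.

```python
"""Trust-graph model of identity blast radius.

Added example, not the page's code. The graph below is constructed (node
names, edge types and the assumption that each edge is fully exploitable
are illustrative); a real model is built from role memberships, consent
grants, vendor access and federation settings exported from the tenant.
"""
from collections import defaultdict, deque

# (source, target, relationship): control of source yields access to target.
TRUST_EDGES = [
    ("user:alice", "role:HelpdeskAdmin", "role-member"),
    ("role:HelpdeskAdmin", "user:bob", "password-reset"),   # helpdesk can reset bob
    ("user:bob", "role:GlobalAdmin", "role-member"),
    ("vendor:msp-automation", "role:GlobalAdmin", "standing-access"),
    ("role:GlobalAdmin", "tenant:corp", "tenant-control"),
    ("tenant:corp", "app:MailInsights", "admin-consent"),
    ("app:MailInsights", "data:all-mailboxes", "Mail.ReadWrite"),
    ("tenant:corp", "tenant:subsidiary", "federation"),
    ("tenant:subsidiary", "data:finance-share", "tenant-control"),
    ("user:carol", "app:CalendarWidget", "user-consent"),
    ("app:CalendarWidget", "data:carol-calendar", "Calendars.Read"),
]


def adjacency(edges):
    adj = defaultdict(list)
    for src, dst, via in edges:
        adj[src].append((dst, via))
    return adj


def reach(edges, start):
    """BFS over trust edges; returns {node: (parent, relationship)} for every
    node reachable from start (start itself excluded)."""
    adj = adjacency(edges)
    parents = {}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, via in adj[node]:
            if dst != start and dst not in parents:
                parents[dst] = (node, via)
                queue.append(dst)
    return parents


def blast_radius(edges, start):
    """Everything an attacker controlling `start` can reach through trust alone."""
    return set(reach(edges, start))


def chain(edges, start, target):
    """Shortest trust path from start to target as a node list, or None."""
    parents = reach(edges, start)
    if target not in parents:
        return None
    path, node = [target], target
    while node != start:
        node = parents[node][0]
        path.append(node)
    return list(reversed(path))


def best_cut(edges, start):
    """Which single downstream trust edge, if removed, shrinks start's blast
    radius the most? Edges leaving start are skipped: that identity is already
    compromised, the question is which relationship to break or watch."""
    best = (None, len(blast_radius(edges, start)))
    for edge in edges:
        if edge[0] == start:
            continue
        remaining = len(blast_radius([e for e in edges if e != edge], start))
        if remaining < best[1]:
            best = (edge, remaining)
    return best


if __name__ == "__main__":
    for start in ("user:alice", "vendor:msp-automation", "user:carol"):
        radius = blast_radius(TRUST_EDGES, start)
        edge, left = best_cut(TRUST_EDGES, start)
        print(f"{start}: reaches {len(radius)} nodes; cutting {edge} leaves {left}")
    print(" -> ".join(chain(TRUST_EDGES, "user:alice", "data:finance-share")))
```

Two things the walk makes visible that a role list does not: a helpdesk account reaches the subsidiary's finance data through a password-reset right on an admin, without ever holding an admin role itself, and the vendor's standing access has the same blast radius as a global admin. Running best_cut against each vendor and service principal in the inventory is a practical way to rank which standing access to remove or put behind just-in-time approval first.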

Want to reduce blast radius before it’s tested?

Wolfe Defense Labs helps organizations map identity trust relationships, harden privileged access, and build detection and response that assume identity is the primary control plane.
