Identity Governance · 13 February 2026 · 11 min read · Attila Bognar

Identity Governance Is Becoming the Central Risk Vector

Identity is the #1 attack vector in 2026. Credential-based attacks, MFA bypass, and identity sprawl make identity governance a regulatory requirement under NIS2 and DORA, not just a security best practice.

Tags: Identity governance, Access risk, Privilege drift, Risk intelligence, NIS2, DORA

Identity has become the primary attack vector in 2026 not because perimeter defenses have weakened but because attackers have learned that compromising credentials is faster, quieter, and more scalable than exploiting infrastructure vulnerabilities. Over 80% of breaches involving a confirmed initial access vector now trace back to credential theft, session hijacking, or identity-based social engineering. MFA bypass techniques have matured from theoretical concern to operational reality, with adversary-in-the-middle phishing kits available as commodity services. The explosion of SaaS adoption has created identity sprawl: the average enterprise employee now has credentials in 30 to 50 separate applications, each with its own access model, and many with no centralized governance oversight. Against this threat landscape, NIS2 Article 21(2)(i) and DORA Article 9(4)(c) have elevated access control and identity governance from security best practice to explicit regulatory obligation. Organizations that still treat identity governance as IAM housekeeping are making a risk posture decision, whether they realize it or not.

The Threat Landscape: Why Identity Is the Preferred Attack Path

Understanding why identity dominates the attack landscape requires understanding attacker economics. Exploiting infrastructure vulnerabilities requires reconnaissance, technical skill, and often zero-day or near-zero-day timing. The window of opportunity is narrow, the skill requirement is high, and defensive detection has improved significantly for network-based and endpoint-based attacks.

Credential-based attacks are different in every dimension. Phishing kits that harvest credentials and session tokens are available on underground markets for hundreds of dollars. Initial access brokers sell verified corporate credentials in bulk. Infostealer malware running on personal devices harvests credentials to corporate SaaS applications without ever touching the corporate endpoint, bypassing EDR entirely.

Once an attacker has valid credentials, they authenticate as the legitimate user. Most security monitoring systems treat authenticated sessions as trusted by default. The attacker inherits whatever privileges the compromised identity holds. If those privileges are excessive (and they almost always are), the attacker can move laterally, escalate privileges, and access sensitive systems without triggering the behavioral anomalies that network-based attacks produce.

MFA bypass has become operational. Adversary-in-the-middle (AitM) phishing proxies like EvilGinx intercept both the credentials and the MFA token in real time, establishing a session that survives MFA validation. Token theft from browser local storage or memory bypasses MFA entirely because the attacker uses the post-authentication session token rather than re-authenticating. Push fatigue attacks exploit users who approve MFA prompts reflexively. The ENISA Threat Landscape 2025 report catalogued a significant increase in AitM phishing campaigns targeting EU organizations, particularly in the financial services and energy sectors where NIS2 and DORA apply.

Session hijacking and token replay have emerged as post-authentication attack techniques that bypass credential-focused defenses. Even if the initial authentication was legitimate and MFA-protected, a stolen session token allows the attacker to assume the user's identity for the duration of the session. Without continuous session validation and behavioral analytics, the organization cannot distinguish between the legitimate user and an attacker holding their session token.
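The continuous session validation this paragraph calls for can be approximated from ordinary sign-in and activity logs. The following is an added example, not FortisEU code: it records the network and client context a session was established in and flags later requests on the same session token whose context changes faster than a legitimate user plausibly could. The event fields, the two heuristics, the thresholds and the sample events (using documentation-reserved ASNs) are all constructed for illustration.

```python
"""Session-token replay detection over sign-in and activity logs.

Added example, not FortisEU code. It binds each session to the network and
client context it was established with and flags later requests in the same
session whose context changes faster than a legitimate user plausibly could.
Field names, thresholds and sample events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime      # arrival time of a request carrying the session token
    session_id: str   # identifier of the post-authentication session
    user: str
    asn: str          # autonomous system of the source IP (documentation ASNs below)
    user_agent: str   # client fingerprint as presented by the browser or app


def _at(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2026-02-13T{hhmm}:00")


CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/123"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120"
SAFARI_MAC = "Mozilla/5.0 (Macintosh) Safari/17"

# Constructed sample activity for three sessions on one day.
SAMPLE_EVENTS = [
    # s1: ordinary session, stable network and client
    SessionEvent(_at("08:55"), "s1", "alice", "AS64496", CHROME_WIN),
    SessionEvent(_at("09:10"), "s1", "alice", "AS64496", CHROME_WIN),
    SessionEvent(_at("11:42"), "s1", "alice", "AS64496", CHROME_WIN),
    # s2: token established in one network, then used minutes later from
    #     another network by a different client (the trace a stolen token leaves)
    SessionEvent(_at("09:00"), "s2", "bob", "AS64496", CHROME_WIN),
    SessionEvent(_at("09:06"), "s2", "bob", "AS64497", FIREFOX_LINUX),
    SessionEvent(_at("09:07"), "s2", "bob", "AS64497", FIREFOX_LINUX),
    # s3: same client changes network hours later (office to home); tolerated
    SessionEvent(_at("09:00"), "s3", "carol", "AS64496", SAFARI_MAC),
    SessionEvent(_at("18:30"), "s3", "carol", "AS64498", SAFARI_MAC),
]


def detect_session_anomalies(events, asn_switch_window_minutes=60):
    """Return {session_id: [reasons]} for sessions whose context drifted.

    Two heuristics, both tunable by the defender rather than a fixed standard:
      * the client fingerprint differs from the one seen when the session began;
      * the source ASN changes within `asn_switch_window_minutes` of the
        previous request on the same session.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.session_id].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        origin = evs[0]              # context the token was issued into
        reasons = []
        for prev, cur in zip(evs, evs[1:]):
            if cur.user_agent != origin.user_agent:
                r = "client fingerprint changed mid-session"
                if r not in reasons:
                    reasons.append(r)
            gap_min = (cur.ts - prev.ts).total_seconds() / 60
            if cur.asn != prev.asn and gap_min <= asn_switch_window_minutes:
                r = f"source ASN changed {prev.asn}->{cur.asn} after {gap_min:.0f} min"
                if r not in reasons:
                    reasons.append(r)
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in detect_session_anomalies(SAMPLE_EVENTS).items():
        print(sid, "->", "; ".join(reasons))
```

With the default one-hour window only session s2 is flagged, on both rules; widening the window to a full working day also catches carol's evening network change, which is the kind of false positive the threshold exists to suppress. In production the flag would feed a step-up re-authentication or session revocation rather than just a report.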

The practical implication for governance is stark. Perimeter security, endpoint protection, and even MFA do not solve the identity risk problem. They reduce specific attack techniques without addressing the structural issue: organizations grant more access than necessary, retain it longer than appropriate, and lack the visibility to detect when that excess access is exploited.

Identity Sprawl: The Governance Gap That Organizations Tolerate

Identity sprawl is the structural condition that makes credential-based attacks so effective. It has three dimensions.

Application proliferation. Enterprise SaaS adoption has accelerated continuously. An organization with 2,000 employees may have 400 to 600 SaaS applications in active use, many adopted by individual business units without IT procurement oversight. Each application has its own user directory, its own access model, and its own lifecycle management (or lack thereof). Centralized identity governance through the corporate IdP covers a fraction of these applications.

Privilege accumulation. As employees change roles, take on projects, join cross-functional teams, and receive temporary access for troubleshooting or migration activities, their accumulated access grows monotonically. Access is granted for operational reasons and retained by inertia. The access review process, if it exists, rubber-stamps existing entitlements because reviewers lack the context to know which entitlements are still needed and which are historical artifacts. Over a three-year tenure, a typical knowledge worker accumulates two to three times the access their current role requires.

Non-human identity explosion. Service accounts, API keys, automation credentials, CI/CD pipeline tokens, and machine-to-machine identities now outnumber human identities in most enterprise environments. These non-human identities are often excluded from access review programs, lack expiry policies, use shared credentials, and have elevated privileges that were granted for initial setup and never scoped down. A compromised service account with administrative privileges is the attacker's ideal entry point: no MFA, no behavioral baseline for anomaly detection, and often no logged activity reviewed by humans.

Together, these three dimensions create an identity attack surface that most organizations do not fully understand, much less govern. The identity governance program covers the corporate directory. The actual identity landscape extends far beyond it.

The Regulatory Mandate: NIS2 and DORA on Access Control

Both NIS2 and DORA have made identity governance an explicit regulatory obligation, not an implied best practice.

NIS2 Article 21(2)(i) requires essential and important entities to implement measures for "human resources security, access control policies and asset management." The grouping is deliberate. Access control is placed alongside human resources security because the legislative intent recognizes that identity lifecycle management (onboarding, role changes, offboarding) is inseparable from access governance. An organization that manages access control as an IT function disconnected from HR processes violates the spirit of the article even if it meets a narrow technical interpretation.

NIS2 Article 21(2)(j) adds "the use of multi-factor authentication or continuous authentication solutions." The explicit mention of MFA as a regulatory requirement reflects the legislative recognition that password-only authentication is insufficient. But the mention of "continuous authentication" alongside MFA signals a regulatory expectation that goes beyond point-of-login verification. Continuous authentication implies ongoing validation of session integrity, not just initial credential verification.

DORA Article 9(4)(c) requires financial entities to implement, as part of their ICT risk management framework, policies and procedures for "managing access rights" including "authentication methods commensurate with the criticality of the ICT assets." This is a risk-proportionate access control requirement. Not all assets require the same authentication strength. Financial entities must classify assets by criticality and apply access controls proportionate to that classification. A flat access model that applies the same authentication to all systems does not satisfy this requirement.

DORA Article 9(4)(d) requires "strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys." For financial entities subject to DORA, strong authentication is not optional for critical ICT assets. The reference to "relevant standards" points to FIDO2/WebAuthn and similar phishing-resistant authentication mechanisms, which are the current standard for strong authentication.

The regulatory direction is unambiguous. Identity governance is a compliance obligation with specific requirements for access lifecycle management, multi-factor and continuous authentication, risk-proportionate access controls, and strong authentication for critical assets. Organizations that do not meet these requirements face supervisory action under NIS2 Articles 32 to 34 and DORA's supervisory framework.

From IAM Dashboard to Enterprise Risk View

The strategic failure of most identity governance programs is isolation. The IAM team runs access reviews, manages provisioning, and produces reports on access hygiene metrics. These reports exist in the identity governance platform, seen by the IAM team and occasionally shared with the CISO. They are not integrated into the enterprise risk view.

This isolation means that identity risk is invisible at the board level. The board sees vulnerability metrics from the security operations team, compliance percentages from the GRC team, and vendor risk ratings from the procurement team. Identity risk appears, if at all, as a technical IAM metric (percentage of access reviews completed, number of orphaned accounts) that does not connect to business impact.

The integration gap matters because identity is a risk amplifier, not just a standalone risk domain. An unpatched vulnerability is dangerous. An unpatched vulnerability on a system with over-privileged identities that can reach critical business services through lateral movement is catastrophically dangerous. The vulnerability creates the entry point. The identity governance failure determines the blast radius.

Effective identity risk governance requires identity signals to be correlated with:

Asset criticality. An over-privileged account on a development system and an over-privileged account on the production payment database are different risks by orders of magnitude. Identity risk scoring must reflect the criticality of the assets the identity can access.

Vendor dependency. Third-party personnel with access to internal systems create identity risk that spans the identity governance and TPRM domains. A vendor whose security posture is degrading while their personnel retain elevated access to critical systems represents a compound risk that neither domain sees in isolation.

Compliance scope. Identities with access to systems under NIS2, DORA, or GDPR scope carry regulatory risk in addition to operational risk. An access governance failure on a DORA-scoped system has supervisory consequences that the same failure on an out-of-scope system does not.

Exposure context. Identity paths from internet-facing systems to critical internal infrastructure create attack chains that determine incident blast radius. An identity governance program that does not map these paths cannot assess the actual exposure that identity drift creates.
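The four correlations above can be expressed as a small scoring model. The following is an added example and not FortisEU's scoring model: it computes each identity's blast radius by following lateral-movement edges from the assets it is entitled to, then weights what is reachable by asset criticality and compliance scope and scales the result for internet-facing entry points, degrading vendor posture and service accounts. The assets, edges, identities and every weight are constructed for illustration.

```python
"""Identity risk scoring that weights entitlements by the assets they reach.

Added example, not FortisEU's scoring model. The weights below are
illustrative; the point is that the same entitlement scores differently
depending on asset criticality, compliance scope, exposure path and
whether the identity belongs to a vendor or a service. All assets,
identities and lateral-movement edges are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int                      # 1 (sandbox) .. 5 (critical business service)
    internet_facing: bool = False
    scope: FrozenSet[str] = frozenset()   # regulatory scope, e.g. {"DORA"}


@dataclass
class Identity:
    name: str
    kind: str                             # "employee", "vendor" or "service"
    entitlements: Dict[str, str]          # asset name -> "read" | "admin"
    vendor_posture: float = 1.0           # 1.0 healthy .. 0.0 severely degraded (vendors only)


# Constructed asset inventory.
ASSETS = {a.name: a for a in [
    Asset("vpn-gateway", 2, internet_facing=True),
    Asset("jump-host", 3),
    Asset("payments-db", 5, scope=frozenset({"DORA"})),
    Asset("hr-app", 3, scope=frozenset({"GDPR"})),
    Asset("dev-sandbox", 1),
]}

# Constructed lateral-movement edges: from an asset, which others become
# reachable (flat network segment, stored credentials, trust relationship).
LATERAL = {
    "vpn-gateway": {"jump-host"},
    "jump-host": {"payments-db", "hr-app"},
}

# Constructed identities.
IDENTITIES = [
    Identity("alice", "employee", {"dev-sandbox": "admin"}),
    Identity("bob", "employee", {"vpn-gateway": "read", "jump-host": "admin"}),
    Identity("svc-backup", "service", {"payments-db": "admin"}),
    Identity("contractor-1", "vendor", {"jump-host": "admin"}, vendor_posture=0.6),
]


def blast_radius(identity: Identity, lateral=LATERAL) -> Set[str]:
    """Assets reachable if this identity is compromised: direct entitlements
    plus everything reachable over lateral-movement edges (breadth-first)."""
    seen = set(identity.entitlements)
    queue = deque(seen)
    while queue:
        current = queue.popleft()
        for nxt in lateral.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def identity_risk_score(identity: Identity, assets=ASSETS, lateral=LATERAL) -> float:
    """Illustrative score: sum of reachable asset criticality, doubled for
    regulated assets, then scaled by exposure and identity type."""
    base = 0.0
    for name in blast_radius(identity, lateral):
        asset = assets[name]
        base += asset.criticality * (2.0 if asset.scope else 1.0)

    factor = 1.0
    if any(assets[n].internet_facing for n in identity.entitlements):
        factor *= 1.5        # entry point reachable from the internet
    if identity.kind == "vendor":
        factor *= 1.0 + (1.0 - identity.vendor_posture)   # degrading vendor compounds risk
    if identity.kind == "service":
        factor *= 1.25       # no MFA, no behavioural baseline
    return base * factor


def rank_identities(identities=IDENTITIES):
    """Identities ordered from highest to lowest risk score."""
    scored = [(i.name, round(identity_risk_score(i), 2)) for i in identities]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    by_name = {i.name: i for i in IDENTITIES}
    for name, score in rank_identities():
        print(f"{name:<13} {score:6.2f}  reach={sorted(blast_radius(by_name[name]))}")
```

The ranking illustrates the article's point: bob holds only read access on the VPN gateway and admin on a jump host, yet scores highest because that combination forms an internet-to-DORA-scoped-database path, while alice's admin rights on a sandbox barely register. The contractor with degrading posture outranks the over-privileged service account despite reaching the same database, because the vendor factor compounds the exposure.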

Privilege Drift: The Silent Compounder

Privilege drift is the gradual accumulation of access beyond what a role requires. It is the most common identity governance failure and the hardest to detect because it happens incrementally and appears normal at each individual step.

A new employee is provisioned with base role access. Month two: a project requires access to a financial system. Access is granted. Month six: the project ends. Access is not revoked because no revocation process triggers on project completion. Month eight: a troubleshooting request requires temporary admin access to a database. Access is granted with a note to review in two weeks. The review never happens. Month twelve: the employee is now a standard business user with access to a financial system they no longer use and admin privileges on a database they touched once.

Multiply this by 2,000 employees over three years, and the organization has a privilege landscape that no one designed, no one approved in its entirety, and no one can explain. The quarterly access review encounters this landscape and rubber-stamps it because the reviewer lacks the historical context to know which entitlements are current and which are artifacts.

Privilege drift compounds silently until one of three events exposes it: an access review that is actually rigorous (rare), a regulatory audit that examines access logs against role definitions (increasingly common under NIS2 and DORA), or a security incident where the blast radius reveals the accumulated excess access (expensive and public).

The solution to privilege drift is not better annual reviews. It is continuous measurement. Organizations must track privilege accumulation as a metric, flag entitlements that exceed role-based norms, and enforce access expiry for temporary grants. This requires treating identity governance as a continuous operational function rather than a periodic compliance ceremony.

Practical Steps for Board-Level Identity Governance

Moving identity governance from an IAM housekeeping function to a board-level risk discipline requires five structural changes.

Measure privilege drift continuously. Define role-based access baselines and measure actual entitlements against baselines on a continuous basis. Report the delta as a risk metric: what percentage of identities exceed their role baseline, and by how much? Trend this metric monthly for board reporting.

Enforce offboarding completeness with evidence. Offboarding completion should not be a status assumption. It should be an evidence-backed verification. Every system the departing employee had access to should be checked for revocation confirmation. Systems where revocation cannot be verified should be escalated, not assumed.

Surface non-human identity risk. Include service accounts, API keys, and automation credentials in the identity governance scope. Inventory all non-human identities, assign owners, enforce expiry policies, and include them in access review campaigns. The non-human identity population is often the higher-risk population and is almost always the less-governed one.

Integrate identity risk into the enterprise risk view. Identity risk scores should appear in the same executive dashboard as vulnerability risk, vendor risk, and compliance risk. The board should see identity governance not as a technical IAM metric but as a business risk dimension with financial and regulatory consequence.

Tie identity exceptions to expiry and accountability. Every exception to access policy (emergency access grants, temporary elevated privileges, SoD override approvals) must have an expiry date and an accountable owner. Exceptions without expiry become permanent entitlements. Exceptions without owners become unmanaged risks.
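The drift timeline in the Privilege Drift section and the five steps above describe one continuous measurement loop. The following is an added example of that loop and not FortisEU's implementation: it compares each active identity's entitlements with a role baseline, flags exceptions lacking an expiry or an accountable owner, flags temporary grants still live past their expiry, treats service accounts exactly like human identities, and reports any entitlement remaining on a departed identity as incomplete offboarding rather than assuming revocation. The role baselines, identities, grants and the reporting date are constructed sample data.

```python
"""Continuous privilege-drift and exception-expiry measurement.

Added example, not FortisEU's implementation. It compares each identity's
actual entitlements with a role baseline, flags exceptions that lack an
expiry or an accountable owner, flags grants still live past their expiry,
and reports any entitlement remaining on a departed identity as incomplete
offboarding. Roles, identities and grants are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed role baselines: the entitlements a role legitimately requires.
ROLE_BASELINES = {
    "analyst": {"crm:read", "reporting:read"},
    "backup-service": {"storage:write"},
}


@dataclass(frozen=True)
class Grant:
    entitlement: str
    granted_on: date
    expires_on: Optional[date]   # None means the grant was given permanently
    owner: Optional[str]         # accountable approver, None if nobody owns it
    reason: str


@dataclass
class Identity:
    name: str
    kind: str                    # "human" or "service"
    role: str
    status: str                  # "active" or "departed"
    grants: List[Grant]


@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str
    entitlement: str


AS_OF = date(2026, 2, 13)

# Constructed identities reproducing the drift timeline from the article.
IDENTITIES = [
    Identity("dana", "human", "analyst", "active", [
        Grant("crm:read", date(2024, 1, 8), None, "hr-onboarding", "base role"),
        Grant("reporting:read", date(2024, 1, 8), None, "hr-onboarding", "base role"),
        Grant("finance-app:read", date(2024, 3, 1), None, None, "project, never revoked"),
        Grant("db-prod:admin", date(2025, 9, 1), date(2025, 9, 15), "dba-lead", "troubleshooting"),
    ]),
    Identity("erik", "human", "analyst", "active", [
        Grant("crm:read", date(2025, 5, 2), None, "hr-onboarding", "base role"),
        Grant("reporting:read", date(2025, 5, 2), None, "hr-onboarding", "base role"),
    ]),
    Identity("svc-backup", "service", "backup-service", "active", [
        Grant("storage:write", date(2023, 1, 10), None, "platform-team", "base role"),
        Grant("payments-db:admin", date(2023, 1, 10), None, None, "initial setup, never scoped down"),
    ]),
    Identity("fiona", "human", "analyst", "departed", [
        Grant("crm:read", date(2022, 6, 1), None, "hr-onboarding", "base role"),
    ]),
]


def excess_entitlements(identity: Identity) -> set:
    """Entitlements the identity holds beyond its role baseline."""
    baseline = ROLE_BASELINES.get(identity.role, set())
    return {g.entitlement for g in identity.grants} - baseline


def drift_report(identities: List[Identity], as_of: date) -> Tuple[dict, List[Finding]]:
    """Board-level drift metrics plus the per-grant findings behind them."""
    findings: List[Finding] = []
    active = [i for i in identities if i.status == "active"]
    over_baseline = 0
    excess_total = 0

    for ident in identities:
        if ident.status != "active":
            # Offboarding is verified per remaining grant, never assumed complete.
            for g in ident.grants:
                findings.append(Finding(ident.name, "OFFBOARDING_INCOMPLETE", g.entitlement))
            continue
        excess = excess_entitlements(ident)
        if excess:
            over_baseline += 1
            excess_total += len(excess)
        for g in ident.grants:
            if g.entitlement in excess:
                findings.append(Finding(ident.name, "EXCEEDS_ROLE_BASELINE", g.entitlement))
                if g.expires_on is None:
                    findings.append(Finding(ident.name, "EXCEPTION_WITHOUT_EXPIRY", g.entitlement))
                if g.owner is None:
                    findings.append(Finding(ident.name, "EXCEPTION_WITHOUT_OWNER", g.entitlement))
            if g.expires_on is not None and g.expires_on < as_of:
                findings.append(Finding(ident.name, "GRANT_PAST_EXPIRY", g.entitlement))

    summary = {
        "active_identities": len(active),
        "identities_over_baseline": over_baseline,
        "pct_over_baseline": round(100.0 * over_baseline / len(active), 1) if active else 0.0,
        "avg_excess_entitlements": round(excess_total / over_baseline, 2) if over_baseline else 0.0,
    }
    return summary, findings


if __name__ == "__main__":
    summary, findings = drift_report(IDENTITIES, AS_OF)
    print(summary)
    for f in findings:
        print(f"{f.identity:<11} {f.kind:<26} {f.entitlement}")
```

The summary dictionary is the board metric (two of three active identities exceed their baseline, by 1.5 entitlements on average); the findings list is what the access review campaign and the offboarding check act on. Run monthly against the same baselines, the percentage and average trend either toward zero or toward a drift problem nobody designed.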

How FortisEU Integrates Identity Governance with Risk Intelligence

FortisEU treats identity governance as a core risk domain integrated with compliance, vendor risk, and exposure management rather than an isolated IAM function. The platform's identity governance module maps access entitlements to asset criticality, traces identity paths to critical business services, and scores identity risk in the same model used for vulnerability exposure and vendor dependency.

Access review campaigns in FortisEU produce audit-grade evidence that satisfies NIS2 Article 21(2)(i) and DORA Article 9(4)(c) requirements, with timestamped decisions, reviewer attribution, and remediation tracking for revoked entitlements. Privilege drift is measured continuously against role baselines, with automated escalation when drift exceeds defined thresholds.

For boards and executive leadership, identity risk appears in the unified risk view alongside all other risk domains, contextualized by business service impact rather than presented as standalone IAM metrics.

Key Takeaways

  • Identity is the #1 attack vector in 2026 because credential-based attacks are cheaper, quieter, and more scalable than infrastructure exploitation. MFA bypass through AitM phishing and token theft has made traditional authentication controls insufficient on their own.
  • Identity sprawl across SaaS applications, combined with privilege accumulation and non-human identity proliferation, creates an identity attack surface that most organizations do not fully govern or even fully understand.
  • NIS2 Article 21(2)(i) and DORA Article 9(4)(c) make access control and identity governance explicit regulatory obligations with specific requirements for lifecycle management, risk-proportionate authentication, and strong authentication for critical assets.
  • Identity risk is a blast radius amplifier that must be integrated into the enterprise risk view alongside vulnerability, vendor, and compliance risk. Isolated IAM metrics do not give boards the visibility they need.
  • Privilege drift is the most common and most dangerous identity governance failure. It can only be addressed through continuous measurement against role baselines, not through periodic access review ceremonies.