Published: 24/06/25

What is ‘Identity’ in Cyber Security? It’s Not Who You Say You Are


AI-Driven Identity Attacks in 2025

At the beginning of 2025, I was asked to share my thoughts on the main threats we might face throughout the year. My key prediction was that we would see AI-driven attacks targeting identity. With the recent incidents involving major supermarkets such as M&S (Check Point Threat Intelligence Report), my prediction has proven to be true. In addition to this, we have seen sophisticated attacks using AI-generated voices and videos to trick companies into granting access or transferring large sums of money to cyber criminals (Fortinet Cyber Glossary).

Many organisations implement Multi-Factor Authentication (MFA) and consider their work done, when in reality, securing access to our key systems by identity needs to be a fundamental part of our security stack.

Now that we’re halfway through the year and have seen high-profile breaches, I hope more companies will come to understand this: it’s not about who you say you are, but who we can prove you to be.

Identity-Centric Security

The burden of identifying a user to grant access should not fall solely on them to complete an MFA prompt. Instead, it should be a combination of their given credentials and the contextual information gathered at the time of authentication. What device are they authenticating from? Is the device running our corporate EDR solution? Are they trying to gain access from a location we’ve seen before? There’s a wealth of real-time data we can check, and whilst every user and organisation is different, there will always be common denominators that we can use to reinforce our confidence in each request.

This level of authorisation does not need to be burdensome for users or administrators. With the correct tools, it should be seamless. The only friction should be felt by unauthorised attackers trying to break through these protections, prompting immediate alerts to our SOC teams about potential account compromise attempts.

Authentication and authorisation shouldn’t just be a consideration at the start of a user’s session either. Too often, a user’s attributes are verified once, and once they hold an authentication token, it is assumed that they will continue to be secure. This shouldn’t be the case, and it does not have to be. We can and should continue to validate user and device properties throughout the session, ensuring that each request is being made by who it claims to come from.
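The contextual checks and in-session re-validation described in this section, sketched as an added example that is not part of the original post and not any vendor's implementation. The user, device and country values are constructed, and the allow / step-up / deny policy is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample inventory; a real deployment would query MDM/EDR and sign-in history.
MANAGED_DEVICES = {"alice": {"LT-0042"}}
KNOWN_COUNTRIES = {"alice": {"GB"}}

@dataclass(frozen=True)
class Context:
    user: str
    mfa_passed: bool
    device_id: str
    edr_running: bool
    country: str

def evaluate(ctx):
    """Return (decision, reasons) from credentials plus contextual signals."""
    reasons = []
    if not ctx.mfa_passed:
        reasons.append("mfa_not_completed")
    if ctx.device_id not in MANAGED_DEVICES.get(ctx.user, set()):
        reasons.append("unmanaged_device")
    if not ctx.edr_running:
        reasons.append("edr_not_running")
    if ctx.country not in KNOWN_COUNTRIES.get(ctx.user, set()):
        reasons.append("unseen_location")
    if not reasons:
        return "allow", reasons
    # Assumed policy: a new location alone triggers step-up; anything else denies.
    if reasons == ["unseen_location"]:
        return "step_up", reasons
    return "deny", reasons

class Session:
    """Created after an 'allow'; re-checks context on every request instead of trusting the token."""
    def __init__(self, ctx):
        self.start_ctx, self.active, self.alerts = ctx, True, []

    def request(self, ctx):
        decision, reasons = evaluate(ctx)
        if ctx.device_id != self.start_ctx.device_id:
            decision, reasons = "deny", reasons + ["device_changed_mid_session"]
        if not self.active:
            decision, reasons = "deny", reasons + ["session_revoked"]
        if decision != "allow":
            self.active = False  # revoke, then record why for the SOC
            self.alerts.append({"user": ctx.user, "reasons": reasons})
        return decision
```

A token replayed from a different machine fails here even with MFA already satisfied, because the device and EDR signals are re-read on each request and the reasons are queued as an alert.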

Tools That Support Identity

Security tools are making this easier than ever. Platforms such as Chrome Enterprise Premium embed authentication, authorisation, and accounting into the heart of their systems, ensuring every request and action is performed only by those allowed to do so. Greater system integration with platforms such as CrowdStrike Falcon, with its ZTNA components, offers greater visibility into every aspect of who and what is trying to access our platforms.

My Key Takeaway

If it wasn’t clear at the start of the year, it should be now: security by identity must be at the heart of our strategy. But identities do not and should not stop at a user. We must verify not only who is making a request, but also from what device and location, so we can stop account compromises before they even begin.

Let’s Talk Identity

We’re here to help you build a more resilient, AI-aware security posture. Contact us today to find out how SEP2 can help you.


Photo of Paul Starr
