Identity is under siege as AI and cyber exploits evolve and outpace defenses


At the center of today’s cybersecurity crises is a single, unifying vulnerability: digital identity. The IBM X-Force 2025 Threat Intelligence Index, recent commentary from identity solution leaders, and the near-collapse of the Common Vulnerabilities and Exposures (CVE) Program all paint a converging picture of a threat landscape defined not by brute force, but by the silent, systematic breakdown of how identity is secured, verified, and exploited.

CVE is run by MITRE with funding from the Cybersecurity and Infrastructure Security Agency (CISA). It catalogs software vulnerabilities, and its records are essential for patching and mitigation and are used globally to assess risk. Without it, organizations would be left blind to newly discovered flaws, further accelerating the advantage held by attackers.

Whether it’s IBM’s warning of mass credential theft, the business community’s struggle to retain user trust, or the precarious fate of the CVE program, the common denominator is that identity defines access, and access defines risk. Those who control identity shape the battlefield. Those who ignore it become casualties of a new kind of cyberwarfare, one that is fought not with destruction, but with impersonation, automation, and silence.

The data from IBM shows that identity attacks now comprise nearly a third of all intrusions. Rather than relying on disruptive ransomware payloads or noisy breaches, threat actors are quietly infiltrating systems through infostealers, credential phishing campaigns, and adversary-in-the-middle tactics. These low-profile, scalable attacks are not only harder to detect, but they are devastatingly efficient.

In 2024 alone, IBM recorded an 84 percent spike in emails delivering infostealer malware, with early 2025 metrics showing a staggering 180 percent increase. The top five infostealers had over eight million advertisements on dark web marketplaces, each containing dozens or hundreds of stolen login credentials.

This shift in tactics reflects a deeper transformation within the threat environment. Cybercriminals are no longer simply targeting systems; they are targeting trust. They understand that identity is the key to access, lateral movement, and long-term exploitation.

Once stolen, credentials unlock sensitive data, allow persistence within networks, and enable follow-on attacks with minimal risk. Moreover, the economic model has changed. Data theft is now often preferred over encryption. According to IBM, 18 percent of cybercriminals chose to exfiltrate data, while only 11 percent encrypted it.

Meanwhile, AI is allowing threat actors to mass-produce highly believable phishing emails and generate polymorphic malware that bypasses signature-based defenses. IBM’s report emphasizes how AI is not only writing the malicious code, but it is also helping to craft tailored social engineering messages that improve the success rate of identity-based attacks. With AI-as-a-service available on underground markets, even low-skilled actors can launch sophisticated operations.

“Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”

At the same time, security professionals and enterprises are facing an identity crisis of their own. Johan Fantenberg, product and solution director at Ping Identity, has noted that legacy identity systems, poor user experiences, and rigid authentication mechanisms are eroding digital trust. Users are burdened by password fatigue and repeated verification prompts, while businesses struggle with disjointed identity infrastructures that can’t keep pace with transformation demands.

“Today’s users are overwhelmed by passwords, frustrated by clunky authentication processes and often deterred from engaging with digital platforms due to complex sign-up procedures,” Fantenberg said, adding that, “On the other side of the equation, businesses are facing a sophisticated threat landscape powered by AI, along with regulatory pressures and outdated identity management systems that are ill-equipped to keep pace with Digital Transformation.”

The implications are not limited to private enterprises. Critical infrastructure, including manufacturing, energy, and healthcare systems, is particularly exposed. IBM found that 70 percent of the attacks it responded to in 2024 targeted critical infrastructure, with more than a quarter due to unpatched vulnerabilities. Worse, many of the CVEs that were exploited were linked to nation-state actor toolkits, blurring the lines between cybercrime and geopolitical sabotage. IBM’s analysis of the dark web found that 40 percent of the most discussed vulnerabilities were tied to sophisticated nation-state-affiliated groups.

And while threat actors operate with increasing efficiency, government-backed cybersecurity programs like CVE face instability. The CVE program came within hours of being shut down due to administrative delays and potential budget cuts. Even with a last-minute reprieve from CISA, the uncertainty surrounding the CVE program has shaken confidence. Members of the CVE board have already announced plans to transition the project into an independent nonprofit foundation, citing long-standing concerns over its sustainability under sole U.S. government control.

While such a transition might offer long-term neutrality, the instability it introduces in the short term is concerning. As IBM’s findings emphasized, many organizations already struggle with patch management, particularly those using Red Hat Enterprise Linux, where over half had not patched even a single critical CVE.

What ties these developments together is the failure to view identity as a strategic priority. Identity is no longer merely a security checkpoint; it is the new perimeter, the core enabler of trust, and the primary target of threat actors. As the lines between user and machine blur, as AI agents interact with internal systems, and as human trust is continuously challenged by deepfakes and impersonation, the ability to verify who or what is behind an attack becomes paramount.

Enterprises are beginning to wake up to this reality. Fantenberg and others argue that digital identity must be built into every layer of an organization’s architecture. Modern identity and access management (IAM) systems should no longer be treated as backend utilities, but as strategic assets, they point out. Passwords must give way to adaptive, password-less authentication, and context-aware systems must detect behavioral anomalies in real time. Identity verification must extend not only to people, but to devices, applications, and autonomous agents.

This evolution must also take place across supply chains and partner ecosystems. With 98 percent of organizations working with at least one vendor that has suffered a data breach, the risk from third-party access is enormous. Proper B2B identity governance, including granular access control and automated provisioning, is essential.

Equally critical is the internal identity experience. Clunky, delayed, or intrusive access processes not only frustrate employees, but they also invite workarounds that compromise security. Smarter workforce IAM platforms, including single sign-on and risk-based authentication, empower users while reducing the burden on IT.

None of these improvements, though, is possible without structural investment. The funding chaos surrounding the CVE program has exposed a troubling reality: cybersecurity cannot be maintained through ad-hoc gestures or eleventh-hour extensions. As federal budgets tighten under the Trump administration’s mandates, foundational programs risk collapse just as threat actors accelerate. This contradiction undermines every warning issued by security leaders and every report produced by threat intelligence teams.

The path forward demands a wholesale rethinking of digital identity. Businesses, governments, and critical infrastructure operators must stop treating identity as a checkbox in compliance frameworks and start recognizing it as the keystone of operational continuity and national security. Continuous authentication, decentralized identifiers, AI-secured behavioral analysis, and zero trust frameworks must no longer be futuristic aspirations. They must be standard operating procedure.
