If Identity Is the New Perimeter, Why Are We Still Trusting It on Day One?

Sponsored article

The entire security stack, from endpoint detection to privileged access management, is built on one assumption: that the person behind the credential is who they claim to be. Attackers have noticed this vulnerability, and that assumption is now being exploited across hiring, onboarding, and help desk workflows.

Most breaches no longer begin with malware, software exploits, or other vulnerabilities. They begin with trusted access. Every downstream security control assumes the identity behind a credential is legitimate, and attackers are increasingly targeting the moments where that assumption is made.

Huge thanks to our sponsor, Incode Technologies

Incode Workforce helps enterprises stop deepfakes, prevent fraud, and secure every identity moment. By matching an ID to a selfie with AI-powered biometrics, Incode confirms the real person behind each IAM interaction, safeguarding onboarding, access, and recovery with frictionless verification that ensures workforce security and trust at scale.

It started with a resume

Mandiant Consulting CTO Charles Carmakal said at RSAC 2025 that “nearly every CISO that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen.” The attack does not start with malware. It starts with a resume.

Operatives apply using stolen or synthetic identities, pass remote video interviews, often with AI tools, accept an offer, and receive a corporate laptop. On day one, they log in and are provisioned into company systems.

From that point forward, everything looks normal. IAM (identity and access management) sees a valid employee, the endpoint is managed, and monitoring reflects expected behavior. Every control is functioning exactly as designed for an identity that should never have been trusted in the first place.

CrowdStrike tracked 304 incidents in 2024 tied to this group, known as Famous Chollima, in which operatives simultaneously held multiple jobs at different organizations. This is not improvised.

Microsoft Threat Intelligence uncovered a public repository containing AI-enhanced photos, resumes, and step-by-step playbooks for navigating job platforms and building credible profiles on LinkedIn and GitHu.

The attack surface here is not technical. It is the hiring and onboarding workflow, which most security teams do not own and most HR teams do not treat as a risk surface.

No malware required

The same gap appears once someone is already inside the environment.

An attacker who has done basic research can call the help desk, claim to be locked out, and walk away with a freshly reset MFA credential. No malware or phishing link required, just a phone call.

In the MGM breach, Scattered Spider used this exact approach, socially engineering the help desk to reset MFA and moving from initial contact to domain admin access in under 40 minutes. The help desk agents followed their documented procedures. It was those very procedures that allowed for the reset.

The vulnerability was not the agent. It was a policy that allowed identity to be assumed at a high-risk moment. Once an attacker successfully impersonates a legitimate user, traditional authentication controls often become ineffective.

Obsidian Security’s 2025 SaaS Threat Report found that MFA failed to prevent compromise in 84 percent of incident responses it analyzed. A figure that reflects how frequently attackers are bypassing MFA rather than breaking it. Adding another authentication factor does not close that gap when the underlying identity was never verified.

Verification is a policy decision, not a technology gap

Workforce identity changes hands at three critical moments: hiring, onboarding or day one provisioning, and help desk account recovery.

If identity is falsely established or improperly restored at any one of them, every downstream control inherits that trust decision.

The problem persists because responsibility is fragmented across HR, IT, and security. Each team manages part of the workflow, but no single function consistently owns identity verification as a security control.

Closing the gap does not require replacing existing security tools. It requires adding a verification step at the moments where identity is currently assumed rather than confirmed. That means confirming the person accepting a role matches the individual who was interviewed, verifying identity before initial credential provisioning, and requiring stronger proof of identity during high-risk help desk actions such as MFA resets or privileged account recovery.

According to Unit 42’s 2025 Global Incident Response Report, social engineering was the initial access vector in 36 percent of incident response cases. Most did not require a technical exploit. They required convincing someone that the attacker was a legitimate employee, contractor, or user.

Closing that gap starts with treating verification as a security control, not an onboarding checkbox.

The more immediate question is simpler: what would it take for someone to get an MFA reset approved in your environment today?

Go Deeper

Listen to the Security You Should Know episode, Verifying Identity with Incode Technologies, to hear how organizations are applying identity assurance at these critical moments without introducing unnecessary friction.

Fernanda Sottil
Fernanda Sottil is Senior Director of Strategy at Incode Technologies, a leading identity verification company. She leads product strategy and helps drive innovations, including Incode’s work on agentic identity and building trust for autonomous systems.
Before Incode, Fernanda held strategic roles at Uber and Google, where she supported product launches and operational growth across the United States and Latin America. She is also a former entrepreneur.
Fernanda earned an MBA from Stanford Graduate School of Business and a double degree in Industrial and Business Engineering from ITAM in Mexico City.