<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Research | vnceb</title>
    <link>https://www.20-100.net/research/</link>
    <description>Recent content in Research on vnceb</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 14 Apr 2026 00:00:00 &#43;0000</lastBuildDate>
    <atom:link href="https://www.20-100.net/research/index.xml" rel="self" type="application/rss+xml" />
    
    <item>
      <title>The End of NTLM and the Kerberos Reckoning</title>
      <link>https://www.20-100.net/research/the-end-of-ntlm-and-the-kerberos-reckoning/</link>
      <pubDate>Tue, 14 Apr 2026 00:00:00 &#43;0000</pubDate>
      <guid>https://www.20-100.net/research/the-end-of-ntlm-and-the-kerberos-reckoning/</guid>
      <description>&lt;p&gt;&lt;strong&gt;Independent Research Note | April 2026&lt;/strong&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;bottom-line&#34;&gt;Bottom Line&lt;/h2&gt;
&lt;p&gt;Microsoft is dismantling NTLM, the 30-year-old authentication protocol still used by 64% of Active Directory accounts, through a three-phase deprecation plan that will disable it by default in the next major Windows Server release. This transition represents the most significant shift in Windows enterprise authentication since Kerberos replaced NTLM as the default protocol in Windows 2000. Organizations that delay migration face escalating risk: at least 10 actively exploited NTLM CVEs were disclosed in 2024-2025 alone, and identity-based attacks became the leading intrusion vector in 2024, accounting for &lt;strong&gt;30% of all breaches&lt;/strong&gt; according to IBM X-Force. Meanwhile, Kerberos itself faces a parallel crisis. Newly discovered attack techniques like BadSuccessor and Golden dMSA exploit the very features Microsoft designed to replace legacy weaknesses, while Kerberoasting remains the dominant credential-theft technique across enterprise environments.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-findings&#34;&gt;Key Findings&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Microsoft formally deprecated all NTLM versions in June 2024 and published a three-phase deprecation roadmap on January 29, 2026.&lt;/strong&gt; NTLMv1 has been fully removed from Windows 11 24H2 and Windows Server 2025. NTLMv2 will be disabled by default in the next major Windows Server LTSC release. Complete removal has no announced date.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;At least 10 actively exploited NTLM CVEs were disclosed in 2024-2025, including two CVSS 9.8 vulnerabilities.&lt;/strong&gt; The patch-bypass-repatch cycle around CVE-2025-24054 demonstrates that NTLM&amp;rsquo;s architectural weaknesses cannot be incrementally fixed. Cymulate bypassed Microsoft&amp;rsquo;s patches twice, achieving zero-click credential leakage on fully patched systems.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Kerberoasting activity increased 583% year-over-year&lt;/strong&gt; (CrowdStrike), and new attack techniques targeting Windows Server 2025 features designed to replace NTLM (BadSuccessor, Golden dMSA) show that Kerberos itself requires significant hardening.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;64% of Active Directory user accounts still regularly authenticate with NTLM&lt;/strong&gt; (Silverfort), and Gartner estimates over 50% of organizations actively use it. Enterprise migration typically requires 18-22 months. The gap between deprecation intent and operational reality is substantial.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The passwordless authentication market has reached a tipping point.&lt;/strong&gt; FIDO2 passkeys achieve a 93% login success rate versus 63% for traditional authentication. Microsoft made passkeys the default sign-in for all new accounts in May 2025. The market is valued at $18.8-24.1 billion and projected to reach $55-90 billion by 2030-2035.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Nation-state actors weaponize NTLM vulnerabilities within days of disclosure.&lt;/strong&gt; CVE-2025-24054 was exploited eight days after patch release, with campaigns targeting Polish and Romanian government institutions traced to infrastructure previously linked to APT28 (Fancy Bear). Volt Typhoon, Scattered Spider, and Wizard Spider all incorporate NTLM exploitation into their toolkits.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;forward-looking-assumptions&#34;&gt;Forward-Looking Assumptions&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By mid-2027, Microsoft will disable NTLMv2 by default in the next Windows Server LTSC release,&lt;/strong&gt; forcing organizations that have not migrated into explicit re-enablement through policy. Organizations without NTLM audit data by Q4 2026 will face emergency remediation timelines.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Through 2028, Kerberoasting will remain the dominant Active Directory credential-theft technique,&lt;/strong&gt; despite RC4 deprecation efforts. Enterprises with mixed Windows Server 2019/2025 environments will encounter encryption type mismatches that slow AES-only enforcement.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2027, at least one major breach attributed to a BadSuccessor or Golden dMSA attack will force Microsoft to reclassify dMSA attack surface from &amp;ldquo;moderate&amp;rdquo; to &amp;ldquo;critical&amp;rdquo; severity.&lt;/strong&gt; Akamai found 91% of environments had non-admin users with sufficient permissions to execute BadSuccessor. The attack surface is too broad for the current severity classification to hold.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2029, FIDO2/passkeys will be the default enterprise authentication method for over 50% of Fortune 500 companies.&lt;/strong&gt; The combination of Microsoft, Google, and Apple platform support, 87% enterprise deployment or planning rates (FIDO Alliance), and regulatory pressure from CISA and NIST will drive adoption past the tipping point.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Through 2027, the most common cause of NTLM migration failure will be hidden NTLM fallback from misconfigured SPNs and IP-based access patterns,&lt;/strong&gt; not legacy application hardcoding. Phase 1 auditing will reveal NTLM dependencies that organizations did not know existed, extending migration timelines beyond initial estimates.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;analysis&#34;&gt;Analysis&lt;/h2&gt;
&lt;h3 id=&#34;1-microsofts-three-phase-deprecation-roadmap&#34;&gt;1. Microsoft&amp;rsquo;s Three-Phase Deprecation Roadmap&lt;/h3&gt;
&lt;p&gt;Microsoft formally deprecated all NTLM versions (LANMAN, NTLMv1, and NTLMv2) in &lt;strong&gt;June 2024&lt;/strong&gt;, adding them to the Windows Deprecated Features list. NTLMv1 was not just deprecated but &lt;strong&gt;fully removed&lt;/strong&gt; from Windows 11 24H2 and Windows Server 2025. NTLMv2 remains functional but receives no active development. On January 29, 2026, Microsoft published a definitive roadmap with three phases.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Phase 1 (available now)&lt;/strong&gt; delivers enhanced NTLM auditing in Windows Server 2025 and Windows 11 24H2. New event IDs (4020-4033) capture which accounts use NTLM, which processes trigger it, why Kerberos failed, and the NTLM version negotiated. This visibility layer is the critical first step. Most organizations cannot enumerate their NTLM dependencies without it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Phase 2 (H2 2026)&lt;/strong&gt; addresses the technical barriers that force NTLM fallback. Two new capabilities ship: &lt;strong&gt;IAKerb&lt;/strong&gt; (Initial and Pass Through Authentication Using Kerberos), which enables Kerberos authentication without direct domain controller connectivity, and &lt;strong&gt;Local KDC&lt;/strong&gt;, which provides Kerberos for local account authentication. Microsoft estimates these cover roughly 5% of remaining NTLM usage, specifically the hardest cases involving workgroup-joined systems, IP-based access, and disconnected scenarios.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Phase 3 (next major Windows Server LTSC release)&lt;/strong&gt; will &lt;strong&gt;disable network NTLM by default&lt;/strong&gt;. Applications requiring NTLM must explicitly re-enable it through policy. Microsoft has been careful to clarify: &lt;em&gt;&amp;ldquo;Disabling NTLM by default does not mean completely removing NTLM from Windows yet.&amp;rdquo;&lt;/em&gt; Complete removal has no announced date. The &lt;code&gt;BlockNTLMv1SSO&lt;/code&gt; registry key will flip from audit to enforce mode by &lt;strong&gt;October 2026&lt;/strong&gt;, and &lt;strong&gt;RC4 encryption for Kerberos&lt;/strong&gt;, the cryptographic weakness enabling Kerberoasting, will be disabled by default for new domains in Q1 2026, with broader enforcement by mid-2026.&lt;/p&gt;
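&lt;p&gt;The visibility that Phase 1 depends on is already available on any supported Windows version from the Security log: logon event 4624 records the authentication package that actually won the negotiation and, for NTLM, the &lt;code&gt;LmPackageName&lt;/code&gt; field (NTLM V1 or NTLM V2), which is what tells you whether an account is still negotiating NTLMv1. The PowerShell below is an added example, not Microsoft tooling and not from the original note. It assumes the Security log is readable (run on a domain controller as an administrator) and that success logon auditing is on, which it is by default on DCs; the function names are ours, the event field names are Microsoft's, and the sample event at the end is constructed so the parser can be exercised without a domain.&lt;/p&gt;

```powershell
# Parse 4624 logon events and summarise which accounts still authenticate with NTLM, which version,
# and from where. Added example; function names are ours, event field names are Microsoft's.

function ConvertFrom-LogonEvent {
    # Accepts either an EventRecord from Get-WinEvent or an [xml] document with the same schema.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        if ($Record -is [xml]) {
            $xml  = $Record
            $time = [datetime]$xml.Event.System.TimeCreated.SystemTime
        } else {
            $xml  = [xml]$Record.ToXml()
            $time = $Record.TimeCreated
        }
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time        = $time
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            AuthPackage = $d.AuthenticationPackageName   # 'NTLM' or 'Kerberos'; Negotiate is resolved to the winner here
            NtlmVersion = $d.LmPackageName               # 'NTLM V1', 'NTLM V2', 'LM', or '-' when not NTLM
            LogonType   = [int]$d.LogonType              # 3 = network, 10 = RDP, 2 = interactive
            SourceHost  = $d.WorkstationName
            SourceIp    = $d.IpAddress
        }
    }
}

function Group-NtlmLogon {
    # One row per account / NTLM version / source host, most frequent first, with last-seen time.
    param([Parameter(ValueFromPipeline)] $Logon)
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Logon) }
    end {
        $all | Group-Object Account, NtlmVersion, SourceHost | ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                Account     = $g[0].Account
                NtlmVersion = $g[0].NtlmVersion
                SourceHost  = $g[0].SourceHost
                SourceIp    = ($g.SourceIp | Sort-Object -Unique) -join ','
                Logons      = $_.Count
                LastSeen    = ($g | Sort-Object Time -Descending)[0].Time
            }
        } | Sort-Object Logons -Descending
    }
}

function Get-NtlmInventory {
    # Live inventory: every NTLM logon in the window, grouped. Kerberos logons are dropped.
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ConvertFrom-LogonEvent |
        Where-Object { $_.AuthPackage -eq 'NTLM' } |
        Group-NtlmLogon
}

# Constructed sample 4624 (not a real capture) so the parser can be run offline.
$sample = [xml]@'
&lt;Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"&gt;
  &lt;System&gt;&lt;EventID&gt;4624&lt;/EventID&gt;&lt;TimeCreated SystemTime="2026-04-01T09:15:00.000Z"/&gt;&lt;/System&gt;
  &lt;EventData&gt;
    &lt;Data Name="TargetUserName"&gt;svc_backup&lt;/Data&gt;
    &lt;Data Name="TargetDomainName"&gt;CORP&lt;/Data&gt;
    &lt;Data Name="LogonType"&gt;3&lt;/Data&gt;
    &lt;Data Name="AuthenticationPackageName"&gt;NTLM&lt;/Data&gt;
    &lt;Data Name="LmPackageName"&gt;NTLM V1&lt;/Data&gt;
    &lt;Data Name="WorkstationName"&gt;PRN-FLOOR2&lt;/Data&gt;
    &lt;Data Name="IpAddress"&gt;10.20.3.41&lt;/Data&gt;
  &lt;/EventData&gt;
&lt;/Event&gt;
'@
ConvertFrom-LogonEvent -Record $sample | Group-NtlmLogon | Format-Table -AutoSize
# Real run on a DC:  Get-NtlmInventory -Since (Get-Date).AddDays(-30) | Export-Csv ntlm-inventory.csv -NoTypeInformation
```

&lt;p&gt;Rows whose &lt;code&gt;NtlmVersion&lt;/code&gt; is &lt;code&gt;NTLM V1&lt;/code&gt; are the immediate problem; rows whose source host is a printer, appliance or IP-addressed share are the hidden-fallback cases the roadmap warns about. Once the Phase 1 events (4020-4033) are enabled they add the process name and the reason Kerberos was not used, but the 4624 view above is enough to build the dependency inventory on older systems.&lt;/p&gt;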
&lt;h3 id=&#34;2-kerberos-under-siege-old-attacks-persist-new-ones-emerge&#34;&gt;2. Kerberos Under Siege: Old Attacks Persist, New Ones Emerge&lt;/h3&gt;
&lt;p&gt;While Microsoft positions Kerberos as NTLM&amp;rsquo;s successor, the protocol faces its own expanding attack surface. &lt;strong&gt;Kerberoasting&lt;/strong&gt; remains the single most impactful Active Directory attack technique. CrowdStrike documented a &lt;strong&gt;583% year-over-year increase&lt;/strong&gt; in Kerberoasting activity, and the Ascension Health ransomware breach in May 2024, which exposed 5.6 million patient records, was attributed by Senator Ron Wyden to Kerberoasting of RC4-encrypted service tickets, a path that exists only because Active Directory still issued RC4 tickets by default. Wyden&amp;rsquo;s letter asked the FTC to investigate Microsoft&amp;rsquo;s security defaults.&lt;/p&gt;
&lt;p&gt;The traditional attack taxonomy (Golden Tickets, Silver Tickets, Pass-the-Ticket, AS-REP Roasting) remains fully relevant. But researchers have introduced increasingly stealthy variants that challenge conventional detection:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Diamond Tickets&lt;/strong&gt; modify a legitimately issued TGT by decrypting it with the KRBTGT key, altering the PAC to add privileged group memberships, and re-encrypting. Because the ticket has a corresponding AS-REQ in KDC logs, it evades detections that look for forged tickets without authentication history.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sapphire Tickets&lt;/strong&gt; go further, replacing the PAC entirely with a legitimate PAC obtained through S4U2Self+U2U extensions. The resulting ticket contains no forged data whatsoever, making detection through PAC inspection effectively impossible.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;BadSuccessor&lt;/strong&gt; (disclosed by Akamai, May 2025) exploits Delegated Managed Service Accounts (dMSA), a Windows Server 2025 feature designed to mitigate Kerberoasting. An attacker who can create child objects in any OU can create a dMSA, point its &lt;code&gt;msDS-ManagedAccountPrecededByLink&lt;/code&gt; attribute at a Domain Admin and mark the migration complete, after which the KDC issues the dMSA tickets carrying that account&amp;rsquo;s privileges. Akamai found &lt;strong&gt;91% of environments&lt;/strong&gt; had non-admin users with sufficient permissions to execute this attack. Microsoft classified it as &amp;ldquo;moderate severity&amp;rdquo; and released a patch in August 2025.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Golden dMSA&lt;/strong&gt; (Semperis, July 2025) enables an attacker who has already obtained the KDS root key, a secret that by itself requires Domain Admin-level access to a domain controller, to derive the current password of any dMSA offline: the remaining unknown inputs to the derivation have only ~1,024 possible combinations, so they can be enumerated without touching the KDC. The result is persistent access to every managed service account in the forest that survives password rotation and has no expiration.&lt;/li&gt;
&lt;/ul&gt;
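&lt;p&gt;As an added PowerShell example of the permission audit the BadSuccessor item implies (ours, not Akamai&amp;rsquo;s tooling and not from the original note): the script resolves the dMSA class from the schema at run time rather than hardcoding its GUID, lists every OU ACE that would let a principal outside the expected admin groups create a dMSA, and then pulls Security event 5137 for dMSA objects actually created. It assumes the ActiveDirectory module, a Windows Server 2025 forest schema and Directory Service Changes auditing on the DCs; the function names and the ignore list are ours.&lt;/p&gt;

```powershell
Import-Module ActiveDirectory

function Get-DmsaCreateGrant {
    # Allow ACEs on OUs that permit creating msDS-DelegatedManagedServiceAccount objects, directly
    # (CreateChild for any class or for that class; GenericAll includes CreateChild) or indirectly
    # (WriteDacl / WriteOwner let the holder grant it to themselves). Expected admins are filtered out.
    param([string[]] $IgnoreSids = @('S-1-5-32-544', 'S-1-5-18'))   # BUILTIN\Administrators, SYSTEM
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    if (-not $class) { throw 'No dMSA class in the schema: forest schema predates Windows Server 2025, BadSuccessor does not apply yet.' }
    $dmsaGuid  = [guid]::new([byte[]]$class.schemaIDGUID)
    $domainSid = (Get-ADDomain).DomainSID.Value
    $ignore    = $IgnoreSids + @("$domainSid-512", "$domainSid-519")   # Domain Admins, Enterprise Admins
    $R = [System.DirectoryServices.ActiveDirectoryRights]

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $direct   = $rights.HasFlag($R::CreateChild)
            $indirect = $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)
            if (-not ($direct -or $indirect)) { continue }
            # Empty ObjectType means the right applies to every child class; otherwise it must name the dMSA class
            if ($direct -and $ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($sid -in $ignore) { continue }
            if ($ace.ObjectType -eq [guid]::Empty) { $scope = 'any child class' } else { $scope = 'dMSA class' }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Scope     = $scope
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-DmsaCreationEvent {
    # Security 5137 (directory object created) entries whose ObjectClass is the dMSA class.
    # Requires the 'Audit Directory Service Changes' subcategory on domain controllers.
    param([datetime] $Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5137; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            if ($d.ObjectClass -eq 'msDS-DelegatedManagedServiceAccount') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Creator = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object  = $d.ObjectDN
                }
            }
        }
}

Get-DmsaCreateGrant   | Format-Table -AutoSize -Wrap
Get-DmsaCreationEvent | Format-Table -AutoSize
```

&lt;p&gt;Anything the first function returns for a non-admin principal is a BadSuccessor path until the August 2025 patch is on every DC, and the second function is the detection to keep after patching: dMSA creation by anyone other than the team that owns service accounts should be rare enough to alert on.&lt;/p&gt;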
&lt;p&gt;The most critical Kerberos CVE of this period was &lt;strong&gt;CVE-2024-43639 (CVSS 9.8)&lt;/strong&gt;, an unauthenticated remote code execution vulnerability in the Windows KDC Proxy caused by an integer overflow. It required no user interaction and affected Windows Server 2012 through 2025. Microsoft&amp;rsquo;s &lt;strong&gt;PAC validation enforcement&lt;/strong&gt;, completed in April 2025 after a multi-year rollout, represents the most significant defensive improvement, making Golden and Silver Ticket attacks harder to execute undetected.&lt;/p&gt;
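&lt;p&gt;The RC4 weakness behind Kerberoasting, and the detection for it, as an added PowerShell example that is not CrowdStrike or Microsoft tooling and not from the original note. It serves this section and recommendation 3 below: the first function looks for the Kerberoasting burst shape in Security event 4769 on a domain controller, the second lists service accounts whose &lt;code&gt;msDS-SupportedEncryptionTypes&lt;/code&gt; still admits RC4, and the third moves one of them to AES-only. Function names and thresholds are ours; event field names and attribute bits are Microsoft&amp;rsquo;s. It assumes the ActiveDirectory module and Kerberos service-ticket auditing on the DC.&lt;/p&gt;

```powershell
Import-Module ActiveDirectory

function Find-KerberoastBurst {
    # A 4769 with TicketEncryptionType 0x17 (RC4-HMAC) for a non-machine service account is the
    # Kerberoasting signal; many distinct services from one client in a short window is the bulk-request shape.
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),
        [int] $MinDistinctServices = 5,
        [int] $WindowMinutes = 10
    )
    $requests = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Client  = $d.TargetUserName                  # requesting principal, e.g. alice@CORP.LOCAL
                Ip      = $d.IpAddress
                Service = ($d.ServiceName -replace '@.*$')   # sAMAccountName of the target service
                EncType = $d.TicketEncryptionType            # 0x17 RC4-HMAC, 0x12 AES256, 0x11 AES128
                Status  = $d.Status
            }
        } |
        Where-Object { $_.Status -eq '0x0' -and $_.EncType -eq '0x17' -and
                       $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' }   # drop machine accounts and TGT renewals

    foreach ($group in ($requests | Group-Object Client)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $win = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            $svc = @($win.Service | Sort-Object -Unique)
            if ($svc.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Client   = $group.Name
                    Ip       = $sorted[$i].Ip
                    Start    = $sorted[$i].Time
                    Services = $svc.Count
                    Sample   = ($svc | Select-Object -First 5) -join ', '
                }
                break   # one finding per client; tune window and threshold to your baseline
            }
        }
    }
}

function Get-Rc4ServiceAccount {
    # User accounts carrying an SPN. msDS-SupportedEncryptionTypes bits: 0x1/0x2 DES, 0x4 RC4,
    # 0x8 AES128, 0x10 AES256. Unset (0) means the DC applies its DefaultDomainSupportedEncTypes,
    # which permits RC4 unless you have changed it.
    Get-ADUser -LDAPFilter '(&amp;(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
               -Properties msDS-SupportedEncryptionTypes, servicePrincipalName, PasswordLastSet |
        ForEach-Object {
            $t = [int]$_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Account    = $_.SamAccountName
                EncTypes   = ('0x{0:X}' -f $t)
                Rc4Allowed = ($t -eq 0) -or (($t -band 0x4) -ne 0)
                AesOnly    = (($t -band 0x18) -ne 0) -and (($t -band 0x7) -eq 0)
                PwdLastSet = $_.PasswordLastSet
                Spns       = ($_.servicePrincipalName -join ' ')
            }
        }
}

function Set-AesOnlyServiceAccount {
    # Restrict the account to AES, then rotate its password: AES keys exist only for passwords set
    # after AES support was available, and a KDC with no AES key for the account answers
    # KDC_ERR_ETYPE_NOSUPP once RC4 is gone.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType 'AES128, AES256'
    Write-Warning "Rotate the password of $SamAccountName now so the KDC holds AES keys for it."
}

Find-KerberoastBurst | Format-Table -AutoSize
Get-Rc4ServiceAccount | Where-Object Rc4Allowed | Format-Table Account, EncTypes, PwdLastSet -AutoSize
```

&lt;p&gt;The RC4 ticket cracks at NTLM-hash speed because its key is the account&amp;rsquo;s NT hash; an AES ticket costs the attacker a PBKDF2 derivation per guess. That is why the second list is the work queue: every account on it with an old &lt;code&gt;PwdLastSet&lt;/code&gt; is both Kerberoastable today and will break when RC4 is switched off unless its password is rotated after the enctype change.&lt;/p&gt;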
&lt;h3 id=&#34;3-ntlms-2024-2025-cve-crisis&#34;&gt;3. NTLM&amp;rsquo;s 2024-2025 CVE Crisis&lt;/h3&gt;
&lt;p&gt;The volume and severity of NTLM vulnerabilities disclosed in 2024-2025 has been extraordinary, demonstrating that NTLM&amp;rsquo;s fundamental design cannot be patched into safety.&lt;/p&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;CVE&lt;/th&gt;
          &lt;th&gt;CVSS&lt;/th&gt;
          &lt;th&gt;Type&lt;/th&gt;
          &lt;th&gt;Exploited in Wild&lt;/th&gt;
          &lt;th&gt;Key Detail&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2024-21410&lt;/td&gt;
          &lt;td&gt;9.8&lt;/td&gt;
          &lt;td&gt;Exchange NTLM relay&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Prompted default EPA enablement&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2024-43451&lt;/td&gt;
          &lt;td&gt;6.5&lt;/td&gt;
          &lt;td&gt;NTLMv2 hash disclosure (zero-day)&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Used by Russian-linked UAC-0194, BlindEagle, Head Mare&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-21311&lt;/td&gt;
          &lt;td&gt;&lt;strong&gt;9.8&lt;/strong&gt;&lt;/td&gt;
          &lt;td&gt;NTLMv1 privilege escalation&lt;/td&gt;
          &lt;td&gt;Automatable&lt;/td&gt;
          &lt;td&gt;CISA flagged &amp;ldquo;total technical impact&amp;rdquo;&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-24054&lt;/td&gt;
          &lt;td&gt;6.5&lt;/td&gt;
          &lt;td&gt;Hash disclosure via .library-ms&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Exploited 8 days after patch; CISA KEV&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-33073&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;NTLM reflection to SYSTEM&lt;/td&gt;
          &lt;td&gt;PoC available&lt;/td&gt;
          &lt;td&gt;Any domain user to SYSTEM on hosts without SMB signing&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;CVE-2025-59214&lt;/td&gt;
          &lt;td&gt;Medium&lt;/td&gt;
          &lt;td&gt;Third bypass of hash disclosure patch&lt;/td&gt;
          &lt;td&gt;Demonstrated&lt;/td&gt;
          &lt;td&gt;Zero-click on fully patched systems&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;CVE-2025-24054&lt;/strong&gt; illustrates the problem&amp;rsquo;s urgency. Patched on March 11, 2025, it was exploited in the wild by March 19, just &lt;strong&gt;eight days&lt;/strong&gt; later. Check Point Research documented approximately 10 campaigns by March 25, targeting Polish and Romanian government institutions. SMB hash-collection servers were traced to Russia, Bulgaria, Netherlands, Australia, and Turkey, with one IP previously linked to &lt;strong&gt;APT28 (Fancy Bear)&lt;/strong&gt;. CISA added it to the Known Exploited Vulnerabilities catalog with a mandatory remediation deadline.&lt;/p&gt;
&lt;p&gt;Cymulate Research Labs discovered that Microsoft&amp;rsquo;s patches for CVE-2025-24054 could be &lt;strong&gt;bypassed twice&lt;/strong&gt; (CVE-2025-50154 and CVE-2025-59214), with the latter achieving zero-click NTLM credential leakage on fully patched systems. This pattern of patch-bypass-repatch underscores that NTLM&amp;rsquo;s architectural weaknesses cannot be incrementally fixed. They require protocol elimination.&lt;/p&gt;
&lt;p&gt;Nation-state actors and ransomware groups actively weaponize these weaknesses. &lt;strong&gt;Volt Typhoon&lt;/strong&gt;, &lt;strong&gt;APT28&lt;/strong&gt;, &lt;strong&gt;Scattered Spider&lt;/strong&gt;, and &lt;strong&gt;Wizard Spider&lt;/strong&gt; all incorporate NTLM exploitation into their toolkits. &lt;strong&gt;90% of ransomware breaches&lt;/strong&gt; involve RDP abuse (Sophos), and groups like ALPHV/BlackCat, Akira, and RansomHub routinely leverage NTLM-based lateral movement to escalate from initial access to domain compromise.&lt;/p&gt;
&lt;h3 id=&#34;4-enterprise-migration-barriers&#34;&gt;4. Enterprise Migration Barriers&lt;/h3&gt;
&lt;p&gt;Despite the clear threat, enterprise NTLM elimination remains a significant operational challenge. Silverfort&amp;rsquo;s research found that &lt;strong&gt;64% of Active Directory user accounts regularly authenticate with NTLM&lt;/strong&gt;, and Gartner estimates over &lt;strong&gt;50% of organizations&lt;/strong&gt; still actively use it.&lt;/p&gt;
&lt;p&gt;The primary obstacles are well-documented. Legacy applications (ERP systems, HR platforms, and industrial control software built before the 2000s) often hardcode NTLM with no Kerberos support. Third-party firmware in printers, network devices, and IoT equipment frequently embeds NTLMv1 with no upgrade path. Hidden NTLM fallback occurs when Kerberos fails silently due to misconfigured SPNs, IP-based access patterns, or missing DNS entries. Cross-forest trust scenarios and Exchange hybrid migrations add further complexity. Mandiant&amp;rsquo;s January 2026 release of &lt;strong&gt;8.6 terabytes of NTLMv1 rainbow tables&lt;/strong&gt;, enabling hash recovery in under 12 hours on $600 hardware, was a deliberate forcing function designed to eliminate any remaining justification for NTLMv1 retention.&lt;/p&gt;
&lt;p&gt;Organizations following Microsoft&amp;rsquo;s recommended migration path typically plan &lt;strong&gt;18-22 months&lt;/strong&gt; for full NTLM elimination. The most heavily affected industries include &lt;strong&gt;manufacturing&lt;/strong&gt; (50% of observed NTLM exploitation targets per Kaspersky telemetry), &lt;strong&gt;healthcare&lt;/strong&gt; (the Ascension breach being the most prominent case), &lt;strong&gt;government&lt;/strong&gt; (CISA assessments identify credential access as the most prevalent attack against federal agencies), and &lt;strong&gt;financial services&lt;/strong&gt; (where strict compliance requirements both motivate and complicate migration timelines).&lt;/p&gt;
&lt;h3 id=&#34;5-vendor-landscape&#34;&gt;5. Vendor Landscape&lt;/h3&gt;
&lt;p&gt;The NTLM deprecation has catalyzed a competitive vendor landscape spanning detection, migration, governance, and replacement.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Microsoft&lt;/strong&gt; is driving the transition most aggressively, with Entra ID as the centerpiece. Microsoft Entra Private Access (GA July 2024) acts as an OAuth/OIDC-to-Kerberos bridge, layering Conditional Access and MFA on legacy NTLM/Kerberos applications without code changes. Entra Kerberos (Cloud Kerberos Trust) turns Entra ID into a cloud-based KDC, enabling passwordless SSO to on-premises resources and is now the recommended deployment model for Windows Hello for Business. Windows Server 2025 ships with &lt;strong&gt;EPA enabled by default&lt;/strong&gt; for AD CS and LDAP, &lt;strong&gt;Credential Guard enabled by default&lt;/strong&gt;, and mandatory SMB signing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Silverfort&lt;/strong&gt; has emerged as the most prominent vendor specifically addressing NTLM security, offering the only solution that extends MFA to NTLM and Kerberos authentications without agents. Their research discovered that on-premises applications can bypass the Group Policy designed to block NTLMv1, creating what they called a &amp;ldquo;false sense of protection.&amp;rdquo; Gartner&amp;rsquo;s May 2025 report &amp;ldquo;A Well-Run Active Directory Requires Strong Identity Controls&amp;rdquo; named Silverfort as an example vendor in three categories.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CrowdStrike&amp;rsquo;s Falcon Identity Protection&lt;/strong&gt; performs real-time inspection of NTLM, Kerberos, and LDAP traffic, with specialized detection for relay attacks, Kerberoasting, and Golden/Silver Ticket usage. Their acquisition of Preempt Security in 2020, whose researchers discovered critical NTLM bypass vulnerabilities, underpins deep protocol expertise.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Semperis&lt;/strong&gt; focuses on AD resilience and recovery, with Directory Services Protector monitoring for NTLM-related indicators and a new Service Account Protection Essential (August 2025) specifically targeting Kerberoasting-vulnerable service accounts. Their researchers discovered the Golden dMSA attack and coordinated multiple CVE disclosures with Microsoft.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Cisco Duo&lt;/strong&gt; made a significant competitive entry in 2025-2026, extending MFA directly to all Active Directory authentications, including CLI and legacy applications using Kerberos and NTLM. Cisco Identity Intelligence provides deep posture management, and Cisco Talos found nearly half of identity-based attacks in 2024 focused on Active Directory.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Delinea&lt;/strong&gt; explicitly added Kerberos authentication support to Connection Manager in Q1 2025, noting it &amp;ldquo;mitigates risks associated with NTLM, including Pass-the-Hash, DCSync, NTLM relay.&amp;rdquo; &lt;strong&gt;Okta&amp;rsquo;s&lt;/strong&gt; Agentless Desktop SSO explicitly requires Kerberos tickets; NTLM tokens cause authentication failure by design. &lt;strong&gt;Ping Identity&lt;/strong&gt; and &lt;strong&gt;SailPoint&lt;/strong&gt; operate at the federation and governance layers respectively, providing standards-based SSO and identity lifecycle management that inherently bypass NTLM.&lt;/p&gt;
&lt;h3 id=&#34;6-modern-alternatives-reaching-enterprise-maturity&#34;&gt;6. Modern Alternatives Reaching Enterprise Maturity&lt;/h3&gt;
&lt;p&gt;The authentication stack replacing NTLM and password-based Kerberos is coalescing around three pillars: passwordless credentials, cloud identity platforms, and Zero Trust architecture.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;FIDO2 and passkeys reached a tipping point in 2025.&lt;/strong&gt; The FIDO Alliance reports that 87% of US and UK enterprises are deploying or planning passkey deployment for employee sign-ins. Passkeys achieve a &lt;strong&gt;93% login success rate&lt;/strong&gt; versus 63% for traditional authentication. Microsoft made passkeys the default sign-in for all new Microsoft accounts in May 2025, driving 120% growth in passkey authentications. Okta&amp;rsquo;s data shows phishing-resistant passwordless authentication grew 63% year-over-year, and workforce MFA adoption reached 70%.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Certificate-based authentication&lt;/strong&gt; serves regulated environments requiring digital signatures, email encryption, and high-assurance identity proofing. Microsoft Entra CBA is now generally available, enabling X.509 certificate authentication directly to Entra ID without AD FS and classified as phishing-resistant MFA by both Microsoft and CISA. Federal agencies using PIV/CAC smart cards can authenticate directly to cloud resources, removing a lateral movement path through Active Directory.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Zero Trust architecture&lt;/strong&gt; provides the strategic framework driving NTLM elimination. CISA&amp;rsquo;s Zero Trust Maturity Model v2.0 requires phishing-resistant MFA at the &amp;ldquo;Advanced&amp;rdquo; level and continuous identity validation at the &amp;ldquo;Optimal&amp;rdquo; level, both incompatible with NTLM&amp;rsquo;s implicit trust model. &lt;strong&gt;OMB M-22-09&lt;/strong&gt; mandates federal agencies achieve Zero Trust objectives including phishing-resistant MFA. Internationally, the EU&amp;rsquo;s NIS2 Directive, eIDAS 2.0 (requiring digital identity wallets by 2026), and PCI DSS 4.0 all strengthen authentication requirements. Eighty-one percent of companies are pursuing some form of Zero Trust strategy.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;recommendations-for-security-and-risk-management-leaders&#34;&gt;Recommendations for Security and Risk Management Leaders&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Deploy Phase 1 NTLM auditing immediately.&lt;/strong&gt; Windows Server 2025 and Windows 11 24H2 provide new event IDs (4020-4033) that map all NTLM dependencies. Without this data, migration planning is guesswork. Set a 90-day deadline for complete NTLM dependency inventory.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Enforce NTLMv2-only and block NTLMv1 now.&lt;/strong&gt; Set LmCompatibilityLevel=5 (send NTLMv2 responses only; domain controllers refuse LM and NTLMv1) across all systems, and verify it afterwards by confirming that no 4624 logon event still reports &lt;code&gt;NTLM V1&lt;/code&gt; in its LmPackageName field. NTLMv1 is already removed from current operating systems. Mandiant&amp;rsquo;s rainbow tables make any remaining NTLMv1 usage an immediate compromise risk.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Begin RC4 deprecation for Kerberos as the single highest-impact defensive action.&lt;/strong&gt; Kerberoasting is practical largely because an RC4 service ticket is encrypted under a key equal to the service account&amp;rsquo;s NT hash, so it cracks at NTLM speed, whereas an AES ticket uses a PBKDF2-derived key that is orders of magnitude slower to attack. Disable RC4 for new domains immediately; plan AES-only enforcement for existing domains by mid-2026. Set &lt;code&gt;msDS-SupportedEncryptionTypes&lt;/code&gt; to AES on service accounts and rotate their passwords afterwards, because an account whose password has not changed since AES support arrived has no AES keys in the directory and will fail with KDC_ERR_ETYPE_NOSUPP once RC4 is gone. Test thoroughly in mixed Windows Server 2019/2025 environments where encryption type mismatches cause authentication failures.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Enable EPA, SMB signing, and Credential Guard on all servers.&lt;/strong&gt; These are the three controls that most effectively mitigate NTLM relay, pass-the-hash, and credential theft. Windows Server 2025 enables them by default; backport to older systems through Group Policy.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Block NTLM progressively, starting with domain controllers and certificate authorities.&lt;/strong&gt; Add privileged accounts to the Protected Users group. Use the Negotiate package instead of explicit NTLM calls (often a one-line code change). Plan 18-22 months for full domain-wide NTLM blocking.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Audit dMSA permissions immediately.&lt;/strong&gt; Akamai found 91% of environments have non-admin users with sufficient permissions to execute the BadSuccessor attack. Confirm the August 2025 patch is installed on every domain controller, then review which principals hold CreateChild (or GenericAll, WriteDACL or WriteOwner) on OUs, since any of those lets a user create &lt;code&gt;msDS-DelegatedManagedServiceAccount&lt;/code&gt; objects. Enable Directory Service Changes auditing so that dMSA creation (event 5137) and changes to &lt;code&gt;msDS-ManagedAccountPrecededByLink&lt;/code&gt; (event 5136) are logged, and alert on either outside the team that owns service accounts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Invest in phishing-resistant authentication infrastructure.&lt;/strong&gt; FIDO2 passkeys and certificate-based authentication through Entra ID are the long-term replacements for password-based protocols. Begin pilot deployments now; align with NIST SP 800-63B-4 requirements for AAL3 hardware-based authenticators.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Block outbound SMB (TCP 445) at the network perimeter.&lt;/strong&gt; This prevents NTLM hash exfiltration to attacker-controlled servers, the technique used in CVE-2025-24054 campaigns. Pair it with disabling the WebClient (WebDAV) service on endpoints that do not need it, because a UNC path that cannot reach port 445 is retried over WebDAV on ports 80 and 443, and the same NTLM negotiation rides on that fallback. This is a low-effort, high-impact network control.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
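&lt;p&gt;The host-side state behind recommendations 2, 4 and 5 can be read directly from the registry values that back the corresponding Group Policy settings. The PowerShell below is an added example, not Microsoft or vendor tooling and not part of the original note. It runs locally (or via Invoke-Command against a server list) and reports each control as present or absent and pass or fail, because an absent value silently falls back to an OS default that differs between Windows Server 2019 and 2025. Function names are ours; the registry paths, value names and the Win32_DeviceGuard class are Microsoft&amp;rsquo;s.&lt;/p&gt;

```powershell
function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist (no terminating error).
    param([string] $Path, [string] $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning lists 1 for Credential Guard and 2 for HVCI.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
        [bool]($dg.SecurityServicesRunning -contains 1)
    } catch { $false }
}

function Test-NtlmHardening {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = "$lsa\MSV1_0"
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'   # exists only on domain controllers

    $checks = @(
        @{ Control = 'LmCompatibilityLevel = 5 (send NTLMv2 only; DCs refuse LM and NTLMv1)'
           Path = $lsa;  Name = 'LmCompatibilityLevel';        Ok = { param($v) $v -eq 5 } }
        @{ Control = 'Outbound NTLM denied (RestrictSendingNTLMTraffic = 2; 1 = audit only)'
           Path = $msv;  Name = 'RestrictSendingNTLMTraffic';   Ok = { param($v) $v -eq 2 } }
        @{ Control = 'Inbound NTLM denied (RestrictReceivingNTLMTraffic = 2; stage with AuditReceivingNTLMTraffic first)'
           Path = $msv;  Name = 'RestrictReceivingNTLMTraffic'; Ok = { param($v) $v -eq 2 } }
        @{ Control = 'SMB server signing required'
           Path = $srv;  Name = 'RequireSecuritySignature';     Ok = { param($v) $v -eq 1 } }
        @{ Control = 'SMB client signing required'
           Path = $wks;  Name = 'RequireSecuritySignature';     Ok = { param($v) $v -eq 1 } }
        @{ Control = 'LDAP signing required on DC (LDAPServerIntegrity = 2)'
           Path = $ntds; Name = 'LDAPServerIntegrity';          Ok = { param($v) $v -eq 2 } }
        @{ Control = 'LDAP channel binding (EPA) required on DC (LdapEnforceChannelBinding = 2)'
           Path = $ntds; Name = 'LdapEnforceChannelBinding';    Ok = { param($v) $v -eq 2 } }
    )

    foreach ($c in $checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Name
        if ($null -eq $v) { $shown = '(absent: OS default applies)'; $pass = $false }
        else              { $shown = $v; $pass = [bool]$c.Ok.InvokeReturnAsIs($v) }
        [pscustomobject]@{ Control = $c.Control; Value = $shown; Pass = $pass }
    }
    $cg = Test-CredentialGuardRunning
    [pscustomobject]@{ Control = 'Credential Guard running (Win32_DeviceGuard)'; Value = $cg; Pass = $cg }
}

Test-NtlmHardening | Format-Table -AutoSize -Wrap
```

&lt;p&gt;Treat an absent value as a finding, not a pass: on Windows Server 2025 the default already requires SMB signing, but on 2019 the same absence means signing is merely negotiated. The two NTDS rows are expected to be absent on member servers. Set the inbound and outbound NTLM restrictions to audit (1) and review the 8001-8004 events in the NTLM operational log before moving either to 2, since denying inbound NTLM on a domain controller also refuses every legacy client still relying on it.&lt;/p&gt;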
&lt;hr&gt;
&lt;h2 id=&#34;market-outlook&#34;&gt;Market Outlook&lt;/h2&gt;
&lt;p&gt;The NTLM deprecation is creating distinct market dynamics across three vendor categories. Identity protection vendors (Silverfort, CrowdStrike, Semperis) are best positioned in the near term because they address the immediate operational challenge: detecting and controlling NTLM usage during the multi-year migration period. These vendors have a finite window of relevance tied to NTLM&amp;rsquo;s lifecycle, but the 18-22 month migration timeline and the long tail of legacy environments means that window extends through at least 2029.&lt;/p&gt;
&lt;p&gt;Microsoft holds the strongest structural position. Entra ID, IAKerb, Local KDC, and the Windows Server 2025 security defaults form a coherent stack that addresses both the deprecation path and the replacement architecture. Organizations heavily invested in Microsoft infrastructure will find the migration path most natural, though multi-cloud and hybrid environments will require supplementary tooling.&lt;/p&gt;
&lt;p&gt;The passwordless authentication market ($18.8-24.1 billion, projected to $55-90 billion by 2030-2035) reflects the scale of the broader transition away from password-based protocols. FIDO2/passkey vendors, cloud identity platforms, and Zero Trust architecture providers are the long-term beneficiaries. The organizations that treat NTLM elimination as a compliance checkbox rather than an architectural shift will find themselves repeatedly patching symptoms while the underlying protocol remains a liability.&lt;/p&gt;
&lt;p&gt;The honest assessment: NTLM elimination is operationally harder than any vendor marketing suggests, and Kerberos hardening introduces its own risks. But the alternative, maintaining a protocol with a demonstrated pattern of unpatchable vulnerabilities while nation-state actors exploit them within days, is no longer defensible.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-sources&#34;&gt;Key Sources&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Microsoft documentation:&lt;/strong&gt; NTLM Deprecation Roadmap (January 29, 2026); Windows Server 2025 Security Defaults; IAKerb and Local KDC announcements; Entra Private Access GA (July 2024); Entra Kerberos Cloud Trust documentation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Vulnerability research:&lt;/strong&gt; Check Point Research CVE-2025-24054 analysis (March 2025); Cymulate Research Labs CVE-2025-50154 and CVE-2025-59214 bypass disclosures; Akamai BadSuccessor disclosure (May 2025); Semperis Golden dMSA disclosure (July 2025); Microsoft CVE-2024-43639 advisory.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Threat intelligence:&lt;/strong&gt; CrowdStrike 2025 Global Threat Report (583% Kerberoasting increase); IBM X-Force 2024 Threat Intelligence Index (30% identity-based breaches); Sophos Active Adversary Report (90% RDP abuse in ransomware); Mandiant NTLMv1 rainbow tables release (January 2026); CISA Known Exploited Vulnerabilities catalog.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Industry data:&lt;/strong&gt; Silverfort NTLM usage research (64% of AD accounts); Gartner estimates (50%+ organizations using NTLM); FIDO Alliance enterprise deployment survey (87% deploying or planning); Kaspersky NTLM exploitation telemetry; Ascension Health breach disclosures (May 2024).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Government guidance:&lt;/strong&gt; Five Eyes joint advisory &amp;ldquo;Detecting and Mitigating Active Directory Compromises&amp;rdquo; (September 2024, updated January 2025); NIST SP 800-63B-4 (July 2025); CISA Zero Trust Maturity Model v2.0; CISA phishing-resistant MFA fact sheet; OMB M-22-09.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Vendor sources:&lt;/strong&gt; Silverfort NTLMv1 bypass research; CrowdStrike Falcon Identity Protection; Semperis Directory Services Protector; Cisco Duo AD authentication extension; Delinea Connection Manager Kerberos support (Q1 2025); Gartner &amp;ldquo;A Well-Run Active Directory Requires Strong Identity Controls&amp;rdquo; (May 2025).&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>The Audit Blind Spot: Why Workload Identities Escaped Review and Why That Era Is Ending</title>
      <link>https://www.20-100.net/research/the-audit-blind-spot-why-workload-identities-escaped-review-and-why-that-era-is-ending/</link>
      <pubDate>Wed, 08 Apr 2026 00:00:00 &#43;0000</pubDate>
      <guid>https://www.20-100.net/research/the-audit-blind-spot-why-workload-identities-escaped-review-and-why-that-era-is-ending/</guid>
      <description>&lt;p&gt;&lt;strong&gt;Independent Research Note | April 2026&lt;/strong&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;bottom-line&#34;&gt;Bottom Line&lt;/h2&gt;
&lt;p&gt;Most organizations cannot pass a rigorous audit of their non-human identity (NHI) controls today. PCI DSS 4.0.1, DORA, and NYDFS now explicitly require service account access reviews, inventory, and credential hygiene, yet the average enterprise still has 60% of its AWS IAM access keys older than one year (Datadog, State of Cloud Security 2024). The tooling market is real but immature. The AI agent identity problem is arriving faster than the standards to govern it. Security and risk management leaders who treat NHI governance as a 2027 initiative will find themselves remediating audit findings and incident response gaps simultaneously.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-findings&#34;&gt;Key Findings&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;PCI DSS 4.0.1, effective March 2025, introduced the first explicit requirements for application and system account access reviews, password management, and interactive login prevention.&lt;/strong&gt; QSAs report these controls were not explicitly covered in version 3.2.1, catching many organizations unprepared (Intersec Worldwide, Schellman).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;DORA&amp;rsquo;s Regulatory Technical Standards are the most prescriptive NHI governance mandate globally,&lt;/strong&gt; requiring financial entities to maintain service account inventories with documented owners, purposes, and periodic reviews at the same frequency as human privileged accounts. Early supervisory examinations in the Netherlands, Germany, and Ireland are requesting these artifacts now.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Every quantitative survey on NHI ownership gaps is vendor-sponsored.&lt;/strong&gt; The widely cited &amp;ldquo;51% have no clear NHI ownership&amp;rdquo; figure comes from a CSA/Oasis Security survey (n=383, August 2025) where the vendor co-designed the questionnaire. We found no independent data to contradict it, but the number should be treated as directional, not definitive.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;AI agent identity governance is arriving before the standards to support it.&lt;/strong&gt; NIST&amp;rsquo;s CAISI initiative launched in February 2026 but will not produce finalized standards until 2027 at earliest. Meanwhile, analyst projections suggest 40% of enterprise applications will embed task-specific AI agents by end of 2026.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;The CyberArk-Venafi integration is a sales success but not yet a product reality.&lt;/strong&gt; Venafi appeared in 9 of CyberArk&amp;rsquo;s top 10 deals in Q1 FY2025. But the technology has had three owners in two years (Thoma Bravo, CyberArk, now Palo Alto Networks), and practitioners at Venafi&amp;rsquo;s own Machine Identity Summit in 2024 were still requesting &amp;ldquo;one dashboard, please&amp;rdquo; (Kraft Heinz CISO Ricardo Lafosse).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Credential rotation remains the most common source of self-inflicted NHI outages.&lt;/strong&gt; Cloudflare suffered a 67-minute global write outage in March 2025 because a rotation script deployed new credentials to dev instead of production. Microsoft paused key rotation after a previous outage, which contributed to the Storm-0558 signing key compromise. Fear of breaking production is the primary reason organizations do not rotate credentials, and it is not irrational.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;forward-looking-assumptions&#34;&gt;Forward-Looking Assumptions&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2028, 60% of enterprises subject to PCI DSS, DORA, or NYDFS will receive audit findings specifically citing inadequate NHI access reviews,&lt;/strong&gt; up from fewer than 15% in 2025. The control language is now unambiguous. Auditor interpretation will catch up to the text.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2027, fewer than 20% of organizations deploying AI agents will have implemented agent-specific identity governance controls.&lt;/strong&gt; Standards lag is the root cause. Most will retrofit governance after incidents or audit pressure, not before.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2029, the standalone NHI governance market will consolidate into three categories: cloud-native platform features (Microsoft, AWS, Google), PAM-adjacent suites (Palo Alto/CyberArk, BeyondTrust), and pure-play NHI posture management for multicloud.&lt;/strong&gt; Two of the five current pure-play vendors (Astrix, Oasis, Clutch, Entro, Token Security) will be acquired or fail to reach scale.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Through 2028, the majority of NHI governance programs will be owned by platform engineering or DevOps teams, not IAM or GRC.&lt;/strong&gt; This is a problem. Platform teams optimize for velocity; they do not naturally build compliance artifacts. Organizations that do not create a federated governance model with IAM policy oversight will fail audits even if their technical controls are adequate.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;By 2027, at least one G7 financial regulator will issue enforcement action explicitly naming NHI management failures as a contributing cause.&lt;/strong&gt; The pattern is set: the OCC&amp;rsquo;s own service account breach (disclosed April 2025), the SEC&amp;rsquo;s SolarWinds victim penalties (October 2024), and DORA&amp;rsquo;s supervisory cycle all point to enforcement, not just guidance.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;analysis&#34;&gt;Analysis&lt;/h2&gt;
&lt;h3 id=&#34;1-the-audit-gap-is-no-longer-interpretive&#34;&gt;1. The Audit Gap Is No Longer Interpretive&lt;/h3&gt;
&lt;p&gt;The compliance landscape shifted in 2024 and 2025. Where frameworks previously used vague language about &amp;ldquo;all accounts&amp;rdquo; or &amp;ldquo;system users,&amp;rdquo; the latest revisions name service accounts, application accounts, and machine identities with specificity that leaves little room for creative interpretation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;PCI DSS 4.0.1&lt;/strong&gt; (effective March 31, 2025) introduced Requirement 7.2.5.1, which requires periodic review of all access by application and system accounts and related access privileges, with management attestation that access remains appropriate. The review frequency is determined through a Targeted Risk Analysis, but the requirement is mandatory. Requirement 8.6.1 goes further: interactive login for system accounts must be prevented unless needed for an exceptional circumstance, and that circumstance must be documented and time-limited. Requirement 8.6.2 prohibits hardcoded passwords in scripts, configuration files, or source code. QSA firm Intersec Worldwide noted these controls were not explicitly covered in version 3.2.1, which left enforcement to individual QSA discretion. That discretion is gone.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;CIS Controls v8.1 Safeguard 5.5&lt;/strong&gt; requires organizations to establish and maintain an inventory of service accounts with department owner, review date, and purpose, and to perform reviews at least quarterly. The CIS Assessment Specification enforces this with a gating metric: if the last review was more than three months ago, the control automatically fails. This is the most operationally specific NHI requirement in any major framework.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;NIST SP 800-53 Rev 5&lt;/strong&gt; addresses NHI through IA-4 (Identifier Management) and IA-5 (Authenticator Management), both of which explicitly list &amp;ldquo;service&amp;rdquo; alongside &amp;ldquo;individual, group, role, and device.&amp;rdquo; Control enhancement IA-5(7) prohibits embedding unencrypted static authenticators in applications or scripts. Control IA-9 (Service Identification and Authentication) requires unique identification and authentication of system services before establishing communications. These are not new to Rev 5, but their presence gives auditors a direct citation.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;ISO 27001:2022&lt;/strong&gt; Annex A 5.15 applies access control to &amp;ldquo;humans and non-human entities on a network.&amp;rdquo; Annex A 8.2 restricts privileged access for &amp;ldquo;users, software components, and services.&amp;rdquo; Lead auditors are now interpreting this to include integration accounts, automation scripts, and backup agents (Stuart Barker, ISO 27001 Lead Auditor, HighTable.io).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SOC 2&lt;/strong&gt; remains principles-based. The AICPA Trust Services Criteria do not include a named service account control. But if an organization&amp;rsquo;s system description states it manages &amp;ldquo;all accounts,&amp;rdquo; auditors will test that claim against service accounts. The trend among Type II auditors is to expand access review testing to include NHIs, particularly under CC6.1 through CC6.3. Organizations whose policies say &amp;ldquo;all accounts&amp;rdquo; but whose reviews cover only human users are creating their own audit findings.&lt;/p&gt;
&lt;p&gt;We believe the Big 4 audit firms are approximately 12 to 18 months behind the control text in their examination rigor. KPMG published &amp;ldquo;The Rise of Machine Identities&amp;rdquo; in 2025, the most visible public statement from any Big 4 firm. A 30-year financial industry veteran writing for the NHI Management Group reported that Big 4 auditor focus on NHI has increased substantially over the last 2-3 years and warned that organizations without NHI programs could face scrutiny soon. But we have not seen standardized Big 4 audit procedures for NHI controls. That gap will close.&lt;/p&gt;
&lt;h3 id=&#34;2-ai-agents-are-a-new-identity-category-and-nobody-is-ready&#34;&gt;2. AI Agents Are a New Identity Category, and Nobody Is Ready&lt;/h3&gt;
&lt;p&gt;AI agents are not service accounts with better marketing. They are fundamentally different: non-deterministic, capable of requesting permission escalation at runtime, able to spawn sub-agents, and designed to operate across multiple systems simultaneously. A service account calls a fixed API with fixed permissions. An AI agent decides at runtime which APIs to call based on reasoning. This distinction matters for identity governance because every assumption about static privilege assignment breaks down.&lt;/p&gt;
&lt;p&gt;SailPoint&amp;rsquo;s 2025 survey found that 80% of organizations using AI agents observed them acting unexpectedly or performing unauthorized actions. That number should alarm anyone building agent-based workflows without identity controls.&lt;/p&gt;
&lt;p&gt;The hyperscalers are responding, but unevenly. &lt;strong&gt;Microsoft Entra Agent ID&lt;/strong&gt; is the most ambitious effort: a new identity primitive for agents with blueprints, an agent registry, conditional access policies, lifecycle governance with human sponsors, and identity protection. It is also still in public preview as of April 2026 and requires a Microsoft 365 Copilot license with Frontier enabled. The vision is right. The production readiness is not there yet. &lt;strong&gt;AWS Bedrock AgentCore Identity&lt;/strong&gt; reached general availability in October 2025 with a more pragmatic, infrastructure-centric approach: existing IAM roles extended with agent-specific attributes, OAuth credential providers for third-party service access, and a Cedar-based policy engine in preview. AWS has no lifecycle governance or sponsor concepts. &lt;strong&gt;Google Cloud&amp;rsquo;s Agent Identity&lt;/strong&gt; (preview) takes the strongest credential security approach with mTLS-bound certificate tokens that prevent replay attacks, but has the least mature governance layer. None of the three platforms fully addresses sub-agent spawning, delegation chain accountability, or cross-platform identity federation.&lt;/p&gt;
&lt;p&gt;The OWASP NHI Top 10, published in 2025, was the first structured risk taxonomy for non-human identities. It ranks Improper Offboarding as the top risk, followed by Secret Leakage and Vulnerable Third-Party NHI. However, it focuses almost entirely on traditional NHIs. The OWASP Top 10 for Agentic Applications, released in December 2025, addresses agent-specific risks but does not connect them to identity governance frameworks. The two lists exist in parallel without integration.&lt;/p&gt;
&lt;p&gt;NIST&amp;rsquo;s CAISI initiative, launched February 2026, is the first U.S. government program dedicated to AI agent standards. It includes an NCCoE concept paper on AI agent identity and authorization that identifies prompt injection and accountability gaps as leading vulnerabilities. But the Request for Information comment period closed in March 2026, listening sessions are scheduled for April 2026, and finalized standards are expected in 2027 at the earliest. The majority of first-generation enterprise agent deployments will go live before any NIST agent-specific standard exists. We do not yet know what good agent identity governance looks like in practice, and honesty about that gap is more useful than a premature framework.&lt;/p&gt;
&lt;h3 id=&#34;3-the-vendor-market-is-funded-fragmented-and-early&#34;&gt;3. The Vendor Market Is Funded, Fragmented, and Early&lt;/h3&gt;
&lt;p&gt;Workload Identity Management appeared as a distinct category in the 2025 Gartner Hype Cycle for Digital Identity, the first year it was recognized. Based on available evidence, the category sits near the Innovation Trigger or early Peak of Inflated Expectations. KuppingerCole published its first Leadership Compass for Non-Human Identity Management in 2025, formally establishing NHIM as a market segment. The analyst recognition is real. The market maturity is not.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Funding is substantial but frequently overstated.&lt;/strong&gt; The &amp;ldquo;$400M+ in H1 2025&amp;rdquo; figure circulating in vendor marketing originates from a Doppler blog post (Security Boulevard, August 2025) and refers to all of 2025, not just H1. It also includes adjacent vendors beyond the NHI pure-plays. Our verified tally of pure-play NHI funding rounds through 2025: Astrix Security Series B ($45M, December 2024, Menlo Ventures), Oasis Security Series A plus extension ($75M total, 2024, Sequoia/Accel), Clutch Security Series A ($20M, 2024, SignalFire), Entro Security Series A ($18M, 2024, Dell Technologies Capital), Token Security Seed plus Series A ($27M total, through January 2025, TLV Partners/Notable Capital), and Defakto (formerly SPIRL) Series B ($30.75M, October 2025, XYZ Venture Capital). That totals approximately &lt;strong&gt;$216M in verified pure-play rounds through 2025.&lt;/strong&gt; Adding Oasis&amp;rsquo;s reported $120M Series B in March 2026 and NHI-adjacent vendors (Aembit, Veza, Natoma) pushes past $400M across 2024 through early 2026. The investment thesis is clear. The &amp;ldquo;$400M in H1 2025&amp;rdquo; framing is marketing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Practitioner feedback is thin.&lt;/strong&gt; Astrix has the most independent validation: named a Cool Vendor by Gartner (2023), RSA Innovation Sandbox finalist, named sample vendor in the 2025 Hype Cycle, and 15.3% PeerSpot mindshare in NHIM as of March 2026. Gartner Peer Insights reviewers praise detection of leaked tokens and service account discovery but note onboarding could be smoother. Entro Security has the richest Gartner Peer Insights reviews, with users calling it an integral part of their cybersecurity strategy alongside a request for deeper AI-driven analysis capabilities. Oasis Security&amp;rsquo;s PeerSpot mindshare declined from 16.8% to 12.8% year over year, a signal worth watching for a vendor that exited stealth in January 2024. Clutch Security, Token Security, and Natoma have essentially no independent public reviews. &lt;strong&gt;CISOs evaluating these vendors are making bets on roadmaps, not proven production outcomes.&lt;/strong&gt; Discovery and posture management are the proven use cases. Lifecycle management and threat detection are emerging. AI agent governance is aspirational across the board.&lt;/p&gt;
&lt;p&gt;The CyberArk-Venafi story deserves particular scrutiny. CyberArk acquired Venafi for $1.54 billion in late 2024. Sales integration was immediate: Venafi appeared in 9 of CyberArk&amp;rsquo;s top 10 deals in Q1 FY2025. Product integration was targeted for 2025 (CLM plus secrets management) and 2026 (unified human and machine identity platform). Then Palo Alto Networks acquired CyberArk for $25 billion, closing in February 2026. Venafi has now had three owners in two years. Documentation still lives at docs.venafi.com. A Doppler competitive analysis noted that CyberArk&amp;rsquo;s architecture leans toward static identity models, which can be a poor fit for modern environments where machine identities are constantly created and destroyed. We believe the unified machine identity platform vision is now on Palo Alto Networks&amp;rsquo; roadmap, not CyberArk&amp;rsquo;s, and should be evaluated on a 2028 or later timeline.&lt;/p&gt;
&lt;h3 id=&#34;4-credential-rotation-works-in-theory-and-breaks-in-production&#34;&gt;4. Credential Rotation Works in Theory and Breaks in Production&lt;/h3&gt;
&lt;p&gt;The operational reality of NHI governance is less about tool selection and more about a specific, uncomfortable question: do you know what will break if you rotate this credential? Most organizations cannot answer it.&lt;/p&gt;
&lt;p&gt;Datadog&amp;rsquo;s State of Cloud Security 2024, based on telemetry from thousands of organizations, found that 46% of organizations still use unmanaged users with long-lived credentials. Among Google Cloud service accounts, 62% have access keys older than one year. Among AWS IAM users, 60% have keys older than one year. Andrew Krug, Datadog&amp;rsquo;s Head of Security Advocacy, concluded that it is unrealistic to expect that long-lived credentials can be securely managed. This is the most authoritative data point available because it is based on actual infrastructure telemetry, not survey self-reporting.&lt;/p&gt;
&lt;p&gt;The fear of rotation-induced outages is well-founded. Cloudflare&amp;rsquo;s March 2025 R2 outage lasted 67 minutes and caused 100% write failures globally because a rotation script omitted the &lt;code&gt;--env production&lt;/code&gt; flag, deploying new credentials to dev while old credentials were deleted from production. Microsoft paused its key rotation process after a previous outage, which contributed to the delay that enabled the Storm-0558 signing key compromise. The Oasis Security team documented a Dropbox incident in 2024 where emergency rotation of an unrotated AD service account caused partial end-user disruption. CyberArk&amp;rsquo;s own 2025 survey (n=1,200, vendor-sourced) found that 72% of organizations experienced certificate-related outages in the past 12 months, and that 45% reported weekly outages, up from 12% in 2022.&lt;/p&gt;
&lt;p&gt;The practitioner consensus, visible across Reddit, security conference talks, and vendor-neutral blogs, follows a consistent failure pattern: an identity is created for an immediate need, permissions are broadened to avoid friction, credentials persist because rotation feels risky, access reviews get rubber-stamped to avoid outages, and nobody is confident enough to remove anything. The CSA blog (February 2026) articulated the structural problem: access reviews were designed to answer a human-centric question about whether a person still needs access. That question does not translate to NHIs without dependency mapping, usage telemetry, and owner accountability.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SPIFFE/SPIRE&lt;/strong&gt; represents the most credible path to eliminating long-lived secrets for workload authentication. Both are CNCF Graduated projects with named production adopters including Uber, GitHub, Square (Block), and Pinterest. HPE invested heavily in core development through its Scytale acquisition. But Defakto Security states that small-scale deployments take 6 to 12 months and complex deployments require 12 to 24 months with a core team of experts. Legacy systems that cannot speak mTLS remain a hard blocker. Cloud-native workload identity federation (AWS IAM Roles, Azure Workload Identity Federation, GCP Workload Identity) works within a single cloud but fragments across multicloud and hybrid environments. The secure path is clear. The migration path for legacy environments is not.&lt;/p&gt;
&lt;h3 id=&#34;5-nobody-owns-nhi-governance-and-the-surveys-proving-it-are-all-vendor-funded&#34;&gt;5. Nobody Owns NHI Governance, and the Surveys Proving It Are All Vendor-Funded&lt;/h3&gt;
&lt;p&gt;The CSA/Oasis Security survey (January 2026, n=383) found that 51% of organizations reported no clear ownership or accountability for NHI governance. Oasis financed the project and co-designed the questionnaire. A separate CSA/Astrix survey (September 2024, n=818) found that only 15% feel highly confident in preventing NHI attacks and only 20% have formal NHI offboarding processes. Astrix sponsored that survey. CyberArk&amp;rsquo;s 2025 Identity Security Landscape report (n=2,600) found that 88% define &amp;ldquo;privileged user&amp;rdquo; as solely human identities. CyberArk funded it. Entro&amp;rsquo;s 2025 analysis found 97% of NHIs have excessive privileges. Entro is a vendor. The Keeper Security RSAC 2026 survey (n=109) found 76% of NHIs are not governed under privileged access policies. Keeper is a PAM vendor with a convenience sample of 109 conference attendees.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;We found no fully independent, non-vendor-sponsored survey that specifically quantifies NHI governance ownership gaps.&lt;/strong&gt; The closest is the 2021 Ponemon/Keyfactor State of Machine Identity Management report (n=1,162), which used Ponemon&amp;rsquo;s independent methodology but was funded by Keyfactor and focused on certificates and keys rather than NHI governance ownership. The directional finding across all sources is consistent: NHI ownership is fragmented and unclear in most organizations. But the specific percentages should be treated as approximate. This is a data gap the analyst community has not filled.&lt;/p&gt;
&lt;p&gt;In practice, HashiCorp (now IBM) observed that platform teams are often the de facto NHI managers: the people handling cloud IAM roles for microservices and certificate rotation for service mesh are typically platform engineers, not IAM staff. GitGuardian&amp;rsquo;s analysis found that the person who can answer most questions about an NHI is the developer who created it, which does not mean they are responsible for rotation or lifecycle management. The Gartner IAM Summit in December 2025 advocated a layered identity fabric model where Access Management, IGA, and PAM are interdependent layers that must work together rather than compete for ownership or visibility. ServiceNow added Non-Human and Agentic Identity Governance as a new domain in its IAM capability map, recommending organizations start with NHI discovery and ownership attribution.&lt;/p&gt;
&lt;p&gt;Legacy PAM tools have structural limitations for NHI use cases. They are vault-centric (assuming persistent accounts), human-speed (manual checkout workflows), session-oriented (recording RDP/SSH, not API calls), and centralized (requiring vault connectivity). Ephemeral cloud workloads, serverless functions, and CI/CD pipelines do not fit this architecture. The CSA/Astrix 2024 survey found that 54% of respondents use PAM for NHI, but these tools are not specifically designed to address NHI security challenges. BeyondTrust and Delinea face similar architectural gaps. The Palo Alto Networks acquisition of CyberArk signals that PAM is becoming an infrastructure-level control rather than a standalone tool category, but the product integration timeline extends well past 2027.&lt;/p&gt;
&lt;h3 id=&#34;6-regulators-are-building-the-enforcement-case&#34;&gt;6. Regulators Are Building the Enforcement Case&lt;/h3&gt;
&lt;p&gt;No U.S. or EU regulation uses the term &amp;ldquo;non-human identity.&amp;rdquo; But the enforcement infrastructure is forming around the underlying concepts, and the gap between regulatory intent and explicit NHI language is closing fast.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DORA&lt;/strong&gt; is the most important development for financial sector CISOs. The Regulatory Technical Standards on ICT Risk Management, effective January 2025, require financial entities to maintain an inventory of service accounts, document the purpose of each, assign a human owner, prevent interactive use where not required, and review access at the same frequency as human privileged accounts. MFA for privileged accounts is legally mandated, not optional. Early supervisory examinations in the Netherlands, Germany, and Ireland are requesting these artifacts. The service account inventory requirement is, per practitioner reports, one of the most commonly missed items in initial DORA readiness assessments.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The FFIEC&amp;rsquo;s 2021 guidance&lt;/strong&gt; on Authentication and Access remains the most NHI-explicit U.S. regulatory document. Footnote 2 defines &amp;ldquo;users&amp;rdquo; to include employees, third parties, service accounts, applications, and devices. The guidance requires authentication considerations for system-to-system communications. The irony is painful: the OCC, which issued this guidance jointly with other banking regulators, disclosed in April 2025 that its own Microsoft 365 tenant was compromised through a service account with administrative privileges that lacked MFA. The breach persisted for 20 months. It was reported to Congress as a major information security incident.&lt;/p&gt;
&lt;p&gt;The SEC has not cited NHI by name, but its October 2024 enforcement actions against four SolarWinds victim companies penalized the minimization of credential compromise in public disclosures. Unisys paid $4 million for describing risks as hypothetical despite knowing that seven network credentials and 34 cloud-based accounts were compromised. Mimecast paid $990,000 for failing to disclose that a threat actor exfiltrated an authentication certificate used by approximately 10% of its customers. The FTC&amp;rsquo;s Drizly consent order (January 2023) explicitly cited failure to securely store AWS and database login credentials and failure to scan repositories for unsecured credentials such as usernames, passwords, API keys, secure access tokens, and asymmetric private keys. Personal liability was imposed on the CEO.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;NYDFS 23 NYCRR 500&lt;/strong&gt; merits specific attention. The amended regulation, fully effective November 2025, requires Class A companies to implement PAM solutions and mandates MFA for any individual accessing any information system. There is a carve-out for service accounts that prohibit interactive login, but this creates risk rather than eliminating it. Organizations must ensure non-interactive service accounts truly cannot be used interactively, and must implement compensating controls.&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;EU AI Act&lt;/strong&gt; (effective in stages through 2027) requires that AI systems interacting with natural persons disclose they are AI (Article 50, effective August 2026) and that high-risk AI systems be registered in an EU database. But the Act is silent on how AI agents authenticate to other systems, manage credentials, or handle privilege escalation. It addresses &amp;ldquo;is this an AI?&amp;rdquo; but not &amp;ldquo;what can this AI access?&amp;rdquo; That gap will force supplementary regulation as autonomous agents proliferate.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;recommendations-for-security-and-risk-management-leaders&#34;&gt;Recommendations for Security and Risk Management Leaders&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inventory first, tool second.&lt;/strong&gt; Before evaluating NHI vendors, run a discovery sprint using cloud-native tools (AWS IAM Access Analyzer, Azure Entra Workload ID, GCP Policy Analyzer) and open-source scanners (GitGuardian, TruffleHog) to establish baseline counts of service accounts, API keys, OAuth tokens, and certificates. You cannot govern what you have not counted. Set a 90-day deadline for initial inventory. Do not let it become a permanent project.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Map NHI controls to the audit frameworks you face now.&lt;/strong&gt; PCI DSS 4.0.1 Requirements 7.2.5.1 and 8.6.1 through 8.6.3 are enforceable today. CIS Safeguard 5.5 requires quarterly reviews. DORA requires service account inventories with owners. Build the compliance artifact first, then automate it. If your organization is subject to DORA, treat the service account inventory as a regulatory deliverable with a named executive owner and a board-reportable status.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Adopt a federated ownership model, not a centralized one.&lt;/strong&gt; IAM or GRC sets policy and defines standards. Platform engineering implements controls in CI/CD pipelines and manages cloud-native NHIs. Application teams own their application-specific NHIs with documented accountability. A central governance function (within the CISO organization) provides visibility, risk scoring, and audit coordination. No single team can own NHI governance at scale. The question is not who owns it but whether the accountability chain is documented and enforceable.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Separate the AI agent identity problem from the NHI backlog.&lt;/strong&gt; Agent identity governance requires different controls: human sponsors, runtime behavioral monitoring, delegation chain tracking, and scope enforcement. Do not wait for the NHI backlog to be clean before addressing agent identity. Stand up an agent identity working group now that includes IAM, data science, platform engineering, and legal. Align to CSA&amp;rsquo;s AI Controls Matrix (July 2025) and NIST IR 8596 (draft) as provisional frameworks until NIST CAISI publishes finalized standards.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Evaluate pure-play NHI vendors for discovery and posture management only.&lt;/strong&gt; That is where production-validated value exists today. Lifecycle management, threat detection, and agent governance are emerging capabilities without meaningful practitioner validation. Run a 90-day proof of value focused on discovery accuracy, ownership attribution, and secrets exposure detection. Do not sign multiyear platform commitments for capabilities that are still roadmap.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Begin SPIFFE/SPIRE evaluation for net-new workloads; do not attempt a legacy migration simultaneously.&lt;/strong&gt; Workload identity federation eliminates long-lived secrets within a single cloud, but legacy systems that cannot speak mTLS remain a hard blocker. Apply secretless architectures to new Kubernetes-native and cloud-native workloads first. Use vaulted credentials with automated rotation for legacy systems. Accept that the transition will take 24 months or more and plan accordingly.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;hr&gt;
&lt;h2 id=&#34;market-outlook&#34;&gt;Market Outlook&lt;/h2&gt;
&lt;p&gt;The NHI governance market sits at a crossroads familiar to anyone who watched CASB, CSPM, or CIEM develop. There is genuine enterprise demand, validated by real audit pressure and breach history. There is real funding, with over $200 million in verified pure-play rounds through 2025. And there is significant risk of premature consolidation and vendor overreach.&lt;/p&gt;
&lt;p&gt;The cloud hyperscalers are building native workload identity capabilities that will commoditize intra-cloud NHI authentication over the next three years. Microsoft&amp;rsquo;s Entra Agent ID, if it reaches general availability, could redefine expectations for agent identity governance within the Microsoft ecosystem. AWS AgentCore Identity is already GA. But none of the hyperscalers will solve cross-cloud NHI governance, secrets posture management, or multicloud lifecycle orchestration. That is the defensible wedge for pure-play vendors, and the ones that focus there will survive consolidation.&lt;/p&gt;
&lt;p&gt;PAM vendors are rebranding around identity security. The Palo Alto Networks acquisition of CyberArk for $25 billion, combined with the prior CyberArk acquisition of Venafi for $1.54 billion, creates the largest identity security portfolio in the market. BeyondTrust exceeded $400 million ARR in June 2025 and acquired Entitle for CIEM. Delinea acquired Authomize and Fastpath. These are platform plays, not feature additions. But platform integration takes years, and CISOs should not confuse acquisition announcements with product delivery.&lt;/p&gt;
&lt;p&gt;The honest assessment is this: we are in the first inning of NHI governance as a discipline. The compliance drivers are real and accelerating. The breach history validates the risk. The tooling is early but improving. The AI agent dimension adds urgency and complexity that the market has not yet absorbed. Organizations that start now, with inventory, ownership, and framework alignment, will be positioned to adopt better tooling as it matures. Organizations that wait for the market to settle will find themselves explaining to auditors, regulators, and boards why they treated machine identities as an afterthought while those identities outnumbered their employees 82 to 1.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;key-sources&#34;&gt;Key Sources&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Compliance frameworks:&lt;/strong&gt; PCI DSS 4.0.1 (PCI SSC, 2024); CIS Controls v8.1 Assessment Specification (CIS, 2024); NIST SP 800-53 Rev 5 (NIST, 2020); ISO 27001:2022 (ISO/IEC, 2022); DORA RTS on ICT Risk Management (ESAs, 2024); NYDFS 23 NYCRR 500 (NYDFS, amended 2023); FFIEC Authentication and Access Guidance (2021).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Data sources:&lt;/strong&gt; Datadog State of Cloud Security 2024; CSA/Oasis Security State of NHI Security Survey (January 2026, n=383); CSA/Astrix State of NHI Security Report (September 2024, n=818); CyberArk Identity Security Landscape 2025 (n=2,600); Keeper Security RSAC 2026 Survey (n=109); Ponemon/Keyfactor State of Machine Identity Management 2021 (n=1,162); SailPoint AI Agent Survey 2025.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Vendor and analyst sources:&lt;/strong&gt; Gartner 2025 Hype Cycle for Digital Identity; KuppingerCole Leadership Compass: Non-Human Identity Management 2025; Gartner IAM Summit December 2025 (Sayers coverage); Astrix Security, Oasis Security, Entro Security, Clutch Security, Token Security, Defakto funding announcements; CyberArk Q1 FY2025 earnings; Palo Alto Networks/CyberArk acquisition filings; Doppler NHI Platform Comparison (August 2025).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Incident and enforcement sources:&lt;/strong&gt; Cloudflare R2 Outage Post-Incident Report (March 2025); OCC Major Information Security Incident Disclosure (April 2025); SEC v. Unisys, Avaya, Check Point, Mimecast enforcement actions (October 2024); FTC v. Drizly consent order (January 2023); Harvard Law School Forum on Corporate Governance analysis of SEC cybersecurity enforcement (October 2024).&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Standards and frameworks:&lt;/strong&gt; OWASP NHI Top 10 (2025); OWASP Top 10 for Agentic Applications (December 2025); NIST CAISI Initiative RFI (February 2026); CSA AI Controls Matrix (July 2025); NIST IR 8596 draft; ServiceNow IAM Capability Map 2025.&lt;/p&gt;
</description>
    </item>
    
  </channel>
</rss>
