October 16, 2025
7 min read

Shadow Identities: The Common Attack Target You Can't See

Shadow identities represent a critical security blind spot, with 80% of enterprise SaaS logins invisible to IT and security teams. Unlike shadow IT, which focuses on unauthorized applications, shadow identities are unmanaged user accounts, service principals, OAuth tokens, and API keys that exist outside your identity provider. These hidden credentials create three major risks: security blind spots from unmonitored authentication, compliance violations from untracked data access, and forensic black holes during incident investigations. Security teams need systematic discovery of application registrations, service principals, personal access tokens, and third-party integrations across their infrastructure. Command Zero provides the visibility and investigation capabilities to identify shadow identities across Microsoft Entra, Okta, GitHub, AWS, and other systems, enabling rapid correlation of identity activity during security incidents when response time is critical.

Introduction

80% of enterprise SaaS logins are invisible to IT and security teams (Source: The LayerX "2025 Identity Security Report"). These aren't rogue applications—they're unmanaged identities quietly accumulating access to your most sensitive systems. And attackers only need one way in.

When a laptop gets stolen, IT wipes it remotely. Problem solved. But what happens to the service account created in that forgotten CI/CD pipeline three years ago? Or the legacy VM still running in a stale AWS region? Or unused admin privileges sitting on a Salesforce account?

Those are shadow identities. Silent threats that don't need malware—just credentials.

Shadow IT vs shadow identities: why the distinction matters

Shadow IT focuses on unauthorized tools and user devices (aka BYOD). Shadow identities zero in on the human access footprint—the accounts, credentials, and digital personas that exist outside your identity provider.

We're talking about:

  • Service accounts created by third-party SaaS tools never placed in a management system
  • OAuth tokens granted to browser extensions or generative AI assistants
  • Developer credentials stored in Git repositories
  • API keys and tokens that aren't monitored as closely as they should be

As of early 2025, the data shows shadow AI now costs enterprises $4.63 million per breach—16% above the average breach cost. Even more concerning, 97% of breached organizations lack basic AI access controls. (Source: IBM Cost of a Data Breach Report 2025)

The triple threat of shadow identities

Shadow identities create three overlapping risks:

Security blind spots. When employees create accounts outside your identity provider, they reuse passwords across platforms. They skip MFA setup. They use weaker or already-compromised credentials. You have no visibility, no control, and no security oversight for four out of five logins happening in your environment right now.

Compliance nightmares. These untracked identities lead to violations of data protection regulations. Sensitive information becomes accessible through unmanaged accounts. Your compliance posture is only as strong as your weakest link—that unmonitored account nobody knows exists.

Forensic black holes. During an incident, you need to know what applications a user logged into, what actions were taken, what device and location they used. Shadow identities eliminate that visibility. When something goes wrong, you can't see how the breach occurred or how it spread.

Nearly half of organizations expect Shadow AI incidents within the next 12 months, yet most security teams have no systematic way to discover or manage these identities.

What shadow identities look like in practice

Here's a real-life scenario: A developer sets up a GitHub personal access token to automate deployments. The token has organization-wide repo access. Six months later, the developer moves to a different team. The token? Still active. Still has full access. Nobody knows it exists.

Or consider this: A sales team member authorizes a third-party integration to access your CRM data. The integration creates its own service principal with read access to customer records. The salesperson leaves the company. The integration keeps running. The service principal keeps accessing data.

These aren't theoretical risks. I've seen organizations discover hundreds of active OAuth tokens granted to applications they've never heard of. API keys with production database access sitting in public repositories. Service accounts with domain admin rights that haven't authenticated in years but still have valid credentials.

Why traditional tools miss shadow identities

Your SIEM doesn't see the account creation if it happened outside your IdP. Your EDR doesn't flag it because there's no endpoint activity. Your CASB might catch some SaaS usage, but it won't see the service-to-service authentication happening behind the scenes.

The problem compounds with AI. Organizations now manage 45 times more machine identities than human ones, with total identities expanding 240% annually. Each AI agent, each automation script, each integration creates new identities that operate beyond traditional IAM controls.

Getting visibility into shadow identities

The starting point is knowing what exists. You need to answer questions like:

  • What application registrations exist in your environment?
  • What service principals are active across your infrastructure?
  • Which GitHub users have requested or granted personal access tokens?
  • What personal access tokens have access to organization-owned resources?
  • Which third-party integrations and GitHub apps are authorized to access your repositories?

These questions reveal the shadow identity footprint in your environment. But asking them manually across different systems takes hours or days. By the time you've compiled the data, it's already stale.
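The discovery questions above become useful once the answers from each system are normalised into one inventory and checked against three things: is the owner still an active user, has the identity authenticated recently, and does it hold broad scopes. The script below is an added example, not Command Zero code and not output of any vendor API; the identity records, the active-user directory and the list of "broad" scopes are constructed for illustration, and every field name in them is an assumption. It flags orphaned, stale and over-scoped identities and answers the offboarding question of which identities a departing user owned.

```python
"""Shadow-identity discovery over a constructed inventory (added example)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 16, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
STALE_AFTER = timedelta(days=90)

# Constructed inventory: one record per non-human identity gathered from several systems.
# Field names (id, kind, system, owner, scopes, last_auth) are assumptions, not any real export format.
IDENTITIES = [
    {"id": "sp-ci-deploy", "kind": "service_principal", "system": "entra",
     "owner": "alice@example.com", "scopes": ["Directory.ReadWrite.All"],
     "last_auth": "2025-10-15T08:12:00Z"},
    {"id": "sp-legacy-vm", "kind": "service_principal", "system": "aws",
     "owner": "bob@example.com", "scopes": ["AdministratorAccess"],
     "last_auth": "2023-02-01T11:00:00Z"},
    {"id": "pat-deploy-bot", "kind": "personal_access_token", "system": "github",
     "owner": "bob@example.com", "scopes": ["repo", "admin:org"],
     "last_auth": "2025-10-10T17:30:00Z"},
    {"id": "app-crm-sync", "kind": "third_party_integration", "system": "salesforce",
     "owner": "carol@example.com", "scopes": ["customer_records:read"],
     "last_auth": "2025-10-14T02:00:00Z"},
    {"id": "app-unknown-ext", "kind": "oauth_app", "system": "entra",
     "owner": None, "scopes": ["Mail.Read", "Files.ReadWrite.All"],
     "last_auth": None},
]

# Constructed HR/IdP view of which humans are still active (bob has left).
ACTIVE_USERS = {"alice@example.com", "carol@example.com"}

# Constructed list of scopes a reviewer should treat as high privilege.
BROAD_SCOPES = {"Directory.ReadWrite.All", "AdministratorAccess", "admin:org", "Files.ReadWrite.All"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp, tolerating a missing value."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(identity, now=NOW, active_users=ACTIVE_USERS):
    """Return the set of findings for one identity record.

    orphaned - owner missing, or no longer an active user
    stale    - never authenticated, or last auth older than STALE_AFTER
    broad    - holds at least one scope from BROAD_SCOPES
    """
    findings = set()
    owner = identity.get("owner")
    if owner is None or owner not in active_users:
        findings.add("orphaned")
    last = parse_ts(identity.get("last_auth"))
    if last is None or now - last > STALE_AFTER:
        findings.add("stale")
    if BROAD_SCOPES & set(identity.get("scopes", [])):
        findings.add("broad")
    return findings


def shadow_identity_report(identities=IDENTITIES, now=NOW, active_users=ACTIVE_USERS):
    """Map identity id -> sorted findings, keeping only identities with at least one."""
    report = {}
    for ident in identities:
        findings = classify(ident, now, active_users)
        if findings:
            report[ident["id"]] = sorted(findings)
    return report


def revoke_list_for_departure(user, identities=IDENTITIES):
    """Identities owned by a departing user: the ones to revoke or reassign at offboarding."""
    return sorted(i["id"] for i in identities if i.get("owner") == user)


if __name__ == "__main__":
    for ident_id, findings in shadow_identity_report().items():
        print(f"{ident_id}: {', '.join(findings)}")
    print("on bob's departure, revoke/reassign:", revoke_list_for_departure("bob@example.com"))
```

Run against a real environment, the three constructed inputs are the only parts that change: the inventory comes from each system's own listing of app registrations, service principals, tokens and app installs, the active-user set from HR or the IdP, and the broad-scope list from your own privilege review. An identity that shows up as both orphaned and broad is the one to look at first.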

How Command Zero addresses shadow identities

Command Zero provides the visibility and investigation capabilities that security teams need to tackle shadow identities systematically. The platform leverages both hunting and lead-based questions to surface these hidden access points across your infrastructure.

Rather than forcing analysts to write complex queries across multiple consoles, Command Zero delivers expert-level questions that can be executed immediately:

  • What application registrations exist across your identity providers?
  • What service principals are currently active, and which haven't authenticated recently?
  • What GitHub users have requested or granted access to personal access tokens?
  • What personal access tokens have access to organization-owned GitHub resources?
  • Which third-party integrations and GitHub apps have been authorized to access organization-owned resources?

These questions—plus dozens of others built into the platform—provide the deep visibility your organization needs in a central location. When an incident occurs, you don't have time to figure out which systems to check or how to correlate data across them. You need answers immediately.

The platform integrates with your existing infrastructure: Microsoft Entra, Okta, GitHub, AWS, CrowdStrike, Proofpoint, and other data sources. This means you can investigate shadow identities alongside other security events, correlating identity activity with endpoint telemetry, email events, and cloud infrastructure changes.

For instance, when investigating a suspicious login, Command Zero automatically:

  • Identifies all service principals and OAuth tokens associated with that identity
  • Shows recent authentication patterns across all integrated systems
  • Reveals what resources were accessed and when
  • Correlates activity with other security events in your environment
  • Builds a complete timeline without manual log aggregation

This investigation depth is critical because shadow identities rarely exist in isolation. A compromised personal access token might lead to lateral movement through multiple systems. An orphaned service account might have access to resources across AWS, Azure, and SaaS applications. Command Zero connects these dots automatically, giving you the complete picture during investigations when time matters most.

What security teams should do now

Start with discovery. You can't protect what you can't see. Map every identity across your cloud environments, SaaS applications, and development platforms. This includes human users, service accounts, API keys, and OAuth tokens.

Establish ownership. Every identity needs an owner responsible for its lifecycle. Service accounts shouldn't be "owned" by former employees or shared distribution lists. When someone leaves, you should know exactly which identities to revoke.

Implement least privilege. A service account doesn't need domain admin rights to read a configuration file. An OAuth token doesn't need full repository access to trigger a deployment. Scope permissions as narrowly as possible.

Monitor for anomalies. Even legitimate shadow identities can be compromised. Watch for unusual authentication patterns, new locations, or access to resources that don't match the identity's historical behavior.

Build investigation workflows. When an alert fires, your team needs to quickly determine scope. Did this identity access other systems? What data was touched? Are there related identities that should be investigated? Having pre-built investigation paths dramatically reduces response time.
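The last two steps, monitoring for anomalies and scoping an alert, can be expressed as a baseline per identity plus a triage query over the same events. The following is an added example, not Command Zero code: the sign-in records are constructed, normalised events whose field names are assumptions. It builds each identity's historical countries and resources, flags new events that fall outside that baseline, and then answers the triage questions from the text (which other identities share the owner, and what was touched in the window around the alert).

```python
"""Baseline-based anomaly detection and incident scoping for non-human identities (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed history: normalised sign-in events (identity, owner, country, resource, ts).
HISTORY = [
    {"identity": "sp-ci-deploy", "owner": "alice@example.com", "country": "DE",
     "resource": "prod-deploy-api", "ts": "2025-09-20T09:00:00Z"},
    {"identity": "sp-ci-deploy", "owner": "alice@example.com", "country": "DE",
     "resource": "prod-deploy-api", "ts": "2025-10-01T09:05:00Z"},
    {"identity": "sp-ci-deploy", "owner": "alice@example.com", "country": "DE",
     "resource": "artifact-store", "ts": "2025-10-10T09:02:00Z"},
    {"identity": "pat-deploy-bot", "owner": "alice@example.com", "country": "DE",
     "resource": "github:org/app", "ts": "2025-10-05T10:00:00Z"},
]

# Constructed new events to evaluate: one routine, two that break the baseline.
NEW_EVENTS = [
    {"identity": "sp-ci-deploy", "owner": "alice@example.com", "country": "DE",
     "resource": "prod-deploy-api", "ts": "2025-10-16T09:01:00Z"},
    {"identity": "sp-ci-deploy", "owner": "alice@example.com", "country": "RU",
     "resource": "customer-db", "ts": "2025-10-16T03:17:00Z"},
    {"identity": "pat-deploy-bot", "owner": "alice@example.com", "country": "DE",
     "resource": "github:org/secrets-repo", "ts": "2025-10-16T03:25:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_baseline(history):
    """Per identity: the set of countries and resources seen historically."""
    baseline = defaultdict(lambda: {"countries": set(), "resources": set()})
    for ev in history:
        baseline[ev["identity"]]["countries"].add(ev["country"])
        baseline[ev["identity"]]["resources"].add(ev["resource"])
    return baseline


def detect_anomalies(events, baseline):
    """Return [(identity, ts, [reasons])] for events outside the identity's baseline."""
    alerts = []
    for ev in events:
        known = baseline.get(ev["identity"])
        reasons = []
        if known is None:
            reasons.append("never seen before")
        else:
            if ev["country"] not in known["countries"]:
                reasons.append(f"new country {ev['country']}")
            if ev["resource"] not in known["resources"]:
                reasons.append(f"new resource {ev['resource']}")
        if reasons:
            alerts.append((ev["identity"], ev["ts"], reasons))
    return alerts


def scope_incident(identity, alert_ts, events, window=timedelta(hours=24)):
    """Triage for one alert: sibling identities (same owner) and every resource those
    identities or the alerted identity touched within +/- window of the alert."""
    anchor = parse_ts(alert_ts)
    owners = {e["owner"] for e in events if e["identity"] == identity}
    related = {e["identity"] for e in events if e["owner"] in owners} - {identity}
    in_scope = related | {identity}
    touched = {e["resource"] for e in events
               if e["identity"] in in_scope and abs(parse_ts(e["ts"]) - anchor) <= window}
    return {"related_identities": sorted(related), "resources_touched": sorted(touched)}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ident, ts, reasons in detect_anomalies(NEW_EVENTS, baseline):
        print(f"{ts} {ident}: {'; '.join(reasons)}")
    print(scope_incident("sp-ci-deploy", "2025-10-16T03:17:00Z", HISTORY + NEW_EVENTS))
```

The baseline here is deliberately simple (sets of countries and resources); in production you would also keep time-of-day and volume profiles, but the shape of the check is the same. The scoping function is the pre-built path the text recommends: given one alert it returns the identities that share an owner and the resources any of them reached around the same time, which is exactly the question an analyst otherwise answers by hand across several consoles.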

The stakes are high

Attackers know that identity is the new perimeter. They're not breaking through your firewall—they're authenticating with legitimate credentials they obtained from shadow identities you didn't know existed.

When you have no visibility into 80% of logins, you're operating blind. Every shadow identity is a potential entry point. Every unmanaged service account is a persistence mechanism. Every forgotten OAuth token is a lateral movement path.

The question isn't whether you have shadow identities. You do. The question is whether you'll discover them before an attacker does.

Book a demo today to see how Command Zero can help identify and investigate shadow identities in your environment.

Eric Hulse
Director of Security Research
