adesso Blog

Imagine this: it is a Thursday afternoon in the spring of 2025. At a medium-sized engineering firm based in the Rhineland, the head of the finance department is taking part in a video conference called at short notice. The CEO, the CFO and an external solicitor appear on the screens. The subject is a confidential takeover. A payment of 8.4 million euros must be transferred to an escrow account today, otherwise the deal will fall through. Every voice sounds the same as always, every face is familiar. The transfer is initiated.

An hour later, the real CFO gets in touch. He knew nothing about any video conference. None of the people on the call were real. Three seconds of audio from a public interview had been enough to clone the voices to sound deceptively real. The 8.4 million is gone.

This case is fictional – the mechanics are not. Last year, this exact attack pattern hit several companies hard, from SMEs in the DACH region to global corporations, causing losses running into tens of millions.

This is precisely where the new reality of cloud security lies. Attackers no longer hack their way through firewalls and VPN tunnels. They log in. With fake voices, cloned faces and AI agents that act faster than any Security Operations Centre can react. When human trust can be undermined on a massive scale and the traditional perimeter is collapsing in multi-cloud environments anyway, one final real line of defence remains: digital identity.

In this first part of the series, you’ll learn why traditional identity and access management concepts no longer suffice in 2026, what an Identity Security Fabric achieves, and what concrete steps you should take now.

The most important points first

  • Attacks have become dramatically faster. In the fastest breaches, the time from initial access to data exfiltration has shrunk from 4.8 hours to 1.2 hours. In AI-assisted simulations, it takes barely half an hour.
  • Multi-factor authentication alone no longer provides protection. Over 60 per cent of successful phishing attacks bypass traditional MFA using adversary-in-the-middle tactics.
  • Machine identities dominate. For every human account, there are now an average of 144 non-human identities in the cloud – often with admin rights, frequently without MFA.
  • The answer is the Identity Security Fabric. It connects isolated IAM silos and monitors identities – both human and machine – continuously, on the basis of their behaviour.

How AI completes the attack in 25 minutes

The traditional premise of protecting a corporate network with a strong perimeter of firewalls and VPN tunnels has collapsed in multi-cloud environments. The driving force behind this development is artificial intelligence – albeit on the attackers’ side.

Just how drastically the situation has deteriorated is shown by the Global Incident Response Report 2026 from Unit 42 (Palo Alto Networks). The time from initial access to data exfiltration has shrunk from 4.8 hours to 1.2 hours within a year for the fastest 25 per cent of all breaches examined. In extreme cases, attackers needed just 72 minutes. An AI-assisted attack simulation from the same report even broke the 25-minute mark.

For the defence, this means an uncomfortable truth: human response times are obsolete. Anyone who does not use automated real-time detection and response will have lost their data before the first ticket even reaches the service desk.

Deepfakes and autonomous attacker agents

Alongside this acceleration, attacks have also become dramatically more sophisticated. Clumsy grammar in phishing emails is now a thing of the past. Far more critical are the advances in voice and image technology.

Three seconds of audio from a public interview is now enough to clone a voice so precisely that even those close to the person can no longer tell the difference by sound. Voice phishing (vishing) rose by over 1,600 per cent in the first quarter of 2025 – transfer scams such as the one in the opening example are no longer the exception.

Even more fundamental is the rise of agentic AI – autonomously operating AI systems. As Anthropic documented in late 2025, once they have gained initial access, such agents continue to breach systems independently, adapt their tactics in real time to counter defences, and require no human control. Signature-based security systems are blind to this.

When MFA crumbles and machine identities explode

As the network perimeter has crumbled, digital identity has become the new line of defence. The problem is that even traditional identity protection measures are coming under pressure.

Multi-factor authentication (MFA) – i.e. confirming a login via a second factor such as a code, push notification or hardware token – was previously considered a robust barrier. So-called Adversary-in-the-Middle (AitM) attacks are now systematically bypassing it. In such attacks, an attacker’s server interposes itself between the user and the genuine login page, intercepts login credentials and the subsequently confirmed session token, and uses the token to gain access itself – entirely without a password. According to 1Kosmos Modern Authentication Trends 2026, such tactics now bypass traditional MFA in over 60 per cent of successful phishing attacks.

At the same time, a second class of identity is growing quietly and unnoticed: non-human identities (NHIs). API keys, service accounts, AI agents, bots. The Clarity Security 2026 trend report confirms: for every human access point, there are now an average of 144 machine identities, an increase of 44 per cent compared to the previous year. These NHIs often possess admin rights, do not use MFA and are rarely consistently decommissioned once a project ends. They lie abandoned in the cloud like ticking time bombs.

Identity Security Fabric: a new architectural standard

This threat landscape cannot be resolved with yet another tool or a stricter MFA configuration. It requires a change in architecture.

Imagine traditional Identity and Access Management (IAM) as separate doormen at different club entrances – each door has its own security guard who knows nothing about the others. This is how IAM, identity governance, privileged access management and cloud permissions operate in many organisations today: side by side, without a shared situational awareness.

An Identity Security Fabric (ISF) is the alternative. It connects these silos into a unified control layer across all clouds, applications and identity classes. Instead of merely checking at login whether someone is authorised for access, the ISF continuously monitors the behaviour of every active session – a principle also known as Continuous Adaptive Trust. If an identity behaves unusually, for example by accessing from an unfamiliar location or making unusual data queries, the system can terminate the session in real time or request additional verification.

Closely integrated with the ISF is Identity Threat Detection and Response (ITDR), a discipline that Gartner now classifies as a core component of modern security architectures. ITDR complements the ISF with targeted threat detection at the identity level: Who logged in when and with what, which token was used where, and which privileges were escalated? Only the combination of ISF and ITDR provides the visibility needed to detect and contain AI-driven attacks in real time.
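The "which token was used where" question, as an added example (not code from adesso or any ITDR product): each use of a session token is compared with the network and device on which MFA was completed, and a mismatch leads to step-up verification or session termination. The event fields, the /24 grouping and the action names are assumptions, and the events are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample events, not real telemetry. Field names are assumptions.
EVENTS = [
    {"ts": "09:00:05", "session": "s-1001", "event": "mfa_success",
     "ip": "198.51.100.10", "device": "dev-A"},
    {"ts": "09:02:40", "session": "s-1001", "event": "token_use",
     "ip": "198.51.100.77", "device": "dev-A"},   # same /24, same device
    {"ts": "09:03:10", "session": "s-1001", "event": "token_use",
     "ip": "203.0.113.50", "device": "dev-X"},    # new network and new device
    {"ts": "09:10:00", "session": "s-2002", "event": "mfa_success",
     "ip": "192.0.2.20", "device": "dev-B"},
    {"ts": "09:45:00", "session": "s-2002", "event": "token_use",
     "ip": "203.0.113.9", "device": "dev-B"},     # same device, new network
    {"ts": "09:50:00", "session": "s-3003", "event": "token_use",
     "ip": "203.0.113.50", "device": "dev-X"},    # no MFA seen for this session
]

def network_of(ip, prefix=24):
    """Coarse network key so address churn inside one subnet is not flagged."""
    return ip_network(f"{ip_address(ip)}/{prefix}", strict=False)

def evaluate(events):
    """Compare each token use with the context in which MFA was completed."""
    baseline, findings = {}, []
    for e in events:
        ctx = (network_of(e["ip"]), e["device"])
        if e["event"] == "mfa_success":
            baseline[e["session"]] = ctx          # trusted context for this session
            continue
        known = baseline.get(e["session"])
        if known is None:
            # Token presented without any recorded authentication for it.
            findings.append((e["session"], e["ts"], "revoke", ["no_mfa_baseline"]))
            continue
        reasons = [name for name, before, now in
                   (("network", known[0], ctx[0]), ("device", known[1], ctx[1]))
                   if before != now]
        if reasons:
            # Both signals changed: terminate. One changed: ask for verification.
            action = "revoke" if len(reasons) == 2 else "step_up"
            findings.append((e["session"], e["ts"], action, reasons))
    return findings

if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```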

How an AitM attack works in practice

The typical four-step sequence of an AitM attack demonstrates just how vulnerable traditional MFA actually is.

First, the bait: a deceptively genuine, AI-generated login page, almost indistinguishable from the original – such as the login page for a Microsoft 365 environment. The user is directed there via a phishing email. Secondly, the attacker’s proxy service takes over: login credentials and the MFA prompt are forwarded in real time to the genuine login page. Thirdly, the user unwittingly confirms the second factor – and the attacker’s server intercepts the resulting session token. Fourthly, the attacker uses this token to establish their own session with full access, without ever having to enter the password.

Effective countermeasures start right here. Phishing-resistant MFA methods, such as FIDO2 security keys or passkeys, cryptographically link authentication to the genuine domain – a fake proxy simply does not receive a valid response. In addition, Conditional Access, a policy engine that evaluates every access request based on context, provides a second layer of defence. Device compliance, location, risk score and application sensitivity are all factored into every login decision. Platforms such as Microsoft Entra ID Protection exemplify this approach, with other providers following suit.

Equally important is the second blind spot: machine identities. A typical scenario from consultancy projects: a service account, created three years ago for a migration, still has admin rights. The current admin team is unaware of it, nobody has rotated it, and MFA requirements do not apply in this case anyway. Such orphaned NHIs are the preferred point of entry following an initial compromise. Consistent inventory management, short-lived tokens instead of long-term credentials, and automated decommissioning are essential.

Cloud Security 2026 demands a change in architecture. Digital identity is no longer just one security discipline among many, but the very foundation. Phishing-resistant MFA, an Identity Security Fabric with continuous behavioural analysis, and good hygiene practices for machine identities are the bare minimum for a modern cloud environment. In an adesso Identity Assessment, we work with your admin team to identify the most critical gaps and prioritise concrete steps. Part two of the series shows what identities are actually meant to protect: your data – Shadow AI, Data Security Posture Management and the regulatory pressure from NIS-2.

When was the last time you honestly assessed your identity architecture against AitM and orphaned machine identities? Get in touch – we’ll help you tackle those blind spots.



Author Marc Iridon

Marc Iridon is a Microsoft security expert and has more than seven years of experience in the cyber security industry. He specialises in data security. A key aspect of his work and expertise is the protection of identities in the cloud environment and the implementation of data protection measures.
