What the Gartner SRM Summit Confirmed About the Identity Attack Surface

June 11, 2026

by imper.ai

Last week imper.ai was at the Gartner Security and Risk Management Summit in National Harbor. A lot of conversations, a few themes that kept repeating.

The one that came up most: organizations that thought they had the identity problem covered are realizing they have the authentication problem covered. Those are not the same thing. The gap between them is where the breaches have been happening.

Noam Awadish, imper.ai’s co-founder and CEO, was on stage Tuesday with Allison Miller, former CISO of UnitedHealth Group, for a session titled “Your Next Breach Will Probably Start With a Fake Employee.” The conversation covered why help desk recovery and remote hiring have become the most exploited entry points in enterprise security. Several attendees told us after the session it was the most directly useful conversation they had at the conference. Allison brought practitioner stories from healthcare and financial services. Noam brought threat research from a live DPRK IT worker detection earlier this year. Neither of them needed a slide full of statistics to make the point land.


What Gartner published the same week

The timing was notable. Gartner’s “Cybersecurity Threat: Identity Abuse” report, by Akif Khan and James Hoover, published May 28. It classifies identity abuse as a structural threat, names Scattered Spider, ShinyHunters, and LAPSUS$ targeting IT service desk recovery at MGM, Harrods, and M&S, and names DPRK hiring fraud as the second major vector. The recommended control is specific: remove human decision-making from account recovery by implementing workforce identity impersonation detection tools.

That framing matters. Not identity verification. Impersonation detection. The distinction is deliberate. Document-plus-selfie verification confirms a face matches an ID at one moment in time. It does not tell you whether the person on the video call is operating from AnyDesk, routing through Astrill VPN, or exhibiting latency that contradicts their stated location. Gartner’s Predicts: Identity report from January made this precise observation: conventional IDV tools face severe challenges around workforce deployment and adoption, and mandatory biometrics will be a barrier for many organizations. The same report flags growing interest in tools that aggregate device and network signals without requiring the caller to explicitly identify themselves. That is a different control category from identity verification. It is identity impersonation detection.

The “Cybersecurity Threat: Identity Abuse” report also named the dynamic that keeps coming up in sales conversations. Gartner writes that the rise of phishing-resistant MFA is pushing attackers toward credential management and account recovery through vishing, deepfakes, and help desk manipulation. Stronger perimeter authentication increases the pressure on the recovery workflow. This is not an argument against FIDO2. It is a description of where the attack surface shifts when FIDO2 works.

On deepfakes: Gartner’s companion report, “Cybersecurity Threat: Deepfake Identity Impersonation,” published the same day, tells security leaders not to rely on deepfake detection as a control. The reasoning is about signal durability. Deepfake detection inspects what an attacker produces. The accuracy of that inspection degrades as models improve. Infrastructure-layer impersonation detection inspects what an attacker must control: the device, the network, the session environment. Astrill VPN does not become harder to detect because a new generative model ships.


Three attack patterns, one detection gap

The conversations at the summit, and the Gartner research, kept arriving at three attack patterns.

Help desk vishing: an attacker calls in, impersonates an employee, and gets a credential reset before authentication is ever relevant. Voice phishing was the top initial access vector for cloud compromises in 2025, at 23% of Mandiant cloud investigations, and the second overall, at 11% of all Mandiant investigations. (Mandiant M-Trends 2026, each figure separately.)

Hiring fraud: a proxy candidate operates a live interview session from attacker-controlled infrastructure. FAMOUS CHOLLIMA’s fraudulent employment activity doubled in 2025. (CrowdStrike 2026 Global Threat Report.) In Q1 2026, imper.ai identified four candidates across 600 remote interviews carrying overlapping infrastructure indicators: Astrill VPN, AnyDesk, multi-hop proxy routing, latency inconsistent with any US location. No background check surfaces those signals.

Shadow workforce: a legitimate credential, consistently operated by someone who is not the authorized user. Point-in-time verification does not see it. Session-layer impersonation detection does.

All three share the same gap. None of the attacks require a technical exploit. All three bypass controls that operate at the authentication layer. All three are resolved by the same detection surface: infrastructure and behavioral signals at the session layer, not document inspection after the fact.
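An added example, not imper.ai's code or method: a minimal Python sketch of a session-layer check that counts the overlapping indicators named above and tests whether measured latency is physically compatible with a stated location. The vantage points, field names and sample sessions are constructed, and the round-trip times are assumed to be measured end to end to the client actually operating the session.

```python
import math

FIBER_KM_PER_MS = 200.0  # light in fiber covers roughly 200 km per millisecond

# Constructed probe locations the defender controls: name -> (lat, lon)
VANTAGES = {"us-east": (39.0, -77.5), "us-west": (37.4, -122.1), "ap-northeast": (37.5, 127.0)}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def latency_contradictions(claimed, rtts_ms):
    """Return vantages whose RTT proves the endpoint cannot be at `claimed`.

    An RTT of r ms puts the endpoint within r/2 * 200 km of the vantage. Extra
    hops only add delay, so a claimed location beyond that radius is impossible.
    """
    return sorted(
        name for name, rtt in rtts_ms.items()
        if haversine_km(claimed, VANTAGES[name]) > rtt / 2 * FIBER_KM_PER_MS
    )

def session_indicators(session):
    """Collect the overlapping infrastructure indicators for one session record."""
    hits = []
    if session.get("remote_access_tool"):
        hits.append("remote_access_tool")
    if session.get("commercial_vpn"):
        hits.append("commercial_vpn")
    if session.get("proxy_hops", 0) > 1:
        hits.append("multi_hop_proxy")
    if latency_contradictions(session["claimed_location"], session["rtts_ms"]):
        hits.append("latency_contradiction")
    return hits

AUSTIN = (30.27, -97.74)  # constructed stated location for both sample sessions
SESSION_A = {"claimed_location": AUSTIN,
             "rtts_ms": {"us-east": 45, "us-west": 50, "ap-northeast": 160}}
SESSION_B = {"claimed_location": AUSTIN, "remote_access_tool": True,
             "commercial_vpn": True, "proxy_hops": 3,
             "rtts_ms": {"us-east": 210, "us-west": 170, "ap-northeast": 38}}

if __name__ == "__main__":
    for label, s in (("A", SESSION_A), ("B", SESSION_B)):
        print(label, session_indicators(s))
```

The latency test only ever proves a stated location impossible; a slow round trip is not evidence on its own, because a congested path or a VPN inflates delay without moving the endpoint.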


Where things stand

The summit confirmed that awareness of this gap is fairly widespread among security leaders. Purchase decisions are a step behind. That is a normal position for a control category that is only now being named in analyst research. The Gartner report sequence over the past six months, four separate workforce identity reports culminating in an explicit recommendation to deploy impersonation detection tools, is moving this from emerging guidance toward audit expectation. The organizations putting a control in place now will have documentation and operational data when the question comes from an auditor. The ones that wait will have a finding.


Source notes: Mandiant M-Trends 2026; CrowdStrike 2026 Global Threat Report; Gartner “Cybersecurity Threat: Identity Abuse,” May 2026 (Akif Khan, James Hoover); Gartner “Cybersecurity Threat: Deepfake Identity Impersonation,” May 2026; Gartner “Predicts: Identity,” January 2026; Gartner “Protect Your IT Service Desk Against Social Engineering Attacks,” January 2026; imper.ai Threat Research Q1 2026.