Beyond headline-grabbing ransomware, the early months of 2026 point to a fast-growing concern: insider-driven identity exposure, now increasingly amplified by AI-enabled attack techniques.
Recent news that Singapore’s four major telcos (Singtel, StarHub, M1 and Simba Telecom) were targeted by the advanced persistent threat group UNC3886 shows how even well-defended organizations remain exposed when identity systems lack continuous monitoring, privileges are overextended and attackers use AI-driven automation to escalate access at speed.
UNC3886 exploited zero-day vulnerabilities and credential access in its sophisticated espionage campaigns. Whether through privilege misuse, stale access rights or anomalous behavior, insider-related incidents can expose sensitive data and weaken core identity systems such as Active Directory and Entra ID.
AI further complicates the picture. Increasingly, the challenge lies not in the sophistication of malware but in the speed and stealth enabled by AI-assisted tactics. CybersecAsia discussed this issue – and more – with Sean Deuby, Principal Technologist, Semperis.
Why have identity systems become a primary target, and how are attackers increasingly using insider access and AI-driven automation as force multipliers?
Deuby: It is often said that people are the weakest link in cybersecurity, but in practice, attackers are increasingly focused on the systems that sit behind people, particularly identity. You hear the maxim “identity is the new perimeter” but at Semperis, we would say that identity has always been the perimeter.
When attackers can compromise identity infrastructure, they move beyond a single point of entry and gain broad access across systems, users and privileges. In that sense, identity is not just a target, but also a weapon.
This aligns closely with the economics of cybercrime: maximize payout, move quickly, and avoid detection for as long as possible. Compromising identity systems can enable ransomware, data exfiltration, lateral movement and persistence, all from a position of trusted access.
Insider access fits this model particularly well because it can dramatically accelerate the attack path. Whether it involves privileged access, assistance in bypassing controls such as multi-factor authentication, or activity from within an administrative environment, insider involvement can reduce the time, cost and effort required to compromise an organization.
AI is increasingly acting as a force multiplier in this process. At this stage, attackers are using AI and automation to scale tasks such as phishing, password spraying, reconnaissance and vulnerability discovery more efficiently. While the underlying tactics may be familiar, AI allows them to execute faster and at greater volume, which increases pressure on defending attacks.
This combination of identity compromise, insider-enabled access and AI-driven automation is making attacks more efficient and harder to contain. That is why strengthening identity security and overall cyber resilience has become increasingly important.
With early 2026 already showing signs of rising insider-driven identity exposure, what emerging trends, such as privilege creep, misconfigurations and delayed remediation, should organizations be most concerned about?
Deuby: Many of the biggest risks are not new but are becoming more dangerous because organizations are now layering AI, automation and faster deployment cycles onto longstanding weaknesses. Issues such as privilege creep, over-permissioning, weak governance, misconfigurations and delayed remediation, which have existed for years, are being exploited at scale and speed.
Privilege creep remains a major concern because excess access often accumulates over time without being properly reviewed or removed. In many environments, users, service accounts and applications end up with more access than they need, creating unnecessary exposure across the identity estate. Threat actors can easily exploit permissions that were never tightened in the first place.
Misconfigurations are equally significant. In many cases, organizations are compromised not because of a sophisticated breakthrough, but because basic controls were left incomplete, inconsistently applied or poorly governed.
Common examples include weak segmentation, gaps in privileged access hygiene, incomplete enforcement of multi-factor authentication, and administrative credentials being exposed through routine operational practices such as administrative tiering.
Delayed remediation is another serious issue. Even when weaknesses are known, they are not always addressed quickly because security improvements often compete with operational priorities, change control processes and resource constraints. As a result, vulnerabilities can remain open long after they are identified, giving attackers ample opportunity to exploit them.
AI is increasing the urgency of these problems. As organizations experiment with AI agents and AI-enabled workflows, governance is often lagging deployment. In some cases, these tools may be granted excessive permissions, poorly managed secrets, or no meaningful time limits on what they can do. That creates a growing risk that organizations will continue to encounter familiar identity and access problems in a much more scalable and dynamic environment.
Organizations should be less focused on hypothetical edge cases and more focused on tightening governance, reducing unnecessary privilege, correcting known misconfigurations and fixing issues before they become persistent attack paths.
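The privilege-creep, stale-access and AI-agent governance points above can be turned into a repeatable triage. The following is an added example written for this article, not code from Semperis or from the interview; the account inventory, group names and the 90-day dormancy threshold are constructed for illustration, and a real review would populate the inventory from Active Directory / Entra ID sign-in and audit data.

```python
"""Added example: a first-pass privilege-creep review over an account inventory.

Three conditions from the discussion above are checked for every account that
holds privileged group membership:
  - dormant_privilege:            the privilege has not been exercised recently
  - stale_account_with_privilege: the account itself has not signed in recently
  - non_expiring_secret:          a service or AI-agent identity whose secret
                                  has no expiry (no time limit on what it can do)
All data below is constructed; thresholds and group names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_DAYS = 90  # assumed review window; tune to your access-review cadence


@dataclass
class Account:
    name: str
    kind: str                          # "user", "service" or "agent"
    privileged_groups: tuple           # e.g. ("Domain Admins",); () if none
    last_logon: Optional[date]         # None = never signed in
    last_privileged_action: Optional[date]  # None = privilege never used
    secret_expires: Optional[date]     # None = credential never expires


def review(accounts, today):
    """Return {account_name: [issue, ...]} for accounts that need attention."""
    cutoff = today - timedelta(days=DORMANT_DAYS)
    findings = {}
    for acct in accounts:
        if not acct.privileged_groups:
            continue  # unprivileged accounts are out of scope for this pass
        issues = []
        if acct.last_privileged_action is None or acct.last_privileged_action < cutoff:
            issues.append("dormant_privilege")
        if acct.last_logon is None or acct.last_logon < cutoff:
            issues.append("stale_account_with_privilege")
        if acct.kind in ("service", "agent") and acct.secret_expires is None:
            issues.append("non_expiring_secret")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed inventory (hypothetical names and dates).
SAMPLE_ACCOUNTS = [
    Account("alice", "user", ("Domain Admins",),
            date(2026, 2, 27), date(2026, 2, 20), date(2026, 5, 1)),
    Account("bob", "user", ("Domain Admins",),
            date(2026, 2, 25), date(2025, 10, 1), date(2026, 5, 1)),
    Account("svc-backup", "service", ("Backup Operators",),
            date(2025, 9, 1), date(2025, 9, 1), None),
    Account("ai-agent-01", "agent", ("Global Administrator",),
            date(2026, 2, 28), date(2026, 2, 28), None),
    Account("carol", "user", (), date(2026, 2, 28), None, date(2026, 5, 1)),
]
REVIEW_DATE = date(2026, 3, 1)  # constructed "today"

if __name__ == "__main__":
    for name, issues in review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{name}: {', '.join(issues)}")
```

Each finding maps to a concrete fix named in the answer above: remove or time-box the dormant group membership, disable the stale account, and put an expiry (or a managed, rotated secret) on the automation identity. Running the review on a schedule, rather than once, is what turns it into the ongoing posture assessment the interview argues for.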
What operational and regulatory consequences can organizations face when identity systems are compromised?
Deuby: When identity systems are compromised, the consequences extend well beyond a typical cyber incident. There can be immediate financial impact, regulatory exposure and serious operational disruption, but the bigger issue is that identity failure often makes the wider crisis significantly harder to manage.
From a regulatory standpoint, organizations may face strict breach notification obligations, accelerated reporting timelines and increased scrutiny from regulators, particularly in highly regulated sectors such as healthcare, finance and critical infrastructure. In many cases, organizations are required to begin reporting before they have a complete picture of what happened, which adds pressure at an already chaotic stage of the incident.
Operationally, compromised identity systems can create a “lights out” scenario where the very systems they need to respond to a breach are unavailable. Identity platforms such as Active Directory and Entra ID underpin authentication, access, administration and internal coordination. If those systems are unavailable or untrusted, organizations may struggle to communicate internally, access core systems, coordinate incident response, or even carry out basic recovery activities.
There is also a distinct recovery challenge with identity systems. Restoring identity is not the same as restoring a standard workload such as email or a database. Attackers often establish persistence in identity infrastructure so they can return even after initial access is removed. That means an organization may bring systems back online operationally, while still leaving the underlying identity environment untrustworthy.
This is why identity recovery must focus not only on returning services to operation, but on restoring trust. If backdoors, malicious changes or persistence mechanisms remain in place, the organization remains exposed to repeat compromise. For security leaders, the goal should not just be ‘return to operations’ but ‘return to trustworthiness’.
Why are continuous monitoring, behavioral analytics and proactive detection now business-critical rather than optional?
Deuby: These capabilities are now business-critical because many attacks no longer look overtly malicious at first glance. In identity-based attacks, adversaries often use legitimate credentials, valid sessions or authorized pathways, which means traditional alerts may not detect them early enough.
That is why organizations need more context around user and system activity. Continuous monitoring and behavioral analytics help security teams determine whether activity is merely valid on paper, or genuinely normal in context. For example, a login may appear legitimate from an identity perspective but still be suspicious if it comes from an unusual location, device, browser or usage pattern.
The value of behavioral analytics is that it enables organizations to assess multiple signals together rather than relying on any single indicator. Risk scoring based on factors such as location, device, access behavior and session characteristics gives defenders a stronger chance of identifying misuse before it escalates into full compromise.
Proactive detection is equally important because attackers are moving faster, and AI is helping them scale and automate familiar tactics more efficiently. As identity attacks become more adaptive and harder to distinguish from normal activity, organizations cannot afford to wait for a major disruption before responding. They need the ability to detect subtle warning signs early, investigate quickly and contain threats before they affect operations.
In that environment, continuous monitoring and behavioral analytics are no longer optional security enhancements. They are essential to maintaining visibility, reducing response time and protecting trust in the identity layer that the rest of the business depends on.
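The answer above describes risk scoring that weighs location, device, access behavior and session characteristics together rather than trusting any one of them. The following is an added example, written for this article and not code from Semperis or any product, that implements that idea over constructed sign-in events: each signal contributes a weight, the weights add up to a score, and only the combined score decides whether a login that is valid on paper deserves review. Baselines, weights and the 900 km/h impossible-travel speed are assumptions.

```python
"""Added example: combine several sign-in signals into one behavioral risk score.

A valid credential and a valid session are not evidence that the activity is
normal in context. Each check below yields a named reason; the score is the
sum of the reasons' weights. Baselines, weights, threshold and events are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed weights; a real deployment would tune these against its own history.
WEIGHTS = {
    "new_country": 30,
    "new_device": 25,
    "off_hours": 15,
    "no_mfa": 20,
    "impossible_travel": 40,
}
MAX_PLAUSIBLE_KMH = 900  # roughly airliner speed; faster implies two actors


@dataclass
class Baseline:
    countries: set          # countries this user normally signs in from
    devices: set            # device identifiers previously seen for this user
    work_hours: tuple       # (start_hour, end_hour), user's local time


@dataclass
class Login:
    user: str
    when: datetime
    country: str
    device: str
    lat: float
    lon: float
    mfa: bool


def km_between(a, b):
    """Great-circle distance in km (haversine); enough to spot impossible travel."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def score_login(login, baseline, previous=None):
    """Return (score, reasons) for one login given the user's baseline and prior login."""
    reasons = []
    if login.country not in baseline.countries:
        reasons.append("new_country")
    if login.device not in baseline.devices:
        reasons.append("new_device")
    start, end = baseline.work_hours
    if not start <= login.when.hour < end:
        reasons.append("off_hours")
    if not login.mfa:
        reasons.append("no_mfa")
    if previous is not None:
        hours = (login.when - previous.when).total_seconds() / 3600
        distance = km_between((previous.lat, previous.lon), (login.lat, login.lon))
        if hours > 0 and distance / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate(logins, baselines, threshold=50):
    """Score logins in time order, remembering each user's previous login."""
    last_seen = {}
    results = []
    for login in sorted(logins, key=lambda item: item.when):
        score, reasons = score_login(login, baselines[login.user], last_seen.get(login.user))
        last_seen[login.user] = login
        results.append((login.user, login.when.isoformat(), score, reasons, score >= threshold))
    return results


# Constructed baselines and events (hypothetical users, coordinates approximate).
BASELINES = {
    "alice": Baseline({"SG"}, {"laptop-01"}, (8, 19)),
    "bob": Baseline({"SG", "MY"}, {"phone-07"}, (8, 19)),
}
SAMPLE_LOGINS = [
    Login("alice", datetime(2026, 2, 10, 9, 0), "SG", "laptop-01", 1.35, 103.82, True),
    Login("alice", datetime(2026, 2, 10, 10, 0), "US", "laptop-01", 37.77, -122.42, True),
    Login("bob", datetime(2026, 2, 10, 22, 0), "MY", "phone-07", 3.14, 101.69, False),
]

if __name__ == "__main__":
    for user, when, score, reasons, flagged in evaluate(SAMPLE_LOGINS, BASELINES):
        print(f"{when} {user:6} score={score:3} flagged={flagged} {reasons}")
```

Alice's second login uses her usual device and passed MFA, so a credential-only check accepts it; the new country plus a Singapore-to-San-Francisco hop inside one hour pushes it over the threshold. Bob's late, non-MFA login from a known country and device scores below it, which is the kind of contextual judgement the answer above describes.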
Identity systems like Active Directory and Entra ID form the backbone of enterprise access. What practical steps can security leaders take in 2026 to strengthen identity resilience without slowing business operations?
Deuby: The first priority is to focus on the fundamentals that make an organization a harder target. Security leaders do not need to make their environment perfect overnight, but they do need to reduce the clear vulnerabilities that attackers can exploit with relative ease and minimal cost.
That begins with strengthening identity hygiene and posture. Organizations should review privileged access, reduce over-permissioning, close common configuration gaps, enforce strong authentication consistently, and regularly assess the exposure of critical identity infrastructure such as Active Directory and Entra ID. In many cases, these basic steps can materially strengthen resilience without creating unnecessary friction for the business.
It is also important to take a risk-based approach. Cybercriminals tend to follow the easiest and most profitable path. If an organization can make identity compromise slower, harder and less predictable, attackers may decide the effort is no longer worthwhile and shift to an easier target. In that sense, resilience is not only about building perfect defenses, but about increasing the cost and complexity of attack.
Security leaders should also invest in ongoing identity posture assessment rather than treating resilience as a one-time project. Regular reviews of permissions, exposures, configuration weaknesses and recovery readiness can help teams address low-hanging fruit before it develops into a more serious incident.
Strengthening identity resilience will require disciplined execution of the fundamentals: reducing unnecessary privilege, tightening governance, improving visibility and remediating the conditions that make compromise easier. These measures should not be viewed as routine technical maintenance, but as foundational to cyber resilience, operational continuity and organizational trust.