Handling the Identity Supply Chain Risk

Welcome back to the SEB Tech Blog. This time we will dig into the importance of handling identity supply chain risk.
Introduction
Over the past decade, security practices have increasingly shifted toward treating identity as the new perimeter, a dynamic boundary where risk levels can be continuously assessed and applied. This shift enables organizations to build adaptive risk profiles around both human users and their devices as the threat landscape evolves.
In today’s hybrid world, where applications are developed or consumed as cloud services, identity is no longer a single boundary but a distributed mesh of human and non-human entities. These include workload identities, service accounts, virtual machines, and scripts. Taken together, this mesh can be thought of as an identity supply chain: a network of interdependent identities connected through trust relationships.
Those trust relationships take many forms, such as OAuth consents, API keys, session or refresh tokens, and federations via SAML or OIDC. By viewing them as a supply chain, organizations gain a consistent framework for governing complex identity ecosystems across workloads.
What to Consider
To effectively manage the identity supply chain, organizations first need visibility. Credentials that never expire, such as long-lived session tokens or personal access tokens, represent one obvious risk if they are not properly secured. Another is transitive trust: for example, one application holds privileges into a second, which in turn connects to a cloud service. In such cases, a compromise in one place can cascade across several environments.
Lifecycle management also matters. Without clear processes and ownership for onboarding and offboarding, credentials and secrets may be left behind in places no one monitors. Each of these gaps increases exposure.
Why It Matters
Every OAuth grant, SCIM job, service account, or SaaS-to-SaaS integration creates a dependency. If neglected, these dependencies can be compromised, replayed, or misused. Recent breaches have demonstrated how a single compromised access token can become the linchpin of an attacker’s success, creating ripple effects throughout the supply chain of identities. This is where AI becomes relevant. In an earlier piece, “AI Agents – The Future of Integration in Cybersecurity and Beyond,” we explored their strategic potential. Applied to identity supply chains, AI Agents could continuously scan for over-permissioned integrations and flag silent API-level exfiltration attempts that evade traditional controls.
The Threats in the Identity Supply Chain
The identity supply chain faces a range of emerging threats. Consent phishing, where users unwittingly grant excessive OAuth privileges to rogue apps, can bypass multi-factor authentication because tokens themselves become the keys. Token replay and session theft remain a constant risk, with credentials often leaking through logs, support files, or infostealer malware. SaaS-to-SaaS chaining enables attackers to exploit a single integration and pivot into multiple tenants or cloud services. Over time, zombie identities, like unused service accounts or never-rotated tokens, accumulate and expand privilege scope. And the growing use of low-code automation introduces another layer of risk when non-developer workflows run with elevated privileges but lack proper auditing.
SEB’s Position
To operationalize security in this context, we emphasize a few guiding principles. Maintaining an inventory of all identities, scopes, and their ownership is the foundation for governance. Authentication for administrative and sensitive roles must be hardened with phishing-resistant MFA. Token management needs to move toward proof-of-possession or mTLS-bound approaches wherever possible, and ephemeral tokens with short lifespans and automatic expiry should become the standard rather than the exception.
Support processes must also evolve, ensuring tokens are redacted from logs and never shared in live form. We also see a strong role for AI Agents. These can provide real-time monitoring and incident response, automatically detect unused or risky OAuth grants, and enhance layered integration models where APIs provide structure and AI delivers adaptive intelligence. Automation at this scale can improve security posture while maintaining compliance and operational efficiency. Importantly, we view AI Agents not as replacements for human decision-making, but as tools that enhance it.
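The visibility gaps described under "What to Consider" (never-expiring credentials, transitive trust) and the inventory-driven detection of unused or risky grants described above can be combined into one simple review routine. The Python below is an added illustration, not SEB's tooling: it runs over a constructed inventory of grants, flags each one for never-expiring credentials, missing ownership, inactivity and high-privilege scopes, and then follows the trust edges to show which findings sit downstream of each identity (its blast radius). The grant names, scope names, dates and the HIGH_RISK_SCOPES set are all assumptions.

```python
from datetime import date

# Constructed sample inventory of identity-supply-chain grants (not real data).
# "trusts" lists the grant ids this identity can reach with its own credential.
GRANTS = {
    "ci-runner": {"kind": "service account", "scopes": ["repo:read"], "owner": "platform",
                  "expires": date(2026, 1, 1), "last_used": date(2025, 10, 20), "trusts": ["saas-sync"]},
    "saas-sync": {"kind": "SaaS-to-SaaS OAuth grant", "scopes": ["files.readwrite.all"], "owner": None,
                  "expires": None, "last_used": date(2025, 3, 1), "trusts": ["cloud-storage"]},
    "cloud-storage": {"kind": "workload identity", "scopes": ["storage.admin"], "owner": "data",
                      "expires": date(2026, 3, 1), "last_used": date(2025, 10, 25), "trusts": []},
}
# Assumed set of scopes treated as high privilege; tune it for your own tenant.
HIGH_RISK_SCOPES = {"files.readwrite.all", "directory.readwrite.all", "storage.admin"}
TODAY = date(2025, 11, 1)  # assumed date of the review run

def assess(grant, today, unused_days=90):
    """Return the risk findings for one grant (an empty list means no finding)."""
    findings = []
    if grant["expires"] is None:
        findings.append("never-expires")          # long-lived token or PAT
    if grant["owner"] is None:
        findings.append("no-owner")               # lifecycle gap: nobody will offboard it
    if (today - grant["last_used"]).days > unused_days:
        findings.append("unused")                 # zombie identity candidate
    if {s.lower() for s in grant["scopes"]} & HIGH_RISK_SCOPES:
        findings.append("high-privilege-scope")   # over-permissioned integration
    return findings

def reachable(grants, start):
    """Grant ids reachable from `start` by following trust edges: the blast radius."""
    seen, stack = set(), list(grants[start]["trusts"])
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(grants[cur]["trusts"])
    return seen

def report(grants, today):
    """Map each grant id to its own findings and the findings reachable downstream."""
    out = {}
    for gid, g in grants.items():
        downstream = {f for r in reachable(grants, gid) for f in assess(grants[r], today)}
        out[gid] = {"own": assess(g, today), "downstream": sorted(downstream)}
    return out

if __name__ == "__main__":
    for gid, r in report(GRANTS, TODAY).items():
        print(f"{gid:14} own={r['own']} downstream={r['downstream']}")
```

Note that the low-risk "ci-runner" grant still inherits every finding of the neglected SaaS-to-SaaS integration behind it, which is the cascading compromise the post warns about.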
Final Thoughts
The identity supply chain is already complex, and its risks are likely to grow as new technologies emerge. AI-driven workloads are changing how integrations happen today, and future innovations such as quantum computing may expose vulnerabilities we cannot yet foresee. Dependencies on third-party providers, federated identity systems, and APIs will remain systemic weak points.
Novel attack surfaces will appear, just as they have in every previous technological shift, and human behaviour will continue to adapt in ways that sometimes undermine identity safeguards. While we cannot predict every future threat, we can prepare for them. Building resilience means designing systems with redundancy and fail-safes, ensuring continuous visibility across the supply chain, and investing in rapid response and recovery capabilities.
As the saying goes, “Risk is what is left over when one has thought of everything.” The best way forward is to cultivate resilience, adapt continuously, and focus on learning as new threats materialize.
Ulf Larsson, SEB Group Security CTO
Predrag Mitrovic, Information Security Officer SEB Group