In late 2025, Amazon publicly acknowledged that an ongoing cryptomining campaign was negatively impacting AWS accounts. Attackers gained access using legitimate logins, and their activity blended into normal operations long enough to both drive up customer costs and delay detection. Meaning, real consequences–of both the financial and governance varieties–were well underway before the organizations understood what was happening.
While “fighting identity theft” used to mean “convincing Aunt Sadie not to share her SSN,” these days it affects organizations in ways that go well beyond individual fraud. Identity Theft Awareness Week (January 26-30, 2026) has traditionally been consumer-facing, but the issue is a big problem for businesses of all sizes. Stolen and/or misused identities increasingly serve as entry points for incidents that disrupt operations, expose data, and raise uncomfortable questions about oversight and accountability.
For businesses, identity theft rarely looks like a single stolen record or a one-off scam. Employee accounts, service accounts, customer logins, and vendor access all represent potential paths into systems that power daily operations. Because the notion of “user identity” sits at the center of modern technology environments, misuse can spread not just widely.
Troublingly, it can spread very quietly. Unlike, say, a ransomware attack, systems usually remain available and transactions continue. Alerts focus on malware or network anomalies, while identity-driven activity appears to be routine. This makes identity theft harder to detect and slower to contain, particularly in cloud-based and highly distributed environments.
The result is a category of risk that feels familiar and yet behaves differently than many organizations expect.
Artificial Intelligence Raises the Stakes
AI has changed how identity theft is executed, even when the underlying techniques remain familiar. Phishing messages have become vastly more convincing, and impersonation attempts are more adaptive. Credential testing and reuse can be automated at a pace that overwhelms any attempt at manual review.
This hasn’t created a whole new class of crime–as they say, there’s nothing new under the sun. But it does compress timelines and dramatically increase the volume of identity-based attacks organizations have to contend with. Scams that once required at least some level of sustained effort can now be carried out faster, at greater scale, with minimal effort.
Organizations that rely primarily on awareness training or periodic access reviews are finding that those measures struggle to keep up with the volume and realism of modern attacks.
AI has also narrowed the margin for error. Small gaps in identity governance can now be exploited repeatedly rather than occasionally.
The Limits of Traditional Identity Controls
Most organizations have taken meaningful steps to protect identities. Multi-factor authentication has been widely deployed, and so-called “zero trust” cybersecurity is becoming increasingly common. Password policies are enforced. Access reviews are performed. These controls matter, but too often they are implemented as static requirements, rather than as parts of an evolving risk program.
Of course, the more strategies and tools that organizations implement, the more complex the environment becomes. Accounts accumulate across applications and platforms. Privileges expand. Ownership becomes less clear, and documentation lags reality.
When identity theft occurs, organizations are often forced to reconstruct access decisions after the fact, under pressure. This is where identity theft shifts from a technical concern to a business one.
What Small and Mid-Sized Firms Should Be Doing Now
Identity Theft Awareness Week is a useful moment for organizations to pause and assess whether their approaches match current risk. For many small and mid-sized firms, practical improvements are less about buying new tools and more about tightening fundamentals.
Some steps worth prioritizing:
- Clarify ownership of identity risk. Someone should be accountable for how identities are provisioned, reviewed, and retired across the organization, not just within individual systems.
- Reduce standing access. Long-lived privileges increase exposure. Regularly reassessing who needs access, and for how long, will help reduce the likelihood of credential theft and reduce its impact when (not if) it happens.
- Improve visibility into identity activity. Logging and monitoring should make it possible to identify unusual use of legitimate accounts before damage accumulates.
- Test response assumptions. Identity-related incidents often unfold quietly. Organizations should know who investigates, who decides, and how quickly action can be taken when misuse is suspected.
- Align identity controls with business priorities. Not all identities carry equal risk. Access tied to financial systems, sensitive data, or critical operations deserves additional scrutiny.
These steps are achievable without enterprise-scale budgets, but they do require attention and follow-through.
Identity Theft as a Governance Issue
As identity theft becomes more central to cyber incidents, it increasingly intersects with governance. Decisions about access, monitoring, and exception handling reflect tradeoffs between efficiency and risk. Those tradeoffs affect compliance posture, customer trust, and regulatory exposure.
Leadership teams are often asked whether identity controls exist. The more important question is whether identity risk is understood well enough to support defensible decisions when scrutiny arrives.
Identity theft remains a serious issue for individuals, it’s true. But for organizations, it has become a persistent business risk that touches technology, operations, compliance, and leadership accountability. Addressing that risk requires clear ownership, disciplined governance, and an honest view of how identities function across the organization today.
At TMG, we help organizations strengthen identity-related risk management as part of a broader cybersecurity and governance strategy. The goal is not to eliminate identity theft, but to reduce its impact and ensure leaders can explain their decisions clearly when questions arise.