Most IT budgets still spend the most on endpoint security, but modern breaches now start with compromised identities, not compromised devices. That mismatch between where the money goes and where the risk actually lives is the subject of a recent TrustedTech webinar featuring the company’s own security and Microsoft 365 advisors. The short version: identity, not the endpoint, has become the primary control point for security.
During the session, a live poll asked attendees where they spend the most on IT security. Endpoint took the top spot, ahead of identity, network perimeter, and data security combined. It’s a common answer, and it made sense a decade ago. As TrustedTech’s Edwin Manlapaz, a frontline leader for the company’s M365 and Azure teams, explained during the session, most modern attacks no longer originate outside the organization. They start with compromised credentials, risky access, session hijacking, or the misuse of privileges. The attacker doesn’t break in. They log in.
Why Traditional Perimeter Security Doesn’t Hold Anymore
Traditional security models assumed users worked inside the corporate network, infrastructure was centralized, and devices were managed internally. Almost none of that describes a typical organization today.
Applications live everywhere. Data lives everywhere. Users move across multiple devices, locations, cloud platforms, SaaS applications, and increasingly AI-driven workflows, often at the same time. The perimeter that endpoint security was built to defend has effectively dissolved, and what’s left in its place is identity and access, now widely considered the weakest point in cloud security: the credential, the session, the access request.
TrustedTech’s Rick Belzer sees this pattern repeatedly when he steps into a new customer environment. He maps risk across four areas: overshared and poorly governed data, visibility gaps around sensitive information, identity and access misalignment, and weak compliance monitoring. Only one of those four areas has anything to do with the device.
Why AI Makes This Worse, Not New
AI didn’t create the identity risk problem. It’s speeding it up. As Mlapas put it, AI increases two things at once: productivity and exposure. The technology itself isn’t the vulnerability. The problem is that AI dramatically increases the speed at which information can be surfaced, searched, and shared, so any existing weakness in governance or access control compounds faster than it used to.
Belzer’s team sees overshared SharePoint, Teams, and OneDrive permissions constantly, and it’s rarely malicious. Someone shares a file with a colleague for convenience and doesn’t think twice about the access trail it leaves behind. An AI tool doesn’t understand intent. It only understands that it has access. What used to be a low-risk convenience shortcut becomes a much faster path to exposure once AI is layered on top.
That’s why TrustedTech’s advisors ask one question before any Copilot rollout conversation goes further: how much is the organization already using Microsoft Purview, the Microsoft 365 platform for classifying, protecting, and governing data across its lifecycle? In most cases, the honest answer is very little. Copilot doesn’t create new risk out of nothing. It moves faster through whatever governance gaps already exist, which is exactly what a Copilot Readiness Assessment is built to catch before rollout instead of after.
Why Identity Failures Rarely Look Malicious Until They Are
One story from the webinar makes this concrete. Belzer described challenging a client’s assumption that employees weren’t writing down passwords. They picked ten desks at random. Six had a password sitting in plain view. That wasn’t a security team failing to enforce policy. It was ordinary human behavior colliding with an authentication model that was never built to account for it.
The same gap shows up in conditional access. An organization might have strong multi-factor authentication in place, such as Microsoft Authenticator or passkeys, but if re-attestation only happens every 30 days, a compromised account has a full month to operate before anyone notices. In practice, TrustedTech’s assessments find that most organizations set these intervals once during initial deployment and never revisit them as risk profiles change. Strong tools configured with weak intervals still leave the door open.
To put a number on the scale of this: a representative mid-market organization with 500 users often has thousands of stale sharing links accumulated over several years, most from ordinary collaboration, not malicious intent. Multiply that by however many former employees, vendors, and contractors touched files along the way, and the exposure surface for a single compromised account gets large fast.
What Identity-First Security Looks Like in Practice
Shifting budget toward identity doesn’t mean abandoning endpoint protection. It means treating identity, behavior, and data access as the primary signal, with continuous verification instead of a one-time login check. In practice, that means:
Conditional access policies tied to real risk signals rather than fixed calendar intervals. Visibility into where sensitive data lives, who can access it, and whether that access still makes sense, which is the baseline a Microsoft 365 Tenant Assessment is built to establish. Monitoring for behavioral anomalies, such as unusual download volume or access from unmanaged devices, before they escalate into incidents. And a governance foundation in Microsoft Purview that exists before AI tools like Copilot are introduced, not after.
Microsoft’s own licensing roadmap reflects this same shift. Microsoft 365 E3 covers a productivity and compliance baseline. E5 adds advanced threat protection and automation. E7, still early in adoption, signals where Microsoft believes the market is headed next: governing AI agents, automation, and machine-driven identity at scale, at a $99 per user, per month premium over E5. The direction is consistent across all three tiers. Identity, not the device, is becoming the control point.
The Takeaway
Endpoint security still matters. But if it’s absorbing the largest share of a security budget while identity, access governance, and data visibility go underfunded, the spending no longer matches where the risk actually lives. TrustedTech is a Microsoft Solutions Partner, and its advisors see this gap most often in organizations that haven’t revisited their security spending since before hybrid work and AI adoption reshaped what a “perimeter” even means. Getting ahead of it isn’t necessarily about spending more. It’s about spending on the right layer.
Find Hidden Waste in Your Microsoft 365 Stack
What kind of M365 admin are you? Uncover ways to reduce costs, simplify management, and improve security.
Frequently Asked Questions
Why is identity considered the new security perimeter?
Most modern breaches now start with compromised credentials, risky access, or session hijacking rather than a network intrusion. Once a user’s identity is compromised, an attacker can often move through cloud platforms and SaaS applications without ever touching a traditional perimeter defense.
Does this mean endpoint security is no longer necessary?
No. Endpoint protection is still a necessary layer. The issue is proportion: many organizations overweight endpoint spending relative to identity governance, data visibility, and access controls, even though those areas now carry more of the actual risk.
How does AI change the urgency of this shift?
AI tools can surface overshared or poorly governed data far faster than manual search ever could. If governance gaps already exist, AI adoption, including tools like Microsoft Copilot, exposes them more quickly rather than creating new ones.
What should come before a Copilot rollout?
A clear-eyed assessment of how data is classified, shared, and governed, typically through Microsoft Purview. Rolling out AI tools before establishing this foundation tends to expose existing gaps rather than prevent them.
How often should conditional access policies re-verify identity?
There’s no universal number, but relying on infrequent intervals, such as 30-day re-attestation, gives a compromised account significant time to operate undetected. Continuous or risk-based verification is a stronger model than a fixed calendar check.
Ready to See Where Your Environment Stands?
TrustedTech’s Threat Protection & Visioning Workshop is built around exactly this shift: mapping where risk actually lives in an environment, not just where it traditionally has. Schedule a consultation with TrustedTech’s security advisors to find out where your identity, data, and access posture stand today.
Insights in this article are drawn from TrustedTech’s live security webinar, featuring Heath Madison (Senior Director, Professional Services), Rick Belzer, and Edwin Manlapaz (frontline leader, M365 and Azure teams).



