Perly Consulting │ Beck Eco

The State of Play

A living index of AI adoption across industries — where established practice meets the bleeding edge
UPDATED DAILY

The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.

The Daily Dispatch

A daily newsletter distilling the past two weeks of movement in a domain or two — delivered to your inbox while the index updates in the background.


Identity & access anomaly detection

GOOD PRACTICE

TRAJECTORY

Stalled

AI that detects anomalous authentication and access patterns indicating compromised credentials or insider threats. Includes impossible travel detection and privilege escalation alerting; distinct from zero-trust policy enforcement, which defines access rules rather than detecting violations of them.

OVERVIEW

Identity and access anomaly detection is a proven, operationally mature practice with persisting deployment challenges at scale. ML-driven behavioral analytics—flagging impossible travel, privilege escalation, and credential misuse—have been standard across major SIEM and identity platforms since the early 2020s, with Forrester TEI studies documenting ROI above 240%. Hyperscale deployment validates the approach: Microsoft alone analyzes 38 million identity risk detections daily (2026), and tier-1 vendors (CrowdStrike, Palo Alto, Sentinel, Exabeam) ship mature anomaly detection as core capability. Yet organizational breach rates continue climbing (69% globally, 92% in Australia per RSA 2026), revealing the core tension: the practice's technology viability is settled; the question is operational adoption quality. Real-world barriers persist—false positive fatigue, tuning overhead, and critical coverage gaps for non-human identities that now vastly outnumber human users. Organizations deploying identity-centric controls (behavioral anomaly detection + governance + response automation) show measurable improvement (Docker achieved 85% YoY false positive reduction through disciplined tuning; Exabeam customers report 50% investigation time savings); those deploying without sustained engineering investment face alert saturation that erodes SOC trust. The practice is firmly good-practice—capable and broadly available—but adoption velocity is constrained by operational execution, not technical readiness.

CURRENT LANDSCAPE

The vendor ecosystem has fully consolidated around platform-integrated behavioral analytics with accelerating non-human identity coverage in June 2026. CrowdStrike achieved ITDR Overall Leader status in KuppingerCole's 2025 Leadership Compass and Frost & Sullivan's Company of the Year (May 2026), validating cross-domain correlation (identity + endpoint + cloud + SaaS) as the standard detection architecture. Exabeam extended Agent Behavior Analytics to Google Cloud (1,100+ deployments with 50% investigation time reduction), and Ping Identity GA-launched Identity for AI with runtime behavioral monitoring for autonomous agents (April 2026). LogRhythm-Exabeam merger (finalized January 2026) consolidated SIEM with AI-driven behavioral analytics; Microsoft Sentinel UEBA behavior layer (GA January 2026) and Entity Analyzer (GA April 2026) introduced explainable AI-driven identity risk analysis. CrowdStrike extended Falcon Identity Protection to Microsoft Entra ID (May 2026). Market consolidation: $25B Palo Alto/CyberArk, Okta/Axiom, Delinea/StrongDM deals (May 2026) all targeting unified identity threat detection and AI agent governance. Market momentum sustained: 95% of organizations plan increased cybersecurity budgets (74% double-digit growth), 44% driven by AI expansion; UEBA market forecast 47.2% CAGR (USD 4.35B 2025 → USD 65.1B 2032); ITDR market projected 20.3% CAGR (USD 5.6B 2025 → USD 29.4B 2034).

The capability-outcome gap persists despite operational maturity. RSA 2026 survey (2,100 professionals, June) shows 69% of organizations globally (92% in Australia) experienced identity breaches with 45% facing costs exceeding $10M—despite widespread UEBA availability. SANS 2026 ITDR survey reveals a detection-response gap: 68% detect identity attacks within 24 hours but only 55% contain within 24 hours. Operational friction documented: Docker achieved 85% YoY false positive reduction after disciplined Okta/CloudTrail tuning, confirming that consistent engineering investment produces results but remains resource-intensive. Sophos survey (5,000 IT leaders, June 2026): 14% were unable to detect or stop their most significant identity breach in time, with smaller organizations disproportionately affected. False positives remain a critical barrier: practitioners report 30-day baselines generating 200 daily anomalies with only 5 worth investigating, Microsoft's impossible travel detection triggers false alerts from Microsoft's own infrastructure, and analysts face a choice between alert fatigue and detection gaps. Deployment practice maturity is increasing—Google Cloud published a UEBA methodology guide (June 2026), Netwrix identified tuning and organizational ownership gaps as adoption barriers—but organizations continue deploying without discipline: Panther analysis (May 2026) found 42% of teams deploy UEBA without baseline tuning, leading to behavioral drift.

Non-human identity anomaly detection remains the acknowledged frontier, limited by governance architecture more than technology. Netwrix survey (June 2026): organizations where AI expanded identities experienced 43% breach rate versus 11% baseline, with 76% lacking visibility into non-human identities—quantifying the expansion-detection gap as AI agent adoption accelerates. Orchid Security telemetry (April 2025–March 2026): 67% of non-human accounts created directly in applications (invisible to centralized IAM), 57% of enterprise identity invisible to IAM, 70% of applications overprivileged, 40% of accounts orphaned. Machine identities now outnumber humans 100-500:1 with only 12% automated lifecycle management (ManageEngine Q1 2026). Vendor frameworks announced at RSAC 2026 but gaps persist: dynamic scope creep, non-deterministic audit trails, cross-agent context poisoning, governance model misalignment. Cloud Security Alliance argues the architectural problem: machine identities operate as "autonomous trust executors"; single-token compromise cascades across systems differently than user compromise, requiring behavioral detection models fundamentally distinct from user-centric baselines. The practice's scaling barrier is organizational (governance, ownership, tuning discipline) more than technical (vendors ship mature, credible tools), but non-human identity anomaly detection remains structurally immature.

A critical detection blindspot emerged in June 2026: the Meta AI Support Bot case study demonstrated that authorized agent compromise is structurally invisible to behavioral anomaly detection. When HTS (the automated chatbot) was manipulated to reset 20,225+ Instagram passwords including accounts of Barack Obama and the US Space Force Chief Master Sergeant, the attack generated no anomalous login spikes, no behavioral deviations—from the detection layer's perspective, the HTS agent was an authorized actor executing legitimate password recovery operations. This exposure reveals that behavioral anomaly detection's foundational assumption—that deviations from normal behavior signal compromise—fails when legitimate actors (human or agent) become compromised or over-privileged. Vendor responses signal practice adaptation: Exabeam announced Agent Behavior Verification (ABV) extending anomaly detection upstream to pre-deployment verification of agent authorization scope; SANS analysis argues agents break existing detection models altogether (intent validation at execution layer, not behavioral baselines); Daylight AI documented a complementary structural limitation in human user anomaly detection itself—UEBA's false positive epidemic stems from class imbalance in model training (representing users by statistical mean rather than distribution), creating an actively unsolved research problem of simultaneous false positive/false negative reduction. These documented gaps—authorized agent blindspot, UEBA modeling class imbalance, behavioral signature ineffectiveness against agent-speed execution—position the practice at a critical juncture: technological maturity is unquestioned (68% of Fortune 1000 CISOs prioritize real-time identity revocation; market forecast 24.1% CAGR through 2034), but operational readiness for the AI-agent era remains contingent on architectural evolution beyond behavioral baselines.
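As an added illustration (not part of this index or of any vendor's product), the Python sketch below shows the two detection mechanics discussed above: an impossible-travel check over constructed sign-in events, with sign-ins sourced from known service infrastructure suppressed before pairing (the false-positive mode attributed above to Microsoft's own infrastructure), and a per-user sign-in-hour baseline scored two ways, by mean and standard deviation versus by the empirical distribution, to show the class-imbalance effect cited above. The infrastructure range, the sample events and the hour histories are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


# Constructed placeholder for the provider's own service infrastructure
# (RFC 5737 documentation range, not a real vendor range). A real deployment
# would load the provider's published address ranges here.
INFRA_NETS = [ip_network("203.0.113.0/24")]
MAX_KMH = 900.0  # about airliner cruise speed; faster than this is not travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_infra(ip):
    return any(ip_address(ip) in net for net in INFRA_NETS)


def impossible_travel(events, max_kmh=MAX_KMH, suppress_infra=True):
    """Pair each sign-in with the same user's previous one and flag pairs whose
    implied speed exceeds max_kmh. With suppress_infra, sign-ins sourced from
    service infrastructure (server-side fetches on the user's behalf) are
    dropped before pairing, removing the vendor-infrastructure false positive."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if suppress_infra and is_infra(ev.ip):
            continue
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            if km > 1.0:  # ignore geolocation jitter inside one city
                speed = km / hours if hours > 0 else float("inf")
                if speed > max_kmh:
                    alerts.append((prev, ev, speed))
        last[ev.user] = ev
    return alerts


def mean_model_flags(history, hour, z=2.0):
    """Mean/sigma baseline: the user is summarised by one average sign-in hour."""
    mu, sd = mean(history), pstdev(history)
    return hour != mu if sd == 0 else abs(hour - mu) / sd > z


def distribution_model_flags(history, hour, min_share=0.05):
    """Empirical-distribution baseline: flag an hour the user rarely signs in at."""
    return Counter(history)[hour] / len(history) < min_share


# Constructed sign-in log: alice's second event comes from "infrastructure"
# with a far-away geolocation; bob's second event is a genuine compromise.
LONDON, NEW_YORK, TOKYO = (51.5074, -0.1278), (40.7128, -74.0060), (35.6762, 139.6503)
T0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SignIn("alice", T0.replace(hour=9), "198.51.100.10", *LONDON),
    SignIn("alice", T0.replace(hour=9, minute=30), "203.0.113.5", *NEW_YORK),
    SignIn("bob", T0.replace(hour=10), "198.51.100.20", *LONDON),
    SignIn("bob", T0.replace(hour=11), "192.0.2.77", *TOKYO),
]

# Constructed sign-in-hour histories. SPLIT_SHIFT is bimodal (nights and
# afternoons); ON_CALL is mostly 09:00 with occasional legitimate 22:00 logins.
SPLIT_SHIFT = [2, 3, 4, 3, 2, 4] * 5 + [14, 15, 16, 15, 14, 16] * 5
ON_CALL = [9] * 47 + [22] * 3

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{cur.user}: {kmh:.0f} km/h between {prev.ip} and {cur.ip}")
    # Bimodal user: hour 9 is exactly the mean, so the mean model never flags
    # it (a miss), while the distribution model does.
    print("split-shift 09:00 ->", mean_model_flags(SPLIT_SHIFT, 9),
          distribution_model_flags(SPLIT_SHIFT, 9))
    # On-call user: 22:00 is far from the mean, so the mean model flags a
    # legitimate pattern the distribution model has seen 6% of the time.
    print("on-call 22:00 ->", mean_model_flags(ON_CALL, 22),
          distribution_model_flags(ON_CALL, 22))
```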

TIER HISTORY

Research: Jan-2018 → Jan-2018
Bleeding Edge: Jan-2018 → Jan-2021
Leading Edge: Jan-2021 → Jan-2022
Good Practice: Jan-2022 → present

EVIDENCE (147)

— Exabeam announced Agent Behavior Verification (ABV) framework and open-source Praxen implementation extending identity and access anomaly detection from human users to autonomous AI agents, with pre-deployment verification of role alignment and behavioral governance.

— Five production case studies demonstrating UEBA effectiveness against valid-account attacks, MFA fatigue, OAuth abuse, and behavioral anomalies that rule-based detection misses; shows modern identity-based intrusions operate through legitimate authentication.

— Gartner Voice of Customer: 800 verified reviews, 129 five-star ratings, 96% willingness to recommend, 4.7/5 product capability rating; validates mainstream adoption of continuous identity protection with shift from static login checks to real-time anomaly-driven evaluation.

— Critical technical assessment: UEBA's false positive problem is a structural modeling error (class imbalance, representing users by statistical mean rather than distribution); reducing false positives and false negatives simultaneously remains an open research challenge, documenting fundamental limitation at good-practice tier.

— Comprehensive technical guide covering behavioral baselining methodology, anomaly types (point, contextual, collective), statistical/ML algorithms, data sources, SIEM/XDR integration, tuning strategies, and deployment challenges (false positives, explainability, change handling).

— Market research: 68% of Fortune 1000 CISOs prioritize real-time identity revocation (up from 41% two years prior); market growing from $4.8B (2025) to $33.2B (2034) at 24.1% CAGR, demonstrating rapid mainstream adoption of risk-based behavioral access decisioning.

— Detailed guide on detecting AiTM attacks through behavioral indicators: impossible travel, unfamiliar geolocation, OAuth consent anomalies, mailbox rule anomalies; adoption metric shows 40,000 daily token theft incidents across Microsoft environments, validating detection requirement at scale.

— SANS/Arctic Wolf analysis identifying fundamental detection gap: behavioral signatures designed for human and service account anomaly detection do not translate to agent identities; agents break both detection models, requiring intent validation at execution layer beyond traditional anomaly detection.

HISTORY

  • 2018: UEBA emerged as a distinct product category with major vendor launches. Microsoft released ATA for Active Directory anomaly detection; Splunk, Exabeam, and Rapid7 released or updated UEBA platforms with machine learning for insider threat and lateral movement detection. Integration with SIEM and threat intelligence workflows became standard, and a Levi Strauss & Co deployment of Exabeam's Smart Timelines showed real-world productivity gains.
  • 2019: UEBA consolidated into mainstream platforms and cloud-first architectures. Microsoft released Azure Sentinel (GA) with built-in Investigation Priority risk scoring; Splunk advanced UBA 5.0 with customizable ML models and Starbucks live production deployment. Research validated adoption: Exabeam/Ponemon found security teams waste 25% on false positives. However, production systems revealed persistent tuning challenges—Microsoft's own impossible travel alerts generated high false positives despite ML suppression, indicating the practice remained operationally intensive at scale.
  • 2021: Vendors expanded UEBA capabilities into new domains while consolidation pressures emerged. Microsoft extended Azure Sentinel UEBA to SAP threat monitoring; Splunk acknowledged product lifecycle consolidation with UBA reaching end-of-sale in 2025. Market research confirmed growth: anomaly detection market forecast reached $5B+ by 2026 at 15.3% CAGR. Community implementations (Elastic, Splunk) documented practical impossible travel detection patterns, but operational challenges persisted—false positive management and model tuning remained labor-intensive for large deployments.
  • 2022-H1: UEBA moved into mainstream enterprise deployment with measurable ROI and analyst validation. Forrester TEI study reported 245% ROI for UEBA-integrated SIEM across BFSI, manufacturing, and retail; Obsidian Security documented January 2022 customer deployment detecting phishing-triggered account compromise via impossible travel alerting. Analyst recognition (GigaOm Radar) validated vendor differentiation on agent efficiency and risk scoring. However, deployment challenges remained visible: practitioners reported frequent false positives from Microsoft identity protection despite 14-day learning periods; Microsoft Sentinel experienced UEBA feature enablement bugs requiring backend fixes. Operational burden of tuning and suppressing false positives persisted despite broader adoption.
  • 2022-H2: Identity anomaly detection confirmed mainstream adoption with analyst recognition (Gartner ITDR trend, Magic Quadrant SIEM leadership for Microsoft Sentinel) and continued research innovation (fuzzy particle swarm algorithms for improved accuracy). Major vendors (Datadog, LogRhythm, Microsoft, Exabeam, IBM, Splunk) shipped or enhanced UEBA/identity threat detection capabilities. However, critical assessments revealed persistent barriers: independent deployment evaluations (Marskidata Sentinel study) documented high cost and usability complexity; security researchers warned against 'fake UEBA' relying on statistical models rather than machine learning; practitioner reports highlighted false positive alert fatigue and tuning burdens. Market expansion into cloud-native identity (AWS, Azure), entity behavior (device context), and specialized domains (SAP, Office 365) proceeded in parallel with operational challenges limiting deep adoption.
  • 2023-H1: UEBA moved into full operational deployment with continued ROI validation and orchestration maturity. Forrester 2023 TEI study for LogRhythm documented 258% ROI, 90% false positive reduction, and $2.24M NPV over three years; Netskope published real-world case studies of UEBA detecting insider threats and account compromise. Vendor ecosystem matured: Exabeam released Outcomes Navigator for detection coverage visualization, Palo Alto published automated impossible travel playbooks in XSOAR, and CrowdSec released technical implementation guides. However, structural adoption barriers persisted: platform usability and cost remained friction points; operationalizing UEBA across large user populations required sustained tuning effort and analyst time investment, limiting velocity among mid-market enterprises despite leader ROI.
  • 2024-Q1: Vendor product development accelerated while deployment barriers remained entrenched. Microsoft and Splunk released feature updates and security hardening for UEBA platforms; Splunk published open-source tooling (Zeppelin notebooks) for data validation and model monitoring to improve deployment scalability. A multinational insurance company conducted successful UEBA proof of concept for insider threat detection, advancing to SIEM RFP inclusion. Academic research documented persistent limitations: data quality concerns, high implementation costs, and ongoing model maintenance challenges limiting adoption velocity. Impossible travel detection matured as a methodological standard with vendor and open-source tooling, yet operational complexity—tuning false positives, managing alert fatigue—continued to constrain mid-market adoption despite strong ROI documented in enterprise deployments.
  • 2024-Q2: Identity threat detection and response (ITDR) accelerated toward standardization while market demand remained constrained by adoption gaps. Cisco's acquisition and at-scale validation of Oort for identity threat detection signaled vendor consolidation in dedicated ITDR platforms. Analyst recognition (Sayers, CyberRisk Alliance IAM survey) noted ITDR tools converging on standardized detection capabilities while only 27% of organizations reported high confidence in effective access controls. Vendor ecosystem continued positioning UEBA as augmentation to major SIEM platforms (Exabeam/Sentinel), and IBM/other vendors published public tutorial guidance establishing impossible travel and credential misuse detection as standard methodologies. However, business adoption drivers remained incomplete: a Ping Identity survey found 48% of IT leaders lack confidence in defenses against AI-driven identity fraud and only 45% deploy multi-factor authentication, indicating significant adoption gaps despite mature technical capabilities.
  • 2024-Q3: UEBA market growth accelerated with strong vendor consolidation momentum. Market forecasts projected USD 1.04B (2024) expanding to USD 11.22B (2031) at 40.5% CAGR, driven by rising sophisticated cyber-attacks and regulatory requirements. Exabeam and LogRhythm finalized merger (July 2024), consolidating AI-driven UEBA analytics with on-premises SIEM platforms and signaling vendor confidence in specialized identity anomaly detection tools. Vendor ecosystem remained mature: major platforms (Splunk, Sentinel, LogRhythm, Darktrace, Securonix) shipped competing UEBA capabilities with documented strengths and persistent adoption barriers (complexity, cost, implementation time). Okta and major IAM vendors continued integrating impossible travel detection and velocity-based anomaly rules natively. However, business-level adoption gaps persisted despite technical maturity—only 27% of organizations reported high confidence in access controls, indicating identity governance gaps that anomaly detection alone cannot remedy. Operational barriers (tuning, false positive management) continued limiting adoption velocity in mid-market segments despite decade-long practice maturity.
  • 2024-Q4: Identity and access anomaly detection reached ubiquity in vendor platforms while operational adoption barriers persisted. Microsoft Sentinel passed 25,000 customers with UEBA as core capability; Cortex XSIAM delivered 244% ROI and 85% alert reduction via behavioral analytics (Forrester TEI); market forecasts confirmed rapid expansion at 47.2% CAGR (UEBA market USD 4.35B 2025 → USD 65.1B 2032). However, SANS 2024 survey revealed 64% of SOC teams overwhelmed by false positives and 73% struggle with detection rules, perpetuating operational complexity barriers. Real-world incident showed impossible travel detection still missed in production (BEC case, Azure AD). Identity governance remained weak: 97% of orgs challenged by identity verification, only 45% deploy MFA, 69% of SOC incidents identity-related, only 27% confident in access controls. Capability maturity was firm, but adoption velocity was constrained by alert fatigue, implementation complexity, and foundational governance gaps that tooling alone could not address.
  • 2025-Q1: Market growth accelerated while implementation challenges persisted. UEBA market forecast USD 3.19B (2025) expanding to USD 13.71B (2030) at 33.9% CAGR. Microsoft integrated Security Copilot with Sentinel UEBA for AI-augmented threat prioritization; Exabeam launched cloud-native Fusion SIEM/XDR with UEBA integrated (500+ organizations deployed). Real-world case study: Blue Zebra Insurance (Australia) achieved 25% reduction in incident response time and 50% improvement in resolution time after Sentinel deployment. Survey data showed 46% of organizations prioritize ITDR as top IAM goal, 78% planning increased identity security spending, 94% adopting AI-driven identity solutions. However, critical vulnerability emerged: real $3M BEC loss incident revealed that MDR providers still fail to escalate impossible travel alerts due to low confidence in IP geolocation accuracy—exposing a critical implementation dependency that vendors had not fully solved despite decade-long maturity. Capability advancement was clear, but the gap between marketing narratives and operational reliability in high-stakes deployments remained unresolved.
  • 2025-Q2: Identity anomaly detection expanded scope to include machine and service identities while vendor security maintenance intensified. SailPoint's 2024-2025 report confirmed that mature identity programs achieve 87% more visibility and control of non-human identities (40%+ of total identities in most organizations); Identiverse 2025 (3,000+ attendees) highlighted industry consensus on AI-driven behavioral analytics for anomaly detection with vendor standardization around flagging abnormal access patterns and automating access reviews. However, security vulnerabilities continued: Splunk released UBA 5.4.2 (May 2025) addressing 13 CVEs, demonstrating that security maintenance complexity persisted alongside operational tuning burdens. Identity governance expansion toward machine identities and AI agents remained a critical adoption driver, but implementation challenges—alert fatigue, false positive management, and vendor security patch cycles—continued constraining velocity in mid-market deployments despite enterprise-scale ROI validation.
  • 2025-Q3: Identity anomaly detection reached peak mainstream adoption with standardized capabilities across all major platforms, yet adoption barriers intensified through three mechanisms: (1) vendor lock-in deepened as enterprises contracted for bundled AI platform agreements with reduced switching flexibility (Forrester, August 2025); (2) identity security confirmed as top cloud risk with 100% organizational mandate but identity governance deficits persisted (CSA, September 2025); (3) vendor supply chain risk escalated with Splunk releasing multiple security patches across Q3 (AV25-470, July 2025) documenting ongoing CVE burden for production UEBA systems. UEBA market growth projections remained aggressive (47.2% CAGR 2025-2032) and technical scope expanded toward machine identities, yet real-world deployment velocity remained constrained by false positive fatigue, tuning complexity, and foundational IAM governance gaps that anomaly detection tooling alone could not resolve. Capability had matured from "emerging" to "pervasive," but the implementation-effectiveness gap persisted at organizational scale.
  • 2025-Q4: Standalone UEBA products faded while platform-integrated anomaly detection accelerated. Splunk announced end-of-sale and end-of-support for UBA (December 2025, end-of-support December 2026), formalizing vendor consolidation toward integrated platforms; ITDR market forecast accelerated to 20.3% CAGR ($5.6B 2025 → $29.4B 2034); RSA survey revealed 69% of organizations globally and 92% in Australia experienced identity breaches (27-point YoY increase), signaling urgent market demand despite persistent deployment challenges. However, Q4 2025 operational assessments documented unresolved barriers: IT Professor analysis showed 30-day baselines generating 200 daily anomalies with only 5 real threats (40 analyst-hours/week), and systems failing to detect slow-cook attacks or lateral movement via legitimate access. SailPoint data confirmed an AI-enablement multiplier effect (4x more likely to deploy advanced ITDR), yet 64% of SOC teams remained overwhelmed by false positives, and 44% of organizations lacked UEBA adoption despite 64% identifying insider threats as a top risk. Capability maturity remained firm across all major platforms, but operational deployment velocity remained constrained by tuning complexity, alert fatigue, vendor consolidation lock-in, and foundational identity governance deficits that tooling alone could not remedy. The practice transitioned from the decade-long "emerging to mainstream" narrative toward a "plateau of mature deployment with persistent adoption gaps."
  • 2026-Jan: Vendor platform consolidation and UEBA feature advancement continued while machine identity automation gaps and production tuning challenges emerged. Exabeam and LogRhythm announced merger (January 2026) consolidating SIEM and behavioral analytics capabilities; Microsoft Sentinel released UEBA behavior layer GA (January 2026) aggregating raw logs into structured insights; market growth projections remained strong (UEBA market $1.87B→$2.29B 2025-2026 at 23.11% CAGR; ITDR $5.6B→$29.4B 2025-2034 at 20.3% CAGR). However, ManageEngine Q1 2026 survey revealed critical adoption gaps: machine identities outnumber humans 100-500:1 with only 12% automated lifecycle management and only 7% organization-wide AI adoption, signaling immature automation infrastructure for non-human identity anomaly detection. Production deployments exposed persistent tuning challenges: Microsoft Defender impossible travel detection triggered false positives from Microsoft's own infrastructure (OneDrive/SharePoint), revealing ML algorithm limitations and alert fatigue even in major vendor implementations. The practice remained technically mature and economically justified (ROI studies documented 244-258% returns), yet operational deployment barriers—false positive management, alert saturation, machine identity automation deficits—persisted as constraints on adoption velocity, particularly for scope expansion to non-human identities.
  • 2026-Feb: Critical operational barriers and architectural limitations surfaced despite peak vendor maturity. Microsoft Sentinel released UEBA behaviors layer GA with new Defender portal widget (February 2026); 95% of organizations planned increased cybersecurity budgets with 74% targeting double-digit growth, 44% driven by AI (Exabeam survey). However, negative signals emerged across multiple dimensions: RSA survey documented 69% of organizations experienced identity breaches in 2026, 45% facing costs exceeding $10M; Lumos report revealed 96% faced identity incidents with 48% unable to detect threats in real-time; critical infrastructure assessment (Curwell analysis) highlighted detection ceiling and inability to fuse multi-domain data (IT, OT, HR, physical); production deployments exposed privacy law violations, fragile baselines, and unsustainable false positive load (Doering analysis). Machine identities remained unautomated: only 12% with automated lifecycle management and 7% organization-wide AI adoption. The practice remained technically mature and economically advocated (95% budget increase plans) yet constrained by operational barriers—alert fatigue, false positive load, privacy/legal risks, multi-domain data fusion limitations—and architectural gaps preventing real-world effectiveness at scale, particularly for non-human identity expansion.
  • 2026-Mar: Non-human identity anomaly detection accelerated as tier-1 funding validated market expansion while detection maturity tensions persisted. Oasis Security and Linx Security closed Series B rounds ($120M and $50M respectively) targeting machine identity governance, AI agent behavioral monitoring, and continuous anomaly detection evolution away from periodic identity reviews. MITRE D3FEND formally classified UBA/UEBA with 12 defensive subtechniques, validating anomaly detection as standardized practice category. However, critical gaps in emerging scope remained: RSAC 2026 vendors announced AI agent identity frameworks but left dynamic scope creep, non-deterministic audit trails, and cross-agent context validation unresolved. Real-world deployments demonstrated practical limitations: Constella neobank case study showed behavioral-only anomaly detection defeated by infostealer-supplied sessions (41% fraud reduction required threat intelligence integration); DuckDuckGoose report documented 868,000 synthetic media variants monthly with identity verification systems unable to keep pace with generator velocity. Vendor ecosystem signal remained positive (Exabeam Agent Behavior Analytics GA, Microsoft Sentinel UEBA production scale), but scope expansion to non-human identities and AI agents exposed fundamental detection capability gaps alongside operational barriers. Signal balance: capability maturity advancing but architectural limitations intensifying as practice expands beyond human identity baselines.
  • 2026-Apr: Vendor platform advancement accelerated for both human and non-human identity anomaly detection. Microsoft Sentinel Entity Analyzer reached GA with AI-driven explainable identity/URL risk analysis; Ping Identity launched Identity for AI (GA) with Agent Detection providing runtime behavioral monitoring for autonomous agents. Exabeam extended Agent Behavior Analytics to Google Cloud ADK, achieving 1,100+ customer deployments with 50% investigation time reduction. Gartner IAM Summit 2026 established continuous context-aware behavioral monitoring for AI agents as foundational control. However, critical gaps emerged: SANS 2026 ITDR survey revealed detection-response gap (68% detect within 24h but only 55% contain), Cybersecurity Insiders survey showed 92% lack visibility into AI identities with 86% lacking formal policies, and ExtraHop documented architectural blind spot where IdP-based detection misses encrypted credential abuse. Cloud Security Alliance analysis argued NHI anomaly detection fundamentally misaligns with user-centric governance models: single compromised token cascades across systems differently than user compromise. Vendor consolidation continued with LogRhythm-Exabeam merger (January 2026) and Splunk ending UBA standalone product (December 2025, support ending December 2026).
  • 2026-May: Non-human identity spending surged with SpecterOps and Omdia survey (500+ security leaders) showing 75% increased identity security spending YoY and 35% reporting full attack path management implementation—while 92% still lack visibility into AI identities and 95% doubt containment capability. CrowdStrike reached GA for Falcon Identity Protection for Microsoft Entra ID and was named ITDR Leader by GigaOm and Company of the Year by Frost & Sullivan, validating cross-domain correlation (identity + endpoint + cloud + SaaS) as the standard detection architecture. The detection-governance gap sharpened on both technical and operational fronts: Panther analysis found 42% of teams deploy UEBA without tuning (producing behavioral baseline drift), Docker achieved 85% YoY false positive reduction through disciplined Okta/CloudTrail tuning (confirming that results require sustained engineering investment), and Orchid Security enterprise telemetry (Apr 2025–Mar 2026) documented 67% of non-human accounts created directly in applications and invisible to centralised IAM—structural governance gaps that behavioural anomaly detection cannot reach. Market consolidation accelerated with $25B Palo Alto/CyberArk, Okta/Axiom, and Delinea/StrongDM deals targeting unified identity anomaly detection and AI agent governance; Netwrix analysis identified mid-market adoption barriers persisting despite technology readiness: Entra ID coverage only reached GA in 2025, per-account pricing and tuning overhead constrain deployment, and detection tools remain SOC-focused while mid-market needs governance and compliance evidence. Lyrie data quantifying 600M identity attacks per day underscored the scale mismatch between detection maturity and threat volume.
  • 2026-Jun: Netwrix quantified the AI-identity expansion breach gap: organisations where AI expanded identities experienced a 43% breach rate versus 11% baseline, with 76% lacking visibility into non-human identities. CrowdStrike advanced ecosystem integration by shipping UEBA into Falcon Next-Gen SIEM with AI-driven behavioral context, and KuppingerCole confirmed CrowdStrike as ITDR Overall Leader across Detection, Investigation, Response, and Remediation dimensions—signalling practice standardisation. Microsoft published production-ready KQL detection rules for AI agent behavioral anomalies (credential injection T1098.001, impossible travel T1078.004) in Sentinel, and Google SecOps released an official UEBA adoption guide defining a dual-pillar methodology (statistical baselines + intelligence-driven rules). Sophos survey of 5,000 IT leaders found 14% unable to timely detect their most significant identity breaches, while Microsoft's own infrastructure analysis showed 38 million identity risk detections processed daily at hyperscale. The Meta AI Support Bot case study crystallised a structural detection blindspot: the HTS chatbot compromised to reset 20,225+ Instagram passwords generated no behavioral anomalies—authorised agents executing legitimate-looking actions are invisible to anomaly baselines, a failure mode Exabeam responded to by announcing Agent Behavior Verification (ABV) extending detection upstream to pre-deployment role alignment. Sekoia published five production UEBA case studies demonstrating detection advantage against valid-account attacks, MFA fatigue, and OAuth abuse where rule-based detection fails; Daylight AI documented a complementary structural limitation—UEBA's class imbalance problem (users represented by statistical mean rather than distribution) creates a simultaneously unresolvable false positive/false negative trade-off. Verizon DBIR (31,000+ incidents) confirmed credential abuse in 39% of breaches across the full attack chain, underscoring persistent demand at scale.

TOOLS