Subscribe to the Non-Human & AI Identity Journal

Why do tabletop exercises often fail to improve incident response?

They often fail because the scenario is too clean and the goal is to look prepared. When an exercise rewards smooth discussion, participants hide uncertainty and avoid surfacing weak ownership or broken recovery paths. Effective exercises should make it safe to identify problems, because the point is to learn what breaks before a real incident forces the answer.

Why This Matters for Security Teams

Tabletop exercises are supposed to expose decision gaps, unclear ownership, and recovery friction before a real incident does. Too often, though, they become polished discussions that reward confidence instead of truth. That is a problem because incident response depends on what people can do under pressure, not what they can describe in a conference room. ENISA’s ENISA Threat Landscape repeatedly shows that real attacks move fast and exploit ambiguity, while NHIMG research on 52 NHI Breaches Analysis shows how identity failures become operational failures when teams have not tested the messy parts of containment and recovery. In practice, many security teams discover their exercise was performative only after the first live incident exposes missing contacts, untested tooling, or a recovery path nobody actually owns.

How It Works in Practice

The exercises that improve incident response are the ones that force evidence, time pressure, and imperfect information. A useful tabletop should not just ask, “What would you do?” It should require participants to show who can isolate systems, revoke access, communicate decisions, and verify recovery in real time. The most effective facilitation style is structured but adversarial enough to surface hidden assumptions without turning the session into blame.

Current best practice is to anchor scenarios in the workflows that routinely fail: identity compromise, secret exposure, cloud control-plane abuse, supplier access, and ransomware with partial restoration. That means testing whether the right person can actually execute the playbook, whether escalation paths work outside business hours, and whether the team can distinguish containment from eradication. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now is useful here because many incident paths now involve non-human identities, secrets, and automation, not just endpoints and user accounts. When AI-driven or automated workloads are in scope, the exercise should also reflect how quickly an attacker can chain a leaked token into lateral movement, as highlighted in Anthropic’s first AI-orchestrated cyber espionage campaign report.

A strong tabletop usually includes a short list of concrete validation tasks:

  • Require live lookup of the incident commander, backups, and executive approvers.
  • Ask participants to name the exact systems or identities that would be disabled first.
  • Insert incomplete data so the team has to decide under uncertainty.
  • Test whether evidence collection and containment can happen at the same time.
  • Confirm that recovery owners know what “good” looks like before restoration begins.

These controls tend to break down when the exercise is overly scripted and the environment depends on undocumented tribal knowledge, because the team rehearses the narrative rather than the actual response.

Common Variations and Edge Cases

Tighter facilitation often increases discomfort and prep time, requiring organisations to balance psychological safety against the need for honest failure discovery. That tradeoff matters because some teams use the term “tabletop” to mean very different things: executive decision rehearsal, technical incident simulation, or compliance evidence gathering. Current guidance suggests those should not be conflated. A governance-focused session may be useful for leadership alignment, but it will not reveal whether log access, privilege revocation, or restoration sequencing actually works.

There is no universal standard for how adversarial a tabletop should be. For high-risk environments, best practice is evolving toward injects that mimic real attacker behaviour, including missed notifications, conflicting signals, and delayed approvals. For lower-risk teams, even a modest change can help: stop rewarding the fastest answer, and instead require proof that the answer is executable. NHIMG’s The 52 NHI breaches Report is a reminder that repeat compromise patterns usually reflect repeat control failures, not rare one-off events. The key exception is regulated crisis testing, where the exercise must also satisfy audit and board expectations; in those cases, document the learning goals separately so compliance does not suppress realism.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 RS.RP-1 Tabletops should validate whether response plans are actually executable.
NIST AI RMF AI RMF emphasizes governance, monitoring, and incident preparedness for AI-enabled systems.
OWASP Non-Human Identity Top 10 NHI-03 Tabletops should surface weaknesses in secret rotation and compromise handling.
CSA MAESTRO MAESTRO-IR Agentic and automated workflows require incident response drills that reflect runtime behavior.

Exercise runtime containment and rollback for autonomous workloads, not just user-facing systems.