By NHI Mgmt Group Editorial Team | Published 2026-06-11 | Domain: General NHI | Source: 1Password

TL;DR: The 2026 Verizon DBIR analyzes more than 31,000 incidents and 22,000 confirmed breaches, with vulnerability exploitation now the leading initial access vector, third-party breaches at 48% of incidents, and credential abuse still present in 39% of breaches across the full attack chain, according to Verizon. Basic control discipline still determines whether attackers can turn one weak login into broad compromise.


At a glance

What this is: The 2026 DBIR says breach patterns still hinge on basic control failures, with exploitation, third-party access, and credential abuse doing most of the damage.

Why it matters: IAM teams should read this as a reminder that identity controls, patching, and third-party governance remain the fastest ways to shrink breach blast radius across human, NHI, and AI-adjacent access paths.

By the numbers:

  • More than 31,000 incidents and 22,000 confirmed breaches analysed
  • Vulnerability exploitation is the leading initial access vector
  • Third-party breaches account for 48% of incidents
  • Credential abuse is present in 39% of breaches

👉 Read 1Password's analysis of the 2026 Verizon DBIR and identity risk


Context

The 2026 Verizon DBIR reinforces a familiar but uncomfortable point: most breaches still succeed because baseline controls are unevenly applied. In practice, that means patch latency, credential reuse, weak third-party access, and poor account governance remain enough to turn routine exposure into broad compromise, especially where human access and machine access overlap.

For identity and access teams, the message is broader than password hygiene. The report ties breach outcomes to how organisations govern authentication, authorization, third-party access, and service or machine accounts, which makes it directly relevant to human IAM, NHI governance, and the access controls that will be tested as AI usage expands.


Key questions

Q: What should security teams do when vulnerability exploitation becomes the main breach entry point?

A: They should treat remediation speed as an access-control priority, not only an infrastructure metric. The practical response is to inventory internet-facing systems, rank them by exploitability, and shorten the time between disclosure, validation, and patching. Where patching cannot happen quickly, teams need compensating controls that reduce exposure until the asset is fixed.

Q: Why do third-party identities create so much breach risk?

A: Third-party identities expand the trust boundary beyond what most organisations can fully control. When vendor accounts lack MFA, rotation, or scoped permissions, attackers can move through trusted access paths instead of fighting internal controls. That is why third-party lifecycle governance matters as much as internal identity governance.

Q: How do service and machine accounts complicate future AI governance?

A: They already have the characteristics that make AI-era abuse easier: persistent permissions, embedded secrets, and weak attribution. If organisations cannot owner-map, scope, and revoke those identities today, they will struggle to govern AI-driven access later. The problem is not only volume, but the absence of control boundaries.

Q: What frameworks should teams use to tighten breach-resistant identity controls?

A: Teams should map this problem to NIST Cybersecurity Framework access governance, Zero Trust principles, and NHI-specific controls for credentials, rotation, and lifecycle oversight. For machine and service identities, the core objective is to reduce standing access and make every account attributable, reviewable, and revocable.


Technical breakdown

Vulnerability exploitation now outruns classic credential abuse

The DBIR’s main operational shift is that vulnerability exploitation has become the dominant initial access vector. That means attackers are increasingly entering through exposed, unpatched, or slowly remediated systems before identity controls even come into play. The report’s remediation figures show why this matters: if critical vulnerabilities linger for weeks, attackers do not need sophisticated identity bypasses to get a foothold. Once inside, they can pivot to credentials, session tokens, and third-party trust paths. In identity terms, patch management has become an upstream access-control issue, not just an infrastructure task.

Practical implication: shorten remediation cycles for internet-facing systems before attackers can use them as the first identity failure point.

Third-party access is an identity boundary, not a procurement detail

The DBIR’s third-party findings show that many organisations still treat vendor access as secondary to internal access governance. The report points to missing MFA, weak passwords, poor credential rotation, and excessive permissions in cloud and SaaS environments. That combination creates a persistent identity boundary problem: the organisation no longer fully controls the account lifecycle, yet it still bears the breach impact. OAuth-connected apps, dormant integrations, and unmanaged service accounts all widen the same attack surface. In practical terms, third-party identity must be governed as if it were part of the core estate.

Practical implication: inventory third-party identities and enforce lifecycle, rotation, and authorization controls on the same cadence as internal accounts.

Service and machine accounts are becoming the pressure point for AI-era access

The report’s warning about service and machine accounts is especially relevant for teams planning for agentic AI. These identities often have standing permissions, embedded secrets, and limited attribution, which makes them attractive for abuse once attackers or automated systems reach them. The key issue is not only whether the credential exists, but whether the organisation can bound its use, observe it, and revoke it quickly enough. As AI systems and automation expand, the old assumption that machine access is static and well understood becomes less reliable.

Practical implication: map service and machine accounts to owners, scopes, and revocation paths before AI-driven access sprawl makes them harder to govern.


Threat narrative

Attacker objective: Turn a single weak entry point into broader access that supports data theft, ransomware, or company-wide disruption.

  1. Entry begins when attackers exploit an exposed or unpatched system, which the DBIR identifies as the leading initial access pattern. That gives them a foothold without first defeating identity controls.
  2. Escalation follows when they move from the initial vulnerability to credential abuse, third-party access, or over-permissioned accounts that expand the blast radius beyond the original system.
  3. Impact occurs when attackers use that access to encrypt data, exfiltrate information, or persist across business systems through weak identity and authorization boundaries.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Control foundations still fail before advanced attacks begin: The DBIR is less a warning about novelty than a reminder that identity programmes still lose on basics. If patching, credential rotation, and third-party access are weak, attackers do not need exotic tactics to achieve breach outcomes. The field should stop treating basic hygiene as maturity theater and instead recognise it as the control layer that prevents downstream identity compromise.

Third-party access without lifecycle discipline is now a core breach pattern: Vendor, contractor, and SaaS access has become part of the identity perimeter whether organisations admit it or not. The DBIR’s focus on missing MFA, poor rotation, and excessive permissions shows that the real governance gap is not merely visibility, but lifecycle control over identities the organisation does not fully own. Practitioners should treat offboarding and entitlement review as breach containment controls, not administrative cleanup.

Machine accounts are the bridge between today’s NHI risk and tomorrow’s agentic risk: The report’s note on service and machine accounts is a signal that NHI governance is becoming strategic, not optional. These identities already carry persistent permissions and weak attribution, and they will be the easiest way to convert AI-driven automation into abuse if governance stays static. Teams should align identity governance now before AI adoption turns existing machine-account weakness into a larger operational exposure.

Shadow AI and unmanaged access are converging on the same control failure: When users access external AI services with non-corporate accounts, organisations lose visibility into both the data path and the identity path. That is not just a data security issue. It is an identity governance failure where access, attribution, and policy enforcement all break at once. Practitioners should view AI usage governance as part of the same control fabric as SaaS and endpoint identity oversight.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, leaving a large share of delegated access partially or completely unseen.
  • That visibility gap is why teams should pair identity review with 52 NHI Breaches Analysis when they need to understand how unmanaged access turns into real incidents.

What this signals

Identity programmes are being judged on whether they can govern access boundaries, not just authenticate users. The DBIR’s third-party and machine-account findings show that the next control failure is usually a lifecycle failure: who owns the access, who can revoke it, and whether the account still matches the relationship that created it. Teams that cannot answer those questions quickly will keep absorbing breach risk through trusted access paths.

Service accounts and AI access should now be reviewed in the same operating rhythm. The report’s warning about machine accounts is a signal that identity governance for automation is no longer separate from enterprise IAM. The practical shift is to put machine identities, SaaS integrations, and shadow AI usage into one governance inventory so reviewers see the full attack surface instead of isolated tools.

Access sprawl is becoming a board-relevant control issue, not a technical footnote. Once third-party access, dormant accounts, and unmanaged AI tools all sit outside a clear ownership model, breach containment gets harder and attribution becomes weaker. The control question is no longer whether the organisation has identity tooling. It is whether the tooling is tied to enforceable accountability across every non-human access path.


For practitioners

  • Rebuild remediation priority around exploitable exposure: Review internet-facing assets first, then rank them by exploitability and business impact rather than by patch queue order. The report’s remediation gap means the highest-risk systems are the ones likely to be reached first.
  • Treat third-party identities as governed production access: Inventory vendor, contractor, OAuth, and SaaS-linked accounts with the same ownership, rotation, and recertification standards you apply internally. Remove dormant access and document who can revoke it quickly.
  • Map service and machine accounts to explicit owners: Assign a human owner, business purpose, credential source, and revocation path to every service or machine account. If an identity cannot be attributed and retired quickly, it is already outside governance.
  • Add AI usage to access governance reviews: Inventory non-corporate AI access on corporate devices and decide which AI tools require approved accounts, managed secrets, or blocked data types. Treat unmanaged AI access as an identity control issue, not only a data policy issue.
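One way to operationalise the review criteria in the list above (owner, purpose, credential source, revocation path, rotation, dormancy, third-party MFA) is a governance-gap check over an identity inventory. This is an added example, not code from the NHI Mgmt Group post or from 1Password; the record fields, the 90-day rotation and 60-day dormancy thresholds, and the sample inventory are assumptions constructed for illustration.

```python
"""Governance-gap check over a constructed NHI inventory (added example)."""
from datetime import date

ROTATION_MAX_DAYS = 90     # assumed credential rotation policy
DORMANT_AFTER_DAYS = 60    # assumed threshold for "dormant access"
EMBEDDED_SOURCES = {"config file", "source code"}  # assumed unmanaged secret stores
TODAY = date(2026, 6, 11)  # fixed so the example is deterministic

# Constructed sample inventory; these are not real accounts.
INVENTORY = [
    {"id": "svc-billing-batch", "kind": "machine", "owner": "finance-platform",
     "purpose": "nightly invoice export", "credential_source": "vault",
     "revocation_path": "vault lease revoke", "rotated": date(2026, 5, 20),
     "last_used": date(2026, 6, 10), "mfa": None},
    {"id": "oauth-vendor-crm", "kind": "third_party", "owner": None,
     "purpose": "CRM sync", "credential_source": "oauth-token",
     "revocation_path": None, "rotated": date(2025, 11, 1),
     "last_used": date(2026, 2, 3), "mfa": False},
    {"id": "svc-legacy-etl", "kind": "machine", "owner": "data-eng",
     "purpose": None, "credential_source": "config file",
     "revocation_path": "rotate in vault", "rotated": date(2026, 1, 5),
     "last_used": date(2026, 6, 9), "mfa": None},
]


def governance_gaps(record, today=TODAY):
    """Return the governance findings for one identity record (empty = governed)."""
    gaps = []
    # Attribution: every identity needs an owner, a purpose, a known credential
    # source and a documented way to revoke it.
    for field in ("owner", "purpose", "credential_source", "revocation_path"):
        if not record.get(field):
            gaps.append(f"missing {field}")
    if record.get("credential_source") in EMBEDDED_SOURCES:
        gaps.append(f"embedded secret in {record['credential_source']}")
    # Lifecycle: stale credentials and unused standing access widen blast radius.
    if (today - record["rotated"]).days > ROTATION_MAX_DAYS:
        gaps.append("credential overdue for rotation")
    if (today - record["last_used"]).days > DORMANT_AFTER_DAYS:
        gaps.append("dormant access")
    # Third-party access paths must not rely on password-only authentication.
    if record["kind"] == "third_party" and record.get("mfa") is False:
        gaps.append("third-party access without MFA")
    return gaps


def review(inventory, today=TODAY):
    """Map identity id -> findings, listing only identities that are outside governance."""
    return {r["id"]: g for r in inventory if (g := governance_gaps(r, today))}


if __name__ == "__main__":
    for ident, findings in review(INVENTORY).items():
        print(ident, "->", "; ".join(findings))
```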

Key takeaways

  • The 2026 DBIR shows that basic failures still dominate breach entry, which keeps patching, credential hygiene, and third-party control at the centre of security strategy.
  • The scale of the problem is clear in the data: vulnerability exploitation leads initial access, third-party breaches are up, and credential abuse remains embedded across the full attack chain.
  • Teams that want measurable risk reduction should focus on lifecycle control for vendor access, service accounts, and AI-linked identities before attackers turn them into breach multipliers.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Access governance and identity ownership are central to the DBIR findings.
NIST Zero Trust (SP 800-207) | SP 800-207 | The report emphasises shrinking trust in third-party and service access paths.
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and service-account governance are directly implicated by the report.

Apply Zero Trust principles to vendor, SaaS, and machine identities with continuous verification and least privilege.


Key terms

  • Non-human identity: A non-human identity is any credentialed account or token used by software, workloads, or automation rather than a person. In practice, this includes service accounts, API keys, certificates, OAuth tokens, and AI-driven access paths that still need ownership, scope, and lifecycle control.
  • Standing privilege: Standing privilege is persistent access that remains active until someone removes it. For NHI governance, it is a common source of breach blast radius because machine and vendor identities often retain permissions long after the original use case has changed.
  • Third-party identity: A third-party identity is any external account, token, or delegated access path used by a vendor, contractor, or SaaS integration. These identities matter because the organisation depends on them operationally, but often lacks full control over their authentication, rotation, and offboarding.
  • Machine account: A machine account is an identity used by applications, services, scripts, or infrastructure components to access resources automatically. These identities need explicit ownership and revocation paths because they frequently carry secrets and permissions without the visibility applied to human users.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: analysis of the 2026 Verizon DBIR and what it means for credential and access governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org