By NHI Mgmt Group Editorial Team
Published 2026-06-16
Domain: Governance & Risk
Source: Delinea

TL;DR: The 2026 Verizon DBIR ties 31% of breaches to exploitation of known vulnerabilities, finds credential abuse somewhere in the attack chain of 39%, and attributes 48% of breaches to ransomware. The lesson is not that new threats replaced old ones, but that human, machine, and AI identities still fail in the same control gaps.


At a glance

What this is: Verizon’s 2026 DBIR analysis argues that familiar breach patterns still dominate, with vulnerability exploitation, credential abuse, ransomware, and third-party exposure remaining the core risk clusters.

Why it matters: IAM, PAM, NHI, and emerging AI identity programmes still have to control the same access paths attackers keep using; AI is not a separate security problem to be governed beside them.

👉 Read Delinea’s analysis of the 2026 Verizon DBIR and identity risk


Context

The 2026 Verizon DBIR reinforces a simple point: most successful attacks still begin with control failures that organisations already understand, including exposed vulnerabilities, stolen credentials, and weak third-party hygiene. For identity security teams, that means the problem is not lack of awareness, but inconsistent enforcement across human, machine, and AI identities.

In this context, AI does not replace the old breach classes. It expands the identity surface area, increases the number of credentials worth stealing, and makes poor governance easier to exploit. That puts IAM, PAM, NHI management, and Shadow AI oversight into the same operational frame rather than separate programmes.


Key questions

Q: How should security teams reduce breach risk when known vulnerabilities and credential abuse remain the main entry paths?

A: Start by treating exposure management and identity controls as one programme. Prioritise internet-facing assets, privileged systems, and partner-connected services first, then pair patching with strong MFA, secrets rotation, and privilege reduction. The goal is to remove the easiest paths attackers use to enter trusted environments, not just to increase the number of alerts you generate.

Q: Why do AI services create governance risk even when employees are just using them for productivity?

A: Because the security problem is usually account ownership and access provenance, not the model itself. If employees reach AI tools through non-corporate accounts or unmanaged credentials, governance teams lose visibility into who can access what, from where, and under which controls. That turns ordinary adoption into Shadow AI and weakens lifecycle oversight.

Q: What do organisations get wrong about credential abuse in modern breach patterns?

A: They often treat it as a phishing problem when it is really a trust problem. Once an attacker has valid credentials, the IAM stack may recognise the session as legitimate even if the activity is malicious. That is why lifecycle management, phishing-resistant authentication, and privileged access controls have to work together.

Q: Who is accountable when a third party’s weak cloud controls expose the enterprise?

A: Accountability stays with the enterprise that granted the relationship and the delegated access. Third-party gaps only become enterprise incidents because the access path was accepted, monitored, and left active. Security, procurement, and identity teams should share responsibility for partner MFA, scope, and offboarding rather than treating them as separate controls.


Technical breakdown

Known vulnerability exploitation still outruns patch discipline

Known vulnerability exploitation remains attractive because it scales: one unpatched edge device, internet-facing service, or third-party integration can provide entry without needing valid credentials. The DBIR’s shift back to vulnerability exploitation at the top of initial access reflects a long-standing truth in breach economics. Attackers prefer low-friction paths that bypass identity controls entirely when patching, exposure management, or compensating controls lag behind asset reality. For identity teams, this is a reminder that authentication strength does not matter if the entry point never reaches authentication.

Practical implication: tie vulnerability remediation to asset criticality and external exposure, not to generic patch queues.
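The triage rule above (criticality and external exposure first, not a generic patch queue) as an added, runnable illustration; this is not code from the page or from Delinea. The asset inventory and findings are constructed, the scoring weights and SLA bands are assumptions, and the finding identifiers are placeholders rather than CVEs. It also covers the practitioner advice later on this page to put identity providers, remote access gateways, and exposed admin interfaces in the same queue as internet-facing assets.

```python
"""Exposure-aware vulnerability triage: rank findings by the trust path they open,
not by CVSS alone. Added illustration; the inventory and findings below are
constructed, and every field, weight and threshold is an assumption."""
from dataclasses import dataclass

# Asset roles whose compromise yields trusted access without defeating authentication
# (identity providers, remote-access gateways, exposed admin planes). Hypothetical labels.
TRUST_PATH_ROLES = frozenset({"idp", "vpn_gateway", "admin_interface", "pam", "ci_runner"})


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    partner_connected: bool          # reachable from a third party's network or tenant
    roles: frozenset = frozenset()
    criticality: int = 1             # 1 (low) to 3 (high), assigned by the business


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str                  # placeholder; a real queue would carry the CVE
    cvss: float
    known_exploited: bool            # e.g. present in an exploited-vulnerabilities feed


def triage_score(asset: Asset, finding: Finding) -> float:
    """Higher means fix sooner. Exposure and trust-path weight can outrank raw CVSS."""
    score = finding.cvss
    if asset.internet_facing:
        score += 4.0                 # reachable without any foothold
    if asset.partner_connected:
        score += 2.0                 # a partner's gap becomes our entry point
    if asset.roles & TRUST_PATH_ROLES:
        score += 3.0                 # exploitation lands on identity-bearing infrastructure
    if finding.known_exploited:
        score += 3.0
    score += asset.criticality
    return round(score, 1)


def remediation_sla_days(score: float) -> int:
    """Illustrative SLA bands; tune to your own risk appetite."""
    if score >= 18.0:
        return 3
    if score >= 14.0:
        return 7
    if score >= 10.0:
        return 30
    return 90


def build_queue(assets: list[Asset], findings: list[Finding]) -> list[dict]:
    """Return findings ordered by triage score, each with its remediation SLA."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        asset = by_name[f.asset]
        score = triage_score(asset, f)
        rows.append({"asset": asset.name, "finding": f.finding_id, "cvss": f.cvss,
                     "score": score, "sla_days": remediation_sla_days(score)})
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed inventory: an exposed VPN edge, a partner-reachable SFTP host,
# an internal identity provider and an internal wiki.
SAMPLE_ASSETS = [
    Asset("vpn-edge-01", True, False, frozenset({"vpn_gateway"}), 3),
    Asset("partner-sftp", True, True, frozenset(), 2),
    Asset("idp-01", False, False, frozenset({"idp"}), 3),
    Asset("intranet-wiki", False, False, frozenset(), 1),
]
SAMPLE_FINDINGS = [
    Finding("vpn-edge-01", "F-1", 9.8, True),
    Finding("intranet-wiki", "F-2", 9.8, False),   # same CVSS as F-1, very different risk
    Finding("partner-sftp", "F-3", 7.5, False),
    Finding("idp-01", "F-4", 6.5, False),
]

if __name__ == "__main__":
    for row in build_queue(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{row['asset']:<14} {row['finding']:<4} cvss={row['cvss']:<4} "
              f"score={row['score']:<5} sla={row['sla_days']}d")
```

The point the ordering makes: the internal wiki carries the same 9.8 CVSS as the VPN edge but ends up last, behind a medium-severity finding on the identity provider, because nothing about it opens a path to trusted access. A plain CVSS sort would have fixed the wiki before the IdP.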

Credential abuse remains the identity control failure mode

Credential abuse persists because valid access is still the easiest route into enterprise environments. Once credentials are obtained through phishing, pretexting, reuse, or purchase, attackers inherit the trust that IAM systems are designed to grant. This is why the authentication and authorisation layers matter so much: the attacker is not defeating identity, they are using it as intended. The fact that credential abuse still appears in 39% of breaches shows that access governance, not just perimeter detection, remains central to breach reduction across humans, service accounts, and AI-linked identities.

Practical implication: prioritise strong credential lifecycle controls, phishing-resistant MFA, and privilege reduction for all identity classes.
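A credential lifecycle audit of the kind the paragraph calls for, as an added example (not code from the page, Delinea, or any product). It checks one constructed inventory spanning human, service, AI-agent and partner identities for the three ways access outlives its justification: the owner or contract is gone, rotation is overdue, or the credential is never used. The field names, policy values and action labels are assumptions. It also serves the practitioner items later on this page about credentials that outlive the owner relationship and about partner offboarding evidence.

```python
"""Credential lifecycle audit across identity classes: find credentials that have
outlived their owner, their rotation window or their use. Added illustration; the
inventory is constructed and the field names, policy values and action labels are
assumptions, not any product's schema."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2026, 6, 16)        # fixed audit date so the run is deterministic
DORMANT_AFTER_DAYS = 60          # unused for this long -> candidate for revocation


@dataclass(frozen=True)
class Credential:
    cred_id: str
    identity_class: str          # "human" | "service" | "ai_agent" | "partner"
    kind: str                    # "password" | "api_key" | "token" | "certificate"
    owner: Optional[str]         # accountable person, team or partner contract
    owner_active: bool           # False once the owner has left or the contract ended
    last_rotated: date
    last_used: Optional[date]    # None = never observed in use
    max_age_days: int            # rotation policy for this class and kind
    privileged: bool = False


def audit_credential(c: Credential, as_of: date = AS_OF) -> list[str]:
    """Return the lifecycle issues found for one credential (empty list = clean)."""
    issues = []
    if c.owner is None:
        issues.append("NO_OWNER")
    elif not c.owner_active:
        issues.append("ORPHANED_OWNER")          # access outlived the relationship
    if (as_of - c.last_rotated).days > c.max_age_days:
        issues.append("ROTATION_OVERDUE")
    if c.last_used is None or (as_of - c.last_used).days > DORMANT_AFTER_DAYS:
        issues.append("DORMANT")
    return issues


def recommended_action(issues: list[str], privileged: bool) -> str:
    """Map issues to one action; ownership and disuse outrank a missed rotation."""
    if not issues:
        return "OK"
    if "ORPHANED_OWNER" in issues or "DORMANT" in issues:
        return "REVOKE_NOW" if privileged else "REVOKE"
    if "NO_OWNER" in issues:
        return "ASSIGN_OWNER_OR_REVOKE"
    return "ROTATE"


def audit_inventory(creds: list[Credential], as_of: date = AS_OF) -> list[dict]:
    """Audit every credential and return the report, most urgent first."""
    order = {"REVOKE_NOW": 0, "REVOKE": 1, "ASSIGN_OWNER_OR_REVOKE": 2, "ROTATE": 3, "OK": 4}
    report = []
    for c in creds:
        issues = audit_credential(c, as_of)
        report.append({"cred_id": c.cred_id, "class": c.identity_class,
                       "issues": issues, "action": recommended_action(issues, c.privileged)})
    report.sort(key=lambda r: (order[r["action"]], r["cred_id"]))
    return report


# Constructed inventory: a privileged service key whose owner has left, a partner
# login whose contract ended, an ownerless AI-agent token never seen in use, and
# a healthy human password.
SAMPLE_INVENTORY = [
    Credential("svc-backup-key", "service", "api_key", "jdoe", False,
               date(2025, 1, 10), date(2026, 6, 10), 90, privileged=True),
    Credential("partner-acme-sso", "partner", "password", "acme-contract-2024", False,
               date(2026, 3, 1), date(2026, 5, 20), 180),
    Credential("ai-helpdesk-agent-token", "ai_agent", "token", None, True,
               date(2026, 2, 1), None, 30),
    Credential("alice-password", "human", "password", "alice", True,
               date(2026, 5, 1), date(2026, 6, 15), 365),
]

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY):
        print(f"{row['action']:<24} {row['cred_id']:<26} {','.join(row['issues']) or '-'}")
```

Note that the backup key is still in daily use and would pass a "is it active?" check; it is flagged because the person accountable for it is gone, which is exactly the kind of still-valid, still-trusted credential the DBIR's credential-abuse figure describes.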

Shadow AI turns ordinary login sprawl into governance debt

The DBIR’s AI usage figures point to a familiar governance pattern: new tools are being accessed through old identity habits, often from unmanaged accounts and non-corporate channels. That creates a Shadow AI problem that is really an identity problem, because the issue is not only model usage but who can reach it, from where, and under what assurance level. As AI identities join human and machine identities in the attack surface, the control question becomes whether organisations can distinguish sanctioned access from accidental exposure before misuse turns into incident response.

Practical implication: inventory AI service access separately from user adoption metrics and enforce account-level governance for sanctioned tools.
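The distinction the paragraph draws (sanctioned access versus accidental exposure, decided by account and device rather than by model) as an added detection example; this is not code from the page or from Delinea. It runs over a constructed proxy/CASB-style export with hypothetical AI hostnames and a hypothetical "account" column holding the identity the service session was authenticated with, and separates sanctioned use, approved tools reached through non-corporate accounts on managed devices, unapproved services, and unattributed access. It also covers the practitioner item later on this page about inventorying which accounts and devices reach which AI services.

```python
"""Separate sanctioned AI use from Shadow AI in access logs: the question is not
which model was used but which account reached it, from which device. Added
illustration; the log lines, hostnames and account column are constructed
(a real feed would come from a proxy, CASB or identity provider)."""
import csv
from io import StringIO
from typing import Optional

CORPORATE_DOMAINS = {"corp.example"}
# Hypothetical AI service hostnames; a real deployment maintains this as a catalogue.
AI_SERVICE_HOSTS = {"chat.ai-alpha.example", "api.ai-alpha.example",
                    "assistant.ai-beta.example", "agent.ai-gamma.example"}
SANCTIONED_AI_HOSTS = {"chat.ai-alpha.example", "api.ai-alpha.example"}

# Constructed export: "account" is the identity the service session was
# authenticated with, "-" when the proxy could not attribute it.
SAMPLE_LOG = """ts,device,managed,user,dst_host,account
2026-06-15T09:01:02Z,LT-0142,true,alice,chat.ai-alpha.example,alice@corp.example
2026-06-15T09:05:44Z,LT-0142,true,alice,assistant.ai-beta.example,alice.personal@mail.example
2026-06-15T10:12:09Z,LT-0377,true,bob,chat.ai-alpha.example,bob.home@mail.example
2026-06-15T11:40:31Z,LT-0377,true,bob,docs.corp.example,bob@corp.example
2026-06-15T12:03:55Z,LT-0901,true,carol,agent.ai-gamma.example,-
2026-06-15T13:22:17Z,BYOD-77,false,dave,chat.ai-alpha.example,dave@corp.example
"""


def account_domain(account: str) -> Optional[str]:
    """Domain of the authenticated account, or None when the access is unattributed."""
    if "@" not in account:
        return None
    return account.rsplit("@", 1)[1].lower()


def classify(row: dict) -> Optional[str]:
    """Verdict for one log row, or None when the destination is not an AI service."""
    host = row["dst_host"].lower()
    if host not in AI_SERVICE_HOSTS:
        return None
    managed = row["managed"].lower() == "true"
    domain = account_domain(row["account"])
    if host not in SANCTIONED_AI_HOSTS:
        return "UNAPPROVED_SERVICE"          # no owner, no review, no revocation path
    if domain is None:
        return "UNATTRIBUTED_ACCESS"         # nobody can say whose access this is
    if domain not in CORPORATE_DOMAINS:
        return "NON_CORPORATE_ACCOUNT"       # approved tool, login we cannot revoke
    if not managed:
        return "UNMANAGED_DEVICE"            # corporate login from an ungoverned device
    return "SANCTIONED"


def analyze(log_text: str) -> tuple[list[dict], dict]:
    """Return per-row findings (AI destinations only) and a governance summary."""
    findings = []
    ai_users: set[str] = set()
    non_corporate_on_managed: set[str] = set()
    for row in csv.DictReader(StringIO(log_text)):
        verdict = classify(row)
        if verdict is None:
            continue
        ai_users.add(row["user"])
        domain = account_domain(row["account"])
        if row["managed"].lower() == "true" and domain is not None \
                and domain not in CORPORATE_DOMAINS:
            non_corporate_on_managed.add(row["user"])
        findings.append({"user": row["user"], "device": row["device"], "host": row["dst_host"],
                         "account": row["account"], "verdict": verdict})
    share = len(non_corporate_on_managed) / len(ai_users) if ai_users else 0.0
    summary = {"ai_users": len(ai_users),
               "non_corporate_account_users": len(non_corporate_on_managed),
               "share_non_corporate": round(share, 2),
               "needs_action": sum(f["verdict"] != "SANCTIONED" for f in findings)}
    return findings, summary


if __name__ == "__main__":
    rows, stats = analyze(SAMPLE_LOG)
    for f in rows:
        print(f"{f['verdict']:<22} {f['user']:<6} {f['device']:<8} {f['host']:<28} {f['account']}")
    print(stats)
```

The summary's share of AI users who reached a service through a non-corporate account on a managed device is the same metric the DBIR usage figure on this page expresses; tracked over time, it tells you whether approval, ownership and revocation are actually being tied to identity records or only written into policy.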


Threat narrative

Attacker objective: The attacker’s objective is to gain trusted access quickly enough to exploit systems, abuse identities, and deliver ransomware or exfiltration with minimal resistance.

  1. Entry occurs through exploitation of known vulnerabilities, with the 2026 DBIR placing this path ahead of credential abuse as the leading initial access vector.
  2. Escalation often follows once attackers obtain valid credentials through phishing or pretexting, then reuse them to move through trusted identity channels.
  3. Impact includes ransomware, data theft, and third-party compromise, with the report showing that these older attack classes continue to drive breach outcomes.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity security is still being lost at the point of trust, not the point of detection. The 2026 DBIR shows that attackers keep using the same few access paths because those paths still work against inconsistent controls. That is a programme failure, not a tooling mystery, and it spans human, machine, and emerging AI identities. Practitioners should treat access trust as the breach boundary, not the alert queue.

Shadow AI is an identity governance problem before it is an AI governance problem. If employees are accessing AI services through non-corporate accounts on corporate devices, the core issue is who owns the account, who can revoke it, and whether the access is visible to governance teams. That links IAM, NHI oversight, and acceptable use into one operational control plane. The implication is that AI adoption cannot be governed through policy statements alone.

Credential abuse remains the clearest signal that authentication is not the same as authorisation. Attackers do not need to defeat controls when valid credentials already carry trust into sensitive systems. This is why PAM, lifecycle governance, and phishing-resistant authentication have to be evaluated together rather than as separate projects. The practical conclusion is that identity programmes should measure how often trusted access becomes unauthorised use.

Third-party risk is still identity risk in a different trust domain. The DBIR’s third-party findings show that a gap in a partner’s cloud posture becomes a gap in the enterprise’s own control boundary. That means vendor access, cloud MFA, and offboarding discipline belong in the same review cycle. Practitioners should stop treating third parties as adjacent risk and start treating them as delegated identity exposure.

Fundamentals now include AI identities, not just human and workload identities. The report’s message is not that AI replaces established breach patterns, but that it inherits them. The governance model that already struggles with service account sprawl will struggle again if AI identities are allowed to proliferate without ownership, scope, and lifecycle discipline. The conclusion is straightforward: extend existing identity governance before the new identity class becomes another old problem.

What this signals

Identity blast radius: once trust is granted to a human, machine, or AI-linked identity, misuse can travel far beyond the original login event. The programme response is to shrink standing access, not to assume detection will catch the issue after the fact.

With 67% of users accessing AI services from non-corporate accounts on corporate devices, the governance gap is already visible in day-to-day usage patterns. Security teams should expect AI adoption to expand shadow access unless they tie approval, ownership, and revocation to identity records.

The next phase of identity security will be measured by how well organisations can connect vulnerability exposure, credential lifecycle, and third-party access in one review cycle. That is where operational risk turns into repeatable breach reduction.


For practitioners

  • Rebuild vulnerability prioritisation around exposure and trust paths. Map internet-facing and partner-connected assets to business criticality, then remediate the vulnerabilities that open direct access to identity-bearing systems first. Include identity providers, remote access gateways, and exposed admin interfaces in the same queue.
  • Tighten credential lifecycle controls across all identity classes. Review how secrets, passwords, tokens, and certificates are issued, rotated, and revoked for humans, service accounts, and AI-linked access. Focus on places where credentials outlive the use case or the owner relationship.
  • Separate sanctioned AI usage from unmanaged Shadow AI. Inventory which AI services are approved, which accounts can access them, and which devices are using non-corporate logins. Require governance ownership for each approved service so access can be reviewed and removed.
  • Fold third-party identity posture into access reviews. Add partner MFA status, cloud access scope, and offboarding evidence to vendor risk reviews. A third party with weak identity controls should be treated as a direct extension of your own exposure.
  • Test PAM and phishing resistance together. Validate whether privileged workflows still depend on reusable credentials or weak second factors. Prioritise phishing-resistant authentication for elevated access and make sure privileged sessions are time-bound and attributable.

Key takeaways

  • The 2026 DBIR shows that old breach classes still dominate because the underlying identity and exposure controls remain inconsistent.
  • Credential abuse, vulnerable systems, ransomware, and third-party gaps continue to produce breaches because attackers still prefer the easiest trusted path.
  • AI adoption now belongs inside identity governance programmes, not beside them, because unmanaged AI access behaves like any other identity trust problem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 (identities and credentials managed), PR.AA-05 (access permissions and least privilege) | Credential abuse and third-party trust both map to identity management and access control governance.
NIST Zero Trust Architecture (SP 800-207) | Section 2.1 tenets: per-session, policy-driven access with continuous verification | The article centres on trusted access paths and continuous verification gaps.
OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI3 (Vulnerable Third-Party NHI), NHI7 (Long-Lived Secrets) | Offboarding, third-party NHI, and secret lifecycle weaknesses are central to the breach patterns discussed.

Control to implement: inventory, rotate, and revoke secrets on a defined lifecycle, with ownership assigned for every non-human identity.


Key terms

  • Credential abuse: Credential abuse is the use of valid usernames, passwords, tokens, or remote access accounts by an attacker to gain trusted access. In identity programmes, it is dangerous because the session often looks legitimate to controls unless privilege, provenance, and behaviour are checked together.
  • Shadow AI: Shadow AI is the use of AI services or agents that are not fully known, approved, or governed by the organisation. The risk is not only unsanctioned tool usage, but also unmanaged accounts, unclear ownership, and missing revocation paths that leave access outside normal identity control.
  • Third-party identity exposure: Third-party identity exposure is the risk created when vendors, contractors, or partners hold access that is not governed to the same standard as internal accounts. It becomes a direct enterprise issue when external credentials, MFA gaps, or incomplete offboarding can be used as an entry path into internal systems.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: 2026 Verizon DBIR: Why cybersecurity fundamentals still matter. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org