TL;DR: AI is accelerating attack speed by 4x, identity weaknesses appeared in 89% of investigations, and 87% of attacks crossed multiple surfaces, according to Palo Alto Networks’ Unit 42 report based on its analysis of more than 750 incidents. The governance problem is no longer isolated controls but compound trust failure across human, machine, and agentic identities.
At a glance
What this is: Unit 42’s 2026 incident response report says AI, identity weakness, and multi-surface complexity are now the dominant breach accelerants.
Why it matters: IAM, NHI, and autonomous identity programmes all have to account for faster attacks, broader attack paths, and identity-led initial access.
By the numbers:
- Identity weaknesses were exploited in 89% of investigations.
- 87% of attacks involved multiple attack surfaces.
👉 Read Palo Alto Networks’ 2026 Unit 42 incident response report on AI and identity-driven breaches
Context
AI-assisted attack speed is compressing the window in which defenders can detect, triage, and contain credential abuse. At the same time, identity is becoming the main entry point into enterprise environments, which means conventional perimeter thinking no longer matches how breaches now unfold.
For IAM and NHI practitioners, the meaningful shift is not simply that attacks are faster. It is that identity weakness, SaaS tokens, browser sessions, and cloud access now operate as a connected attack surface, which pushes governance, detection, and response into the same operational lane.
Key questions
Q: How should security teams handle identity-led attacks across cloud, SaaS, and browsers?
A: Security teams should treat identity-led attacks as chained intrusions, not isolated login events. The priority is to correlate browser sessions, SaaS tokens, cloud permissions, and endpoint activity into one investigation path, then revoke the identities and delegated grants that connect those systems. Control ownership should follow the attack path, not the product boundary.
Q: Why do identity weaknesses create more breach risk than many technical vulnerabilities?
A: Identity weaknesses create breach risk because they often provide valid access rather than forcing an exploit. Once an attacker has a real credential, token, or session, they can move through trusted systems faster and with less noise. That is why identity compromise frequently outruns vulnerability-based defence in modern environments.
Q: What breaks when teams manage SaaS, cloud, and endpoint access separately?
A: What breaks is the defender’s view of the intrusion. Separate teams may each see a normal event, while the attacker is chaining those same events into a single path. That disconnect allows token reuse, session abuse, and cross-platform movement to continue until the damage is already done.
Q: How can organisations reduce the impact of AI-accelerated attack chains?
A: Organisations should pre-stage containment decisions so they can act at machine speed. That means having session revocation, account isolation, and delegated access removal ready before an incident unfolds, because human approval cycles are too slow when attacks can progress from access to exfiltration in minutes.
Technical breakdown
Identity-led initial access now beats traditional perimeter assumptions
The report says 65% of initial access comes from identity-based techniques such as social engineering and credential misuse, while vulnerabilities account for 22%. That matters because identity compromise is often cheaper and faster than exploit chaining, especially when credentials already exist across SaaS, cloud, and browser sessions. In practice, the attacker does not need to defeat every control boundary. They only need one valid identity path that still carries trust across systems.
Practical implication: review where identity trust is still broad, especially for browser sessions, SaaS tokens, and human-to-machine delegation.
Multi-surface attacks create chained identity exposure
Unit 42 reports that 87% of attacks span two or more attack surfaces, with activity tracked across as many as 10 fronts simultaneously. This is the core operational problem for identity security: access is no longer contained inside one system, one control owner, or one telemetry source. OAuth tokens, API keys, endpoint access, and cloud permissions can all become linked steps in the same intrusion path. Identity governance has to be read as attack-path governance, not just entitlement administration.
Practical implication: map identity dependencies across SaaS, cloud, endpoint, and browser control planes before relying on any single visibility source.
The browser has become an identity control point
The report says 48% of attacks involve the browser, which reflects how routine web sessions are being used to harvest credentials and bypass local protections. The browser now sits between users, SaaS, and unmanaged devices, so it has become both an authentication surface and a theft surface. For defenders, that means session protection, token handling, and exposure monitoring matter as much as endpoint policy. The browser is no longer just the place where work happens; it is often where identity is captured.
Practical implication: treat browser session security, token exposure, and unmanaged-device access as identity controls, not only endpoint concerns.
Threat narrative
Attacker objective: The attacker aims to turn one trusted identity foothold into rapid cross-environment access and data exfiltration before defenders can contain the intrusion.
- Entry begins with identity-based techniques such as credential misuse or social engineering, which account for most initial access in the report. Attackers use AI to increase the speed and reliability of those entry attempts.
- Escalation follows through abuse of OAuth tokens, API keys, browser sessions, and other trusted credentials that let the attacker move across cloud and SaaS surfaces without needing a vulnerability exploit.
- Impact occurs when the attacker chains multiple surfaces together, compressing the path from access to exfiltration to as little as 72 minutes in the fastest cases.
Breaches seen in the wild
- MongoBleed breach: MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity trust debt is now the real breach multiplier. When 89% of investigations involve identity weakness, the problem is not a missing point control but accumulated trust that outlives its original context. Credentials, browser sessions, and delegated access now persist as reusable breach paths across environments. Practitioners need to treat inherited trust as a governance liability, not an operational convenience.
Multi-surface attack paths expose the collapse of single-domain governance. The report’s 87% multi-surface figure shows that endpoint, cloud, SaaS, and identity cannot be governed as separate programs when attackers combine them in one intrusion. This is where traditional ownership models fail: each team sees a partial truth, while the attacker sees one continuous path. Practitioners should align control ownership to attack paths, not tool categories.
Browser-mediated identity is becoming a distinct control plane. With 48% of attacks involving the browser, the session itself has become a high-value identity object. That means visibility into authentication events alone is insufficient if the browser can still expose tokens, cookies, and delegated sessions. The implication is clear: treat browser session exposure as part of identity architecture, not just user experience.
AI has compressed the time available for human review, not the need for governance. The 4x acceleration in attack speed means manual response loops are now structurally late in many incidents. This does not make governance less important; it makes delayed governance less effective. Practitioners should assume that any control depending on long human review cycles will lose to machine-paced intrusion.
Unified identity governance is now a field requirement, not an architectural preference. The report points to human, machine, and agentic identities as part of the same defensive problem set. The named concept here is cross-surface identity drift: trust that moves from one environment to another faster than governance can reclassify it. That drift is what attackers exploit, so programmes must manage identity continuity across systems.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- That is why the governance conversation has to move beyond isolated identity events and toward lifecycle control, as described in Ultimate Guide to NHIs.
What this signals
Cross-surface identity drift: the next wave of governance work will focus on credentials, sessions, and delegated grants that move faster than ownership models can track. Programmes that still separate browser, SaaS, cloud, and endpoint identity control will keep losing the attack-path view.
The practical signal for IAM and NHI teams is that response timing now matters as much as entitlement scope. With 72% of organisations already reporting or suspecting NHI breaches according to our ESG report on non-human identities, the category is already operational, not theoretical.
Identity programmes should also expect tighter alignment with Zero Trust language and controls because AI-assisted attacks are compressing the available decision window. For the reader’s programme, that means proving session control, delegated access review, and cross-domain telemetry are working together before the next intrusion path forms.
For practitioners
- Map cross-surface identity paths: Trace how a single credential, token, or session can move from browser to SaaS to cloud to endpoint. Prioritise the paths that cross multiple control owners because those are the ones attackers can chain fastest.
- Tighten governance around delegated access: Review OAuth grants, API keys, and service tokens for standing trust that was created for convenience and never revisited. Focus on where delegated access still works after the original business need has changed.
- Treat browser sessions as identity assets: Monitor session lifetime, token exposure, and unmanaged-device access as part of IAM operations. Browser-level compromise is now a common route into cloud and SaaS environments, so it needs identity-centric telemetry.
- Align response playbooks to speed: Build containment paths that assume exfiltration can happen in under an hour in fast-moving cases. That means pre-approving the actions needed to revoke sessions, isolate accounts, and cut cross-surface access before escalation completes.
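The correlation described in the first key question (one investigation path across browser, SaaS, cloud, and endpoint) and the first and last practitioner items above, as an added example that is not code from the Unit 42 report or NHIMG. The surface-to-owner mapping, event shapes, and sample events are constructed assumptions.

```python
# Added example (not from the Unit 42 report or NHIMG): correlate telemetry
# from browser, SaaS, cloud and endpoint sources by identity, then surface the
# chains that cross control owners and how fast they reached exfiltration.
from collections import defaultdict
from datetime import datetime

# Hypothetical surface -> owning team mapping (an assumption for the example).
SURFACE_OWNER = {"browser": "endpoint-team", "endpoint": "endpoint-team",
                 "saas": "saas-team", "cloud": "cloud-team"}
EXFIL_ACTIONS = {"bulk_object_download", "mail_export"}

def ev(ts, identity, surface, action):
    return {"ts": datetime.fromisoformat(ts), "identity": identity,
            "surface": surface, "action": action}

# Constructed sample events; viewed per source, each looks like routine use.
SAMPLE = [
    ev("2026-02-17T09:00", "alice@corp.example", "browser", "session_cookie_issued"),
    ev("2026-02-17T09:12", "alice@corp.example", "saas", "oauth_grant_created"),
    ev("2026-02-17T09:40", "alice@corp.example", "cloud", "assume_role"),
    ev("2026-02-17T10:12", "alice@corp.example", "cloud", "bulk_object_download"),
    ev("2026-02-17T09:05", "svc-build", "cloud", "list_buckets"),
    ev("2026-02-17T09:30", "svc-build", "cloud", "get_object"),
]

def correlate(events, min_surfaces=2):
    """Group events by identity; return chains spanning >= min_surfaces surfaces,
    with the ordered path, the distinct control owners, and minutes to exfil."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["identity"]].append(e)
    chains = {}
    for ident, evs in by_id.items():
        evs.sort(key=lambda e: e["ts"])
        surfaces = [e["surface"] for e in evs]
        if len(set(surfaces)) < min_surfaces:
            continue  # single-surface activity: not a cross-surface chain
        exfil = next((e for e in evs if e["action"] in EXFIL_ACTIONS), None)
        minutes = (exfil["ts"] - evs[0]["ts"]).total_seconds() / 60 if exfil else None
        chains[ident] = {"path": surfaces,
                         "owners": sorted({SURFACE_OWNER[s] for s in surfaces}),
                         "minutes_to_exfil": minutes}
    return chains

def needs_prestaged_containment(chain, review_cycle_minutes=120):
    """True when the chain crossed owners and reached exfil inside one
    human review cycle, i.e. manual approval would have been too late."""
    m = chain["minutes_to_exfil"]
    return len(chain["owners"]) > 1 and m is not None and m <= review_cycle_minutes
```

Each owner's own log shows one ordinary event; only the per-identity join reveals the browser-to-SaaS-to-cloud path and the 72-minute access-to-exfiltration window.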
Key takeaways
- AI is not replacing breach fundamentals, but it is making identity-led attacks faster and harder to interrupt.
- The strongest evidence in the report is the convergence of identity weakness, multi-surface spread, and browser-based exposure.
- Practitioners should govern identity as an attack path across human, machine, and agentic access rather than as separate control silos.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity weakness and token abuse are central to the report’s breach patterns. |
| NIST CSF 2.0 | PR.AC-4 | The report highlights over-trusted identity paths across connected environments. |
| NIST Zero Trust (SP 800-207) | PR.AC | The report’s zero-trust recommendation maps to continuous verification across identity surfaces. |
Inventory and classify non-human identities so delegated trust and exposed credentials can be governed consistently.
Key terms
- Identity trust debt: Identity trust debt is the accumulation of access, delegation, and session trust that remains active after the original business need has changed. It matters because attackers often abuse old trust faster than teams can discover it, especially across cloud, SaaS, and browser-mediated access paths.
- Cross-surface identity drift: Cross-surface identity drift is the movement of identity trust across endpoints, browsers, SaaS, cloud, and service layers faster than governance can track ownership. It becomes dangerous when one valid credential or token can be reused to progress through multiple control domains without reauthorization.
- Browser-mediated identity: Browser-mediated identity is access that is established, maintained, or abused through the web session rather than only through a traditional login boundary. It matters because cookies, tokens, and session state can become attack assets, especially when unmanaged devices and SaaS applications are involved.
Deepen your knowledge
Identity-led breach response and cross-surface governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme around faster attacks and shared identity risk, it is worth exploring.
This post draws on content published by Palo Alto Networks: the Unit 42 2026 Global Incident Response Report. Read the original.
Published by the NHIMG editorial team on 2026-02-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org