TL;DR: January’s identity-driven attacks showed that valid credentials, OAuth tokens, and service accounts are now the preferred route into production systems. Of the 1,870 CVEs disclosed during the month, 360 were identity-related, and those carried a disproportionate blast radius, according to Delinea Labs. Access control, visibility, and lifecycle governance now determine how fast misuse is contained.
At a glance
What this is: This is Delinea Labs’ February 2026 threat outlook, showing that credential misuse through valid identities, tokens, and service accounts is now a routine attack path.
Why it matters: It matters because IAM, PAM, and NHI programmes now have to detect and contain authenticated abuse faster than traditional perimeter and endpoint controls can react.
By the numbers:
- Of the 1,870 CVEs disclosed industry-wide in January, 360 were identity-related.
👉 Read Delinea's February 2026 outlook on credential misuse at scale
Context
Credential misuse is now a more reliable path into production environments than many traditional exploit chains. When attackers can authenticate with valid credentials, OAuth tokens, or service accounts, the security problem shifts from perimeter defence to identity containment across NHI, IAM, and privileged access estates.
Delinea’s outlook argues that January’s incidents were routine rather than novel, which is the real warning sign. The issue is not a single technique but the growing normality of authenticated abuse across automation platforms, SaaS integrations, and ransomware intrusions, where initial access already looks legitimate to many controls.
Key questions
Q: What breaks when service accounts and tokens are treated as low-risk identities?
A: Detection and containment fail because attackers can use valid credentials to look like normal system activity. Service accounts, OAuth tokens, and embedded secrets often bypass interactive checks, so compromise can spread through SaaS, cloud, and automation paths before anyone notices. The result is a large blast radius from what initially appears to be legitimate access.
Q: Why do non-human identities complicate identity security programmes?
A: Non-human identities complicate security because they authenticate without the human signals many controls rely on, such as MFA prompts, user behaviour baselines, and step-up session challenges. They also tend to be over-connected across applications, which makes stolen or misused credentials easier to reuse later. That creates delayed impact rather than immediate visible compromise.
Q: How should teams govern automation platforms that hold secrets and tokens?
A: Treat them as privileged identity surfaces. Inventory every connector, workflow, and community node that can read or distribute secrets, then limit scope to the smallest set of systems needed. Revoke unused integrations quickly and monitor for cross-platform pivots, because automation can become an identity broker when access is not tightly bounded.
Q: Who is accountable when credential misuse is discovered after the initial compromise?
A: Accountability usually spans identity, platform, and application owners because the failure is often in trust boundaries, token handling, and lifecycle governance rather than one control alone. IAM and PAM teams must own scope and revocation, platform teams must secure connectors, and security operations must detect authenticated abuse early.
Technical breakdown
Why valid credentials are now the preferred entry path
Attackers increasingly avoid endpoint exploitation and instead use already-authorised identity artefacts. OAuth tokens, service accounts, and embedded secrets let them appear as legitimate traffic while moving through SaaS and cloud environments. That changes the control problem: detection now depends on identity context, token provenance, and behavioural anomaly rather than malware signatures or exploit telemetry. Automated workflows make this harder because they can move access across multiple systems without a human session to inspect. In practice, the identity layer becomes the first and most important line of containment, not just the login gate.
Practical implication: build detections around token use, service account behaviour, and cross-system identity movement, not only login failures.
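To make the practical implication above concrete, here is an added example written for this summary (it is not code from Delinea's outlook or from any product). It runs two of the detections named here over a handful of constructed audit events: a token presented from a new network origin within a short window, and a service account reaching a system outside its baseline. The field names, the 30-minute window, the baseline map and the sample events are all assumptions; map them onto your IdP or SaaS audit log schema and derive the baseline from clean telemetry or the account's declared scope.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry). Field names are an assumption.
EVENTS = [
    {"ts": "2026-01-12T09:00:00Z", "principal": "svc-ci-deploy", "kind": "service_account",
     "token": "tok-a1", "src_ip": "10.0.4.7", "target": "github", "action": "repo.read"},
    {"ts": "2026-01-12T09:02:00Z", "principal": "svc-ci-deploy", "kind": "service_account",
     "token": "tok-a1", "src_ip": "10.0.4.7", "target": "artifactory", "action": "artifact.push"},
    # Same token, different network, minutes later: the token has left its origin.
    {"ts": "2026-01-12T09:05:00Z", "principal": "svc-ci-deploy", "kind": "service_account",
     "token": "tok-a1", "src_ip": "203.0.113.55", "target": "github", "action": "repo.read"},
    # Service account touching a system it has never touched: cross-system movement.
    {"ts": "2026-01-12T09:06:00Z", "principal": "svc-ci-deploy", "kind": "service_account",
     "token": "tok-a1", "src_ip": "203.0.113.55", "target": "salesforce", "action": "export.bulk"},
    # Human user, one token, one network: no finding expected.
    {"ts": "2026-01-12T09:10:00Z", "principal": "alice", "kind": "user",
     "token": "tok-u9", "src_ip": "198.51.100.3", "target": "salesforce", "action": "record.read"},
]

# Constructed baseline: systems each service account is expected to reach.
BASELINE = {"svc-ci-deploy": {"github", "artifactory"}}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, baseline, window=timedelta(minutes=30)):
    """Return (rule, principal, token, detail) tuples for suspicious authenticated activity."""
    findings = []
    token_origins = defaultdict(list)  # token -> [(timestamp, source ip)]
    for event in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(event["ts"])
        # Rule 1: the same token presented from a source not seen for it inside the window.
        recent_ips = {ip for t, ip in token_origins[event["token"]] if ts - t <= window}
        if recent_ips and event["src_ip"] not in recent_ips:
            findings.append(("token_reuse_new_origin", event["principal"],
                             event["token"], event["src_ip"]))
        token_origins[event["token"]].append((ts, event["src_ip"]))
        # Rule 2: a non-human identity reaching a system outside its baseline.
        if event["kind"] == "service_account":
            expected = baseline.get(event["principal"], set())
            if event["target"] not in expected:
                findings.append(("nhi_cross_system_move", event["principal"],
                                 event["token"], event["target"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS, BASELINE):
        print(finding)
```

Both rules key on the identity artefact (the token and the service account) rather than on a failed login, which is the point of the paragraph: the activity that matters here authenticated successfully every time.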
How automation identities become identity brokers
Automation platforms can amplify access because they sit at the centre of multiple SaaS and cloud integrations. If a malicious node, connector, or workflow can read embedded secrets or OAuth tokens, it can pivot laterally without touching a user account. The platform then functions as an identity broker, distributing access that bypasses user-centric controls such as MFA prompts, interactive approval, and standard user risk scoring. This is why trusted automation paths are attractive to attackers: they compress the distance between initial compromise and broad access.
Practical implication: inventory automation platforms as privileged identity surfaces and review every connector that can expose secrets or tokens.
Why identity infrastructure flaws expand blast radius
Identity systems rarely fail at login alone. The bigger problem is what happens after a valid credential is accepted. Weak token validation, flawed trust relationships, and privilege escalation bugs let attackers extend access from one tenant, application, or workflow into many others. In that model, authentication is not the finish line. It is the start of a chain where authorisation logic, session handling, and scope enforcement decide whether compromise stays contained or spreads quietly across the environment.
Practical implication: test token validation, authorisation boundaries, and trust relationships as part of every identity risk review.
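As an added example of the token validation test recommended above (written for this summary using only Python's standard library; it is not code from Delinea or from any IdP), the block below mints HS256 JWTs and then verifies them two ways. The permissive verifier trusts the header's `alg` and checks nothing beyond the signature, so a token minted for one API is accepted by any other API sharing the key, and an unsigned `alg: none` token is accepted outright. The strict verifier pins the algorithm and binds the token to issuer, audience and expiry, which is the scope enforcement the paragraph describes. The key, issuer and audience strings are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, key, alg="HS256"):
    """Build a compact JWT. alg='none' exists only to show what a weak verifier accepts."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def weak_verify(token, key):
    """Permissive pattern: honours whatever alg the token claims, checks only the signature."""
    h, p, s = token.split(".")
    header = json.loads(_unb64url(h))
    if header.get("alg") == "none":
        return json.loads(_unb64url(p))          # unsigned token trusted as-is
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _unb64url(s)):
        return json.loads(_unb64url(p))          # no iss / aud / exp check: replayable anywhere
    return None


def strict_verify(token, key, issuer, audience, now=None):
    """Pin the algorithm, verify the signature, then bind the token to iss, aud and time."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_unb64url(h))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":             # the token never chooses its own algorithm
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return None
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:                      # minted for another API: not ours to accept
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-shared-secret"           # demo value, not a real key
    token = mint({"iss": "https://idp.example", "aud": "billing-api",
                  "sub": "svc-reports", "exp": time.time() + 300}, key)
    print("weak, replayed at hr-api   :", weak_verify(token, key) is not None)
    print("strict, replayed at hr-api :", strict_verify(token, key, "https://idp.example", "hr-api") is not None)
```

The same shape of check applies to federation trust and session boundaries: the question is always whether the artefact carries, and the verifier enforces, the context it was issued for.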
Threat narrative
Attacker objective: obtain legitimate-looking access that can be reused for lateral movement, persistence, and delayed monetisation across identity-connected environments.
- Entry occurred when attackers used valid credentials, OAuth tokens, or compromised automation workflows instead of breaking in through a classic exploit chain.
- Escalation followed when malicious community nodes, embedded secrets, or weak identity controls let those identities pivot laterally across connected SaaS and cloud services.
- Impact emerged as the stolen or abused access supported ransomware, data theft, extortion, and delayed compromise that often went unnoticed for weeks or months.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential misuse at scale is now the default identity threat model: January’s incidents show that attackers no longer need to force entry when valid access is already available through tokens, service accounts, and automation paths. That means the security discipline is shifting from exploit prevention to authenticated abuse containment. The operational implication is that identity telemetry must become the primary control plane for investigation.
Identity misuse occurred long before impact because existing controls still treat authentication as evidence of trust: This is the core governance failure the month exposed. Access often looked legitimate at the point of use, so detection lagged until ransomware, extortion, or lateral movement was already underway. Practitioners should treat authenticated activity as an assumption to verify, not proof of safety.
Automation identities are now high-value attack infrastructure, not low-risk plumbing: Malicious workflow execution, embedded secrets, and connector sprawl let adversaries use automation platforms as identity brokers. That pattern sits squarely in OWASP-NHI and Zero Trust governance territory, where scope, token provenance, and session trust matter more than the application label. Teams need to govern automation as privileged identity.
Identity blast radius: the real control problem is no longer whether access exists, but how far that access can move before it is noticed. The article shows that validation flaws, trust relationships, and delayed credential reuse decide whether compromise stays local or spreads across SaaS and cloud estates. The practitioner conclusion is to measure containment range, not just initial compromise rate.
Standing access outlives the moment of compromise: Ransomware groups and credential-harvesting ecosystems benefit because service accounts and reused secrets remain valid after the original exposure. That is a governance problem across lifecycle, rotation, and offboarding, not merely a detection problem. The implication is that access duration has become a first-class risk variable.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- 46% confirmed a breach and a further 26% suspect one, which shows how often NHI exposure is already visible enough to be suspected but not always proven.
- For the broader breach pattern across machine identity exposure, see 52 NHI Breaches Analysis for recurring root causes and response patterns.
What this signals
Credential misuse will keep outpacing controls that were built to trust authentication events. The practical shift for teams is to move from login-centric monitoring to identity-path monitoring, where service account behaviour, token reuse, and automation pivots are the main signals. If your programme cannot explain where a credential can move next, it cannot claim containment.
Non-human identity governance is now inseparable from blast-radius management. The environments most exposed to authenticated abuse are the ones where reusable access persists across integrations and automation chains. Teams should expect audit pressure to move from entitlement counts toward revocation speed, scope reduction, and evidence of failed lateral movement.
Identity misuse occurred long before impact in January, which means response speed now depends on lifecycle discipline as much as detection engineering. The organisations that will hold the line are those that can shorten credential lifetime, prove connector ownership, and link every reusable secret to a revocation path. That is where lifecycle governance becomes a control, not a process.
For practitioners
- Map authenticated attack paths across users, tokens, and service accounts: Prioritise flows where valid identities can move between SaaS, cloud, and automation platforms without interactive challenge. Focus on the identities that can reach the most systems with the fewest checks.
- Review automation platforms as privileged identity surfaces: Inventory community nodes, connectors, embedded secrets, and workflow permissions that can expose OAuth tokens or API keys. Treat those platforms like high-risk identity infrastructure, not ordinary application tooling.
- Tighten token provenance and trust validation: Check how your environment validates JWTs, OAuth tokens, federation trust, and session boundaries. If a token can be reused outside its intended context, the identity control plane is already too permissive.
- Shorten the lifetime of reusable credentials: Reduce persistence for service accounts, API keys, and other secrets that can be harvested and reused later. Eliminate orphaned access through lifecycle reviews and offboarding that actually revoke access, not just record it.
- Measure identity blast radius, not only compromise counts: Track how far a stolen credential can move laterally before detection, including cloud tenants, SaaS apps, and automation chains. That metric tells you more about containment strength than incident volume alone.
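The first and last items in the list above (mapping authenticated attack paths, and measuring blast radius rather than compromise counts) can be done with a small graph model. The block below is an added example written for this summary, not code from Delinea or from any tool. It encodes a constructed access graph in which each edge says that holding one thing (an identity, a system, or a stored secret) lets you reach another, and marks hops that require an interactive challenge. A breadth-first search from a given identity, skipping challenged hops, yields the set of systems a stolen credential could move into without a human in the loop, plus the length of the longest chain; identities can then be ranked by that reach. The node names, edges and the "challenged" flags are all assumptions about a hypothetical environment.

```python
from collections import defaultdict, deque

# Constructed access graph (hypothetical environment, not from the article).
# (src, dst, challenged): holding src reaches dst; challenged=True means the hop needs an
# interactive check (MFA prompt, approval) that a stolen token or service account cannot pass.
EDGES = [
    ("user:alice",              "app:okta",                True),
    ("app:okta",                "app:salesforce",          True),
    ("nhi:svc-automation",      "app:automation-platform", False),
    ("app:automation-platform", "secret:sf-oauth-token",   False),  # connector stores the token
    ("secret:sf-oauth-token",   "app:salesforce",          False),
    ("app:automation-platform", "secret:aws-access-key",   False),
    ("secret:aws-access-key",   "cloud:aws-prod",          False),
    ("cloud:aws-prod",          "secret:db-password",      False),  # the key can read the secret
    ("secret:db-password",      "db:customers",            False),
    ("nhi:svc-ci",              "app:github",              False),
]


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, challenged in edges:
        graph[src].append((dst, challenged))
    return graph


def reach(graph, start, unattended_only=True):
    """BFS from `start`; returns {node: hops}. With unattended_only, challenged hops are
    skipped, so the result is what a stolen credential alone can get to."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, challenged in graph.get(node, []):
            if unattended_only and challenged:
                continue
            if dst not in hops:
                hops[dst] = hops[node] + 1
                queue.append(dst)
    del hops[start]
    return hops


def blast_radius(graph, identity, unattended_only=True):
    """Systems (not secrets) a compromised identity can move into, the secrets it can harvest
    on the way, and the longest chain it can follow."""
    reached = reach(graph, identity, unattended_only)
    return {
        "systems": {n for n in reached if not n.startswith("secret:")},
        "secrets": {n for n in reached if n.startswith("secret:")},
        "max_hops": max(reached.values(), default=0),
    }


def rank_identities(graph, identities):
    """Order identities by unattended reach: most systems first, longest chain as tiebreak."""
    scored = [(i, blast_radius(graph, i)) for i in identities]
    return sorted(scored, key=lambda x: (len(x[1]["systems"]), x[1]["max_hops"]), reverse=True)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for identity, radius in rank_identities(graph, ["user:alice", "nhi:svc-ci", "nhi:svc-automation"]):
        print(identity, len(radius["systems"]), "systems,", radius["max_hops"], "hops")
```

In the constructed graph the automation service account reaches four systems across five hops without ever hitting a challenge, while the human user reaches nothing unattended, which is the asymmetry the list above asks teams to measure. In a real estate the edges come from IdP assignments, stored connector credentials, cloud IAM policies and secret-store ACLs, and the "challenged" flag from whether each hop enforces MFA or approval.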
Key takeaways
- Credential misuse has become the default access pattern for modern attackers, which makes identity containment more important than exploit prevention in many environments.
- The scale of identity-related exposure in January was material, with 360 identity-related CVEs out of 1,870 total disclosures and repeated use of valid credentials in real intrusions.
- Teams that want to reduce blast radius must govern tokens, service accounts, automation platforms, and revocation speed as one identity system.
Key terms
- Non-Human Identity: A non-human identity is any machine- or software-based identity used to authenticate to systems, including service accounts, API keys, tokens, certificates, bots, and workload identities. It must be governed as an access-bearing entity because it can be over-privileged, reused, exposed, or left orphaned.
- Credential misuse: Credential misuse is the abuse of valid authentication material by an attacker who does not need to break a login flow. In practice, it includes stolen tokens, reused secrets, and compromised service accounts that allow the attacker to operate as trusted identity traffic.
- Identity blast radius: Identity blast radius is the amount of access and lateral movement a compromised identity can unlock before containment. It depends on scope, trust relationships, token reuse, and revocation speed, making it a useful measure of how far authenticated abuse can spread.
- Automation identity: An automation identity is a non-human identity used by workflows, scripts, integrations, and platform connectors to move data or trigger actions. Because it often sits between multiple systems, it can become a high-value broker for secrets, tokens, and cross-platform access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Delinea: Credential misuse at scale is now the default identity risk. Read the original.
Published by the NHIMG editorial team on 2026-02-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org