By NHI Mgmt Group Editorial TeamPublished 2026-04-24Domain: Governance & RiskSource: Fudo Security

TL;DR: Ransomware victims rose 53% year over year to more than 7,960 in 2025, while 46% of compromised systems with corporate logins were unmanaged devices and leaked secrets took 94 days on median to remediate, according to Check Point and Verizon. Continuous privileged access control, not project-based security, is now the resilience baseline.


At a glance

What this is: This is an analysis of why cyber resilience in 2026 depends on continuous security principles, with privileged access management positioned as the operational control that keeps dormant accounts, unmanaged credentials, and third-party access from widening the blast radius.

Why it matters: It matters because IAM, PAM, NHI, and lifecycle teams all have to manage access as an always-on risk surface rather than a periodic audit activity.

By the numbers:

👉 Read Fudo Security’s analysis of cyber resilience, PAM, and continuous access control


Context

Cyber resilience is the discipline of keeping the business running when attacks, failures, and control gaps inevitably occur. In this article, the primary keyword is cyber resilience, and the core argument is that it cannot be treated as a one-off project because privileged access, dormant accounts, exposed secrets, and third-party relationships remain live risk surfaces across the enterprise.

The article ties that argument to NIS2, DORA, PAM, and identity management, which makes it relevant to IAM, NHI, and governance teams rather than only security operations. Its central claim is that resilience comes from continuous control application, not from passing a compliance checkpoint and moving on.

The operating assumption is straightforward: if access is broad, stale, or poorly attributed, the organisation will absorb more damage when an incident arrives. That is a typical enterprise problem, not an edge case.


Key questions

Q: How should security teams reduce the risk from dormant privileged accounts?

A: Security teams should inventory every privileged account, confirm a current owner and business need, and remove access that no longer serves an active process. The main goal is not just cleanup. It is reducing the amount of access that can be abused during an incident before response teams can contain it.

Q: Why do leaked secrets and unmanaged devices matter so much for resilience?

A: They matter because they let attackers use valid access instead of forcing a noisy exploit. Once credentials leave a managed device or sit exposed in code or logs, defenders are racing a reuse window. Resilience depends on shortening that window with detection, revocation, and device controls.

Q: What do organisations get wrong about cyber resilience programmes?

A: They often treat resilience as a separate initiative instead of a condition created by everyday identity controls. If access reviews, secret rotation, and offboarding are inconsistent, the programme may look mature on paper while still leaving durable paths for abuse and disruption.

Q: Who is accountable when privileged access failures lead to an incident?

A: Accountability should sit with the owners of the access process, the security leadership that defines the control standard, and the board where regulation requires oversight. Under NIS2 and DORA, access governance is not just an operational issue. It is part of formal resilience accountability.


Technical breakdown

Why privileged access becomes a resilience control

Privileged access management is not just about administering administrator accounts. It is the control layer that determines who can reach critical systems, how long access persists, whether activity is recorded, and whether dormant entitlements can be reactivated during an incident. In resilience terms, PAM reduces the probability that a single credential, forgotten account, or over-broad contractor grant turns a local issue into enterprise-wide disruption. The article’s focus on centralized control reflects a real operational truth: when access is fragmented, incident response becomes slower and attribution becomes weaker. Resilience depends on knowing which identities can act, when they can act, and whether that authority can be curtailed fast enough.

Practical implication: map privileged entitlements to a central control point and treat orphaned access as a recovery risk, not just an audit finding.

How unmanaged devices and leaked secrets expand attack windows

The article links attack success to two common exposure paths: credentials on unmanaged devices and secrets left exposed long enough to be reused. In practice, these are not separate hygiene issues. They create a compounded trust problem in which identity proof, device posture, and secret lifetime drift apart. Once a credential is copied, sold, or cached outside the corporate boundary, the attacker no longer needs a noisy exploit path. The attack becomes a time problem, not a complexity problem, because the defender must detect, attribute, and revoke before reuse. That is why credential lifetime and device governance belong in the same resilience conversation.

Practical implication: pair device governance with secret detection and rotation so exposed credentials do not remain valid long enough to be operationalised.

Why NIS2 and DORA turn resilience into governance

NIS2 and DORA do more than add compliance pressure. They formalise the expectation that cyber resilience is governed, measurable, and owned at board level. That changes identity work from a technical back-office function into a control discipline tied to continuity, supplier risk, access policy, and incident readiness. The article is right to connect resilience with regulation because the strongest programmes already use those obligations to enforce consistent access review, supplier oversight, and recovery planning. In other words, regulation is not the resilience model, but it is often the mechanism that forces the model to exist.

Practical implication: align access governance, supplier oversight, and incident recovery metrics to the controls explicitly referenced by NIS2 and DORA.


Threat narrative

Attacker objective: The attacker wants to turn weak identity governance into durable access that survives detection, enabling disruption, extortion, or stealthy persistence.

  1. Entry occurs through leaked secrets, exposed credentials, or compromised unmanaged devices that provide valid initial access without forcing an exploit chain.
  2. Escalation follows when the attacker finds dormant, over-privileged, or poorly attributed access that lets them move from ordinary entry to privileged system control.
  3. Impact is achieved by holding access long enough to disrupt operations, exfiltrate data, or accelerate ransomware activity before the organisation can contain the session.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Continuous resilience is really continuous access governance. The article correctly rejects project-based security because cyber resilience fails when privileged access is treated as a static administrative problem. In identity terms, the real issue is not whether controls exist, but whether they are continuously enforced across humans, service accounts, and external access paths. That makes PAM, lifecycle governance, and recertification operational controls rather than periodic compliance artefacts. Practitioners should read this as a mandate to run access governance as a live discipline.

Standing privilege is the resilience liability this article exposes. Dormant accounts, broad contractor grants, and stale third-party access all extend the attacker’s usable window after initial compromise. The breach pattern is not subtle: if access outlives the business need, it also outlives the risk review. That is why the most damaging failures are usually governance failures, not just malware events. Practitioners should treat every persistent entitlement as potential recovery debt.

Identity resilience is now a board-level continuity issue, not a tooling choice. NIS2 and DORA matter because they force accountability for how access, supplier relationships, and incident response are governed. The field is moving toward a model where access policy, monitoring, and offboarding are evaluated as resilience controls with measurable outcomes. Practitioners should expect identity governance to be judged by operational continuity, not by policy volume.

Unmanaged credentials create identity blast radius. This article shows how leaked secrets, unmanaged devices, and broad access combine into a larger exposure zone than any single control failure suggests. The concept is useful because it names the operational consequence of weak identity boundaries: once credentials escape the managed environment, the blast radius is no longer defined by the system of record. Practitioners should frame remediation around reducing blast radius, not just closing individual gaps.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap makes Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs the right next step for teams that need to operationalise governance, not just discuss it.

What this signals

Identity resilience is converging on lifecycle discipline. As organisations move from periodic checks to continuous control, the strongest programmes will be the ones that can prove who owns each privilege, when it expires, and how quickly it can be revoked. That is especially important for contractors, service accounts, and external access paths that often fall outside normal review rhythms.

The practical signal for readers is that resilience metrics will increasingly be judged by identity outcomes, not tool counts. If your programme cannot show reduced standing privilege, faster offboarding, and fewer unmanaged credentials, it will struggle to demonstrate continuity value even if policy coverage looks broad.

The governing concept here is identity blast radius, which is the amount of operational damage an exposed or over-privileged identity can create before containment. The more fragmented the access estate, the larger the blast radius becomes, so teams should expect PAM, secret management, and supplier access controls to be evaluated together rather than separately.


For practitioners

  • Centralise privileged access enforcement Consolidate privileged access, session control, and audit logging so dormant entitlements cannot sit outside a governed workflow. Review external employee and subcontractor access separately from internal access and remove broad grants that lack a named business owner.
  • Treat exposed secrets as active incidents Build a process that detects leaked API keys, tokens, and certificates, then revokes and replaces them before attackers can reuse them. Tie secret discovery to rotation and owner notification so remediation does not depend on manual follow-up.
  • Close the unmanaged device gap Identify corporate logins used from unmanaged endpoints and remove assumptions that BYOD or personal-device use is low risk. Add device posture checks and conditional access review to accounts with sensitive or privileged entitlements.
  • Use regulations to force control consistency Map NIS2 and DORA obligations to concrete identity controls such as access review cadence, supplier oversight, recovery playbooks, and board reporting. Make those controls measurable so resilience is auditable rather than aspirational.

Key takeaways

  • Cyber resilience fails when privileged access is managed as a project instead of a live control.
  • The evidence points to a widening exposure window created by leaked secrets, unmanaged devices, and delayed remediation.
  • The most effective response is continuous identity governance tied to continuity, supplier oversight, and board accountability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and NIS2 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers rotation and lifecycle of non-human credentials exposed in the article.
NIST CSF 2.0PR.AC-4Access permissions and least privilege are central to the resilience argument.
NIS2The article ties resilience to board accountability, supplier oversight, and access policy.

Align identity governance and continuity controls to NIS2 accountability expectations.


Key terms

  • Cyber Resilience: Cyber resilience is the ability of an organisation to anticipate, withstand, recover from, and adapt after cyber incidents. It goes beyond prevention by assuming attacks and failures will happen, then focuses on continuity, recovery speed, and the identity controls that keep critical access manageable during disruption.
  • Privileged Access Management: Privileged Access Management is the governance and control of high-risk access to critical systems. It typically covers approval, session oversight, credential protection, and removal of excess privilege so administrative access remains attributable, limited, and recoverable when conditions change.
  • Dormant Account: A dormant account is an identity that still exists but no longer serves an active business purpose. In practice, dormant accounts are dangerous because they often retain privileges, evade normal attention, and can be reactivated or abused long after the original need has ended.
  • Identity Blast Radius: Identity blast radius is the amount of damage an exposed or over-privileged identity can cause before the organisation contains it. The concept helps teams think about access not just as permission, but as potential operational impact when credentials, roles, or trust relationships are mismanaged.

What's in the full article

Fudo Security's full article covers the operational detail this post intentionally leaves for the source:

  • The article expands the ransomware and attack-volume trends by sector and region, which is useful if you need the raw evidence behind the resilience argument.
  • It walks through the specific compliance implications of NIS2 and DORA, including board responsibility, supplier oversight, and continuity requirements.
  • It describes the operational framing of privileged access management in more detail, including session control, dormant account removal, and access policy enforcement.
  • It includes the vendor's own product-context examples for how these controls are applied in practice across remote access and third-party access scenarios.

👉 The full Fudo Security article covers the ransomware trends, compliance context, and operational resilience framing in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org