TL;DR: Ransomware victims on double-extortion leak sites rose to over 7,960 in 2025, while education faced 4,352 attacks per organisation weekly and 46% of compromised systems with corporate logins were unmanaged devices, according to Check Point, Verizon, and the source article. Resilience now depends on continuous privileged access control, not project-based security.
At a glance
What this is: This is an analysis of why cyber resilience in 2026 depends on continuous privileged access control, not isolated security projects.
Why it matters: It matters because IAM, PAM, and governance teams need a resilience model that handles dormant accounts, unmanaged devices, supplier access, and board accountability together.
By the numbers:
- The number of victims shamed on double-extorsion leak sites surged to over 7,960 in 2025, a 53% year-over-year increase.
- Educational institutions faced an average of 4,352 attacks per organisation weekly, representing a 22% increase.
- The median time to remediate exposed secrets was 94 days.
👉 Read Fudo Security's analysis of cyber resilience, PAM, and privileged access control
Context
Cyber resilience is the discipline of keeping critical services operating before, during, and after attack. In this article, the primary governance gap is privileged access management, because persistent access, dormant accounts, and unmanaged credentials undermine any claim of continuous control.
The source article frames resilience as a shift from one-time security projects to ongoing operational discipline. That framing is directionally right for IAM leaders, but the real issue is whether organisations can continuously see, control, and revoke privileged access across employees, contractors, suppliers, and systems.
Key questions
Q: What breaks when privileged access is not centrally controlled in a cyber resilience programme?
A: When privileged access is not centrally controlled, resilience fails at the exact point where recovery and containment depend on it. Teams lose visibility into who can change systems, revoke access, or restore services. That makes incident response slower, supplier oversight weaker, and audit evidence incomplete. Central control is the difference between a managed disruption and an uncontrolled one.
Q: Why do dormant privileged accounts increase cyber resilience risk?
A: Dormant privileged accounts increase risk because they preserve valid access after the original need has ended. Attackers value them because they are often overlooked, still trusted by the target system, and difficult to distinguish from legitimate administration. In a resilience model, the problem is not just compromise. It is the persistence of unused power inside the environment.
Q: How can organisations tell whether their PAM programme is actually working?
A: A PAM programme is working when privileged access can be quickly explained, challenged, revoked, and evidenced across employees, contractors, and suppliers. Useful signals include fewer standing admin entitlements, faster removal of stale access, and complete session visibility for high-risk actions. If those outcomes are not measurable, the programme is mostly documentation.
Q: Who is accountable when cyber resilience controls fail under NIS2 and DORA?
A: Accountability sits with the organisation’s leadership and the teams responsible for operational risk, access governance, and incident response. NIS2 and DORA both push security beyond technical ownership into board-level responsibility, supplier oversight, and demonstrable control effectiveness. If the organisation cannot prove who owns privileged access decisions, it cannot credibly claim resilience.
Technical breakdown
Why dormant privileged accounts become resilience failures
Dormant privileged accounts are not just unused identities. They are stale trust paths that can persist long after the original business need has ended, especially where offboarding is incomplete or ownership is unclear. In practice, these accounts often retain elevated rights, session access, or system reach that is hard to detect until an incident exposes them. Once attackers obtain those credentials, the account looks legitimate to the target environment, which makes dwell time and lateral movement easier. In resilience terms, the failure is not only compromise but persistence through neglected lifecycle governance.
Practical implication: treat dormant privileged accounts as an operational resilience defect, not an inventory issue, and remove them through owned lifecycle controls.
How unmanaged devices and leaked secrets widen the attack window
Unmanaged devices and exposed secrets create a long-lived access window because neither condition depends on exploit sophistication. If corporate credentials sit on a personal or unmanaged endpoint, attackers can steal them outside the enterprise boundary and reuse them later against approved services. The same is true for leaked API keys, tokens, or passwords stored in repositories or logs. Once compromised, these credentials often remain valid until someone rotates or revokes them. That makes exposure duration a key risk variable, not just breach origin. In resilience modelling, the danger is the combination of reach and latency: access can be harvested early and weaponised much later.
Practical implication: enforce device trust boundaries and reduce secret lifetime wherever corporate credentials can persist outside managed controls.
PAM centralization is a control-plane issue, not a tooling choice
Centralized PAM matters because privilege risk is distributed across systems, suppliers, and users, while accountability is expected to remain central. A resilient control plane must answer who has access, what kind of access they have, when it was granted, and whether it is still justified. Without that central view, access policies become fragmented and incidents become harder to investigate or contain. The article’s regulatory discussion reinforces this point: compliance pressure is strongest when governance, monitoring, and response are treated as one operating model rather than separate projects. That is why PAM is a resilience control, not just an administrative layer.
Practical implication: make PAM the authoritative control plane for privileged access decisions, revocation, recording, and accountability.
Threat narrative
Attacker objective: The attacker aims to turn legitimate-looking privileged access into sustained control that supports extortion, theft, or operational disruption.
- Entry begins when attackers obtain corporate credentials from leaked secrets, unmanaged devices, or overexposed third-party access paths.
- Escalation follows when those credentials still carry standing privilege, letting attackers move through systems as trusted users instead of forcing noisy exploitation.
- Impact occurs when ransomware, data theft, or operational disruption spreads before teams can detect the access path or revoke the identity.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Continuous resilience is a privileged access problem before it is a ransomware problem. The article correctly ties resilience to standing control, but the deeper issue is that privileged access becomes the choke point for recovery, containment, and accountability. When access is fragmented across admin tools, suppliers, and ad hoc exceptions, the organisation loses the ability to answer who can act on critical systems at any moment. That makes resilience a governance discipline, not a security project.
Identity blast radius is the right named concept for this risk pattern. A leaked secret, unmanaged device, or dormant admin account does not just create one exposure. It enlarges the set of systems an attacker can legitimately reach before any alert fires. Once privilege spreads faster than governance can contract it, incident response starts from a compromised trust base. Practitioners should treat blast radius as the operational measure of identity resilience.
NIS2 and DORA convert access governance from good practice into board-level accountability. The article’s regulatory framing is important because it recognises that resilience now includes supplier oversight, incident handling, and access policy enforcement. Those expectations expose an uncomfortable reality: many organisations still cannot prove that privileged access is current, justified, and revocable across the full environment. The implication is that governance models built for periodic audit are no longer sufficient.
Unmanaged access is the failure mode, not a supporting condition. The article shows how personal devices, leaked secrets, and broad third-party access all point to the same structural weakness: access that exists outside authoritative control. That failure is especially damaging in mixed IT and OT or hybrid environments where visibility is already thin. Resilience programmes should therefore focus on eliminating uncontrolled access paths, not only detecting them after use.
Lifecycle governance is the missing bridge between compliance and resilience. The article repeatedly returns to offboarding, monitoring, and access policies because those are the points where resilience either becomes real or remains rhetorical. If access reviews do not remove stale privilege, then audit readiness and operational safety diverge. Practitioners should align lifecycle, PAM, and incident response so that each reinforces the same control truth.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to the same research.
- For the lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs, which helps connect governance gaps to practical control ownership.
What this signals
Identity blast radius: the practical measure of how far a compromised credential can move before governance catches up. If an organisation cannot reduce that blast radius through lifecycle controls, PAM, and supplier access discipline, resilience remains reactive rather than engineered.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, supplier trust is already one of the weakest parts of the identity perimeter. Teams should expect more scrutiny of delegated access, not less.
Resilience programmes should now be designed around identity recovery as much as infrastructure recovery. The question is no longer whether teams can restore a server, but whether they can rapidly prove who still has privileged access after an incident and whether that access should exist at all.
For practitioners
- Map privileged access to operational criticality Inventory which identities can affect production, backup, identity, and supplier-facing systems, then rank them by blast radius rather than by job title alone.
- Eliminate dormant privileged accounts Run recurring offboarding and recertification checks for admin, contractor, and service accounts, and remove accounts that no longer have an explicit owner or business purpose.
- Shorten secret exposure windows Rotate exposed API keys, tokens, and credentials quickly, and pair rotation with repository scanning, endpoint hygiene, and emergency revocation procedures.
- Centralize third-party access oversight Track supplier access from onboarding through termination, with one control plane for approval, session recording, and revocation across privileged pathways.
- Tie resilience tests to identity recovery Exercise scenarios where privileged access is revoked, rebuilt, and revalidated during incident response so recovery includes identity control, not only system restoration.
Key takeaways
- This article shows that cyber resilience fails first at the identity layer when privileged access is fragmented, stale, or unmanaged.
- The scale of risk is visible in the statistics: ransomware victims, weekly attack volume, and long secret remediation windows all leave attackers room to operate.
- The practical answer is centralised PAM, disciplined lifecycle governance, and measurable revocation so access can be contained before it becomes an incident.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and DORA define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on credential rotation, dormant access, and privileged account control. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and least privilege are central to the resilience model described here. |
| DORA | The article links operational resilience to ICT risk, suppliers, and incident preparedness. |
Review privileged credential lifecycle controls and eliminate standing access where business need has ended.
Key terms
- Privileged Access Management: Privileged Access Management is the governance and control of high-risk access that can change systems, data, or security settings. It covers approval, session control, recording, rotation, and revocation so elevated access is limited, visible, and accountable across humans, service accounts, and other non-human identities.
- Cyber Resilience: Cyber resilience is the ability to keep operating, recover, and adapt after a security incident rather than only trying to prevent one. It combines people, processes, and technology so identity control, incident response, and continuity planning work together under attack.
- Dormant Account: A dormant account is an identity that still exists but is no longer actively used or properly owned. In practice, dormant accounts become risk-bearing assets when they retain permissions, because attackers can exploit their legitimacy even when no one is monitoring them closely.
- Identity Blast Radius: Identity blast radius is the amount of access, systems, and business impact that a compromised identity can reach before containment. It is a useful way to measure whether lifecycle governance, PAM, and segmentation are actually reducing the damage a stolen credential can cause.
What's in the full article
Fudo Security's full article covers the operational detail this post intentionally leaves for the source:
- The article expands on ransomware trends by sector, including education, government, and telecommunications.
- It breaks down the control failures behind unmanaged credentials, dormant accounts, and exposed secrets.
- It connects NIS2 and DORA to operational resilience, board accountability, and supplier oversight.
- It closes with product positioning and deployment context for Fudo Enterprise 6.0 and ShareAccess.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org