TL;DR: Ransomware incidents such as St. Paul’s 2025 shutdown show that cyberattacks now create operational, public safety, and continuity impacts, according to Illumio. The practical shift for 2026 is that containment, segmentation, and accountability matter more than assuming prevention will hold.
At a glance
What this is: The article argues that 2026 security strategy will be defined by resilience, containment, supply chain verification, AI-driven attack surface growth, Zero Trust maturity, and board-level accountability.
Why it matters: This matters to IAM and security teams because the same shift toward continuous verification, least privilege, and third-party access control also applies to NHI, agentic AI, and privileged human access.
👉 Read Illumio's cybersecurity predictions for 2026 and resilience outlook
Context
Cyber resilience is shifting from an aspirational outcome to an operating assumption. The article uses the St. Paul ransomware disruption as evidence that attacks can halt services, affect public safety, and force leaders to think in terms of continuity rather than clean prevention. In identity terms, that same pressure is pushing organisations to treat access containment as a core control objective, not a secondary response capability.
The security question is no longer whether attacks will happen, but how far they can spread once they do. That makes Zero Trust, least privilege, and accountability relevant across human identity, NHI, and agentic AI programmes, because each of those domains can either contain or amplify operational blast radius. For readers managing access governance, the article reflects a typical direction of travel, not an outlier.
Breach containment discipline: The article’s core idea is that resilience becomes measurable when organisations can limit spread after initial compromise. That has direct relevance to NHI and privileged access governance because unmanaged credentials and broad trust boundaries create the same expansion path attackers exploit in human-driven incidents.
Key questions
Q: What breaks when cyber resilience is not built into access governance?
A: When resilience is missing from access governance, compromise can spread faster than teams can isolate it. Broad privileges, weak segmentation, and unclear ownership let one intrusion become a service outage, data exposure, or operational shutdown. The failure is not only technical. It is the inability to contain blast radius before the business absorbs the loss.
Q: Why do third-party connections increase operational risk in Zero Trust environments?
A: Third-party connections increase operational risk because they extend trust outside the organisation’s direct control. If those connections are broad, persistent, or poorly monitored, an attacker can use them as a path into production systems. Zero Trust reduces that risk only when access is continuously verified and tightly scoped.
Q: How can security teams know whether containment controls are actually working?
A: Containment controls are working when a compromised segment can be isolated quickly without taking down unrelated services. The strongest signals are reduced lateral movement, shorter recovery times, and the ability to keep critical functions running during an incident. If teams still need widespread shutdowns, the control design is failing.
Q: Who is accountable when AI systems act on behalf of users and cause security impact?
A: Accountability should rest with the organisation that granted the AI system access and approved the control model around it. Human ownership, machine execution, and delegated authority must be separately recorded, or responsibility becomes unclear when the agent performs an action that causes harm. That governance gap becomes a real risk when AI uses credentials or tokens to operate.
Technical breakdown
Why cyber resilience is now a containment problem
Cyber resilience is the ability to keep critical operations functioning while an attack is being absorbed, investigated, and limited. The technical change here is that security teams are increasingly judged on blast-radius control, segmentation, and recovery sequencing rather than on the promise of perfect prevention. When systems are tightly connected, an intrusion in one area can become an outage across many. That is why containment, not only detection, has become the practical control objective.
Practical implication: map critical services to containment boundaries and test whether one compromised segment can be isolated without stopping the business.
How supply chain trust turns into shared attack exposure
Supply chain risk grows when trusted providers hold broad connectivity into customer environments. Attackers can exploit that trust by reaching multiple organisations through a single compromise, which makes verification more important than inherited confidence. The article’s emphasis is less about one vendor and more about the pattern: third-party access often becomes a multiplier for disruption when least-privilege boundaries and monitoring are weak. Shared accountability and visibility become operational requirements, not procurement language.
Practical implication: review third-party access paths as production attack paths, then limit scope, log usage, and require continuous verification.
Agentic AI expands access paths faster than governance can track
Agentic AI changes the attack surface because it can create many more machine-to-machine connections, often using credentials, tokens, and API access on behalf of people. That means identity governance has to account for delegated actions, opaque ownership, and rapidly multiplying integrations. In practice, the challenge is not just model risk. It is the governance of the access paths the agent uses to reach applications and data, especially when those paths are provisioned faster than oversight can keep pace.
Practical implication: inventory AI agent access separately from human users and apply tighter credential lifecycle controls before agent sprawl becomes ungovernable.
Threat narrative
Attacker objective: The attacker aims to convert one trusted connection into broad operational disruption, forcing the target to isolate systems and absorb business impact.
- Entry occurs when attackers exploit a trusted supplier, exposed access path, or AI-mediated connection to reach systems that were assumed to be outside the immediate attack surface.
- Escalation follows when the initial foothold is able to move laterally through broad trust relationships, shared credentials, or weak segmentation.
- Impact is operational disruption, service outage, and business or public-safety degradation when containment fails and affected systems must be taken offline.
NHI Mgmt Group analysis
Cyber resilience is becoming an identity governance problem as much as a security one. The article is right to move the conversation away from prevention-only thinking, because most organisations now operate with assumed compromise. For IAM and PAM teams, that means resilience depends on whether access can be contained quickly, revoked cleanly, and scoped narrowly enough to preserve operations. The practical conclusion is that access governance must be measured by blast-radius reduction, not just policy coverage.
Supply chain exposure now behaves like delegated identity risk. When trusted providers and connected applications can reach deep into an environment, third-party access becomes an identity control issue, not only a procurement or vendor-management issue. That aligns with NIST CSF and Zero Trust principles, but the governance gap is the assumption that trust inherited at onboarding remains valid at runtime. Practitioners should treat third-party connectivity as continuously revocable access.
Agentic AI will make accountability harder before it makes it easier. The article captures an important shift: AI systems increasingly act through credentials, tokens, and APIs, which means the access pathway is often clearer than the actor behind it. That creates a governance burden for human identity teams, because delegated machine actions can bypass the review logic designed for people. The practitioner takeaway is that identity controls must distinguish human ownership from machine execution.
Zero Trust is maturing from architecture language into operational discipline. The article’s view that Zero Trust becomes invisible infrastructure is consistent with where the market is heading. Segmentation, continuous verification, and least privilege only matter if they reduce real containment time during an incident. Organisations that still treat Zero Trust as a branding exercise will miss the operational point: the control must work when the environment is already under stress.
Board accountability will force identity teams to speak in business terms. If leaders are judged on operational continuity, then access governance, containment, and recovery need to be reported as business risk controls rather than technical hygiene. That is especially relevant for NHIs and privileged access because those identities often sit directly on critical paths. The field is moving toward governance models where access failure is also an availability failure.
What this signals
Cyber resilience programmes will be judged less on declared architecture and more on whether they can limit operational impact during a live incident. That shifts the priority toward segmented trust zones, explicit access boundaries, and recovery testing that reflects how attackers actually move through environments. It also strengthens the case for reading resilience through an identity lens, especially where NHIs and delegated access create hidden failure paths.
Breach containment discipline: Organisations that still treat containment as an incident-response add-on will struggle as supply chain and AI-mediated access expand the number of possible entry points. The practical shift is to measure whether a compromised service, supplier, or agent can be isolated without collapsing adjacent operations. That is the kind of control that turns resilience from a slogan into an operating capability.
For identity teams, the next planning cycle should separate human, machine, and agent access governance more clearly. The difference matters because reviews built for employee accounts do not reliably expose delegated machine use, and that gap becomes more damaging as AI systems and third-party integrations multiply. The article’s direction of travel is clear: the access graph is becoming as important as the identity itself.
For practitioners
- Define containment boundaries for critical services Map your most important applications, data paths, and control planes into explicit isolation zones so an incident in one area does not automatically become enterprise-wide disruption.
- Review third-party access as runtime exposure List every supplier, SaaS integration, and delegated connection that can reach production systems, then reduce scope, add logging, and remove any access that is broader than operational need.
- Separate AI agent access from human access reviews Create distinct inventories for agent credentials, API tokens, and machine identities so access reviews do not hide autonomous or delegated activity inside human user records.
- Measure resilience by recovery and containment outcomes Track how quickly you can isolate a compromised service, restore essential functions, and validate that adjacent systems were not exposed during the incident.
- Pressure-test Zero Trust assumptions against real outage scenarios Run exercises that assume partial compromise, supplier disruption, or API abuse, then verify whether segmentation and privilege boundaries still hold under load.
Key takeaways
- Cyber resilience is now an operational requirement, not a secondary security objective.
- Supply chain trust, AI delegation, and weak segmentation all increase the speed at which incidents become business disruptions.
- Identity teams should focus on containment boundaries, access scope, and recovery outcomes, because those controls now define resilience.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access control sit at the centre of the resilience argument. |
| NIST Zero Trust (SP 800-207) | The article repeatedly centres continuous verification and segmentation. | |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article's incident pattern is about spread, disruption, and containment failure. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the strongest control family match for the article's access themes. |
| NIST AI RMF | MANAGE | AI-enabled operations need governed deployment and monitored use, not blind automation. |
Map critical access paths to PR.AC-4 and reduce broad trust relationships before incidents spread.
Key terms
- Cyber Resilience: Cyber resilience is the ability to keep essential business functions operating during and after a security incident. It focuses on containment, continuity, and recovery rather than assuming attacks can be fully prevented. In practice, it combines architecture, process, and governance so disruption stays within tolerable limits.
- Blast Radius: Blast radius is the amount of operational, technical, or business damage that a single compromise can spread across an environment. Smaller blast radius means fewer systems, identities, and workflows are exposed when an attacker gets in. It is a useful measure of whether segmentation and access control are actually working.
- Delegated Access: Delegated access is permission granted to a system, service, supplier, or AI agent to act on behalf of another entity. It is powerful because it reduces friction, but it also creates hidden trust paths that can be abused if scope, duration, and ownership are not tightly governed.
- Operational Continuity: Operational continuity is the organisation’s ability to keep critical services available when systems are degraded, attacked, or partially offline. It is not the same as full recovery. The practical question is whether essential work can continue while security teams contain the incident and restore control.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- Expert commentary on how boards are changing the way cyber risk is measured and reported.
- Illustrative examples of how Zero Trust is being operationalised in resilience planning.
- The article's discussion of AI copilots in SOC workflows and the limits of automation under pressure.
- Context on why supply chain exposure is becoming a front-line operational issue.
👉 Illumio's full blog expands on the board, supply chain, AI, and Zero Trust themes in more detail.
Deepen your knowledge
NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It is designed for practitioners who need to connect identity control to operational resilience.
Published by the NHIMG editorial team on 2026-01-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org