By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecureframePublished November 12, 2025

TL;DR: Cybercrime losses are projected to reach $15.63 trillion by 2029, third-party involvement in breaches has doubled to 30%, and data exfiltration appears in 80% of attacks, according to Secureframe’s roundup of 210 plus cybersecurity statistics. The data points to a threat environment where visibility, supply chain control, and identity governance matter more than perimeter assumptions.


At a glance

What this is: This is a cybersecurity statistics roundup that highlights rising attack frequency, expanding supply chain risk, and the growing role of data theft and AI-driven exposure.

Why it matters: It matters because identity, access, and governance teams increasingly have to control human, non-human, and third-party trust paths inside a threat landscape defined by scale, speed, and data exfiltration.

By the numbers:

👉 Read Secureframe’s 210 plus cybersecurity statistics roundup for 2026 planning


Context

Cybersecurity statistics are most useful when they show where governance is failing, not just how noisy the threat landscape has become. In this case, the primary issue is not only higher attack volume, but the way identity, vendor access, data movement, and AI adoption expand the number of paths an attacker can abuse.

For IAM, PAM, NHI, and related governance teams, the key question is whether the organisation can still see, classify, and constrain access fast enough to match the pace of modern attack activity. The statistics in this roundup point to a programme problem, not a tooling problem: visibility, entitlement discipline, and third-party control are now central security controls.


Key questions

Q: What breaks when third-party access is not governed as part of identity lifecycle management?

A: Access can outlive the business relationship that justified it, which leaves external identities active after need has ended. In healthcare, that failure can expose claims systems, patient data, and connected devices. The practical problem is not just excessive access, but access that no longer has an accountable owner.

Q: Why do service accounts and automation tokens increase breach impact when they are over-privileged?

A: Because they can move data and trigger actions at machine speed without the friction that often limits human accounts. If those identities have broad scopes or standing credentials, attackers can use them to scale theft or disruption quickly. Least privilege and short-lived access reduce the blast radius when compromise occurs.

Q: How do security teams know whether AI tools are creating unmanaged access paths?

A: Look for AI systems that can reach data stores, code repositories, or operational tools without a clear owner, expiry, or approval trail. If the organisation cannot answer what the tool can access, which identity it uses, and how that access is revoked, the AI workflow is functioning as an unmanaged identity path.

Q: Who is accountable when a compromised machine identity causes a breach?

A: Accountability should sit with the team that owns the identity lifecycle, not with the last person who touched the system. If no owner can explain why the identity exists, what it can access, and when it expires, the control model is already failing.


Technical breakdown

Why attack volume now matters more than raw alert counts

Weekly attack counts only become operationally meaningful when they are mapped to control coverage and dwell time. At this scale, attackers do not need exotic techniques to succeed. They only need a small set of weak points, such as exposed credentials, insufficient segmentation, or delayed detection. That is why cyber statistics should be read as governance indicators rather than headline noise. The important signal is whether the organisation can prevent repeated probing from turning into valid access, lateral movement, or exfiltration.

Practical implication: teams should connect attack telemetry to control gaps, not just to SOC workload.

How supply chain exposure changes identity governance

Third-party involvement in breaches is a governance problem because vendor access often sits outside normal lifecycle, review, and monitoring processes. The control failure is usually not the vendor itself, but the lack of tight entitlement scope, offboarding discipline, and continuous validation of what the vendor can reach. In identity terms, this includes shared accounts, service integrations, and delegated access that outlive their business need. When supply chain risk rises, identity becomes the enforcement layer that determines how far a partner can move if compromised.

Practical implication: review third-party access as a lifecycle issue, not a one-time onboarding event.

What data exfiltration means for NHI and AI governance

When data theft appears in most attacks, the sensitive control boundary is no longer the perimeter, it is the identity layer around systems that can read, move, or transform data. That includes service accounts, automation tokens, API keys, and AI workflows that can reach repositories or data stores. If these identities have standing access, broad scopes, or weak auditability, exfiltration becomes a routine outcome rather than a rare event. This is where NHI governance intersects directly with AI and data security: the same credentials that accelerate automation can also accelerate theft.

Practical implication: constrain machine and agent access to the minimum data scope required for the shortest possible duration.


Threat narrative

Attacker objective: The objective is to turn legitimate access into scalable theft, disruption, or operational leverage before defenders can contain the intrusion.

  1. Entry begins when attackers exploit exposed credentials, vendor access, phishing, or weak third-party controls to obtain a valid foothold.
  2. Escalation follows when the initial identity has excessive scope, standing privilege, or weak segmentation, allowing access to more systems and data.
  3. Impact occurs through exfiltration, disruption, ransomware, or abuse of trusted workflows, often with the attacker using legitimate access paths.

NHI Mgmt Group analysis

Cybersecurity statistics are now identity governance statistics. Once breach frequency, supply chain involvement, and data exfiltration dominate the picture, access control stops being a back-office IAM concern and becomes a front-line security metric. That means organisations need to read statistics as evidence of whether identity controls are constraining real attack paths. The practitioner conclusion is straightforward: if your identity layer cannot absorb these trends, your security programme is under-governed.

Standing access remains the core failure mode behind most modern breach statistics. A high attack count only matters because attackers can convert one weak path into persistent access, and persistent access into data movement. That is why PAM, NHI lifecycle control, and third-party entitlement governance sit at the center of breach reduction. The practitioner conclusion is that access permanence, not just attack volume, is what needs to be reduced.

Third-party identity sprawl is the governance debt hidden inside supply chain risk. The report’s supply chain figures point to a structural problem: many organisations know which vendors they use, but not which identities, tokens, and integrations they have actually granted. That weakens review, offboarding, and segmentation. The practitioner conclusion is that vendor risk must be measured in identities, not just contracts.

Data exfiltration pressure is forcing NHI and AI programmes into the same control conversation. If 80 percent of attacks involve exfiltration, then any system identity that can query, copy, or transform sensitive data is part of the loss path. This is where AI agents, automation tokens, and service accounts become governance subjects, not just technical plumbing. The practitioner conclusion is that machine identities need the same lifecycle scrutiny as human privileged access.

Shadow AI risk is really a visibility and authorization problem at scale. The article’s AI-related statistics show how quickly organisations can create ungoverned data pathways when teams deploy new tools faster than they map access. That creates an identity gap between what the business thinks is authorised and what the environment actually permits. The practitioner conclusion is that AI adoption without access inventory is an exposure multiplier.

What this signals

Cybersecurity teams should treat this statistics roundup as a prioritisation tool, not a reference list. The useful question is which control gaps explain the numbers in your own environment, especially around third-party access, privileged accounts, and data-moving identities. A programme that cannot translate breach statistics into access decisions will keep reacting after the fact.

Shadow AI is emerging as an access governance problem before it is a model risk problem. If teams cannot inventory where AI tools connect to data and what credentials they use, they will not be able to contain exfiltration or unauthorised action reliably. This is where identity governance and AI governance now intersect in practical terms.

For identity teams, the next reporting step is to link attack trends to NHI and PAM metrics. Track standing privilege, expired vendor access, token sprawl, and machine-to-data reach alongside incident counts. That gives security leaders a clearer view of whether access governance is reducing real exposure or simply documenting it.


For practitioners

  • Map attack statistics to control gaps Translate the most relevant attack, breach, and exfiltration trends into a control-gap view across IAM, PAM, NHI, third-party access, and monitoring. Use that map to decide which identity paths are most likely to be abused first.
  • Inventory third-party identities and delegated access Identify every vendor account, token, integration, and shared access path that can reach production systems or sensitive data. Tie each one to an owner, expiry condition, and offboarding workflow so vendor access cannot persist by default.
  • Reduce standing privilege on data-bearing systems Prioritise service accounts, API keys, and automation identities that can read or export sensitive data. Move them toward least privilege, short-lived credentials, and explicit approval for high-risk scopes.
  • Add AI and shadow AI to your access inventory Treat AI tools and workflows as identity subjects when they can retrieve or move data. Record which systems they can call, which datasets they can reach, and which credential types they rely on.

Key takeaways

  • The article’s core message is that cyber risk is now a governance problem, not just an attack-volume problem.
  • The most decision-relevant evidence is the rise in third-party breach involvement, data exfiltration, and AI-related exposure.
  • Identity, privilege, and lifecycle control are the levers that change the outcome of these statistics.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access control and least privilege are central to the article’s identity and third-party risk themes.
NIST SP 800-53 Rev 5AC-2Account management supports lifecycle control for users, vendors, service accounts, and automation identities.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationCredential abuse and exfiltration are central threat patterns in the article’s breach statistics.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle discipline is directly relevant to vendor, service, and automation identities.

Use AC-2 to inventory, approve, review, and remove accounts across human and non-human identities.


Key terms

  • Non-Human Identity: A non-human identity is any digital identity used by software rather than a person. It includes service accounts, API keys, tokens, certificates, workloads, and AI agents. These identities often have access to production systems and data, which makes their lifecycle, scope, and monitoring a core security concern.
  • Standing Privilege: Standing privilege is access that remains active until someone manually removes it. In practice, it creates an ongoing opportunity for misuse, abuse, or lateral movement because the credential or entitlement is always available. Security programmes reduce this exposure by making access shorter lived and more task specific.
  • Data exfiltration risk: Data exfiltration risk is the possibility that sensitive information leaves approved systems and enters an environment the organisation does not control. With Shadow AI, that often happens through ordinary user behaviour, which makes identity governance and data governance tightly linked rather than separate problems.
  • Third-Party Access: Third-party access is any external vendor, partner, or contractor connectivity into an environment. It becomes a security problem when organisations cannot clearly inventory, scope, or revoke the identities involved. Weak lifecycle governance can leave access lingering long after the business need has ended.

What's in the full article

Secureframe's full blog covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of 210 plus cybersecurity statistics across cybercrime, risk, breaches, healthcare, and resilience.
  • Source-by-source attribution to Check Point, Verizon, Microsoft, IBM, Pew, FBI, and other research providers.
  • Industry-specific figures for healthcare, small business, and workforce security trends that support board and programme reporting.
  • The article’s downloadable cybersecurity kit and supplementary resources for awareness and resilience planning.

👉 Secureframe’s full post includes the source breakdown, category-level trends, and supporting resources for planning.

Deepen your knowledge

NHI Mgmt Group’s NHI Foundation Level course, the industry’s only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to real security and compliance outcomes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org