TL;DR: Verizon’s 2026 DBIR reports that the human element was involved in 62% of breaches, third-party compromise appeared in 48% of incidents, and only 26% of known exploited vulnerabilities were remediated in 2025, showing attackers are blending social engineering, vendor trust, and exposed infrastructure. The practical takeaway is that identity, workflow, and remediation controls now need to be managed as one attack surface, not separate programmes.
At a glance
What this is: This is Abnormal AI’s reading of the 2026 DBIR, with the key finding that attackers are combining vulnerability exploitation, third-party compromise, and contextual social engineering.
Why it matters: It matters because IAM, NHI, and human identity teams now have to govern trust relationships, permissions, and behavioural signals together rather than treating them as separate security domains.
By the numbers:
- The human element was involved in 62% of breaches.
- Third-party compromise appeared in 48% of breaches, a 60% year-over-year increase.
- Only 26% of known exploited vulnerabilities were remediated in 2025, down from 38% the prior year.
- The median threat actor leveraged AI across 15 documented techniques.
👉 Read Abnormal AI’s analysis of the 2026 DBIR and identity trust trends
Context
The security problem here is not a single attack method but the collapse of boundaries between people, vendors, software, and infrastructure. In the 2026 DBIR, the same intrusion chain can begin with a vulnerability, move through trusted third-party access, and end with contextual social engineering that looks normal in isolation.
For IAM and identity teams, that means the control plane has expanded. Human identity, NHI permissions, OAuth connections, vendor access, and detection logic all shape whether an attacker can turn one foothold into a broader compromise.
Key questions
Q: How should identity teams treat third-party access?
A: Treat third-party access as a governed identity perimeter, not a one-time integration. Every vendor account, OAuth grant, and SaaS connection should have an owner, a business purpose, a privilege scope, and a revocation path. If the access cannot be reassessed quickly, it is already part of your attack surface.
Q: Why do behavioural signals matter more than links in contextual social engineering attacks?
A: Because the sender, channel, and message can all be legitimate while the request is still malicious. Behavioural signals reveal anomalies in timing, sequence, approval flow, and relationship context, which are harder for attackers to fake consistently than a convincing email or link. That makes workflow monitoring a stronger control than static indicators alone.
Q: How should teams prioritise known exploited vulnerabilities?
A: When a vulnerability is publicly exploited, internet-facing, or connected to high-value identity paths, it should move ahead of routine backlog work. The goal is to reduce the attacker’s viable window, especially when third-party access or privileged identities could turn that exposure into lateral movement. Prioritisation should reflect exploitability and blast radius, not patch age alone.
Q: What should teams do when trusted workflows start looking slightly unusual?
A: Escalate it as a governance signal, not just a helpdesk issue. Unusual approval chains, unexpected payment requests, or vendor behaviour that deviates from normal history can indicate pretexting or account abuse. Teams should verify the business context, inspect linked identities, and preserve evidence before the workflow completes.
Technical breakdown
Why vulnerability exploitation now coexists with identity abuse
The DBIR’s shift from credential abuse to vulnerability exploitation does not mean identity is less important. Attackers often use exposed systems for entry, then rely on stolen identities, service access, or over-permissioned integrations to move laterally and stay persistent. That is why identity compromise still appears in a large share of breaches even when the first step is technical exploitation. The mechanism is chained access: infrastructure weakness creates the opening, while identity and permissions determine how far the attacker can go.
Practical implication: teams need to correlate patch exposure with identity exposure instead of treating them as separate remediation queues.
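One way to put exposed assets and identity exposure into a single remediation queue, written as an added example rather than anything from the DBIR or Abnormal AI's analysis. The findings, the per-asset identity paths, the tier rules, the SLA days and the audit date are all constructed assumptions; CVE ids are placeholders.

```python
from datetime import date, timedelta

AS_OF = date(2026, 6, 4)  # assumed audit date
# Constructed vulnerability findings; cve values are placeholders, not real ids.
FINDINGS = [
    {"id": "F-1", "asset": "vpn-gw-01", "cve": "placeholder-cve-1",
     "kev": True, "internet_facing": True, "first_seen": date(2026, 4, 1)},
    {"id": "F-2", "asset": "build-runner-03", "cve": "placeholder-cve-2",
     "kev": True, "internet_facing": False, "first_seen": date(2026, 6, 1)},
    {"id": "F-3", "asset": "wiki-int", "cve": "placeholder-cve-3",
     "kev": False, "internet_facing": False, "first_seen": date(2026, 1, 15)},
]
# Constructed identity exposure: what a foothold on each asset can reach.
IDENTITY_PATHS = {
    "vpn-gw-01": {"privileged_accounts": 3, "oauth_grants": 2, "vendor_access": True},
    "build-runner-03": {"privileged_accounts": 1, "oauth_grants": 4, "vendor_access": False},
    "wiki-int": {"privileged_accounts": 0, "oauth_grants": 0, "vendor_access": False},
}
NO_PATHS = {"privileged_accounts": 0, "oauth_grants": 0, "vendor_access": False}
SLA_DAYS = {"critical": 7, "high": 14, "routine": 30}  # assumed closure SLAs per tier

def blast_radius(paths):
    """Identity reach from this host: privileged accounts, OAuth grants and vendor links."""
    return paths["privileged_accounts"] + paths["oauth_grants"] + (1 if paths["vendor_access"] else 0)

def tier(finding, paths):
    """Rank by exploitability and blast radius rather than by patch age alone."""
    reach = blast_radius(paths)
    if finding["kev"] and (finding["internet_facing"] or reach > 0):
        return "critical"
    if finding["kev"] or (finding["internet_facing"] and reach > 0):
        return "high"
    return "routine"

def prioritise(findings, identity_paths, today):
    """Build one queue: tier, deadline from first_seen plus SLA, and overdue flag."""
    queue = []
    for f in findings:
        paths = identity_paths.get(f["asset"], NO_PATHS)
        t = tier(f, paths)
        deadline = f["first_seen"] + timedelta(days=SLA_DAYS[t])
        queue.append({"id": f["id"], "tier": t, "blast_radius": blast_radius(paths),
                      "deadline": deadline, "overdue": today > deadline})
    order = {"critical": 0, "high": 1, "routine": 2}
    return sorted(queue, key=lambda q: (order[q["tier"]], -q["blast_radius"], q["deadline"]))
```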
How third-party compromise extends the identity perimeter
Third-party compromise turns external trust into internal reach. SaaS integrations, vendor mailboxes, OAuth grants, and cloud-linked accounts can all become a pathway from one compromised organisation to many others. The key technical issue is not just supplier risk, but delegated authority that outlives close supervision. Once a trusted connection is abused, the attacker often inherits the partner’s normal access patterns, making malicious activity harder to distinguish from legitimate business flows.
Practical implication: map every external identity and integration to its business owner, privileges, and revocation path.
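A small inventory check that flags the lifecycle gaps described here (no owner, no purpose, no revocation path, over-broad scope, overdue review), written as an added example and not code from the DBIR, Abnormal AI or NHIMG. The 90-day cadence, the scope names and the sample grants are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

AS_OF = date(2026, 6, 4)                       # assumed audit date
REVIEW_CADENCE = timedelta(days=90)            # assumed fixed review cadence
BROAD_SCOPES = {"*", "admin", "full_access"}   # constructed over-broad scope names

@dataclass
class ExternalGrant:
    """One delegated-trust relationship: vendor account, OAuth grant or SaaS integration."""
    grant_id: str
    kind: str                        # "oauth", "vendor_account", "saas_integration"
    owner: Optional[str]             # accountable business owner
    purpose: Optional[str]           # business justification on record
    scopes: Tuple[str, ...]          # granted privilege scope
    revocation_path: Optional[str]   # how it is removed (console, API, ticket queue)
    last_reviewed: Optional[date]

def drift_findings(grant, today):
    """Return the lifecycle gaps that leave this grant outside governed trust."""
    overdue = grant.last_reviewed is None or today - grant.last_reviewed > REVIEW_CADENCE
    checks = [
        (grant.owner is None, "no_owner"),
        (grant.purpose is None, "no_purpose"),
        (grant.revocation_path is None, "no_revocation_path"),
        (bool(BROAD_SCOPES & set(grant.scopes)), "over_broad_scope"),
        (overdue, "review_overdue"),
    ]
    return [label for failed, label in checks if failed]

def audit(grants, today):
    """Map grant_id -> findings for every grant with at least one gap."""
    report = {g.grant_id: drift_findings(g, today) for g in grants}
    return {gid: gaps for gid, gaps in report.items() if gaps}

# Constructed sample inventory
GRANTS = [
    ExternalGrant("oauth-crm-sync", "oauth", "sales-ops", "CRM to billing sync",
                  ("contacts.read",), "IdP admin console", date(2026, 4, 20)),
    ExternalGrant("vendor-msp-admin", "vendor_account", None, None,
                  ("admin",), None, date(2025, 9, 1)),
    ExternalGrant("saas-support-widget", "saas_integration", "cx-team", "chat widget",
                  ("tickets.write",), "app marketplace", None),
]

if __name__ == "__main__":
    for gid, gaps in audit(GRANTS, AS_OF).items():
        print(gid, ", ".join(gaps))
```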
Why behavioural signals outperform links and indicators
Pretexting inside legitimate workflows is difficult to catch with static indicators because the message, sender, or channel may all be valid. The anomaly is usually relational or temporal: a request arrives from the right account but at the wrong moment, in the wrong sequence, or with an unusual payment or approval pattern. That makes behavioural baselining more reliable than relying only on known-bad links, hashes, or domains. Detection has to understand context, not just content.
Practical implication: tune detection around communication patterns, approval flow deviations, and unusual identity activity.
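The relational and temporal checks above, run over a constructed vendor-payment event log as an added example (not detection logic from the DBIR, Abnormal AI or NHIMG). The event format, the 48-hour lookback, the two-hour tolerance and the choice of the first six events as known-good baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed vendor-payment workflow events: (timestamp, vendor, actor, action)
EVENTS = [
    ("2026-05-04T09:12:00", "acme-supplies", "ap-clerk", "invoice_received"),
    ("2026-05-04T10:30:00", "acme-supplies", "finance-mgr", "approval"),
    ("2026-05-04T11:05:00", "acme-supplies", "ap-clerk", "payment_request"),
    ("2026-05-11T09:20:00", "acme-supplies", "ap-clerk", "invoice_received"),
    ("2026-05-11T10:45:00", "acme-supplies", "finance-mgr", "approval"),
    ("2026-05-11T11:10:00", "acme-supplies", "ap-clerk", "payment_request"),
    # Later activity: a bank-details change followed by a late-night payment request
    ("2026-05-19T22:41:00", "acme-supplies", "vendor-portal", "bank_details_changed"),
    ("2026-05-19T22:55:00", "acme-supplies", "acme-contact", "payment_request"),
]
BASELINE_EVENTS = EVENTS[:6]   # assumed known-good history used to learn normal behaviour

def build_baseline(events):
    """Per vendor: who normally raises payment requests and at which hours."""
    base = defaultdict(lambda: {"requesters": set(), "hours": set()})
    for ts, vendor, actor, action in events:
        if action == "payment_request":
            base[vendor]["requesters"].add(actor)
            base[vendor]["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def detect(events, baseline, lookback_hours=48, hour_tolerance=2):
    """Flag payment requests whose sequence, timing or requester deviate from baseline."""
    alerts = []
    for i, (ts, vendor, actor, action) in enumerate(events):
        if action != "payment_request":
            continue
        t = datetime.fromisoformat(ts)
        recent = [e for e in events[:i] if e[1] == vendor
                  and (t - datetime.fromisoformat(e[0])).total_seconds() <= lookback_hours * 3600]
        reasons = []
        if not any(e[3] == "approval" for e in recent):
            reasons.append("no_approval_in_sequence")   # wrong sequence
        if any(e[3] == "bank_details_changed" for e in recent):
            reasons.append("bank_change_before_payment")  # unusual payment pattern
        b = baseline.get(vendor)
        if b and actor not in b["requesters"]:
            reasons.append("unusual_requester")           # relationship context
        if b and min(abs(t.hour - h) for h in b["hours"]) > hour_tolerance:
            reasons.append("unusual_hour")                # wrong moment
        if reasons:
            alerts.append((ts, vendor, reasons))
    return alerts
```

Run `detect(EVENTS, build_baseline(BASELINE_EVENTS))` to see only the final request flagged, with all four reasons.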
Threat narrative
Attacker objective: The objective is to turn trusted access into durable reach across the organisation and its connected partners.
- Entry often begins through exploited infrastructure or a trusted third-party relationship that gives the attacker an initial foothold.
- The attacker then abuses identity, OAuth, or vendor access to blend into normal workflows and expand reach across connected systems.
- Impact follows when the attacker uses that legitimate-looking access for data theft, fraud, or broader intrusion activity.
Breaches seen in the wild
- LiteLLM PyPI package breach: a PyPI supply chain attack in which credentials were stolen from users.
- Shai Hulud npm malware campaign: npm malware that exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity trust is now part of the attack surface. The DBIR’s numbers show that breaches are no longer cleanly separable into “identity” problems and “infrastructure” problems. Vulnerability exploitation, third-party compromise, and pretexting now reinforce one another across the same intrusion path. Practitioners should treat trust relationships, not just credentials, as governed security assets.
Third-party compromise is a lifecycle failure, not only a supplier risk. A vendor account, OAuth grant, or SaaS integration becomes dangerous when its access outlives the business context that justified it. That is a joiner-mover-leaver problem for non-human identities as much as for people. The control gap is lifecycle visibility across external access, not simply more monitoring.
Behavioral anomaly detection is becoming the decisive control layer. When attackers operate through legitimate workflows, the old assumption that malicious activity will look obviously malicious no longer holds. This is where context, relationship history, and sequence matter more than static indicators. Security teams need to govern how normal business communication behaves before they can spot the deviations.
AI is amplifying known techniques, not replacing them. The report’s finding that the median actor uses AI across 15 techniques suggests industrialisation, not novelty. That means defenders should expect faster execution of familiar playbooks rather than entirely new categories of threat. The implication is that existing controls must work against higher-volume, better-contextualised abuse.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- That confidence gap makes the Ultimate Guide to NHIs a useful next step for teams rebuilding their identity governance model.
What this signals
The DBIR reinforces a programme-level shift that many IAM teams are still underweighting: trust relationships need the same governance discipline as credentials. Once third-party access, OAuth grants, and human workflows become part of the attack path, identity programmes have to measure ownership, revocation, and behavioural drift together rather than in separate workstreams.
A practical concept emerging from this report is identity trust perimeter drift: the gap between where access was originally approved and where it can now be abused. As the number of external integrations grows, that drift becomes harder to see without dedicated lifecycle and workflow controls. Teams should expect more breaches to begin with legitimate access that was never fully revalidated.
For organisations maturing NHI governance, the signal is clear: the strongest controls will be the ones that tie external access, privileged identity, and anomaly detection into a single operating model. That is the difference between seeing isolated alerts and understanding how a breach actually unfolds across the identity stack.
For practitioners
- Unify vulnerability and identity remediation queues: track exposed assets, privileged accounts, OAuth grants, and vendor access in the same risk workflow so one finding cannot be remediated while the other remains exploitable.
- Inventory external trust paths end to end: map every SaaS integration, contractor account, and third-party OAuth connection to an owner, privilege scope, and revocation route, then review those relationships on a fixed cadence.
- Tune detection for workflow anomalies: prioritise signals such as unusual request timing, approval path changes, vendor impersonation patterns, and identity behaviour that deviates from established baselines.
- Shorten the exposure window for known exploited vulnerabilities: build operational SLAs that force rapid closure of KEVs on internet-facing systems and track exceptions separately from routine patch backlogs.
Key takeaways
- The 2026 DBIR shows that attackers are combining vulnerability exploitation, third-party access, and social engineering inside the same intrusion chain.
- The scale matters: 62% human involvement, 48% third-party compromise, and only 26% remediation of known exploited vulnerabilities show a widening exposure window.
- Security teams need to govern trust relationships, privileged access, and behaviour-based detection together if they want to shrink attacker dwell time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Third-party access and privileged relationships sit directly under access control governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The report highlights weak lifecycle control over external non-human access. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Zero Trust requires continuous verification when legitimate workflows can be abused. |
Audit third-party NHI entitlements against NHI-03 and remove access that no longer has a business owner.
Key terms
- Third-Party Compromise: A security incident in which an external supplier, SaaS platform, contractor, or integration becomes the path into a target environment. In identity programmes, the risk comes from delegated trust that can be abused at scale, especially when access is broad, persistent, or poorly reassessed.
- Behavioural Anomaly: A pattern of activity that deviates from how a user, account, vendor, or workflow normally behaves. In identity security, behavioural anomalies are valuable because they expose abuse even when messages, credentials, or access paths look legitimate on the surface.
- Known Exploited Vulnerability: A vulnerability that is actively being used in real attacks, not just disclosed or ranked as severe. For identity and security teams, KEVs matter because they compress the response window and often become the first step in a broader intrusion chain.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: analysis of the 2026 Verizon DBIR and breach trends. Read the original.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org