By NHI Mgmt Group Editorial Team
Published 2026-02-12
Domain: Governance & Risk
Source: Cyera

TL;DR: Dark Reading’s 2025 Incident Response Survey found that organisations are treating data breaches as increasingly inevitable, pushing many security programmes toward faster response and resilience across more than 20 industry sectors. The shift matters because identity governance, access containment, and recovery playbooks now have to work under breach assumptions rather than prevention-only models.


At a glance

What this is: Dark Reading’s 2025 Incident Response Survey shows enterprise IR is moving from prevention-centric planning toward faster response and resilience.

Why it matters: That shift matters to IAM, NHI, and autonomous-system teams because access governance now has to support containment, not just pre-breach control.

By the numbers:

👉 Read Cyera's report on the state of enterprise incident response in 2025


Context

Incident response is the discipline of detecting, containing, and recovering from a material security event when prevention has not held. Dark Reading’s survey points to a broader operating reality: many organisations now assume breaches will happen and are rebalancing security investment toward resilience.

For identity teams, that changes the job of IAM and NHI governance. Response planning can no longer focus only on human accounts and perimeter alerts, because service accounts, API tokens, and AI-driven access paths can widen the blast radius during the first minutes of an incident.


Key questions

Q: How should security teams prepare incident response for non-human identities?

A: Security teams should prepare incident response for non-human identities by grouping secrets, tokens, certificates, and service accounts into explicit containment tiers. The goal is to revoke the identities that can still move laterally fastest, then revalidate access before restoring services. That approach reduces blast radius and prevents compromised machine access from being trusted during recovery.

Q: Why do non-human identities make incident response harder?

A: Non-human identities make incident response harder because they often outlive sessions, bypass human review cycles, and can be reused across systems. If visibility is weak, responders cannot quickly tell which tokens, certificates, or service accounts still work. That creates a containment problem, not just a detection problem, especially in cloud and SaaS environments.

Q: What breaks when incident response does not include NHI governance?

A: When incident response does not include NHI governance, teams lose control over the credentials that attackers can replay after initial access. Service accounts, API keys, and machine certificates may remain valid even after the breach is detected, which extends the incident. Effective response must therefore include revocation, rotation, and ownership clarity for non-human access.

Q: Who is accountable when a compromised service account expands a breach?

A: Accountability sits across security operations, IAM, and the application or platform owner that depends on the service account. If no team owns revocation, rotation, and recovery validation, the credential becomes a persistent breach pathway. Frameworks such as NIST CSF and zero-trust models both expect clear access responsibility, especially when compromise affects business-critical systems.


Technical breakdown

Why incident response is becoming an identity problem

Incident response has always depended on knowing which identities can act, but modern environments make that question harder to answer. Human users, service accounts, API keys, certificates, and AI agents all create distinct access paths, and each path behaves differently under stress. When a breach starts, the first operational question is no longer just how to isolate a host. It is which identities can still authenticate, which secrets can still be replayed, and which privileges must be revoked before the incident spreads. That is why IR is increasingly tied to identity governance rather than only SOC workflows.

Practical implication: build incident playbooks around identity classes, not just systems, so responders can isolate the right credentials first.

Why prevention-centric controls do not contain breach spread

Prevention-centric designs assume the first control failure is also the last one. In practice, attackers often move from one exposed credential or over-privileged account into broader access long before traditional containment steps begin. That makes access scope, secret age, and delegation paths part of incident response readiness. The less visibility teams have into NHI sprawl, the harder it is to answer what is still trusted once a compromise is suspected. In other words, IR maturity is partly a visibility problem and partly a privilege-boundary problem.

Practical implication: inventory and segment non-human access so responders can revoke only the identities that expand breach reach.

How resilience changes the identity governance model

Resilience in incident response means limiting the business impact of compromise, not pretending compromise can always be prevented. For identity programmes, that shifts emphasis toward short-lived credentials, tighter privilege scope, and faster revocation paths for both human and machine identities. It also changes recovery sequencing, because restoring access too quickly can reintroduce compromised identities into the environment. A mature model therefore treats access reactivation as a controlled step in recovery, not an afterthought. That is especially important where service-to-service trust has accumulated over time.

Practical implication: align recovery runbooks with access revalidation so restored identities are checked before they are trusted again.


Threat narrative

Attacker objective: The objective is to turn one compromised identity into broader access and lasting operational impact before defenders can contain the incident.

  1. Entry begins when attackers exploit a breached account, exposed secret, or other initial access path that bypasses preventive controls.
  2. Escalation follows when the compromised identity has enough privilege to access additional systems, data, or delegated credentials.
  3. Impact occurs when the breach expands into material disruption, data exposure, or wider operational recovery work that incident response must contain.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.


NHI Mgmt Group analysis

Enterprise incident response is now an identity governance problem as much as a SOC problem. The survey’s core message is that organisations are designing for breach inevitability, which means response success depends on knowing which identities can still act when controls fail. That includes human accounts, service identities, secrets, and any delegated access path that can widen the blast radius. Practitioners should treat identity containment as a first-class IR capability.

Standing access is the failure mode that turns an incident into a multi-system event. When credentials, tokens, and certificates remain usable long enough to be replayed during response, containment becomes slower and more expensive. This is where non-human identity governance matters most: it determines whether an incident stops at the first credential or spreads through service-to-service trust. Practitioners should map which identity types can be revoked fastest under pressure.

Identity blast radius is the right named concept for this report’s findings. A breach is no longer measured only by whether an attacker entered, but by how many identities and privileges remain trusted after entry. The survey points to a market where resilience is replacing prevention as the practical target, because recovery now depends on shrinking the scope of trusted access. Practitioners should measure response maturity by how quickly they can collapse blast radius.

Incident response plans that ignore NHI lifecycle are incomplete by design. Service accounts, API keys, and machine certificates do not wait for human review cycles, so revocation and reissue processes must be operationally immediate. The report reinforces that breach readiness now depends on lifecycle control across both human and non-human identities. Practitioners should align IR, IAM, and NHI governance around a single containment model.

From our research:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
  • That breach reality is why The 52 NHI breaches Report is the natural next resource for understanding root causes and recurring failure patterns.

What this signals

Identity operations are now part of incident readiness, not just governance hygiene. As breach assumptions harden, teams will be judged on how fast they can collapse trust in compromised identities and rebuild it safely. The practical signal is clear: access revocation, secret rotation, and ownership mapping need to sit inside IR runbooks, not beside them.

The next maturity gap will be between organisations that can revalidate access during recovery and those that restore trust before containment is complete. That difference will show up first in service accounts, then in broader automation estates where access is shared and poorly attributed.

With 72% of organisations already experiencing or suspecting NHI compromise, the governance problem is no longer hypothetical. Teams that cannot trace machine identity ownership end up treating every breach as a full environment event, which slows recovery and raises operational cost.


For practitioners

  • Classify identities by containment priority: Group human accounts, service accounts, API keys, and certificates into separate IR revocation tiers so responders know which access paths to disable first. Use blast radius, not org chart ownership, to set priority.
  • Pre-stage identity revocation playbooks: Document the exact sequence for disabling high-risk credentials, rotating secrets, and invalidating delegated access before the incident has fully propagated. Make the runbook usable under pressure by assigning clear owners and fallback approvers.
  • Test recovery with access revalidation: Require every restoration step to confirm that the identity being brought back is still trusted, still scoped, and still needed. This is especially important for service accounts and long-lived tokens that can survive the original incident.
  • Measure response by trust collapse time: Track how quickly a suspected compromise can move from first detection to removal of usable access across human and non-human identities. If the answer is slow, your incident response process is still relying on prevention assumptions.
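As an added example (not part of this post or the Cyera report), the Python below models the four practices above and the containment-tier approach from the Key questions section: a blast-radius calculation over a constructed identity inventory, a revocation order set by reach rather than org chart ownership, a revalidation gate before a restored identity is trusted again, and a trust collapse time metric. The identity names, fields and restore checks are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                   # human | service_account | api_key | certificate
    owner: Optional[str]        # None: nobody owns revocation, rotation and recovery
    resources: frozenset        # systems or data this identity reaches directly
    delegates_to: frozenset = frozenset()  # identities it can act as or mint tokens for
    standing: bool = True       # True: no expiry, usable until someone revokes it

# Constructed sample inventory with hypothetical names (not from the report).
INVENTORY = {
    "alice": Identity("alice", "human", "it-ops", frozenset({"vpn"}), frozenset({"deploy-sa"}), False),
    "deploy-sa": Identity("deploy-sa", "service_account", "platform", frozenset({"k8s"}), frozenset({"db-cert"})),
    "db-cert": Identity("db-cert", "certificate", None, frozenset({"customer-db"})),
    "report-key": Identity("report-key", "api_key", "finance", frozenset({"bi-tool"}), standing=False),
}

def blast_radius(inv, name, seen=frozenset()):
    """Resources reachable from one identity through transitive delegation."""
    if name in seen:  # guard against delegation cycles
        return frozenset()
    reach = set(inv[name].resources)
    for nxt in inv[name].delegates_to:
        reach |= blast_radius(inv, nxt, seen | {name})
    return frozenset(reach)

def containment_order(inv):
    """Tier 1 first: widest blast radius, with standing access ahead of short-lived on ties."""
    return sorted(inv, key=lambda n: (-len(blast_radius(inv, n)), not inv[n].standing))

def revalidate_for_restore(ident, still_needed, rotated):
    """Gate before a restored identity is trusted again; returns the reasons that block it."""
    checks = [
        (ident.owner is None, "no accountable owner"),
        (not still_needed, "access no longer needed"),
        (ident.kind != "human" and ident.standing and not rotated, "standing machine credential not rotated"),
    ]
    return [reason for failed, reason in checks if failed]

def trust_collapse_seconds(detected_at, revoked_at):
    """Seconds from first detection until the last usable access was removed."""
    # revoked_at: name -> ISO 8601 timestamp, or None while that credential still works
    if any(ts is None for ts in revoked_at.values()):
        return None  # trust has not collapsed yet
    last = max(datetime.fromisoformat(ts) for ts in revoked_at.values())
    return (last - datetime.fromisoformat(detected_at)).total_seconds()
```

In the sample inventory the human account comes first in the revocation order because its delegation chain reaches the most systems, while the unowned standing certificate is blocked from restoration until an owner is assigned and it has been rotated.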

Key takeaways

  • The survey shows enterprise incident response is shifting toward resilience because breach inevitability is now the operating assumption.
  • Identity governance sits inside incident response once service accounts, tokens, and certificates can extend an attacker’s reach after initial compromise.
  • Teams that can revoke, rotate, and revalidate non-human access fastest will contain breaches with less business disruption.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | RS.RP-1             | Response planning is central to the survey's breach-resilience focus.
NIST Zero Trust (SP 800-207)     | PR.AC-4             | Least-privilege and access verification shape how breaches spread through identities.
OWASP Non-Human Identity Top 10  | NHI-03              | Credential lifecycle failures affect how fast compromised machine access can be revoked.

Use NHI-03 to tighten secret rotation and revocation paths for service accounts and tokens.


Key terms

  • Incident Response: Incident response is the set of actions used to detect, contain, investigate, and recover from a security event. In identity-heavy environments, it also includes revoking compromised accounts, invalidating secrets, and re-establishing trusted access without reintroducing the breach path.
  • Non-Human Identity: A non-human identity is any machine- or software-based credential used to authenticate and authorise access, such as a service account, token, API key, or certificate. These identities often persist longer than sessions and require lifecycle governance, ownership, and containment planning.
  • Identity Blast Radius: Identity blast radius is the amount of additional access, systems, and data an attacker can reach after compromising one identity. It is shaped by privilege scope, trust relationships, and how quickly credentials can be revoked or rotated during incident response.
  • Standing Access: Standing access is privilege that remains continuously available until someone removes it. For human and non-human identities alike, standing access increases the chance that a compromise will persist long enough to be reused, moved laterally, or embedded into recovery workflows.

Deepen your knowledge

Incident response for non-human identities is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are formalising breach containment across service accounts, API keys, and certificates, it is worth exploring.

This post draws on content published by Cyera: The State of Enterprise Incident Response Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org