By NHI Mgmt Group Editorial Team | Published 2025-12-10 | Domain: Breaches & Incidents | Source: RSA Security

TL;DR: 69% of global organisations experienced an identity-related breach in the last three years, while 65% are seriously concerned about service desk bypass attacks and 90% report challenges moving toward passwordless authentication, according to RSA Security’s 2026 ID IQ Report. The data shows identity programmes are still failing at the points where trust, recovery, and human workflow intersect.


At a glance

What this is: RSA Security’s 2026 ID IQ Report shows identity-related breaches, help desk bypass risk, and passwordless friction are all worsening at once.

Why it matters: For IAM teams, the report reinforces that identity risk now spans human authentication, service desk processes, and governance controls, not just login security.

By the numbers:

👉 Read RSA Security’s 2026 ID IQ report on identity breaches and help desk risk


Context

Identity security fails when organisations treat authentication, help desk recovery, and access governance as separate problems. In practice, attackers chain them together, using social engineering, account recovery, or weak identity workflows to move from a single point of trust to broader compromise.

RSA Security’s report is primarily about the gap between perceived identity maturity and operational reality. The findings matter because they show that human IAM, NHI governance, and support processes are all part of the same attack surface, especially when passwordless adoption stalls and service desk controls remain vulnerable.

The pattern is not isolated to one sector or one country. British organisations appear to be feeling the strain more sharply, but the underlying issue is broader: identity controls are being measured against threats they were not designed to absorb.


Key questions

Q: What breaks when service desk recovery is treated as routine support?

A: The recovery path becomes a privileged entry point for attackers who can impersonate legitimate users or manipulate support staff. When reset and verification steps are weaker than production authentication, the attacker does not need to beat the login system. They only need to convince the organisation to reissue trust on their behalf.

Q: Why do passwordless programmes still leave organisations exposed?

A: Passwordless reduces password dependence, but it does not remove recovery, enrolment, fallback, or exception handling. Those paths often remain more weakly governed than primary authentication, which gives attackers a way in even when the main login flow is stronger. A passwordless programme is incomplete if fallback identity is still easy to abuse.

Q: How can security teams tell whether help desk controls are actually working?

A: Look for verification quality, escalation rates, recovery approval consistency, and the number of resets that rely on manual overrides. If a small number of staff can bypass normal checks under pressure, the process is functioning as a convenience layer rather than an identity control.

Q: Who is accountable when identity-related breaches start in support workflows?

A: Accountability sits with both identity governance and service operations because recovery channels are part of the identity control surface. Frameworks such as NIST CSF and Zero Trust expect access decisions to be governed, logged, and reviewable, which includes the support processes that recreate access.


Technical breakdown

Why service desk bypass attacks succeed

Service desk bypass works because support processes often rely on partial identity verification, pre-existing knowledge, or procedural shortcuts under pressure. Attackers exploit that trust boundary by impersonating legitimate users, resetting credentials, or redirecting recovery steps. Once the help desk is convinced, the attacker inherits the same access path the real user would use. This is not a failure of authentication alone. It is a failure of identity recovery governance, where the control plane for restoring access becomes the easiest route to taking it over.

Practical implication: tighten recovery verification, not just login policy, and treat service desk workflows as privileged identity controls.
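The control the section above describes can be stated as a rule: a help desk may only reissue access when the verification it performed is at least as strong as the account's normal login, and a manual override can never quietly bridge that gap for a privileged account. The following Python is an added illustration of such a recovery-request gate; it is not code from the RSA report or from NHI Mgmt Group. The account tiers, the verification methods and their strength scores, and the override rules are assumptions chosen for the example.

```python
"""Recovery-request gate: a service desk reset is only approved when the
verification performed is at least as strong as the account's production login.

Added illustration. The tiers, method names, strength scores and override rules
below are assumptions for this example, not values from the RSA report or NIST.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed strength score per verification method (higher is stronger).
# Knowledge-based checks score lowest: the answers can be researched or phished.
VERIFICATION_STRENGTH = {
    "knowledge_questions": 1,
    "caller_id_match": 1,
    "callback_registered_phone": 2,
    "push_to_enrolled_device": 3,
    "in_person_id_check": 3,
}

# Assumed minimum strength per account tier: recovery must meet or exceed what
# the account's own login enforces, otherwise recovery is the weaker front door.
REQUIRED_STRENGTH = {"standard": 2, "privileged": 3}


@dataclass
class RecoveryRequest:
    account: str
    tier: str                        # "standard" or "privileged"
    methods: List[str]               # verification methods the agent completed
    override: bool = False           # agent invoked a manual override
    approver: Optional[str] = None   # second person who signed off the override


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: RecoveryRequest) -> Decision:
    """Decide whether the service desk may reissue access for this request."""
    required = REQUIRED_STRENGTH.get(req.tier)
    if required is None:
        return Decision(False, [f"unknown account tier {req.tier!r}"])
    unknown = [m for m in req.methods if m not in VERIFICATION_STRENGTH]
    if unknown:
        return Decision(False, [f"unrecognised verification method(s): {unknown}"])
    achieved = max((VERIFICATION_STRENGTH[m] for m in req.methods), default=0)

    # An override that nobody else approved is exactly the shortcut attackers rely on.
    if req.override and req.approver is None:
        return Decision(False, ["manual override recorded without a named second approver"])

    if achieved >= required:
        reasons = [f"verification strength {achieved} meets required {required}"]
        if req.override:
            reasons.append(f"override by {req.approver} was unnecessary; review the ticket")
        return Decision(True, reasons)

    shortfall = f"verification strength {achieved} below required {required}"
    # Privileged accounts have no override path at all: the attacker's prize is too large.
    if req.tier == "privileged":
        return Decision(False, [shortfall, "no override path exists for privileged accounts"])
    # A standard account may be recovered on an approved override, but it is audited.
    if req.override:
        return Decision(True, [shortfall, f"allowed only by approved override ({req.approver}); audit this ticket"])
    return Decision(False, [shortfall])


if __name__ == "__main__":
    # Constructed requests showing the gate in action.
    for r in (
        RecoveryRequest("j.doe", "standard", ["callback_registered_phone"]),
        RecoveryRequest("j.doe", "standard", ["knowledge_questions"]),
        RecoveryRequest("admin01", "privileged", ["callback_registered_phone"]),
        RecoveryRequest("j.doe", "standard", ["knowledge_questions"], override=True, approver="lead-1"),
        RecoveryRequest("admin01", "privileged", ["knowledge_questions"], override=True, approver="lead-1"),
    ):
        d = evaluate(r)
        print(f"{r.account:8} {r.tier:10} allowed={d.allowed} :: {'; '.join(d.reasons)}")
```

The point of keeping the decision and its reasons together is that every denied or override-approved ticket becomes reviewable evidence, which is what the "escalation rates" and "manual override" questions later in the article depend on.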

Why passwordless stalls despite strong intent

Passwordless programmes usually stall at the junction of enrolment, device readiness, fallback options, and user support. Even when organisations want to reduce password dependence, they still need recovery paths, exception handling, and compatibility across legacy systems. That creates a transitional period in which passwords remain the default escape hatch. The result is a programme that improves security in pockets but does not yet remove the systemic dependency attackers rely on. Passwordless fails when it is treated as an authentication feature rather than an end-to-end identity operating model.

Practical implication: map passwordless rollout against fallback and recovery controls, because those paths decide whether the migration actually reduces risk.

How breach costs rise when identity is the entry point

When identity is the first compromised layer, attackers often avoid noisy malware and go straight to account abuse, privilege escalation, and long-dwell exfiltration. That makes the breach more expensive because detection arrives late, containment is broader, and recovery touches more systems. The cost profile changes from one incident to a programme-level failure in identity assurance. In governance terms, the issue is not only incident severity. It is the fact that compromised identity creates downstream access that looks legitimate until the damage is already done.

Practical implication: track identity breach cost separately from generic breach metrics so you can justify stronger controls around access assurance and recovery.


Threat narrative

Attacker objective: The attacker wants to turn trusted identity processes into a shortcut for account takeover and broader organisational compromise.

  1. Entry begins with social engineering or help desk impersonation, where the attacker targets support workflows rather than the login page.
  2. Escalation follows when the attacker uses the service desk to reset credentials, bypass recovery checks, or obtain a fresh access path tied to a trusted identity.
  3. Impact arrives as account takeover, broader identity breach, and expensive remediation across systems that accepted the compromised identity as legitimate.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity recovery is now part of the control plane. The report shows that attackers do not need to defeat authentication if they can persuade the organisation to restore access for them. That shifts the problem from login security to recovery governance, where help desks, reset flows, and exception handling become privileged trust points. Practitioners should treat identity recovery as a high-risk access path, not an administrative afterthought.

Help desk bypass is a governance failure, not a user awareness issue. The article’s 65% concern figure is a warning that organisations recognise the threat, but concern alone does not harden the underlying process. The failure mode is predictable: support teams are asked to balance speed, usability, and trust, and the attacker exploits that trade-off. Security leaders need to reclassify service desk workflows as identity infrastructure with direct breach impact.

Passwordless stalled because fallback identity still exists. The report shows that 90% of organisations face challenges moving to passwordless, which means legacy recovery and exception paths continue to carry risk. The real issue is not whether passwordless is desirable. It is whether the organisation can eliminate the old trust model instead of simply layering a new one on top. Practitioners should measure the security of fallback paths as carefully as the primary login method.

Identity breach cost is becoming a board-level governance signal. When 45% of organisations say identity-related breaches cost more than a typical breach, identity is no longer a narrow IAM concern. It is a resilience and business continuity issue because the compromised object is the control that grants access everywhere else. Security leaders should use breach cost as evidence that identity assurance failures propagate faster and wider than traditional perimeter incidents.

The named concept here is recovery-channel privilege. Help desk processes often inherit more trust than production authentication controls, even though they can create the same access outcome. That assumption was designed for a world where humans and support staff were the only actors in the loop. It fails when the recovery channel itself becomes the attacker’s primary entry point, and practitioners must rethink which identity path is truly privileged.

From our research:

What this signals

Recovery-channel privilege: identity programmes should now treat help desk resets, fallback factors, and exception handling as part of the privileged access estate. If those paths are weaker than production authentication, the organisation has merely moved the breach surface, not reduced it.

With 69% of global organisations reporting an identity-related breach in the last three years, the issue is no longer whether identity fails. The question is whether governance teams can identify which path failed first and whether the evidence is good enough to change control design.

The next maturity step is to connect human IAM, service desk operations, and identity governance into one operating model, because attackers increasingly exploit the handoffs between them rather than any single control.


For practitioners

  • Reclassify help desk recovery as privileged access: Map password reset, MFA reset, and account recovery workflows into the privileged access model and apply stronger approval, verification, and audit requirements to each step.
  • Test support workflows with adversarial scenarios: Run social engineering exercises against service desk staff, including impersonation and recovery abuse, to identify where process speed overrides identity assurance.
  • Measure fallback-path risk during passwordless rollout: Track how often users depend on password-based exceptions, recovery codes, or manual overrides so the programme reflects real exposure rather than adoption claims.
  • Separate identity breach metrics from generic breach reporting: Report identity-related incidents, recovery abuse, and account takeover outcomes as their own category so governance teams can see where control failures originate.
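
The "how can security teams tell whether help desk controls are actually working" question earlier in the article and the measurement items in the list above both come down to the same evidence: a record of every reset the service desk performed, what verification backed it, and whether someone overrode the process. The following Python is an added example, not tooling from RSA Security or NHI Mgmt Group, that computes those indicators over a constructed export of reset tickets. The CSV layout, the classification of "weak" verification methods and "password fallback" actions, and the concentration threshold are assumptions for the example.

```python
"""Fallback-path and override metrics from a service desk reset export.

Added illustration. The log format, method and action names, and thresholds are
assumptions for this example; the records in SAMPLE_LOG are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample export: one row per identity reset handled by the desk.
SAMPLE_LOG = """ticket,ts,agent,tier,action,verification,override
T1001,2025-11-03T09:12,alice,standard,password_reset,callback_registered_phone,no
T1002,2025-11-03T09:40,bob,standard,mfa_reset,knowledge_questions,yes
T1003,2025-11-03T10:05,alice,privileged,password_reset,push_to_enrolled_device,no
T1004,2025-11-03T10:30,bob,standard,temp_password,knowledge_questions,yes
T1005,2025-11-04T08:15,carol,standard,passkey_reenrol,push_to_enrolled_device,no
T1006,2025-11-04T11:20,bob,privileged,mfa_reset,caller_id_match,yes
T1007,2025-11-05T14:02,alice,standard,recovery_code,knowledge_questions,no
T1008,2025-11-05T16:45,carol,standard,password_reset,callback_registered_phone,no
"""

# Assumed classifications: verification an attacker can research or spoof, and
# actions that hand out a password-based credential (the "escape hatch").
WEAK_VERIFICATION = {"knowledge_questions", "caller_id_match"}
PASSWORD_FALLBACK_ACTIONS = {"password_reset", "temp_password", "recovery_code"}


def parse_log(text):
    """Parse the CSV export into dicts; the override column becomes a bool."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["override"] = row["override"].strip().lower() == "yes"
    return rows


def compute_metrics(records):
    """Rates a governance team can trend: overrides, weak checks, password fallback."""
    total = len(records)
    if total == 0:
        return {"total_resets": 0, "override_rate": 0.0, "weak_verification_rate": 0.0,
                "privileged_weak_verification_rate": 0.0, "password_fallback_rate": 0.0}
    privileged = [r for r in records if r["tier"] == "privileged"]
    priv_weak = [r for r in privileged if r["verification"] in WEAK_VERIFICATION]
    return {
        "total_resets": total,
        "override_rate": sum(r["override"] for r in records) / total,
        "weak_verification_rate": sum(r["verification"] in WEAK_VERIFICATION for r in records) / total,
        "privileged_weak_verification_rate": len(priv_weak) / len(privileged) if privileged else 0.0,
        "password_fallback_rate": sum(r["action"] in PASSWORD_FALLBACK_ACTIONS for r in records) / total,
    }


def override_concentration(records, threshold=0.5):
    """Agents whose share of all manual overrides exceeds the threshold.

    A small number of staff routinely bypassing checks is the 'convenience
    layer' pattern the article warns about.
    """
    counts = Counter(r["agent"] for r in records if r["override"])
    total = sum(counts.values())
    if total == 0:
        return {}
    return {agent: n / total for agent, n in counts.items() if n / total > threshold}


def weak_privileged_resets(records):
    """Ticket ids where a privileged account was reset on weak verification."""
    return [r["ticket"] for r in records
            if r["tier"] == "privileged" and r["verification"] in WEAK_VERIFICATION]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, value in compute_metrics(recs).items():
        print(f"{name:36} {value}")
    print("override concentration:", override_concentration(recs))
    print("privileged resets on weak verification:", weak_privileged_resets(recs))
```

Reported as its own category, this output answers the article's question directly: the override rate and its concentration show whether checks are being bypassed and by whom, the privileged weak-verification list is the immediate review queue, and the password fallback rate is the honest measure of how far a passwordless rollout has actually moved the organisation.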

Key takeaways

  • Identity breaches are rising because attackers now target recovery, support, and trust workflows, not just primary authentication.
  • The report’s figures show that identity failures are both common and expensive, which makes recovery-channel governance a resilience issue, not a niche IAM problem.
  • Organisations should harden support workflows, measure fallback-path exposure, and treat service desk access as privileged identity infrastructure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity breaches and help desk abuse directly involve access control and authentication governance.
NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust requires continuous trust validation, including identity recovery paths.
NIST SP 800-63 | IAL/AAL/FAL | Passwordless migration and account recovery depend on identity assurance and authentication levels.

Review fallback and recovery steps against assurance requirements, not just primary login methods.


Key terms

  • Service Desk Bypass: A social engineering path that convinces support staff or recovery workflows to reissue access without the legitimate user proving control under the same conditions as normal login. It is dangerous because the recovery channel often inherits authority from the identity system it is meant to repair.
  • Passwordless Fallback Path: Any alternative route used when passwordless authentication cannot be completed, including reset codes, manual verification, temporary passwords, or help desk intervention. These paths matter because attackers often target the weakest recovery mechanism rather than the primary authentication method.
  • Recovery-Channel Privilege: The level of trust and authority granted to identity recovery processes, support staff, and exception handling workflows. In practice, these channels can recreate or override access, so they must be governed like privileged access rather than treated as ordinary administration.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by RSA Security: UK reports worse data breaches and greater concern for IT help desk risk in the 2026 RSA ID IQ Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org