TL;DR: Identity-related breaches rose sharply in RSA’s 2026 ID IQ Report, with 69% of organisations affected in the last three years and 24% reporting breach costs above $10M, while 90% said passwordless adoption still faces challenges. The data shows identity governance, service desk controls, and recovery discipline are now board-level security issues, not narrow IAM concerns.
At a glance
What this is: RSA’s 2026 ID IQ Report says identity-related breaches, help desk hijacks, and passwordless adoption problems are all worsening.
Why it matters: It matters because IAM teams must treat identity as an enterprise attack surface across human, NHI, and governance workflows, not just an authentication layer.
By the numbers:
- 69% of organisations experienced an identity-related breach in the last three years.
- 24% of organisations said identity-related breach costs exceeded $10M.
- 90% of organisations reported challenges in moving toward passwordless authentication.
👉 Read RSA Security's 2026 ID IQ Report on identity breaches and help desk hijacks
Context
Identity security now fails in more than one place at once: authentication, help desk workflows, and recovery processes are all being targeted as entry points. In practice, that means the identity programme is no longer just a control plane for login, but a live attack surface that can be used to reach accounts, reset credentials, and move into privileged workflows.
RSA’s report is a broad signal for IAM leaders, because it ties together breach frequency, cost impact, and the operational friction slowing passwordless adoption. The core issue is not whether identity matters. It is whether current identity controls can absorb social engineering, support-channel abuse, and the governance gaps that follow when access fails at scale.
Key questions
Q: How should security teams defend against help desk hijacking in identity workflows?
A: They should treat the service desk as part of the identity perimeter. That means strong caller verification, step-up checks for access changes, strict approval for resets, and logging that ties every support action to a reviewed identity event. If the recovery path is easier to abuse than the login path, the identity programme remains exposed.
Q: Why do passwordless programmes stall even when organisations want stronger authentication?
A: They stall because passwordless removes the password but not the surrounding operational dependencies. Organisations still need enrolment, device replacement, recovery, exception handling, and support workflows. If those paths are weak, the programme shifts risk rather than reducing it, and attackers target the fallback instead of the primary factor.
Q: What breaks when identity recovery is easier than primary authentication?
A: The trust model breaks. Attackers stop trying to defeat the strongest control and instead target the process that can reissue access with less scrutiny. That creates a control gap where account takeover, credential reset abuse, and privilege changes become possible through support interactions rather than direct authentication attacks.
Q: Who is accountable when identity breaches originate in the service desk?
A: Accountability sits with identity governance, not only with the support team. IAM, security operations, and business owners all share responsibility for recovery controls, approval design, and auditability. If the programme allows access to be reset without strong proof, the breach reflects a governance failure as much as a procedural one.
Technical breakdown
Why help desk hijacks bypass identity assurance
Help desk hijacking works because service desk processes often sit outside the strongest authentication path. Attackers do not need to defeat MFA if they can persuade support staff to reset credentials, alter recovery factors, or approve access changes. That makes the support function part of the identity perimeter. In mature programmes, the service desk should be treated as an access-authorisation control, not a simple customer service layer. The key failure mode is trust transfer without strong verification, especially when the request is urgent, plausible, or tied to a senior user.
Practical implication: tighten identity proofing and step-up checks for every credential reset, recovery, and privilege change handled by the service desk.
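One way to make the logging requirement concrete (the "logging that ties every support action to a reviewed identity event" point in the key questions, and the step-up check called for in this breakdown). This is an added example, not code from RSA's report or from this site: every credential reset is matched to the ticket that authorised it, the proofing recorded on the ticket is checked against a minimum per action, privileged targets require two approvers, and a reset followed by a new MFA factor and a privileged sign-in from an unknown device inside one hour is flagged. The event schema, field names, verification scale, admin inventory and the log lines are all constructed for illustration.

```python
"""Tie service-desk actions to identity events and flag abuse patterns.

Added example; the JSON event schema, field names, verification scale,
admin inventory and sample log lines are all constructed, not a real product's.
"""
import json
from datetime import datetime, timedelta

# Constructed proof scale: how much identity proofing a ticket recorded (0 = none).
VERIFICATION_STRENGTH = {
    "none": 0,
    "security_questions": 1,            # knowledge-based, easily researched
    "callback_registered_number": 2,    # out-of-band to a number already on file
    "video_id_check": 3,                # live document check by the agent
}
# Minimum strength each support action needs (assumed policy, not from the report).
REQUIRED_STRENGTH = {"password_reset": 2, "mfa_reset": 3, "recovery_contact_change": 3}
PRIVILEGED_USERS = {"admin.carol"}      # constructed inventory of admin accounts
TAKEOVER_WINDOW = timedelta(hours=1)    # how long after a reset we look for follow-on events

# Constructed JSON-lines sample: one clean reset, one abused reset, one unticketed reset.
SAMPLE_LOG = """\
{"ts": "2025-11-10T09:00:00Z", "type": "ticket.opened", "ticket_id": "T-1001", "target_user": "alice", "action": "password_reset", "verification": "callback_registered_number", "approvals": 1}
{"ts": "2025-11-10T09:05:00Z", "type": "credential.reset", "target_user": "alice", "actor": "helpdesk.bob", "ticket_id": "T-1001"}
{"ts": "2025-11-10T09:30:00Z", "type": "login.success", "user": "alice", "device_id": "D-known-1", "known_device": true, "privileged": false}
{"ts": "2025-11-10T13:00:00Z", "type": "ticket.opened", "ticket_id": "T-1002", "target_user": "admin.carol", "action": "mfa_reset", "verification": "security_questions", "approvals": 1}
{"ts": "2025-11-10T13:02:00Z", "type": "credential.reset", "target_user": "admin.carol", "actor": "helpdesk.dave", "ticket_id": "T-1002"}
{"ts": "2025-11-10T13:04:00Z", "type": "mfa.factor_added", "user": "admin.carol", "ticket_id": "T-1002"}
{"ts": "2025-11-10T13:10:00Z", "type": "login.success", "user": "admin.carol", "device_id": "D-new-77", "known_device": false, "privileged": true}
{"ts": "2025-11-10T15:00:00Z", "type": "credential.reset", "target_user": "erin", "actor": "helpdesk.dave", "ticket_id": null}
"""


def parse_events(text):
    """Parse JSON lines and convert timestamps so events can be ordered and windowed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Return (rule, user, ticket_id) findings for every service-desk reset."""
    tickets = {e["ticket_id"]: e for e in events if e["type"] == "ticket.opened"}
    findings = []
    for e in events:
        if e["type"] != "credential.reset":
            continue
        user, tid = e["target_user"], e.get("ticket_id")
        # Rule 1: every reset must trace back to a ticket that recorded proofing.
        if tid is None or tid not in tickets:
            findings.append(("unticketed_reset", user, tid))
            continue
        ticket = tickets[tid]
        have = VERIFICATION_STRENGTH.get(ticket.get("verification"), 0)
        need = REQUIRED_STRENGTH.get(ticket["action"], 3)
        if user in PRIVILEGED_USERS:
            need = 3  # admins get the strongest proofing regardless of action
        # Rule 2: the proof recorded on the ticket meets the minimum for the action.
        if have < need:
            findings.append(("weak_verification", user, tid))
        # Rule 3: privileged resets need two approvers (dual control).
        if user in PRIVILEGED_USERS and ticket.get("approvals", 0) < 2:
            findings.append(("missing_dual_control", user, tid))
        # Rule 4: reset -> new factor -> privileged sign-in from an unknown device, inside the window.
        later = [x for x in events
                 if x.get("user") == user and e["ts"] < x["ts"] <= e["ts"] + TAKEOVER_WINDOW]
        new_factor = any(x["type"] == "mfa.factor_added" for x in later)
        new_device_priv = any(x["type"] == "login.success" and not x["known_device"] and x["privileged"]
                              for x in later)
        if new_factor and new_device_priv:
            findings.append(("takeover_pattern", user, tid))
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the clean reset for alice produces nothing, the admin reset on T-1002 trips all three of weak verification, missing dual control and the takeover sequence, and erin's reset is reported as unticketed. The point of rule 1 is that a reset the desk cannot tie to a ticket is itself the finding, regardless of who performed it.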
Why passwordless stalls even when organisations want it
Passwordless adoption stalls when organisations try to replace passwords without resolving recovery, device trust, exception handling, and account lifecycle dependencies. A passwordless workflow still needs a fallback path, and that fallback can become the weakest link if it is easier to abuse than the primary control. The report’s numbers suggest many organisations understand the goal but cannot yet remove the operational friction that comes with re-enrolment, device changes, and support escalation. Passwordless is therefore not just an authentication project. It is an identity lifecycle and support design problem.
Practical implication: map every recovery path and exception flow before expanding passwordless beyond pilot groups.
How breach cost turns identity governance into resilience work
Identity-related breaches become expensive because the compromised identity often unlocks multiple downstream systems, forcing wider containment, account resets, forensics, and business interruption. Once an identity is abused, the cost is not only the initial intrusion but the operational blast radius that follows. That is why the identity programme has to be measured by recovery speed and scope control, not only by login success rates. The more fragmented the identity stack, the more expensive each failure becomes.
Practical implication: build containment playbooks that limit blast radius across authentication, privileged access, and service desk recovery paths.
Threat narrative
Attacker objective: The attacker wants to turn trusted identity processes into an access path that unlocks broader account takeover and operational disruption.
- Entry begins with service desk bypass or social engineering, where the attacker convinces support staff to reset access or change recovery details.
- Escalation follows when the newly obtained access is used to take over the target identity, defeat normal authentication barriers, or reach adjacent systems.
- Impact lands in account takeover, breach expansion, and higher recovery costs as teams reset credentials, investigate exposure, and contain downstream compromise.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity assurance is now being defeated at the support layer, not only at the login layer. The report’s help desk findings show that organisations still treat service desk workflows as lower-risk than authentication, even though they can be used to reset trust itself. That mismatch matters because the attacker only needs one socially engineered support interaction to change the identity state of the account. Practitioners should treat support-channel verification as part of the control plane.
Passwordless adoption is being constrained by recovery design, not by the passwordless model itself. The report suggests organisations want stronger authentication but have not solved the exception handling that surrounds enrolment, device change, and fallback recovery. That is the real friction point. The programme problem is not primary login alone, but the operational trust chain that remains after the password disappears. Practitioners should evaluate passwordless as a full lifecycle design.
Identity-related breach cost is now a resilience metric, not just a security statistic. When 24% of organisations say costs exceed $10M, the issue is no longer whether identity incidents happen. It is whether the identity architecture limits blast radius before the breach becomes an enterprise event. That pushes identity governance into the same conversation as continuity, containment, and recovery. Practitioners should measure identity controls by how much business they spare when they fail.
Help desk bypass is a named governance gap, not a one-off fraud problem. The report shows a repeated failure mode: identity programmes that protect the primary factor but leave recovery and support paths easier to abuse. That pattern is visible across human identity governance and, by extension, any process that lets an operator reissue trust without enough proof. The implication is that recovery governance needs the same scrutiny as authentication governance.
Identity security is becoming an enterprise trust orchestration problem. The report connects breaches, support-channel abuse, and passwordless stagnation into one operational picture. Access is not failing in isolation. It is failing where people, processes, and recovery controls meet. Practitioners should stop evaluating identity controls as separate features and start evaluating them as one trust system.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to our Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot confidently inventory the assets they are expected to protect.
- For a broader view of how identity exposure turns into breach impact, see 52 NHI Breaches Analysis for repeated compromise patterns and control failures.
What this signals
Support-channel abuse is becoming the next identity boundary to harden. As passwordless rollouts expand, the real security question shifts to recovery, exception handling, and help desk assurance. Organisations that do not redesign those paths will simply move attack pressure from the password to the support workflow, where identity proofing is often weaker and less auditable.
Identity programmes should now be measured by blast-radius reduction, not just authentication success rates. When breach cost rises into eight figures, the control that matters most is the one that limits spread across accounts, resets, and downstream systems. The practical benchmark is whether a single identity event stays local or becomes an enterprise recovery exercise.
For teams building a stronger governance baseline, the Ultimate Guide to NHIs remains the clearest starting point for lifecycle, visibility, and offboarding discipline. It is especially relevant where recovery processes, service accounts, and shared trust pathways intersect with human support operations.
For practitioners
- Harden service desk identity proofing: Require stronger verification for password resets, MFA changes, recovery overrides, and privileged account support requests. Build approval logic that distinguishes routine tickets from access-changing events.
- Map every passwordless fallback path: Document what happens when a user loses a device, cannot complete enrolment, or needs emergency access. Remove weak recovery paths that are easier to social engineer than the primary control.
- Treat recovery flows as access controls: Review support and recovery workflows as if they were privileged administrative functions. Where staff can reset trust, they can create exposure, so apply logging, segmentation, and dual control.
- Measure containment by identity blast radius: Track how many accounts, systems, and business processes must be reset after an identity event. Use that measurement to prioritise controls that reduce spread, not just initial compromise.
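The "map every recovery path" advice, from the passwordless breakdown above and the fallback-path item in this list, can be done as a graph exercise rather than a spreadsheet. The following is an added example, not code from RSA's report or from this site: each authentication or recovery step is an edge with a constructed estimate of attacker effort, Dijkstra finds the cheapest route to a session, and the primary and recovery routes are compared. The states, labels and costs are assumptions chosen to illustrate the pattern where the help desk is the cheapest route in; a real model would take its edges and costs from the organisation's own flows.

```python
"""Find the cheapest path to a session across primary and recovery flows.

Added example. The states, edge labels and attacker-effort costs are constructed
estimates for illustration, not measurements from RSA's report.
"""
import heapq
from math import inf

# (from_state, to_state, label, cost). Cost = constructed estimate of attacker effort
# to complete the step (0 = automatic once the previous state is reached).
BASELINE = [
    ("anon", "session", "primary: FIDO2 passkey on an enrolled device", 5),
    ("anon", "desk_verified", "recovery: call service desk, answer security questions", 1),
    ("desk_verified", "temp_pass", "recovery: agent issues a temporary access pass", 0),
    ("temp_pass", "session", "recovery: enrol a new passkey with the temporary pass", 0),
    ("anon", "mail_link", "recovery: self-service link sent to the registered mailbox", 3),
    ("mail_link", "session", "recovery: re-enrol a passkey from the link", 0),
]

# Hardened variant: the desk step requires a live document check plus manager approval,
# and self-service mailbox recovery is removed for this population.
HARDENED = [e for e in BASELINE
            if e[0] != "mail_link" and e[1] != "mail_link" and e[1] != "desk_verified"] + [
    ("anon", "desk_verified", "recovery: video ID check plus manager approval at the desk", 5),
]


def weakest_path(edges, src="anon", dst="session"):
    """Dijkstra over the flow graph: the lowest-cost path is the one an attacker picks."""
    adj = {}
    for a, b, label, cost in edges:
        adj.setdefault(a, []).append((b, label, cost))
    best = {src: 0}
    heap = [(0, src, [])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if cost > best.get(node, inf):
            continue
        for b, label, c in adj.get(node, []):
            if cost + c < best.get(b, inf):
                best[b] = cost + c
                heapq.heappush(heap, (cost + c, b, path + [label]))
    return None


def weakest_by_kind(edges, kind):
    """Restrict to edges labelled 'primary:' or 'recovery:' and find their weakest path."""
    return weakest_path([e for e in edges if e[2].startswith(kind)])


def recovery_gap(edges):
    """True when some recovery path costs less to abuse than the primary factor."""
    primary = weakest_by_kind(edges, "primary:")
    recovery = weakest_by_kind(edges, "recovery:")
    return recovery[0] < primary[0], primary, recovery


if __name__ == "__main__":
    for name, graph in (("baseline", BASELINE), ("hardened", HARDENED)):
        gap, primary, recovery = recovery_gap(graph)
        print(name, "recovery weaker than primary:", gap)
        print("  primary ", primary)
        print("  recovery", recovery)
```

In the baseline the passkey costs 5 to defeat but the desk route costs 1, so the attacker never touches the passkey. After hardening, the cheapest recovery route costs as much as the primary factor and the gap closes. The numbers are invented; the method is the point: every recovery edge gets a cost, and the comparison that matters is the cheapest recovery route against the primary route, not the average.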
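The blast-radius measure described in the breach-cost breakdown above and in the containment item in this list can be computed from an entitlement graph. This is an added example, not code from RSA's report or from this site: group memberships, standing roles, owned service accounts, delegated reset rights and secrets are edges, a breadth-first search from the compromised identity yields the accounts to reset, secrets to rotate and systems to sweep, and a second run with standing roles removed shows what a control change buys. The graph, node names and relation types are constructed; a real run would load them from the directory, IdP and cloud IAM.

```python
"""Compute the identity blast radius of one compromised account.

Added example. The entitlement graph, node names and relation types are constructed
for illustration; a real run would load them from the directory, IdP and cloud IAM.
"""
from collections import deque

# (subject, relation, object). Anything reachable from the compromised node must be
# assumed reachable by the attacker and is therefore in scope for containment.
EDGES = [
    ("user:carol", "member_of", "group:cloud-admins"),
    ("group:cloud-admins", "standing_role", "role:aws-admin"),   # permanent, not JIT
    ("role:aws-admin", "can_access", "system:aws-prod"),
    ("user:carol", "member_of", "group:staff"),
    ("group:staff", "can_access", "system:wiki"),
    ("user:carol", "owns", "svc:ci-deploy"),                     # can rotate its credential
    ("svc:ci-deploy", "holds", "secret:deploy-key"),
    ("secret:deploy-key", "grants", "system:k8s-prod"),
    ("user:carol", "can_reset", "user:dave"),                    # delegated helpdesk right
    ("user:dave", "can_access", "system:payroll"),
]


def blast_radius(edges, start):
    """Breadth-first reachability from the compromised identity, grouped by node kind."""
    adj = {}
    for a, rel, b in edges:
        adj.setdefault(a, []).append((rel, b))
    seen, via, queue = {start}, {}, deque([start])
    while queue:
        node = queue.popleft()
        for rel, b in adj.get(node, []):
            if b not in seen:
                seen.add(b)
                via[b] = (node, rel)   # remember how we got there, for the explain() trail
                queue.append(b)

    def of_kind(prefix):
        return {n for n in seen if n.startswith(prefix + ":")}

    return {
        "start": start,
        "identities": (of_kind("user") | of_kind("svc")) - {start},  # accounts to reset
        "secrets": of_kind("secret"),                                 # secrets to rotate
        "systems": of_kind("system"),                                 # systems to sweep
        "via": via,
    }


def explain(result, node):
    """Trace the chain of entitlements from the start identity to a reachable node."""
    if node != result["start"] and node not in result["via"]:
        return []
    chain = [node]
    while chain[-1] != result["start"]:
        chain.append(result["via"][chain[-1]][0])
    return chain[::-1]


def without(edges, relation):
    """Model a control change, e.g. replacing standing roles with just-in-time elevation."""
    return [e for e in edges if e[1] != relation]


if __name__ == "__main__":
    before = blast_radius(EDGES, "user:carol")
    after = blast_radius(without(EDGES, "standing_role"), "user:carol")
    print("systems before:", sorted(before["systems"]))
    print("systems after :", sorted(after["systems"]))
    print("why k8s-prod  :", " -> ".join(explain(before, "system:k8s-prod")))
```

Two things the paragraph alone does not show: the radius includes identities the compromised account can reset (dave) and service accounts it owns (ci-deploy), so the reset list is longer than the one account that was hijacked; and the explain() trail names the edge to cut, which is what a containment playbook needs rather than a count.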
Key takeaways
- RSA’s report shows that identity failures are increasingly driven by support-channel abuse, passwordless friction, and breach recovery complexity.
- The scale of the problem is material, with 69% of organisations reporting identity breaches and 24% saying costs exceeded $10M.
- Security teams need to harden recovery workflows, not just authentication, if they want identity controls to survive real attacker pressure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST SP 800-207 (Zero Trust Architecture) supply the control references mapped below.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-03 (Identity Management, Authentication, and Access Control) | Managing identities and credentials, and authenticating users, cover the proofing and reset workflows that help desk hijacks abuse. |
| NIST SP 800-63 | SP 800-63B (authenticator binding and account recovery); SP 800-63A identity proofing (IAL2/IAL3) | Recovery must not reissue trust below the assurance of the factor being replaced; losing a multi-factor authenticator calls for re-proofing, not a lower-assurance reset. |
| NIST SP 800-207 | §2.1 tenets 3 and 6 (per-session access; dynamic, strictly enforced authentication and authorisation) | A support-initiated reset is a new access decision, so recovery and exception paths must be verified like any other session. |
Apply higher assurance to account recovery and administrative changes wherever identity is reissued.
Key terms
- Help Desk Hijacking: A support-process attack in which an adversary uses social engineering or workflow abuse to convince service staff to reset access, alter recovery factors, or approve changes. The technical weakness is not the login screen alone, but the identity trust that support staff are allowed to reissue.
- Passwordless Recovery Flow: The fallback path used when a user cannot complete passwordless authentication because a device is lost, enrolment fails, or account recovery is needed. In practice, this flow often becomes the easiest path to abuse if it is less controlled than the primary authentication method.
- Identity Blast Radius: The number of systems, accounts, and business operations affected when a single identity control fails. It is a practical measure of containment quality: it shows whether one compromised account stays local or becomes a wider enterprise recovery event.
- Identity Proofing: The process of verifying that a person is entitled to a requested identity action, such as account recovery or factor reset. Strong proofing raises the cost of impersonation, while weak proofing lets attackers convert human trust into access with very little resistance.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity programme maturity, it is worth exploring.
This post draws on content published by RSA Security: the 2026 RSA ID IQ Report. Read the original.
Published by the NHIMG editorial team on 2025-11-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org