TL;DR: A global survey of more than 2,100 IAM, IT and security professionals found 69% of organisations experienced an identity-related breach in the last three years, 45% said breach costs exceeded IBM’s typical breach estimate, and 65% are now seriously concerned about help desk bypass attacks, according to RSA Security. The findings show identity governance is being outpaced by social engineering, service desk weakness, and stalled passwordless adoption.
At a glance
What this is: RSA Security’s 2026 ID IQ report shows identity breaches, help desk hijacks, and passwordless friction are converging into a broader IAM governance problem.
Why it matters: IAM teams need to treat service desk controls, authentication resilience, and identity lifecycle governance as connected parts of the same risk surface, not separate programmes.
By the numbers:
- 69% of organisations experienced an identity-related breach in the last three years
- 45% of organisations said that the cost of an identity-related breach exceeded the typical cost of a breach as defined by IBM
- 65% of organisations are seriously concerned about a help desk bypass attack
- 90% of organisations reported challenges in moving toward passwordless authentication
👉 Read RSA Security's 2026 ID IQ Report on identity breaches and help desk hijacks
Context
Identity governance is only as strong as the weakest operational pathway into accounts, and help desks have become one of the easiest places for attackers to force that weakness. In this report, RSA Security ties identity-related breaches, social engineering, and stalled passwordless adoption into one picture of programme fragility that spans human identity controls and access recovery workflows.
The report is not saying passwordless is failing outright. It is showing that many organisations are still trying to modernise authentication while leaving identity recovery, support verification, and account reset processes exposed to manipulation, which turns the service desk into a governance blind spot.
Key questions
Q: What breaks when help desk recovery can override identity assurance?
A: When support staff can reset access without strong verification, the help desk becomes an attack path rather than a safeguard. Attackers use social engineering to turn recovery workflows into account takeover. That failure usually appears first in the exception process, then in privileged access, and finally in downstream data exposure.
Q: Why do passwordless programmes still fail if recovery is weak?
A: Passwordless only reduces one class of credential risk. If users can still regain access through weak fallback channels, the attacker will target those channels instead. The programme then replaces password theft with recovery abuse, which leaves the identity control environment vulnerable wherever support or manual override exists.
Q: How do teams know whether service desk controls are actually working?
A: Look for evidence that recovery actions are rare, auditable, and independently verified. A healthy control environment shows low exception rates, strong approval discipline, and clear traceability for resets or unlocks. If staff rely on speed, informal judgment, or user pressure, the control is not working as intended.
Q: Who is accountable when an identity breach starts in the service desk?
A: Accountability sits with the organisation that owns the identity recovery workflow, not just the agent who handled the call. Security, IAM, and service operations all share responsibility for the control design. Frameworks such as Zero Trust and identity governance expect verification to be enforced across the full access lifecycle.
Technical breakdown
Help desk bypass as an identity attack path
Help desk bypass attacks exploit a simple reality: service desks are often trusted to reset credentials, recover access, and approve exception handling quickly. Attackers use social engineering to impersonate users, persuade agents, and move from conversation to account takeover without defeating the primary authentication stack. The failure is not only human error. It is a workflow design problem, because recovery processes frequently rely on knowledge checks, escalation habits, and inconsistent verification steps that are easy to game under pressure.
Practical implication: treat service desk recovery as a privileged access path and harden it with stronger identity proofing and approval controls.
Passwordless adoption and the recovery gap
Passwordless reduces reliance on reusable secrets, but it does not eliminate the need for fallback and recovery mechanisms. If organisations keep passwords, reset flows, or weak recovery channels as the back door, the attack surface remains. The report’s findings suggest many teams are modernising the front door without re-engineering the exits, which creates a mismatch between authentication ambition and operational reality. That mismatch is where identity abuse often lands.
Practical implication: assess recovery and fallback flows at the same level of scrutiny as the primary authentication experience.
Why identity breach cost keeps rising
Identity breaches are expensive because identity sits upstream of data access, cloud administration, and privileged workflows. Once an attacker has a foothold through a help desk, exposed credential, or weak recovery path, the blast radius can extend across systems that were never intended to be linked. Cost grows when containment depends on manual resets, broad credential revocation, and uncertain scoping of affected accounts. That is why breach frequency and breach cost often rise together when governance is reactive rather than lifecycle-driven.
Practical implication: build incident playbooks that can rapidly scope identity exposure and revoke access without depending on manual, account-by-account cleanup.
Threat narrative
Attacker objective: The objective is to convert support trust into authenticated access that can be used for account takeover and downstream compromise.
- Entry begins with social engineering against the IT help desk, where attackers impersonate legitimate users or staff to request recovery actions.
- Escalation happens when the attacker persuades the desk to reset credentials, bypass verification, or grant access that should have required stronger proofing.
- Impact follows when the attacker uses the newly granted access to reach accounts, systems, or data, turning a service desk workflow into an enterprise breach path.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Help desk trust is now a privileged access decision, not a support convenience. RSA Security’s findings show that the support workflow itself has become part of the attack surface, especially where recovery actions can override normal authentication assurance. That changes how identity teams should classify the service desk: not as an adjacent operations function, but as a control point that can authorize or expose accounts. Practitioners should treat service desk governance as a core identity risk domain.
Passwordless adoption is being constrained by the recovery problem, not by authentication theory. The report suggests many organisations understand the value of passwordless but have not resolved how users regain access when something goes wrong. That means the limiting factor is not the login method alone, but the surrounding identity lifecycle, assurance, and exception handling design. Teams that focus only on primary authentication will keep carrying legacy risk through the back door.
Identity-related breach cost is rising because identity remains the upstream control plane. Once identity is compromised, the attacker does not need to break every system separately. They inherit access pathways that already exist, which is why costs spike when recovery, revocation, and containment are slow or inconsistent. The lesson for practitioners is that identity governance must be measured by how quickly it can limit blast radius after a support-channel compromise.
Help desk bypass attacks expose a human IAM failure mode that most zero trust plans still underweight. Zero Trust assumes continuous verification, but many support processes still rely on trust shortcuts when users claim urgency or lost access. That creates a policy exception channel that attackers actively target. The practical conclusion is that verification rigor must extend into the support desk, not stop at the primary authentication layer.
Passwordless programmes need lifecycle-aware design, not just stronger authenticators. RSA Security’s report shows that organisations are still struggling to move users onto passwordless primary methods, which means fallback paths and recovery governance remain decisive. A passwordless strategy that does not redesign account recovery simply shifts the weak point. Practitioners should judge maturity by how well the programme controls failure, not only normal login success.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That gap is why lifecycle discipline matters across both human recovery paths and machine credentials, as described in 52 NHI Breaches Analysis.
What this signals
Help desk governance is becoming a frontline identity control, not a back-office support issue. As service desk bypass attacks gain attention, IAM leaders need to extend verification, approval, and audit requirements into recovery workflows that were historically treated as operational conveniences. The right response is to measure whether a support action can change access without independent assurance, because that is where attackers now concentrate effort.
With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, per Ultimate Guide to NHIs, identity risk is no longer confined to login events. The programme implication is that authentication, support recovery, and secrets hygiene need to be governed together. Teams that separate those domains will keep discovering the same failure pattern in different places.
Recovery design is the named gap here: support-channel assurance debt means the organisation has not paid down the trust it extends to help desk actions. That debt shows up when passwordless is rolled out faster than fallback controls are redesigned. Practitioners should assume attackers will probe the weakest supported recovery path first and align IAM, service management, and PAM controls accordingly.
For practitioners
- Harden help desk identity verification: Require stronger proofing for any reset, recovery, or exception request. Replace informal knowledge checks with documented verification steps, and restrict who can approve high-risk account actions.
- Separate support access from privileged approval: Make sure service desk agents can initiate recovery workflows but cannot complete high-risk changes without independent approval or step-up verification for the affected identity.
- Review fallback paths in passwordless programmes: Map every route a user can take when passwordless fails, including backup factors, recovery contacts, and manual overrides. Remove any path that is easier to abuse than the primary login.
- Measure identity containment speed: Track how quickly your team can identify affected identities, revoke access, and invalidate recovery pathways after a suspected support-channel compromise.
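The "how do teams know whether service desk controls are working" question above and the first two practitioner items describe the same control test: a recovery action should be independently verified, and a privileged change should carry a second approval that is not the handling agent. The following is an added example, not code from RSA Security or the NHIMG page, that runs that test over a constructed help desk recovery log; the event fields, the verification method names and the rule that knowledge checks do not count as strong proofing are assumptions for the example.

```python
"""Audit help desk account-recovery events against a simple control design.

Sample events are constructed for this example. Each event records the target
account, the handling agent, how the requester was verified, who (if anyone)
independently approved the change, and whether the target is privileged.
"""
from dataclasses import dataclass
from typing import Optional

# Verification methods treated as independent proofing (assumed names).
# Knowledge checks are excluded on purpose: they are the step attackers game.
STRONG_VERIFICATION = {"step_up_mfa", "manager_callback", "in_person"}


@dataclass(frozen=True)
class RecoveryEvent:
    ticket: str
    target_user: str
    agent: str
    verification: str           # e.g. "step_up_mfa", "knowledge_check", "none"
    approver: Optional[str]     # second person who approved, or None
    privileged: bool            # target account holds admin/privileged roles


def policy_violations(ev: RecoveryEvent) -> list:
    """Return why a recovery action fails the control design (empty = compliant)."""
    reasons = []
    if ev.verification not in STRONG_VERIFICATION:
        reasons.append("weak verification")
    if ev.privileged:
        if ev.approver is None:
            reasons.append("privileged reset without approval")
        elif ev.approver == ev.agent:
            reasons.append("agent self-approved")
    return reasons


def audit(events: list) -> dict:
    """Exception rate plus the non-compliant tickets, as a service desk control metric."""
    findings = {ev.ticket: policy_violations(ev) for ev in events}
    exceptions = {t: r for t, r in findings.items() if r}
    rate = len(exceptions) / len(events) if events else 0.0
    return {"total": len(events), "exception_rate": rate, "exceptions": exceptions}


# Constructed sample log: three tickets, two of which break the policy.
SAMPLE_EVENTS = [
    RecoveryEvent("T-1001", "alice", "agent7", "step_up_mfa", None, False),
    RecoveryEvent("T-1002", "bob.admin", "agent7", "knowledge_check", "agent7", True),
    RecoveryEvent("T-1003", "carol.admin", "agent3", "step_up_mfa", None, True),
]

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

A rising exception rate, or any privileged ticket approved by its own agent, is the signal that the desk is running on speed and informal judgment rather than on the control as designed.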
Key takeaways
- Identity breaches are rising because support workflows, not just logins, can be turned into access paths.
- The report’s numbers show the cost problem is now as serious as the frequency problem, especially where recovery and revocation lag behind compromise.
- Teams should harden service desk verification, redesign passwordless fallback, and measure how quickly identity exposure can be contained.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Help desk bypass attacks exploit weak identity verification and recovery pathways. |
| NIST CSF 2.0 | PR.AC-1 | Identity assurance and access control are central to support-channel compromise. |
| NIST SP 800-63 | Identity proofing and authentication assurance levels | Identity proofing and authentication assurance affect account recovery and reset flows. |
Apply step-up verification and least-privilege approvals to all account recovery actions.
Key terms
- Help Desk Bypass: A help desk bypass is an attack in which a threat actor manipulates support staff or support workflows to reset credentials, approve access, or override normal verification. It matters because recovery channels often carry enough trust to become a direct route into accounts and privileged systems.
- Passwordless Recovery Gap: The passwordless recovery gap is the weakness that appears when an organisation removes or reduces password reliance but leaves fallback access paths poorly designed. In practice, the user experience may improve while the attacker’s preferred route shifts to backup factors, manual overrides, or service desk recovery.
- Identity-related Breach: An identity-related breach is an incident where compromised authentication, access recovery, or identity governance enables unauthorised access to systems or data. The issue is broader than credential theft alone, because it includes abuse of support processes, permissions, reset flows, and identity lifecycle controls.
- Support-Channel Assurance: Support-channel assurance is the level of confidence that a service desk can verify a person’s identity before changing access or granting recovery. Strong assurance depends on consistent proofing, auditable approvals, and restricted exception handling, especially when support staff can affect privileged accounts.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Help Desk Hijacks & Soaring Costs: RSA ID IQ Report Unveils Top Identity Threats. Read the original.
Published by the NHIMG editorial team on 2025-10-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org