By NHI Mgmt Group Editorial Team | Published 2025-11-19 | Domain: Breaches & Incidents | Source: RSA Security

TL;DR: The share of organisations reporting an identity-related breach over the last three years rose to 69%, while 45% said their breach costs exceeded typical breach costs and 24% reported losses above $10 million, according to RSA Security’s 2026 RSA ID IQ Report. The data shows identity governance is failing at both prevention and containment, especially where help desk abuse and weak passwordless adoption intersect.


At a glance

What this is: RSA Security’s 2026 ID IQ Report says identity breaches, help desk bypass attacks, and costly incidents are rising across organisations.

Why it matters: Identity controls now shape resilience across NHI, autonomous, and human identity programmes, not just login security.

By the numbers:



Context

Identity security fails when access, recovery, and authentication controls are treated as separate problems. This report shows those boundaries are collapsing in practice: breach frequency is rising, help desk bypass is now a mainstream concern, and passwordless adoption is still not where many programmes expected it to be.

For IAM leaders, the message is not that one control failed, but that the operating model around identity is too weak for current attack pressure. When social engineering, authentication friction, and administrative recovery paths all become entry points, the entire identity programme becomes part of the threat surface.


Key questions

Q: How should security teams reduce help desk takeover risk in identity programmes?

A: They should treat support workflows as part of the identity perimeter. That means identity proofing, strong escalation checks, detailed logging, and restricted override rights for every reset or bypass. If the help desk can restore access too easily, attackers will target that route instead of the primary authentication flow.

Q: When do passwordless programmes fail to reduce identity risk?

A: They fail when organisations keep weak fallback and recovery paths. If users can still rely on low-friction resets, informal help desk exceptions, or poorly governed device recovery, attackers still have practical ways to obtain access. Passwordless only lowers risk when the entire access lifecycle is controlled.

Q: What do security teams get wrong about identity breach prevention?

A: They often focus on login security and ignore the recovery chain. Real attacks frequently exploit the people and processes that restore access, not the primary authentication factor. If those recovery controls remain under-governed, the organisation still has a high-risk identity bypass path.

Q: Who is accountable when help desk bypass leads to an identity breach?

A: Accountability should sit with both IAM governance and the operational teams that own recovery workflows. Identity recovery is a security control, not just a service task, so policy, training, approval paths, and audit evidence must be owned and reviewed like any other privileged access process.


Technical breakdown

Identity breach frequency and cost growth

Identity-related breaches are not just more visible; they are becoming more expensive because they sit on top of valid trust relationships. Once an attacker reaches identity infrastructure, they can often move through authentication, self-service recovery, and access provisioning without needing malware-heavy tradecraft. That is why the report links breach frequency with escalating costs. Cost grows when identity compromise affects multiple systems at once, forces broad resets, and disrupts both users and administrators. The practical question for practitioners is whether identity controls are limiting blast radius or simply recording compromise after the fact.

Practical implication: map identity failure paths to business impact, not just authentication events.

Help desk hijack as an identity control failure

Help desk attacks work because service teams are often allowed to override identity friction in the name of restoring access quickly. That creates a privileged recovery path that sits outside normal user authentication, and attackers target the human process rather than the technology stack. The report’s concern is not limited to one vendor or one sector. It reflects a broader governance weakness: recovery workflows are treated as operational support, even though they are high-risk identity controls. In mature IAM programmes, recovery is part of the security boundary, not a back-office exception.

Practical implication: put help desk recovery under the same governance, logging, and verification standards as privileged access.

Passwordless adoption is a governance problem, not just a rollout problem

Passwordless stalls when organisations focus on deployment mechanics but ignore the surrounding account lifecycle, device trust, and recovery design. If users can still fall back to weaker paths too easily, the programme never removes the attack surface it was meant to shrink. The report’s findings suggest that adoption barriers are as much about programme design as user preference. Passwordless only improves security when the fallback paths are controlled, the recovery rules are strict, and identity proofing is coherent across the full lifecycle.

Practical implication: govern fallback and recovery rules before measuring passwordless adoption as a success metric.


Threat narrative

Attacker objective: The attacker aims to gain trusted account access through identity support processes and then use that access to expand control and drive breach costs higher.

  1. Entry begins when attackers target the help desk or recovery process instead of the primary login screen, using social engineering to appear legitimate.
  2. Escalation occurs when the attacker persuades support staff to bypass identity checks, reset credentials, or approve access that should have remained gated.
  3. Impact follows when compromised identity controls allow account takeover, broader access abuse, and expensive breach response across the organisation.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity recovery has become a privileged access path, not an administrative afterthought. The report’s help desk findings show that attackers are now treating support workflows as the fastest route around primary authentication. That means the real governance boundary is no longer just the login page but the entire recovery process, including identity proofing, reset approval, and escalation handling. Practitioners should treat recovery controls as part of privileged access governance.

Help desk bypass is a control failure that exposes assumption debt in IAM programmes. The assumption that support staff can safely restore access on request was designed for lower-volume, lower-adversary conditions. That assumption fails when social engineering is targeted, repeatable, and able to turn human assistance into an attack primitive. The implication is that organisations must rethink where trust is placed in recovery chains, not simply add more checks.

Passwordless does not reduce risk if fallback paths remain weak. The report shows adoption pressure, but also persistent reliance on non-passwordless primary authentication and recovery routes. That tells us the attack surface has shifted rather than disappeared. Security teams should evaluate passwordless as a system of controls, not a single factor replacement, and measure whether legacy recovery paths still dominate real-world access outcomes.

Identity cost is now a governance metric, not just an incident metric. When nearly half of organisations say breach cost exceeds the typical benchmark, identity failures are affecting board-level risk, not only security operations. This strengthens the case for linking IAM controls to loss containment, recovery resilience, and auditability. Practitioners should manage identity as an economic exposure area, not an authentication utility.

AI adoption will widen the identity governance gap unless it is paired with stronger control design. The report’s high AI adoption intent matters because more AI in the stack means more machine identities, more integrations, and more support complexity. That does not make AI the root problem. It means identity programmes will face more surfaces where trust, support, and privilege intersect, and must be governed accordingly.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to our Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • That governance gap is why the Ultimate Guide to NHIs, Why NHI Security Matters Now, is the right next resource for teams rethinking identity risk.

What this signals

Identity support workflows are becoming a core control surface for IAM teams. The practical lesson for readers is that incident response now has to include help desk procedure review, escalation limits, and recovery-path monitoring. Programmes that still treat support as operationally separate from IAM will keep discovering that attackers do not respect that boundary. Use the 52 NHI Breaches Analysis to compare how access abuse and recovery misuse recur across incidents.

Help desk bypass creates a governance blind spot because it bypasses the ordinary evidence trail. Once an attacker wins support trust, the organisation may lose the clean authentication artefacts it normally depends on for detection and audit. Teams should expect to rework approvals, escalation logging, and review cadence so that recovery actions are observable, not merely possible. The Ultimate Guide to NHIs is useful where programmes need a lifecycle view of identity control failures.

Passwordless adoption will keep stalling if fallback identity paths remain soft. With 91% of organisations planning to implement AI in their tech stack this year, the surrounding identity environment is getting more complex, not less. That raises the value of a sharper control model for recovery, support, and privilege. Teams looking at this transition should pair it with the MITRE ATLAS adversarial AI threat matrix to anticipate how identity abuse and AI-enabled workflows may combine.


For practitioners

  • Treat help desk recovery as privileged access: Require strong identity proofing, approval logging, and escalation controls for every reset, override, and account recovery workflow. Remove informal exceptions that let support staff bypass verification during urgent cases.
  • Measure identity breach cost by control failure path: Track which identity paths most often lead to incident response, forced resets, or business disruption. Use those patterns to prioritise investment in recovery controls, access governance, and support workflow hardening.
  • Harden fallback paths for passwordless programmes: Review every alternate route that remains when passwordless is unavailable, including service desk resets, device recovery, and temporary bypasses. If those paths are weaker than the primary method, the programme still carries legacy risk.
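As an added example (not code from the RSA report or from this post), the policy check below treats a help desk credential reset like a privileged action: proofing requirements scale with account privilege, privileged resets need an independent approver and a ticket reference, and a review pass over constructed help desk records surfaces resets that were completed despite failing policy, the informal exceptions the first bullet says to remove. The field names, proofing methods, weights and sample records are all constructed assumptions.

```python
"""Gate and review help-desk account-recovery requests as privileged actions.
Added example, not from the RSA report or the NHI Mgmt Group post; field
names, proofing methods, weights and sample records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assurance each proofing method contributes (illustrative weights, not
# NIST SP 800-63 values); knowledge questions add nothing.
PROOFING_WEIGHT = {"callback_registered_phone": 1, "manager_confirmation": 1,
                   "live_video_id_check": 2, "knowledge_questions": 0}

@dataclass
class ResetRecord:
    account: str
    privileged: bool                 # admin, service or break-glass account
    proofing: List[str] = field(default_factory=list)
    approver: Optional[str] = None   # second person who approved the reset
    ticket: Optional[str] = None     # traceable reference for the audit trail
    agent: str = ""                  # help-desk agent who handled the request
    restored: bool = False           # what actually happened, per the log

def evaluate_reset(rec: ResetRecord) -> Dict[str, object]:
    """Policy decision: 'allow' only when proofing, approval and ticket
    requirements for the account's privilege level are all satisfied."""
    score = sum(PROOFING_WEIGHT.get(m, 0) for m in rec.proofing)
    needed = 2 if rec.privileged else 1   # privileged resets need more proof
    reasons = []
    if score < needed:
        reasons.append(f"proofing score {score} below required {needed}")
    if rec.privileged and (not rec.approver or rec.approver == rec.agent):
        reasons.append("privileged reset lacks an independent approver")
    if not rec.ticket:
        reasons.append("no ticket reference for the audit trail")
    return {"account": rec.account, "agent": rec.agent,
            "decision": "deny" if reasons else "allow", "reasons": reasons}

def find_overrides(records: List[ResetRecord]) -> List[str]:
    """Accounts restored although policy says deny: the informal exceptions
    a recovery-path review should surface and remove."""
    return [r.account for r in records
            if r.restored and evaluate_reset(r)["decision"] == "deny"]

# Constructed help-desk records standing in for a real ticketing export.
SAMPLE_LOG = [
    ResetRecord("jdoe", False, ["callback_registered_phone"], None, "INC-1001", "agent_a", True),
    ResetRecord("svc-backup-admin", True, ["knowledge_questions"], None, None, "agent_b", True),
    ResetRecord("ops-admin", True, ["live_video_id_check"], "lead_c", "INC-1007", "agent_a", True),
    ResetRecord("db-admin", True, ["live_video_id_check"], "agent_d", "INC-1010", "agent_d", False),
]
```

Running `find_overrides(SAMPLE_LOG)` against the constructed records returns only the service account that was restored on knowledge questions alone, with no approver and no ticket; the self-approved reset is denied by policy but does not count as an override because access was never restored.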

Key takeaways

  • Identity breaches are now a business cost problem as much as a security problem, because support workflows and recovery paths can be abused to reach privileged access.
  • The report’s strongest signal is that help desk bypass has moved from edge case to mainstream attack concern, which means recovery governance must be treated like privileged access governance.
  • Security teams should harden fallback paths, tighten proofing, and measure the real cost of identity failure paths rather than assuming passwordless or login controls solve the problem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-1             | Identity proofing and access pathways are central to help desk abuse risk.
NIST SP 800-63               |                     | Passwordless and recovery design depend on federation and authenticator assurance.
NIST Zero Trust (SP 800-207) | PR.AC-4             | Recovery workflows should follow least-privilege and continuous verification principles.

Tighten identity verification, escalation, and access restoration controls across all recovery workflows.


Key terms

  • Help Desk Bypass: A help desk bypass occurs when an attacker uses support or recovery processes to gain access without passing the normal authentication flow. It is a governance failure as much as a social engineering problem, because the organisation has allowed a secondary path to override stronger primary controls.
  • Passwordless Authentication: Passwordless authentication removes the need for a password as the primary login secret and relies on stronger authenticators such as device-bound keys or biometrics. Its security value depends on how well the organisation governs fallback, recovery, and account restoration paths across the full lifecycle.
  • Identity Recovery Workflow: An identity recovery workflow is the process used to restore access after lockout, lost credentials, or account compromise. In mature programmes, it is treated as a high-risk control boundary with proofing, logging, approvals, and review, not as a simple service task.
  • Identity Breach Cost: Identity breach cost is the total operational and business loss caused when compromised identity controls let attackers take over accounts or privileges. It includes response effort, downtime, resets, fraud exposure, and downstream disruption, making it a useful measure of governance failure.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by RSA Security: 2026 RSA ID IQ Report findings on identity breaches, help desk hijacks, and passwordless adoption. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org