By NHI Mgmt Group Editorial Team
Published 2026-02-02
Domain: Governance & Risk
Source: Omada Identity

TL;DR: Identity Governance and Administration reduces ransomware blast radius by exposing overprivileged human, partner, and non-human identities before attackers can abuse stolen credentials, according to Omada Identity’s analysis, which cites JLR, Marks & Spencer, Verizon DBIR, and Microsoft case patterns. The decisive issue is not malware sophistication but whether identity governance can keep access current enough to stop lateral movement.


At a glance

What this is: This analysis argues that IGA is the first line of defence against ransomware because visibility, entitlement review, and lifecycle control determine how far stolen credentials can travel.

Why it matters: It matters because identity teams must govern humans, contractors, and non-human identities as one attack surface if they want to reduce lateral movement and contain shutdown decisions.

By the numbers:



Context

Ransomware becomes an identity problem when attackers use valid credentials, overprivileged accounts, or third-party access to move through an environment without tripping conventional perimeter defences. In that model, the question is not just how the malware arrived, but how much access the compromised identity already had and how quickly governance teams could see it.

For identity programmes, the issue spans human users, contractors, partners, and non-human identities because each can widen the blast radius in different ways. IGA matters here because it is the control layer that shows who has access to what, which access is still justified, and where old privileges have accumulated beyond business need.


Key questions

Q: What breaks when ransomware attackers get valid credentials instead of exploiting a vulnerability?

A: When attackers authenticate with stolen credentials, perimeter controls lose most of their value because the session looks legitimate. The real failure is unchecked access scope. If the identity can reach production, backups, or identity systems, the attacker can move laterally, escalate impact, and force shutdown decisions before defenders fully understand the blast radius.

Q: Why do third-party identities increase ransomware risk so quickly?

A: Third-party identities often have access to internal systems but are reviewed less consistently than employee accounts. If they are overprivileged, time-unlimited, or poorly offboarded, a single compromised supplier or contractor credential can become a trusted path into critical applications. That is why partner lifecycle governance is part of ransomware defence, not a procurement side issue.

Q: How do organisations know if identity governance is actually reducing ransomware exposure?

A: The strongest indicator is not how many policies exist but how quickly teams can identify, certify, and revoke high-risk access across employees, partners, and non-human identities. If access reviews still take weeks and orphaned accounts remain active, the programme has visibility but not control. Effective governance shrinks reachable systems before an attack begins.
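To turn that indicator into something a team can measure, here is an added example (not code from Omada Identity or from the original page) that works over a constructed joiner-mover-leaver event log: it computes time-to-revoke after a leaver or contract-ended event per identity kind, lists identities whose access outlived the relationship, and flags machine secrets older than a rotation window. The event names, identities, dates, the flattened CSV shape and the 90-day rotation window are assumptions; a real run would read the IGA or HR-feed export instead.

```python
"""Lifecycle metrics from a constructed joiner-mover-leaver event log.
Added example, not code from Omada Identity or NHI Mgmt Group. Assumes an
IGA/HR-feed export flattened to one event per line:
timestamp,identity,kind,event. Names, dates and events are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

EVENTS_CSV = """\
2025-11-03T09:00:00,alice,human,leaver
2025-11-03T17:30:00,alice,human,access_revoked
2025-10-01T10:00:00,vendor-msp-01,partner,contract_ended
2025-09-15T08:00:00,svc-ad-sync,nhi,secret_issued
2025-12-20T12:00:00,bob-contractor,partner,contract_ended
2026-01-10T09:00:00,bob-contractor,partner,access_revoked
2025-01-12T08:00:00,svc-backup,nhi,secret_issued
2026-01-20T08:00:00,svc-backup,nhi,secret_rotated
"""

AS_OF = datetime(2026, 2, 2)            # matches the page's publication date

TERMINAL_EVENTS = {"leaver", "contract_ended"}   # business need ended here
REVOKE_EVENTS = {"access_revoked"}
SECRET_EVENTS = {"secret_issued", "secret_rotated"}


def parse_events(text):
    """Parse the flattened log and return events in time order."""
    rows = []
    for line in text.strip().splitlines():
        ts, ident, kind, event = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "id": ident,
                     "kind": kind, "event": event})
    return sorted(rows, key=lambda r: r["ts"])


def lifecycle_metrics(events, as_of, max_secret_age_days=90):
    """Median time-to-revoke per identity kind, leavers still holding access,
    and machine credentials older than the (assumed) rotation policy."""
    kinds, ended, revoked, last_secret = {}, {}, {}, {}
    for e in events:                    # time-ordered, so later entries win
        kinds[e["id"]] = e["kind"]
        if e["event"] in TERMINAL_EVENTS:
            ended.setdefault(e["id"], e["ts"])   # first end-of-need event
        elif e["event"] in REVOKE_EVENTS:
            revoked[e["id"]] = e["ts"]
        elif e["event"] in SECRET_EVENTS:
            last_secret[e["id"]] = e["ts"]

    lags = defaultdict(list)
    open_leavers = {}
    for ident, t_end in ended.items():
        t_rev = revoked.get(ident)
        if t_rev is None or t_rev < t_end:
            # Relationship ended but access was never (or not since) revoked:
            # an orphaned credential that is still valid today.
            open_leavers[ident] = (as_of - t_end).days
        else:
            lags[kinds[ident]].append((t_rev - t_end).total_seconds() / 86400)

    stale_secrets = {ident: (as_of - ts).days for ident, ts in last_secret.items()
                     if (as_of - ts).days > max_secret_age_days}
    return {"median_lag_days": {k: median(v) for k, v in lags.items()},
            "open_leavers": open_leavers,
            "stale_secrets": stale_secrets}


if __name__ == "__main__":
    m = lifecycle_metrics(parse_events(EVENTS_CSV), AS_OF)
    for kind, lag in m["median_lag_days"].items():
        print(f"median time-to-revoke ({kind}): {lag:.1f} days")
    print("leavers still holding access:", m["open_leavers"])
    print("secrets past rotation policy:", m["stale_secrets"])
```

The two numbers worth tracking over time are the partner median (here three weeks against a same-day human offboarding) and the open-leavers list: the supplier account has been valid for four months after its contract ended, which is exactly the visibility-without-control state the answer above describes.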

Q: Who is accountable when a compromised non-human identity causes major outage or data loss?

A: Accountability sits with the organisation that owns the identity lifecycle, not with the attacker or the infrastructure platform. If a service account has no owner, no expiry, and no review, then the governance gap is internal. Frameworks such as OWASP Non-Human Identity Top 10 and NIST CSF make clear that access ownership and review are operational obligations, not optional extras.


Technical breakdown

How stolen credentials turn into ransomware reach

Ransomware campaigns increasingly begin with valid credentials rather than technical exploitation. Once an attacker authenticates, the environment often trusts the session as legitimate, which lets the actor enumerate systems, harvest additional permissions, and move laterally using the same identity pathways employees use. This is why identity governance matters before malware ever runs. The breach path is usually credential abuse, not code execution, and the reach of the compromise is defined by entitlements, not by the malware itself.

Practical implication: map which credentials can reach production-critical systems and remove unnecessary standing access before an attacker uses it.

Why third-party and contractor access expands the blast radius

External identities create a governance problem because they often sit outside the strongest internal review cycles while still holding access into core systems. When a supplier account, service desk user, or contractor identity is overprivileged, it becomes a trusted path into internal applications, cloud consoles, and collaboration platforms. The issue is not that third parties exist. It is that many organisations do not govern them with the same lifecycle discipline, ownership clarity, and certification rigor applied to employees.

Practical implication: bring partner, supplier, and contractor access into the same review and offboarding process as internal identities.

Why non-human identities create hidden privilege pathways

Non-human identities such as service accounts, sync accounts, and automated credentials often have elevated permissions, weak ownership, and limited review. They are attractive to attackers because they can bridge on-premises and cloud systems, often without MFA or a human approver watching the session. When these identities are unmanaged, they can support lateral movement, data theft, infrastructure destruction, and shutdown decisions that look disproportionate to the original entry point.

Practical implication: inventory non-human identities, assign ownership, and treat them as governable accounts rather than background plumbing.


Threat narrative

Attacker objective: The attacker aims to convert trusted identity access into enterprise-wide disruption, ransom leverage, and operational shutdown.

  1. Entry occurred through stolen credentials harvested by infostealer malware or social engineering against third-party access, which gave attackers a trusted login rather than a noisy exploit.
  2. Escalation followed as attackers used valid accounts to move laterally through internal systems and, in some cases, target non-human identities with broad administrative reach.
  3. Impact came when ransomware deployment, data exfiltration, or infrastructure destruction forced business shutdowns, extended downtime, and expensive recovery decisions.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance is the control that decides whether ransomware becomes a contained incident or an enterprise shutdown. The article is right to frame IGA as a pre-breach control because valid access, not malware sophistication, is what determines how far attackers can move. That aligns with NIST Cybersecurity Framework 2.0, where access management and asset visibility are part of reducing attack surface. Practitioner conclusion: if identity teams cannot see and certify access quickly, they cannot contain ransomware surgically.

Third-party access without lifecycle offboarding is a governance failure, not a vendor problem. The Marks & Spencer pattern and the JLR reference both point to access that outlived business need or trust assumptions. The same failure mode shows up in supplier accounts, service desk resets, and partner credentials that remain valid after the relationship or role changes. Practitioner conclusion: external identities must be governed with the same lifecycle discipline as employees, or they become permanent entry points.

Non-human identities are the blind spot that makes blast radius unpredictable. When service accounts, sync accounts, and automation credentials hold administrative reach without strong ownership, the organisation cannot answer which systems are at risk if one is compromised. That is a classic NHI governance problem, covered in the OWASP Non-Human Identity Top 10 and the Ultimate Guide to NHIs. Practitioner conclusion: unmanaged machine identities should be treated as active exposure, not backend detail.

Blast radius is the named concept that matters here. The article shows that the decisive question is how far a compromised identity can move before detection, not merely how it got in. Identity programmes built around periodic review alone assume access changes slowly enough to be caught later, but ransomware actors exploit whatever remains valid now. Practitioner conclusion: governance must be measured by reachable systems, not just by account counts.

Continuous governance outperforms periodic review when access growth is faster than remediation. Access accumulates across directories, cloud platforms, SaaS applications, and partner systems faster than annual or quarterly certification cycles can correct it. The article’s argument matches the NHI Mgmt Group view that entitlement drift is operational risk, not just compliance drift. Practitioner conclusion: teams should focus on continuously reducing standing access and hidden privilege pathways.

From our research:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
  • For broader lifecycle context, NHI Lifecycle Management Guide explains how provisioning, rotation, and offboarding reduce standing exposure before attackers can exploit it.

What this signals

Blast radius management will become the practical measure of identity maturity for ransomware resilience. If your team cannot identify which accounts can touch production, backups, and admin consoles, then your response posture is still being set by guesswork. The operational goal is to remove unnecessary reach before the incident, not to improvise containment after it starts.

Third-party and machine identities now need the same governance rigor as employees because attackers no longer need to compromise a human endpoint first. Access certifications, ownership assignment, and lifecycle offboarding need to reach suppliers, contractors, and service accounts in one operating model, or your identity surface will continue to expand faster than your controls.

Identity-driven ransomware defence depends on continuously collapsing standing privilege. The NHI Mgmt Group view is that annual review cycles are too slow for environments where access accumulates across cloud and SaaS estates every day. Teams should expect governance tooling to surface orphaned, overprivileged, and externally owned identities as routine operational exceptions, not rare events.


For practitioners

  • Map the identities that can trigger shutdown decisions. Build a current view of which human, partner, and non-human identities can reach production, backups, and identity infrastructure. Use that map to prioritise which accounts must be reviewed or removed first when ransomware risk rises.
  • Bring third-party access into lifecycle control. Apply joiner-mover-leaver discipline to supplier, contractor, and service desk identities so access is revoked when the business relationship changes. Tie every external account to an owner, an expiry condition, and a re-certification path.
  • Inventory and own every non-human identity. Identify service accounts, sync accounts, automation credentials, and cloud admin identities, then assign a business owner and technical custodian to each one. Remove orphaned credentials and revoke anything that no longer maps to an active workload.
  • Reduce standing privilege before the next incident. Review which accounts retain broad permissions across cloud, SaaS, and on-prem systems and narrow them to the smallest reachable scope. Prioritise credentials that can access backups, identity systems, or administrative consoles because those expand ransomware impact fastest.
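The mapping and prioritisation steps in the list above (and the "map which credentials can reach production-critical systems" implication in the technical breakdown), as an added example that is not code from Omada Identity or NHI Mgmt Group: resolve nested group membership down to leaf entitlements, compute which critical systems each human, partner and non-human identity can actually reach, attach the lifecycle defects the page names (no owner, no expiry, expired, stale) and rank the result. The inventory, system names, criticality tags, scoring weights and the 90-day staleness threshold are constructed assumptions; in practice they would come from the IGA export and the CMDB.

```python
"""Blast-radius mapping over a constructed identity/entitlement inventory.
Added example, not code from Omada Identity or NHI Mgmt Group. Assumes a
simplified IGA export: identities hold grants; a grant is a leaf entitlement
(mapped to the systems it reaches) or a group that may nest other grants."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Systems whose compromise expands ransomware impact fastest (assumed tags).
CRITICAL_SYSTEMS = {"prod-db", "backup-vault", "idp-admin", "hypervisor"}

# Leaf entitlement -> systems it reaches (constructed).
ENTITLEMENT_SYSTEMS = {
    "prod-db-rw": {"prod-db"},
    "backup-operator": {"backup-vault"},
    "idp-global-admin": {"idp-admin", "prod-db", "backup-vault", "hypervisor"},
    "vcenter-admin": {"hypervisor"},
    "wiki-read": {"wiki"},
    "ticketing-agent": {"ticketing"},
}

# Group -> members (entitlements or other groups). grp-helpdesk-tier2 is the
# hidden path the page warns about: a service desk group inheriting global admin.
GROUP_MEMBERS = {
    "grp-infra-admins": {"idp-global-admin", "vcenter-admin"},
    "grp-helpdesk": {"ticketing-agent", "grp-helpdesk-tier2"},
    "grp-helpdesk-tier2": {"idp-global-admin"},
}

@dataclass
class Identity:
    name: str
    kind: str                  # "human", "partner" or "nhi"
    owner: str | None
    expires: date | None
    last_used: date | None
    grants: set[str] = field(default_factory=set)

def expand_grants(grants: set[str]) -> set[str]:
    """Resolve nested groups to leaf entitlements; tolerates group cycles."""
    leaves, seen, stack = set(), set(), list(grants)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        if g in GROUP_MEMBERS:
            stack.extend(GROUP_MEMBERS[g])
        elif g in ENTITLEMENT_SYSTEMS:
            leaves.add(g)
        # Grants in neither table are inventory gaps; they are skipped here,
        # not silently treated as harmless.
    return leaves

def reachable_systems(identity: Identity) -> set[str]:
    """Every system the identity reaches through its resolved entitlements."""
    systems: set[str] = set()
    for ent in expand_grants(identity.grants):
        systems |= ENTITLEMENT_SYSTEMS[ent]
    return systems

def governance_flags(identity: Identity, today: date, stale_days: int = 90) -> list[str]:
    """Lifecycle defects that make compromise likelier or containment slower."""
    flags = []
    if identity.owner is None:
        flags.append("no-owner")
    if identity.kind != "human" and identity.expires is None:
        flags.append("no-expiry")
    elif identity.expires is not None and identity.expires < today:
        flags.append("expired")
    if identity.last_used is None or (today - identity.last_used).days > stale_days:
        flags.append("stale")
    if identity.kind != "human" and reachable_systems(identity) & CRITICAL_SYSTEMS:
        flags.append("external-or-machine-critical-reach")
    return flags

def prioritise(identities: list[Identity], today: date) -> list[dict]:
    """Rank by critical reach first (weight 10), then by governance defects."""
    rows = []
    for ident in identities:
        critical = sorted(reachable_systems(ident) & CRITICAL_SYSTEMS)
        flags = governance_flags(ident, today)
        rows.append({"identity": ident.name, "kind": ident.kind,
                     "critical_reach": critical, "flags": flags,
                     "score": 10 * len(critical) + len(flags)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed inventory; TODAY matches the page's publication date.
TODAY = date(2026, 2, 2)
IDENTITIES = [
    Identity("alice", "human", "alice", None, date(2026, 2, 1), {"wiki-read", "prod-db-rw"}),
    Identity("vendor-msp-01", "partner", None, date(2025, 6, 30), date(2025, 10, 5), {"grp-helpdesk"}),
    Identity("svc-ad-sync", "nhi", None, None, date(2026, 1, 31), {"grp-infra-admins"}),
    Identity("bob-contractor", "partner", "pm-jane", date(2026, 3, 4), date(2026, 1, 30), {"wiki-read"}),
]

if __name__ == "__main__":
    for r in prioritise(IDENTITIES, TODAY):
        print(f"{r['score']:>3} {r['kind']:<7} {r['identity']:<15} "
              f"critical={r['critical_reach']} flags={r['flags']}")
```

The nested service desk group is the point of the exercise: the supplier account holds one grant and looks harmless by account count, yet it resolves to four critical systems, an expired relationship and no owner, so it lands at the top of the revocation queue ahead of the employee with direct production access.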

Key takeaways

  • Ransomware resilience now depends on identity governance because attackers are increasingly using valid credentials and ungoverned access paths rather than pure exploit chains.
  • The evidence from JLR, Marks & Spencer, Verizon DBIR, and cloud ransomware cases shows that third-party and non-human identities are major contributors to blast radius.
  • The most effective control is not just more review, but faster lifecycle governance that reduces standing privilege, removes orphaned accounts, and narrows reachable systems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorizations are managed and reviewed with least privilege and separation of duties; this was PR.AC-4 in CSF 1.1) | Access governance and least privilege directly shape ransomware blast radius.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding, NHI5:2025 Overprivileged NHI, NHI7:2025 Long-Lived Secrets | Lifecycle control, scoped permissions and credential rotation reduce exposure of service and sync accounts.
NIST Zero Trust (SP 800-207) | Zero trust tenets: per-session, least-privilege access decisions (the AC-6 Least Privilege control cited for this row belongs to NIST SP 800-53, not SP 800-207) | Zero Trust least privilege supports shrinking attacker reach after credential abuse.

Inventory non-human identities, assign owners, and rotate or revoke credentials that no longer have a business need.


Key terms

  • Identity Governance And Administration: Identity Governance and Administration is the control layer that shows who has access to what and whether that access is still justified. It combines visibility, approvals, certifications, and lifecycle actions so organisations can reduce standing privilege and remove access that no longer matches business need.
  • Blast Radius: Blast radius is the amount of damage a compromised identity can cause based on the systems, data, and administrative paths it can reach. In practice, it is shaped by access scope, ownership quality, and how quickly governance teams can revoke or narrow entitlements.
  • Non-Human Identity: A non-human identity is any machine or workload credential used by software rather than a person, including service accounts, tokens, API keys, and sync accounts. These identities often carry elevated permissions and need explicit ownership, review, and lifecycle control because attackers frequently target them as trusted access paths.
  • Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed for a specific task. It creates unnecessary exposure because a compromised identity inherits broad reach immediately, which is why privilege reduction and time-bounded access are central to ransomware resilience.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity or security programme, it is worth exploring.

This post draws on content published by Omada Identity: Before a Ransomware Attack: How IGA Shrinks Your Identity Attack Surface. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org