By NHI Mgmt Group Editorial TeamPublished 2026-02-21Domain: Governance & RiskSource: Lumos

TL;DR: Identity-related security incidents have affected 96% of organisations, while 43.6% saw stolen credentials and 48.1% faced MFA fatigue attacks, underscoring how identity has become the main entry point for cyberattacks, according to Lumos. The real governance break is not visibility alone, but the fact that human IAM, NHI controls, and real-time detection are still being operated as separate problems rather than one identity security system.


At a glance

What this is: This is Lumos's 2026 identity risk report, and its central finding is that identity is now the most common entry point for cyberattacks.

Why it matters: It matters because IAM teams now have to manage human identity, NHI governance, and AI-assisted detection as one operating model instead of separate control silos.

By the numbers:

👉 Read Lumos's report on AI, automation, and identity risk in 2026


Context

Identity security now spans people, service accounts, tokens, and AI-driven workflows, and the control model fails when those subjects are treated separately. This report argues that identity-based attack paths have become the dominant entry point because attackers increasingly work through access, not exploitation.

For IAM teams, the issue is not just authentication friction. The report points to excessive privilege, invisible non-human identities, and weak real-time detection as the conditions that let identity incidents scale faster than governance programmes can keep up.


Key questions

Q: How should security teams reduce identity-related attack paths across users and machine identities?

A: Start by inventorying where identity is actually used, then remove standing privilege, dormant access, and overly broad service account entitlements. The goal is to reduce the number of valid paths an attacker can reuse, not just harden login screens. If identity is the entry point, governance has to focus on privilege scope, review quality, and detection speed.

Q: Why do service accounts and other NHIs increase identity breach risk?

A: Service accounts often retain access longer than the workflow that created them, and they are reviewed less consistently than human accounts. That makes them a persistent source of hidden privilege and a high-value target once credentials leak or are reused. In practice, NHIs increase breach risk when ownership, scope, and rotation are not tightly controlled.

Q: What do security teams get wrong about MFA fatigue attacks?

A: The common mistake is treating MFA fatigue as a user problem only. It is also a governance problem because repeated prompts exploit weak session controls, poor risk signalling, and overreliance on user judgement. Teams need stronger conditional checks, better prompt suppression logic, and faster anomaly detection around repeated approval attempts.

Q: Who is accountable when automated identity decisions cause a compliance issue?

A: Accountability stays with the organisation, not the automation. Security and IAM leaders need documented decision logic, reviewable evidence, and clear ownership for the policy behind every automated access outcome. If an automated workflow cannot be explained to auditors or control owners, it is not ready for high-trust identity operations.


Technical breakdown

Why identity has become the primary attack entry point

Identity has become the easiest way in because valid access is harder to distinguish from abuse than a traditional exploit. Stolen credentials, MFA fatigue, dormant access, and service account misuse all allow attackers to operate inside ordinary authentication and authorisation paths. That changes the defender's problem from blocking a perimeter breach to detecting legitimate-seeming activity that should not be happening. In practice, identity becomes the control plane for attack execution, not just the login surface.

Practical implication: treat identity telemetry as a primary detection source, not a secondary audit feed.

Permission creep and excessive privilege expand the blast radius

Permission creep occurs when accounts accumulate access beyond what the current role or workload requires. In human IAM this usually reflects weak recertification discipline, but in NHI environments it often means service accounts, API keys, and machine identities retain broad access long after the original use case changed. The result is an identity blast radius that turns a single credential compromise into lateral movement and wider data exposure. Least privilege only works when entitlement scope is actually kept current.

Practical implication: map standing privileges to actual task scope and remove surplus access before it compounds.

Why AI automation is being introduced into identity operations

The report's AI discussion is not about replacing governance, but about compensating for scale, speed, and review fatigue. Teams are struggling with real-time misuse detection, large identity populations, and manual access reviews that cannot keep up with identity churn. AI is being used where humans are too slow to triage anomalies, correlate weak signals, or maintain review quality across large estates. The technical question is whether automation can explain its decisions well enough to satisfy auditors and security owners.

Practical implication: require explainability and audit trails for any automated identity decisioning workflow.


Threat narrative

Attacker objective: The attacker aims to turn legitimate identity access into broad internal reach, data exposure, and operational disruption without triggering fast containment.

  1. Entry occurs through stolen credentials, MFA fatigue, or abused service account access that looks like normal identity activity at first glance.
  2. Escalation follows when permission creep or dormant access gives the attacker more privileges than the current user or workload should have.
  3. Impact comes from lateral movement, insider-style misuse, and delayed detection that lets the attacker operate before the organization notices the identity abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity is now the attack surface because access paths are easier to abuse than systems are to exploit. Lumos's findings point to a structural shift in attacker behaviour: credentials, MFA prompts, dormant accounts, and service accounts now do the work that malware once had to do. That means identity control quality determines whether the attacker needs to break in or can simply log in. Practitioners should treat identity as an execution path, not just an authentication layer.

Permission creep is an identity blast radius problem, not just a review hygiene problem. Once accounts accumulate more privilege than current work requires, every stolen credential becomes more valuable and every detection delay becomes more expensive. This is as true for human users as it is for NHIs, where long-lived access often outlasts the workflow that justified it. The practical conclusion is that entitlement drift must be managed as a live exposure issue, not a periodic cleanup task.

Invisible NHIs create governance debt because the organisation cannot secure what it cannot inventory. The report's 20:1 machine-to-human ratio is the warning sign, but the deeper issue is that machine identities frequently sit outside the disciplines applied to human access. When service accounts are untracked, over-privileged, or rarely reviewed, identity governance becomes partial by design. Practitioners should assume unmanaged NHIs are part of the attack surface until proven otherwise.

Automation is being asked to compensate for a governance model built for slower, smaller identity estates. The report shows strong interest in AI for triage and detection, but that does not remove the need for accountable decisions, clean data, and explainable review outcomes. The field is moving toward machine-assisted identity operations because manual governance no longer scales. Security teams should read that as a mandate to redesign operating models, not just add another tool.

Runtime identity detection is becoming the deciding control, because identity incidents now move faster than monthly or quarterly review cycles. Identity programmes that depend on scheduled review alone will continue to miss the window where abuse is actually happening. The field needs continuous visibility into who or what has access, what changed, and whether behaviour still matches the entitlement. Practitioners should measure success in minutes to detect and minutes to contain, not in review completion rates alone.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why hidden machine identities continue to evade governance and detection.
  • For a deeper breakdown of how hidden identities turn into breach paths, see The 52 NHI breaches Report.

What this signals

Identity blast radius: the real governance problem is not authentication volume but the amount of privilege that survives after the original use case has changed. When organisations cannot see service accounts clearly, the attack surface becomes durable rather than transient, and review cycles arrive after the damage window has already opened.

With 80% of identity breaches involving compromised non-human identities, teams should expect hidden machine accounts to remain part of every serious identity review. The programme question is no longer whether NHIs matter, but whether ownership, rotation, and offboarding are being enforced with the same rigour as human access.

For a broader control lens, map the problem to NIST AI Risk Management Framework governance expectations and the OWASP Top 10 for Agentic Applications 2026 where automation enters the identity workflow.


For practitioners

  • Collapse identity silos into one governance model Unify human IAM, NHI governance, and identity analytics so the same policy logic can track credentials, service accounts, and user behaviour across environments.
  • Reduce standing privilege before measuring anything else Prioritise accounts with excessive permissions, dormant access, and long-lived service credentials because they create the largest blast radius when compromised.
  • Move detection closer to runtime identity activity Instrument access logs, entitlement changes, and anomalous authentication events so identity misuse can be detected before lateral movement completes.
  • Require explainability for automated identity decisions Set a governance standard that every automated access review, triage, or denial can be traced back to a clear rule, signal, or decision path.

Key takeaways

  • Identity incidents are now a mainstream breach path, which means access governance is a front-line security control rather than a back-office process.
  • Hidden machine identities, standing privilege, and MFA fatigue together create a breach pattern that defenders still underestimate.
  • The practical response is tighter visibility, faster detection, and more accountable automation across both human and non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Hidden service accounts and API keys are central to this report's risk picture.
NIST CSF 2.0PR.AC-4Excess privilege and identity misuse map directly to access management and least-privilege control.
NIST Zero Trust (SP 800-207)PR.AC-1The report's identity-first attack paths align with continuous verification principles.

Inventory every NHI, assign ownership, and enforce lifecycle controls for credentials that outlive their use case.


Key terms

  • Permission creep: Permission creep is the gradual accumulation of access that exceeds what an identity currently needs to do its job. It usually happens through role changes, one-off exceptions, or neglected recertification, and it turns ordinary accounts into larger blast-radius targets when those accounts are abused.
  • Identity blast radius: Identity blast radius is the amount of damage an attacker can cause after compromising a single identity. The wider the standing privilege, the more systems, data, and workflows become reachable through that one account, credential, or token.
  • Non-human identity: A non-human identity is any machine- or workload-based identity used by software rather than a person. It includes service accounts, API keys, tokens, certificates, and similar credentials that often have long lifetimes, broad permissions, and weaker day-to-day oversight than human accounts.
  • Identity misuse detection: Identity misuse detection is the ability to spot when valid access is being used in ways that do not match normal behaviour or intended scope. It combines authentication telemetry, entitlement context, and activity patterns to identify abuse before it spreads across the environment.

What's in the full report

Lumos's full report covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown across CISO, CIO, CTO, and security leadership roles
  • Detailed percentages for identity review automation, detection priorities, and AI adoption maturity
  • The report's framing of permission creep, NHI visibility gaps, and real-time detection as linked operational problems
  • Additional context on how leaders think about AI-assisted identity triage and review workflows

👉 The full Lumos report adds the survey data, methodology, and identity risk breakdown behind these findings.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org