TL;DR: The 2026 Verizon DBIR ties 67% of corporate-device AI use to non-corporate accounts, 39% of breaches to credentials, and 50% of ransomware victims to a prior infostealer or credential leak, which Verizon reads as evidence that identity events are repeatedly going unseen. The real problem is not just more attacks, but governance blind spots that leave identities untracked, unactioned, and effectively outside the control plane.
At a glance
What this is: The 2026 DBIR shows breaches are increasingly driven by identities security teams cannot see, from shadow AI accounts to compromised credentials and slow third-party remediation.
Why it matters: IAM teams need to treat identity observability as a control gap across NHI, autonomous, and human programmes because unseen identities are becoming the path from exposure to breach.
By the numbers:
- 67% of users are accessing AI services through non-corporate accounts on corporate devices.
- Credentials show up as a factor in 39% of all breaches tracked in the 2026 DBIR.
- 50% of ransomware victims had a confirmed infostealer or credential leak event in the 95 days prior to the ransomware deployment.
👉 Read AuthMind's analysis of the 2026 Verizon DBIR through an identity observability lens
Context
Identity observability is the ability to continuously see which identities exist, how they are used, and whether their behaviour matches the access they were given. The 2026 DBIR suggests that many breaches are not beginning with a missing security tool, but with identities that sit outside the organisation's governance and detection layers. Identity is the right lens for the report because it keeps returning to identity as the hidden route into compromise.
That matters for human, NHI, and autonomous programmes because each one fails differently when the identity layer is incomplete. Human users create shadow accounts, NHIs accumulate excess access, and autonomous systems multiply the number of identities that must be inventoried and reviewed. The common failure is not just weak authentication, but a control plane that cannot reliably tell which identities are active, trusted, or overdue for review.
Key questions
Q: How should security teams find identities they cannot currently see?
A: Start with continuous discovery across authentication logs, browser telemetry, DNS, egress, and directory data, then compare discovered identities with approved federation and lifecycle records. The goal is to surface accounts that exist in practice but not in governance. That is the only reliable way to reduce blind spots across human users, NHIs, and AI-adjacent accounts.
Q: Why do hidden identities increase breach risk so quickly?
A: Because an unseen identity cannot be recertified, revoked, or monitored in the normal governance cycle. That leaves exposed credentials, over-permissioned third parties, and unmanaged AI accounts active long enough for attackers to chain discovery, reuse, and lateral movement. The risk is not just access, but time spent outside control.
Q: What do security teams get wrong about shadow AI risk?
A: They often treat it as a data-loss problem and start with DLP alone. In practice, shadow AI is an identity problem first, because the account itself may be unmanaged, invisible to IAM, and excluded from offboarding. If the identity is not governed, content controls can only observe the symptom, not close the exposure.
Q: Who is accountable when third-party access stays active too long?
A: Accountability should sit with the business owner, the identity governance function, and the third-party risk owner together, because the failure is lifecycle control, not just technical access. If a vendor identity remains active after the relationship or scope changes, the organisation has allowed a known blast radius to persist. Ownership must force revocation.
Technical breakdown
Shadow AI accounts and identity visibility gaps
Shadow AI becomes an identity problem the moment users start authenticating to consumer AI services from corporate devices outside approved federation paths. Those accounts may be invisible to IAM, absent from SSO logs, and unreachable by lifecycle workflows, which means DLP alone cannot explain or control them. The technical issue is not simply data exfiltration. It is the creation of parallel identities that live outside the organisation's policy and audit fabric. Browser telemetry, DNS, egress, and authentication signals are the only practical way to discover them at scale.
Practical implication: teams need continuous identity discovery for unmanaged AI accounts, not just content inspection.
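The discovery step described in the key questions and in this section, as an added example that is not AuthMind's or NHIMG's code: observed AI-service logins from constructed browser/egress telemetry are reconciled against a constructed directory and federation list, and anything that exists in practice but not in governance is surfaced. The telemetry line format, the AI-domain watchlist and all names are assumptions.

```python
"""Surface AI-service logins that exist in practice but not in governance.
All data is constructed for this example; the line format, the AI-domain
watchlist and the account names are assumptions."""
import re
from dataclasses import dataclass

# Corporate directory (constructed): identities governance knows about.
DIRECTORY = {"alice@corp.example", "bob@corp.example"}
# Approved federation records (constructed): which SSO identity may reach which service.
FEDERATION = {("alice@corp.example", "ai-assistant.example")}
# AI-service domains the DNS/egress layer is asked to watch (constructed watchlist).
AI_DOMAINS = {"ai-assistant.example", "llm-chat.example"}

# Constructed browser/egress telemetry: device, its assigned owner, the account
# actually presented to the destination, and the authentication path used.
TELEMETRY = """\
2026-05-20T09:01:02Z device=LAPTOP-01 owner=alice@corp.example account=alice@corp.example dst=ai-assistant.example auth=sso
2026-05-20T09:15:44Z device=LAPTOP-02 owner=bob@corp.example account=bob.home@mail.example dst=ai-assistant.example auth=password
2026-05-20T10:02:10Z device=LAPTOP-01 owner=alice@corp.example account=alice@corp.example dst=llm-chat.example auth=password
2026-05-20T10:30:00Z device=LAPTOP-02 owner=bob@corp.example account=bob@corp.example dst=mail.corp.example auth=sso
"""
LINE_RE = re.compile(r"(\S+) device=(\S+) owner=(\S+) account=(\S+) dst=(\S+) auth=(\S+)")


@dataclass(frozen=True)
class Finding:
    owner: str    # human the device is assigned to (who to ask about the account)
    account: str  # identity actually presented to the AI service
    dst: str
    reason: str


def discover_ungoverned(telemetry: str = TELEMETRY) -> list:
    """Return AI-service logins that are outside directory or federation control."""
    findings = []
    for line in telemetry.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        _ts, _device, owner, account, dst, _auth = m.groups()
        if dst not in AI_DOMAINS:
            continue  # not an AI service; out of scope for this check
        if account not in DIRECTORY:
            # Personal/non-corporate account: invisible to IAM and to offboarding.
            findings.append(Finding(owner, account, dst, "non-corporate account on corporate device"))
        elif (account, dst) not in FEDERATION:
            # Corporate identity, but reaching the service outside approved SSO.
            findings.append(Finding(owner, account, dst, "corporate identity outside approved federation"))
    return findings
```

Each finding carries the device owner, so the account can be classified by owner, business purpose and data sensitivity rather than merely blocked.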
Credential events as a precursor to ransomware
The DBIR's infostealer-to-ransomware pattern shows that credential theft is often an enabling event rather than the final compromise. A leaked or harvested credential can remain active long enough for the attacker to test it, move laterally, and stage payload delivery without triggering an immediate incident response. That makes credential posture a time-sensitive control problem. The key technical challenge is correlating credential exposure, unusual authentication, and privilege use quickly enough to interrupt the chain before ransomware deployment begins.
Practical implication: correlate credential exposure with access telemetry in near real time so an exposed identity can be contained before ransomware follows.
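The correlation this section calls for, as an added example rather than code from the original post: constructed infostealer/leak notifications are joined to constructed authentication, privilege-change and containment events, giving each exposed identity its post-exposure activity and an exposure-to-action time. The event schema, the "contain" event name and all identities are assumptions.

```python
"""Correlate credential-exposure signals with identity telemetry and measure
exposure-to-action time. Events are constructed for this example; the event
schema and the "contain" action name are assumptions, not a product's API."""
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed infostealer / leak notifications: identity -> when it became risky.
EXPOSURES = {
    "svc-backup@corp.example": ts("2026-04-01T08:00:00"),
    "carol@corp.example": ts("2026-04-03T12:00:00"),
    "dave@corp.example": ts("2026-04-05T09:30:00"),
}
# Constructed identity telemetry: (time, identity, event kind, detail).
EVENTS = [
    (ts("2026-04-01T09:10:00"), "svc-backup@corp.example", "auth", "new_ip=203.0.113.9"),
    (ts("2026-04-02T02:40:00"), "svc-backup@corp.example", "privilege", "added_to=ServerAdmins"),
    (ts("2026-04-03T13:00:00"), "carol@corp.example", "auth", "ip=10.0.4.2"),
    (ts("2026-04-03T14:30:00"), "carol@corp.example", "contain", "password_reset+sessions_revoked"),
    (ts("2026-04-20T11:00:00"), "dave@corp.example", "auth", "new_ip=198.51.100.7"),
]


def exposure_report(exposures=EXPOSURES, events=EVENTS, now=ts("2026-04-30T00:00:00")):
    """Per exposed identity: activity after exposure and hours until containment (or now)."""
    report = {}
    for ident, exposed_at in exposures.items():
        after = sorted(e for e in events if e[1] == ident and e[0] >= exposed_at)
        contained = next((e[0] for e in after if e[2] == "contain"), None)
        window_end = contained or now  # open windows are measured up to 'now'
        activity = [e for e in after if e[0] < window_end and e[2] in ("auth", "privilege")]
        report[ident] = {
            "contained": contained is not None,
            "exposure_window_hours": round((window_end - exposed_at) / timedelta(hours=1), 1),
            "post_exposure_auths": sum(1 for e in activity if e[2] == "auth"),
            "privilege_changes": [e[3] for e in activity if e[2] == "privilege"],
        }
    return report


def open_exposures(report):
    """Identities still usable after exposure, longest-open window first."""
    return sorted((i for i, r in report.items() if not r["contained"]),
                  key=lambda i: -report[i]["exposure_window_hours"])
```

The output of `open_exposures` is the containment queue: identities that have authenticated or gained privilege since their exposure and have not yet been reset or revoked.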
Third-party identities and delayed privilege remediation
Third-party access becomes dangerous when the organisation can see the account but not its current legitimacy, scope, or expiration state. In practice, that means an access review can identify excessive permissions while the identity remains active for months because offboarding and revocation are not tied to the relationship lifecycle. The technical weakness is stale entitlement data combined with weak ownership boundaries. Once a vendor credential is over-permissioned, every delay in review extends the attack window and broadens the blast radius of that external identity.
Practical implication: tie third-party entitlements to ownership, expiry, and offboarding events so stale access cannot linger unnoticed.
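An added example, not the page's own code, of tying vendor identities to owner, expiry and offboarding events: a constructed third-party register and lifecycle event list are checked for access that is still active after it should have been revoked. The record fields, the event kinds and the 30-day remediation SLA are assumptions.

```python
"""Check third-party identities against ownership, expiry and offboarding events.
Register and events are constructed for this example; the field names and the
30-day remediation SLA are assumptions, not a standard's requirement."""
from datetime import date

# Constructed third-party identity register. owner=None means nobody is accountable.
REGISTER = [
    {"account": "svc-vendorA-sync", "vendor": "VendorA", "owner": "ops-lead@corp.example",
     "expires": date(2026, 3, 31), "active": True, "entitlements": ["read:crm", "write:crm"]},
    {"account": "svc-vendorB-etl", "vendor": "VendorB", "owner": None,
     "expires": date(2026, 12, 31), "active": True, "entitlements": ["admin:warehouse"]},
    {"account": "svc-vendorC-api", "vendor": "VendorC", "owner": "it-lead@corp.example",
     "expires": date(2026, 12, 31), "active": True, "entitlements": ["read:tickets"]},
    {"account": "svc-vendorD-old", "vendor": "VendorD", "owner": "it-lead@corp.example",
     "expires": date(2026, 12, 31), "active": False, "entitlements": ["read:tickets"]},
]
# Constructed lifecycle events: (date, kind, subject, detail).
EVENTS = [
    (date(2026, 2, 15), "contract_ended", "VendorC", ""),
    (date(2026, 3, 1), "review_flagged", "svc-vendorB-etl", "admin:warehouse exceeds scope"),
]
REMEDIATION_SLA_DAYS = 30


def stale_third_party_access(register=REGISTER, events=EVENTS, today=date(2026, 5, 26)):
    """Return (account, reason, days_lingering) for active vendor identities outside lifecycle control."""
    ended = {subj: d for d, kind, subj, _ in events if kind == "contract_ended"}
    flagged = {subj: d for d, kind, subj, _ in events if kind == "review_flagged"}
    findings = []
    for rec in register:
        if not rec["active"]:
            continue  # already revoked; nothing lingering
        acct = rec["account"]
        if rec["owner"] is None:
            findings.append((acct, "no accountable owner", None))
        if rec["expires"] < today:
            findings.append((acct, "expired but still active", (today - rec["expires"]).days))
        if rec["vendor"] in ended:
            findings.append((acct, "vendor relationship ended", (today - ended[rec["vendor"]]).days))
        if acct in flagged and (today - flagged[acct]).days > REMEDIATION_SLA_DAYS:
            findings.append((acct, "over-permissioned past remediation SLA", (today - flagged[acct]).days))
    return findings
```

The days_lingering value is the blast-radius clock the section describes: how long a known-stale external identity has stayed usable after the event that should have ended it.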
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: a supply chain attack on the reviewdog/action-setup GitHub Action exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity observability is the missing governance layer in the 2026 DBIR. The report's findings are not separate stories about shadow AI, credentials, third parties, and ransomware. They are one pattern: identities are being created, used, and abused faster than governance can see them. When the control plane cannot inventory the identity, it cannot reliably certify it, revoke it, or detect misuse. The practitioner implication is that visibility is now a precondition for every other identity control.
Shadow AI is not just a DLP problem; it is an unmanaged identity problem. The moment a worker uses a personal AI account on a corporate device, the organisation has an identity it did not provision and cannot manage through a lifecycle. That account may also fall outside federation, logging, and recertification, which means the risk is not only exfiltration but governance drift. The implication is that human IAM and NHI governance are converging around the same visibility failure.
Identity observability closes the gap between exposure and action. The DBIR's 39% credential factor and the 50% infostealer-to-ransomware linkage show that security teams often receive identity signals too late or not in a usable form. This is exactly where the NIST CSF Identify and Detect functions need to meet NHI governance, because a known exposed identity that remains active is no longer a discovery problem; it is a control failure. The practitioner implication is to treat exposure-to-action time as a core security metric.
Third-party access without lifecycle accountability is a standing blast-radius problem. The report's delayed remediation findings show that organisations can know a vendor account is over-permissioned and still leave it active far too long. That means the failure is not simply missing review, but an accountability model that does not force timely revocation when the relationship changes. The practitioner implication is that third-party access must be governed as a living identity relationship, not a periodic audit item.
Machine accounts will inherit the same visibility gap as AI adoption scales. Verizon's warning about service and machine accounts in an agentic future is a category signal, not a niche prediction. Every AI integration creates non-human identities, and many are provisioned before ownership, scope, and retirement are clear. That makes the OWASP Non-Human Identity Top 10 and NIST Zero Trust (SP 800-207) directly relevant: the field is moving toward more identities, less human oversight, and shorter tolerance for blind trust. The practitioner implication is to inventory machine identities before the volume outpaces governance.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to our Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That remediation gap is why identity observability must connect discovery, ownership, and lifecycle controls, as outlined in our 52 NHI Breaches Analysis.
What this signals
Identity observability is becoming the practical boundary between discovery and governance. As AI adoption spreads, teams will need a single view of human, NHI, and unmanaged AI accounts before they can decide what is approved, what is risky, and what should be removed. The organisations that can answer which identities exist outside the governance fabric will move faster than those still reconciling quarterly exports.
The near-term signal for practitioners is that identity reviews will have to become continuous rather than periodic. If a credential exposure can remain valid long enough to become a ransomware event, then exposure-to-action time is now a board-level metric for identity programmes. That shifts the programme from inventory maintenance to active risk containment.
For practitioners
- Map unmanaged AI accounts on corporate devices: use browser, DNS, and egress telemetry to identify personal AI accounts operating outside approved SSO paths, then classify each one by owner, business purpose, and data sensitivity.
- Correlate credential exposure with active identity risk: link infostealer and credential leak signals to authentication logs, privilege changes, and lateral movement indicators so exposed identities can be contained before they are reused.
- Shorten third-party remediation loops: tie vendor accounts to explicit owners, expiry dates, and offboarding triggers so excessive permissions cannot remain active for months after they are identified.
- Inventory machine identities before agentic scale arrives: create a current register of service accounts, API keys, tokens, and certificates, then assign each identity to a business owner and a retirement path before AI deployments expand the population.
Key takeaways
- The 2026 DBIR frames identity visibility, not just access control, as the common weakness behind shadow AI, credential abuse, and third-party drift.
- The evidence is directional and practical: hidden or stale identities are staying live long enough for attackers to convert exposure into lateral movement and ransomware.
- Security teams should treat continuous identity discovery and rapid lifecycle action as core controls, not as supporting hygiene.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity discovery and lifecycle gaps map to unmanaged non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | The post centers on access governance and visibility across active identities. |
| NIST Zero Trust (SP 800-207) | SC-4 | Zero trust depends on continuous verification of identities that the report shows are often unseen. |
Inventory all NHIs, then enforce ownership and rotation for identities that lack clear accountability.
Key terms
- Identity Observability: Identity observability is the ability to continuously discover, correlate, and monitor identities across systems so governance can act on what is actually happening. In NHI and human IAM programmes, it means seeing who or what exists, how access is used, and when behaviour drifts outside approved boundaries.
- Shadow AI: Shadow AI is the use of AI services or agentic tools outside approved governance, often through personal accounts or unsanctioned integrations. It creates identity risk because the account may be authenticated but still invisible to inventory, policy, logging, and offboarding processes.
- Third-Party Identity: A third-party identity is an account, token, or credential used by an external partner, supplier, or contractor to access your environment. It is governed by the same lifecycle discipline as any other identity, but accountability is shared and the blast radius can persist if offboarding is slow.
- Identity Exposure Window: An identity exposure window is the period between when a credential or account becomes risky and when governance actually removes or contains it. The longer that window stays open, the more likely attackers can reuse the identity, escalate access, or turn a leak into a breach.
Deepen your knowledge
Identity observability, NHI discovery, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme that must track hidden identities across human and machine use cases, it is worth exploring.
This post draws on content published by AuthMind: analysis of the 2026 Verizon DBIR through an identity observability lens. Read the original.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org