TL;DR: Recent identity risk research shows that 97% of organisations struggle with identity verification, while only 45% use MFA to verify users and 93% report multiple identity-related breaches in the last year, according to cited industry reports. Identity security is no longer a support function; it is a core breach-control problem.
At a glance
What this is: This is an independent analysis of a wave of identity security reports, showing that identity verification gaps, weak MFA adoption, and NHI over-privilege are driving a broader breach problem.
Why it matters: It matters because IAM teams must treat identity risk as a cross-domain issue spanning human authentication, NHI governance, and the controls that stop credential abuse before it becomes lateral movement.
By the numbers:
- 97% of organizations are challenged by identity verification.
- Only 45% are using multifactor authentication to verify the identity of users.
- 93% of organizations had two or more identity-related breaches in the last year.
👉 Read Axiad's analysis of the identity risk reports shaping current security priorities
Context
Identity risk is the gap between who or what a system thinks is trusted and what actually deserves access. In this article, the primary issue is not a single product or framework but the accumulation of evidence that identity controls are underperforming across human authentication, NHI exposure, and breach prevention. That makes identity security a programme-level governance problem, not a point control issue.
The article brings together multiple survey findings to argue that identity has become one of the biggest breach drivers for CISOs. It also shows that NHI exposure, credential reuse, and weak verification are now part of the same operational picture. For practitioners, the typical starting position is already behind the threat curve.
Key questions
Q: How should security teams reduce identity risk across human and machine identities?
A: Start by separating verification quality from verification coverage. Human identities need phishing-resistant MFA and hardened recovery paths, while NHIs need inventory, least privilege, rotation, and offboarding discipline. The goal is not more controls on paper. It is reducing the number of ways an attacker can turn a single credential into broader access.
Q: Why do excessive NHI privileges increase breach impact?
A: Because attackers rarely need root access if an NHI already has more permission than its workload requires. Excessive privilege turns a single compromised key, token, or service account into lateral movement, data access, or infrastructure control. The risk grows further when those identities are externally exposed or not rotated on schedule.
Q: How do teams know if identity controls are actually working?
A: Look at reduction in identity-related incidents, time to revoke compromised access, and the percentage of privileged accounts protected by phishing-resistant methods. For NHIs, also measure how many identities are inventoried, rotated, and offboarded on time. If those indicators do not improve, the programme is absorbing effort without shrinking exposure.
Q: Who should own identity risk when it spans users, NHIs, and third parties?
A: Identity risk should be owned jointly by security, IAM, and application or platform teams, but governed centrally so controls are consistent. When third-party access, machine identities, and human authentication are managed in separate silos, attackers exploit the seams. Central accountability with distributed execution is the right model.
Technical breakdown
Why identity verification fails at scale
Identity verification fails when organisations rely on signals that are easy to capture, replay, or phish. That includes weak MFA deployments, password-based recovery paths, and identity checks that are not bound to device, session, or transaction context. The result is not just authentication failure, but a trust gap that attackers can exploit at the edge of access. In practice, the issue is less about whether MFA exists and more about whether it is phishing-resistant and operationally enforced across the full population.
Practical implication: move from generic MFA coverage to phishing-resistant verification for all high-risk identities.
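The distinction the section draws, between MFA that merely exists and verification that is bound to the origin and session, is easiest to see in the verifier's own checks. The following Python example is added here and is not code from the original page or from Axiad or NHIMG; it contrasts a generic one-time-code check with a challenge/origin-bound check in the style of WebAuthn. It is a simplification: an HMAC under a constructed per-device secret stands in for the authenticator's signature, and the origin, key and code values are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample values for this example (not real keys or hosts).
REAL_ORIGIN = "https://login.example.com"
DEVICE_KEY = b"constructed-device-secret-for-demo-only"


def verify_otp(submitted: str, expected: str) -> bool:
    """Generic one-time-code check. The code carries no information about where it
    was typed, so the verifier cannot distinguish a direct login from one relayed
    through a look-alike page; it can only compare digits."""
    return hmac.compare_digest(submitted, expected)


def _proof(device_key: bytes, challenge: str, origin: str) -> str:
    # Stand-in for the authenticator signature: bound to both challenge and origin.
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def authenticator_respond(device_key: bytes, challenge: str, origin: str) -> dict:
    """Client side: the authenticator signs the challenge together with the origin it
    is actually talking to, so the proof is only meaningful for that origin."""
    return {"challenge": challenge, "origin": origin, "proof": _proof(device_key, challenge, origin)}


@dataclass
class BoundVerifier:
    """Server side of a challenge/origin-bound check (WebAuthn-style, simplified)."""
    expected_origin: str
    device_key: bytes
    challenges: dict = field(default_factory=dict)  # challenge -> already used?

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)   # fresh, unpredictable, single-use
        self.challenges[challenge] = False
        return challenge

    def verify(self, assertion: dict) -> tuple:
        challenge = assertion["challenge"]
        if challenge not in self.challenges:
            return False, "unknown challenge"
        if self.challenges[challenge]:
            return False, "challenge already used"       # replay of a consumed assertion
        if assertion["origin"] != self.expected_origin:
            return False, "origin mismatch"              # proof was made for another site
        expected = _proof(self.device_key, challenge, assertion["origin"])
        if not hmac.compare_digest(expected, assertion["proof"]):
            return False, "bad proof"
        self.challenges[challenge] = True               # consume the challenge
        return True, "ok"


def run_scenarios() -> dict:
    """Exercise the two verifiers on constructed scenarios and return the outcomes."""
    verifier = BoundVerifier(REAL_ORIGIN, DEVICE_KEY)
    results = {}
    # 1. A plain OTP verifies regardless of where it was collected.
    results["otp_accepts_relayed_code"] = verify_otp("482913", "482913")
    # 2. Legitimate origin-bound login.
    c1 = verifier.new_challenge()
    results["bound_direct_login"] = verifier.verify(authenticator_respond(DEVICE_KEY, c1, REAL_ORIGIN))
    # 3. The same assertion presented a second time is rejected.
    results["bound_replay"] = verifier.verify(authenticator_respond(DEVICE_KEY, c1, REAL_ORIGIN))
    # 4. A proof produced for a look-alike origin fails even with a fresh challenge.
    c2 = verifier.new_challenge()
    results["bound_lookalike_origin"] = verifier.verify(
        authenticator_respond(DEVICE_KEY, c2, "https://login-example.com.invalid"))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point for a verification programme is that the checks in `BoundVerifier.verify` are what make the control phishing-resistant; an MFA deployment that only performs the `verify_otp` style of comparison counts toward coverage but not toward verification quality.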
How NHI over-privilege expands the identity attack surface
Non-human identities become dangerous when they carry more privilege than the workload or integration actually needs. Excessive permissions, third-party exposure, and long-lived credentials create standing access that is difficult to notice and easy to abuse. In cloud and software supply chain environments, NHIs often outnumber humans and are easier to overlook in governance workflows. That makes over-privilege a structural amplifier of breach impact, especially when secrets are embedded in code or accessible through weak lifecycle controls.
Practical implication: inventory NHIs by privilege and external exposure, then reduce standing access before focusing on optimisation.
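The inventory-then-reduce step described above can be expressed as a small scoring and ranking routine. The example below is added here and is not code from the original page or from NHIMG; the `NHI` fields, the weights in `PRIVILEGE_WEIGHT`, the thresholds (90-day credential age, 30 days since last use) and the sample inventory are all constructed assumptions to be tuned to a real estate.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed weights: highest privilege tier a credential grants.
PRIVILEGE_WEIGHT = {"read": 1, "write": 3, "admin": 6}


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                   # service account, API key, token, certificate
    privilege: str              # "read", "write" or "admin"
    externally_exposed: bool    # issued to or reachable by a third party
    credential_age_days: int    # days since the secret was last rotated
    days_since_last_use: int
    owner: Optional[str]        # None when nobody is accountable for it


def risk_score(nhi: NHI) -> int:
    """Rank standing access by privilege first, then by the factors that make it
    hard to notice and easy to abuse (exposure, long life, disuse, no owner)."""
    score = PRIVILEGE_WEIGHT[nhi.privilege]
    if nhi.externally_exposed:
        score += 4   # third-party exposure widens who can reach the credential
    if nhi.credential_age_days > 90:
        score += 2   # long-lived credential, not rotated on a schedule
    if nhi.days_since_last_use >= 30:
        score += 2   # standing access that no workload is using
    if nhi.owner is None:
        score += 1   # nobody to approve, review or revoke it
    return score


def rank_by_exposure(inventory: List[NHI]) -> List[NHI]:
    """Highest-risk identities first; ties broken by name for stable output."""
    return sorted(inventory, key=lambda n: (-risk_score(n), n.name))


def standing_access_to_remove(inventory: List[NHI]) -> List[str]:
    """Credentials to cut before any optimisation work: unused for a month or more,
    or with no owner who can justify the access."""
    return [n.name for n in inventory if n.days_since_last_use >= 30 or n.owner is None]


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    NHI("ci-deploy-key", "API key", "admin", True, 400, 2, "platform"),
    NHI("billing-sync-token", "token", "write", True, 30, 1, "finance-eng"),
    NHI("legacy-report-svc", "service account", "read", False, 700, 180, None),
    NHI("metrics-scraper", "service account", "read", False, 20, 1, "sre"),
]


if __name__ == "__main__":
    for nhi in rank_by_exposure(SAMPLE_INVENTORY):
        print(f"{risk_score(nhi):3d}  {nhi.name} ({nhi.kind}, {nhi.privilege})")
    print("remove first:", standing_access_to_remove(SAMPLE_INVENTORY))
```

Note that the ranking and the removal list answer different questions: `rank_by_exposure` decides where verification and monitoring effort goes, while `standing_access_to_remove` identifies access that should simply disappear, which is the order of work the section recommends.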
Why breach volume keeps rising even when controls exist
Identity breaches keep rising because many programmes optimise for administrative efficiency instead of attack containment. Control coverage can exist on paper while identity hygiene, credential rotation, and offboarding remain inconsistent in practice. Once an identity is compromised, broad entitlements and slow remediation turn a single access event into a wider incident. This is why identity security has to be managed as a continuous exposure reduction function, not as a one-time compliance activity.
Practical implication: measure identity control effectiveness by breach containment and remediation speed, not by policy presence alone.
Threat narrative
Attacker objective: The attacker’s objective is to turn identity weakness into repeated access, broader privilege, and breach-scale operational damage.
- Entry occurs through identity verification weakness, often where MFA is absent, weak, or susceptible to phishing and credential reuse.
- Escalation follows when compromised human or NHI credentials expose over-privileged accounts, tokens, or third-party access paths.
- Impact emerges as attackers move from initial access into multiple identity-related breaches, unauthorized access, and broader operational disruption.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity risk is now a cross-domain governance problem, not a human-only authentication problem. The article correctly shows that user verification, credential reuse, NHI privilege, and breach frequency all belong to the same control surface. That matters because identity programmes that only focus on employees miss the machine and third-party access paths attackers increasingly exploit. Practitioners need a governance model that treats human identity, NHI, and lifecycle controls as one breach-reduction system.
Excessive privilege is the named failure mode behind much of the identity risk discussed here. The article’s NHI data points indicate a familiar control gap: access is granted more broadly than the workload or integration requires, and then left to accumulate. That is a governance failure, not just a configuration issue. The implication is that identity teams must stop treating standing access as normal and treat privilege scope as a continuously managed exposure.
Phishing-resistant authentication is no longer a narrow best practice; it is the boundary between managed and unmanaged identity risk. The article’s contrast between general MFA adoption and stronger identity verification points to a deeper problem: not all verification materially changes attacker effort. When the control can be replayed or socially engineered, it does not meaningfully reduce breach likelihood. Practitioners should interpret verification quality as a resilience metric, not a checkbox.
Identity security has become a board-level resilience issue because breach counts are rising even as programmes become more operationalised. The article highlights the danger of treating identity as an efficiency function rather than a security control. That shift often reduces visibility, weakens accountability, and leaves remediation to ad hoc teams. The field now needs identity governance that measures exposure, not just process completion.
NHI visibility is still the deciding factor in whether identity programmes can actually constrain risk. If organisations do not know where service accounts, API keys, and third-party credentials exist, they cannot verify, rotate, or revoke them reliably. That is why NHI risk is not an adjacent topic to IAM but a central test of whether identity governance works in the real world. Practitioners should treat visibility as the prerequisite for every other control.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most remediation processes start from incomplete asset knowledge.
- For a deeper breakdown of lifecycle exposure, see 52 NHI Breaches Analysis for recurring patterns in compromised access and delayed revocation.
What this signals
Identity debt: the longer an organisation keeps unverified access alive, the more likely that access is to become part of a breach path. With 91.6% of secrets still valid five days after notification, remediation windows are clearly out of step with attacker timelines.
IAM teams should expect more scrutiny on verification quality, not just control coverage. The market is moving toward evidence that access can be proven, contained, and revoked quickly across both human and machine identities, especially where third-party exposure is involved.
For practitioners
- Replace broad MFA coverage metrics with phishing-resistant verification targets: Track how many privileged users, administrators, and recovery paths are protected by phishing-resistant methods, not just whether MFA is enabled somewhere in the estate.
- Inventory NHIs by privilege and external exposure: Build a complete register of service accounts, API keys, tokens, and certificates, then rank them by standing privilege, third-party access, and business criticality.
- Reduce identity attack surface before expanding new controls: Remove unused credentials, retire stale accounts, and cut overly broad entitlements so that verification and monitoring efforts are not overwhelmed by preventable exposure.
- Tie remediation SLAs to identity breach containment: Measure how quickly compromised credentials are revoked, rotated, or disabled after detection, because slow response is what turns identity incidents into repeated compromise.
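The indicators named in the "Key questions" answer on measuring control effectiveness and in the practitioner list above (phishing-resistant coverage of privileged accounts, NHI inventory, rotation and offboarding on time, and time to revoke after notification) can be computed from three small record sets. The example below is added here and is not code from the original page or from NHIMG; the record structures, the 24-hour revocation SLA, the five-day window (chosen to match the "valid five days after notification" figure cited later on the page), the set of methods treated as phishing-resistant and every sample record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional

# Constructed assumption: which enrolled methods count as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "pki"}


@dataclass
class HumanAccount:
    user: str
    privileged: bool
    mfa: Optional[str]          # None, "otp", "push", "fido2", "pki"


@dataclass
class NHIRecord:
    name: str
    inventoried: bool
    rotation_due: datetime
    rotated_at: Optional[datetime]
    offboard_due: Optional[datetime]     # None while still in service
    offboarded_at: Optional[datetime]


@dataclass
class CredentialIncident:
    credential: str
    notified_at: datetime
    revoked_at: Optional[datetime]       # None if still valid at measurement time


def pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def verification_quality(accounts: List[HumanAccount]) -> dict:
    """Coverage ("MFA somewhere") versus quality (privileged users on resistant methods)."""
    privileged = [a for a in accounts if a.privileged]
    return {
        "mfa_enabled_anywhere": pct(sum(1 for a in accounts if a.mfa), len(accounts)),
        "privileged_on_phishing_resistant": pct(
            sum(1 for a in privileged if a.mfa in PHISHING_RESISTANT), len(privileged)),
    }


def nhi_lifecycle(records: List[NHIRecord], now: datetime) -> dict:
    """Inventory, rotation and offboarding measured only against deadlines already passed."""
    due_rotation = [r for r in records if r.rotation_due <= now]
    rotated_on_time = [r for r in due_rotation if r.rotated_at and r.rotated_at <= r.rotation_due]
    due_offboard = [r for r in records if r.offboard_due and r.offboard_due <= now]
    offboarded_on_time = [r for r in due_offboard if r.offboarded_at and r.offboarded_at <= r.offboard_due]
    return {
        "inventoried": pct(sum(1 for r in records if r.inventoried), len(records)),
        "rotated_on_time": pct(len(rotated_on_time), len(due_rotation)),
        "offboarded_on_time": pct(len(offboarded_on_time), len(due_offboard)),
    }


def containment(incidents: List[CredentialIncident], now: datetime,
                sla_hours: int = 24, window_days: int = 5) -> dict:
    """Time to revoke, SLA compliance, and the share still valid after the window."""
    hours = [(i.revoked_at - i.notified_at).total_seconds() / 3600 for i in incidents if i.revoked_at]
    window = timedelta(days=window_days)
    # Only incidents notified at least `window` ago can be judged against the window.
    measurable = [i for i in incidents if now - i.notified_at >= window]
    valid_after_window = [i for i in measurable
                          if i.revoked_at is None or i.revoked_at - i.notified_at > window]
    return {
        "median_hours_to_revoke": round(median(hours), 1) if hours else None,
        "revoked_within_sla": pct(sum(1 for h in hours if h <= sla_hours), len(incidents)),
        "still_valid_after_window": pct(len(valid_after_window), len(measurable)),
    }


# Constructed sample data for the example.
NOW = datetime(2025, 9, 16)
ACCOUNTS = [HumanAccount("alice", True, "fido2"), HumanAccount("bob", True, "otp"),
            HumanAccount("carol", True, None), HumanAccount("dave", False, "push"),
            HumanAccount("erin", False, "otp")]
NHIS = [
    NHIRecord("payments-svc", True, datetime(2025, 9, 1), datetime(2025, 8, 28), None, None),
    NHIRecord("old-etl-key", True, datetime(2025, 8, 1), None, datetime(2025, 9, 1), None),
    NHIRecord("vendor-token", False, datetime(2025, 9, 10), datetime(2025, 9, 14), datetime(2025, 9, 10), datetime(2025, 9, 9)),
    NHIRecord("new-worker", True, datetime(2025, 10, 1), None, None, None),
]
INCIDENTS = [
    CredentialIncident("k1", datetime(2025, 9, 1), datetime(2025, 9, 1, 6)),
    CredentialIncident("k2", datetime(2025, 9, 2), datetime(2025, 9, 4)),
    CredentialIncident("k3", datetime(2025, 9, 3), datetime(2025, 9, 10)),
    CredentialIncident("k4", datetime(2025, 9, 5), None),
    CredentialIncident("k5", datetime(2025, 9, 14), None),
]

if __name__ == "__main__":
    print(verification_quality(ACCOUNTS))
    print(nhi_lifecycle(NHIS, NOW))
    print(containment(INCIDENTS, NOW))
```

On the constructed data the gap the section warns about is visible directly: MFA is enabled for 80% of accounts, yet only a third of privileged users are on a phishing-resistant method, and half of the measurable compromised credentials are still valid after the five-day window. Those are the figures to trend over time; policy presence alone would report every one of these controls as "in place".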
Key takeaways
- Identity risk is not a single authentication problem. It is a programme-level exposure problem spanning users, NHIs, and third-party access paths.
- The evidence in the article points to a control gap between having security tools and actually reducing breach likelihood, especially where verification quality and privilege scope are weak.
- Practitioners should prioritise phishing-resistant verification, NHI inventory, privilege reduction, and faster remediation before adding more governance complexity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity exposure and excessive privilege are core NHI risk themes in the article. |
| NIST CSF 2.0 | PR.AC-1 | The article centers on weak identity verification and access control failure. |
| NIST Zero Trust (SP 800-207) | AC-6 | Zero trust principles apply to reducing implicit identity trust across users and NHIs. |
Inventory NHIs, remove unnecessary standing access, and validate each identity against least-privilege scope.
Key terms
- Identity Verification: Identity verification is the process of proving that a user or system is who or what it claims to be before access is granted. In modern programmes, the quality of verification matters as much as coverage, especially when attackers can phish, replay, or socially engineer weaker methods.
- Non-Human Identity: A non-human identity is a machine-facing credentialed entity such as a service account, API key, token, certificate, bot, or workload. These identities often operate at machine speed, carry broad permissions, and are easy to overlook unless they are inventoried and governed as first-class identities.
- Phishing-Resistant MFA: Phishing-resistant MFA is multi-factor authentication designed to resist credential replay, phishing, and interception. It uses stronger proofing mechanisms than basic one-time codes, making it materially harder for attackers to turn stolen credentials into usable access.
- Standing Privilege: Standing privilege is persistent access that remains available until manually removed or rotated. For NHIs, standing privilege is especially risky because it can outlive the workload, the integration, or the original approval context, creating a durable path for abuse.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: A Wave of Identity Security Reports Defines a Big Problem. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org