TL;DR: Identity security reports show 97% of organisations are challenged by identity verification, only 45% use MFA, and 93% reported two or more identity-related breaches in the last year, according to Axiad. The pattern is clear: identity risk is now a core security problem, not an operational side issue.
At a glance
What this is: Axiad’s roundup argues that recent identity security reports all point to the same problem: identity risk remains a major driver of breaches, over-privilege, and weak verification.
Why it matters: For IAM teams, the signal is that controls built around users alone are not enough, because NHI exposure, credential reuse, and weak verification now affect human, machine, and access governance together.
By the numbers:
- 97% of organisations are challenged by identity verification.
- 93% of organisations had two or more identity-related breaches in the last year.
- 69% of the security incidents investigated by the cited security operations center were identity-related.
- 47% of respondents said that the complexity of existing systems is their top identity management problem.
👉 Read Axiad's roundup of identity security reports and identity risk findings
Context
Identity risk is the gap between who or what an organisation thinks it is authorising and the actual identity behaviour happening across users, service accounts, tokens, and other credentials. In this case, the article argues that identity security has become a primary breach driver, not just an administrative control plane.
The point matters because identity programmes often optimise for convenience, coverage, or operational efficiency while leaving verification, MFA quality, and non-human privilege unchecked. That leaves security teams with fragmented controls across human IAM and NHI governance, even as attacker paths increasingly cross both.
Key questions
Q: How should security teams reduce identity risk without relying on weak MFA?
A: Security teams should separate MFA adoption from authentication strength. Use phishing-resistant methods for privileged and remote access, then retire weaker factors where they still protect critical systems. The goal is to reduce bypass paths, not just increase factor counts. Measure whether the deployed factor can survive phishing, token theft, and session interception.
Q: Why do non-human identities create so much identity risk?
A: Non-human identities often carry standing privileges, are reused across systems, and are exposed to partners or third parties. That combination increases the chance that a single compromised secret can unlock broad access. The risk is not just compromise, but uncontrolled scope. Teams need lifecycle ownership, privilege scoping, and exposure tracking together.
Q: What do security teams get wrong about identity-related breaches?
A: They often treat identity compromise as an authentication event rather than a governance event. In practice, the breach usually succeeds because access persists, privileges are too broad, or response processes do not contain identity abuse quickly enough. The real question is whether identity controls shrink attacker reach after compromise starts.
Q: Who should own identity security when access spans users and machine identities?
A: Ownership should sit with the security and identity teams together, because the control problem spans human IAM, NHI governance, and incident response. If identity is managed only as an operational convenience, breach conditions persist. Clear ownership matters most where access touches privileged systems, third parties, or shared credentials.
Technical breakdown
Why identity verification fails when controls are inconsistent
Identity verification breaks down when organisations treat all authentication methods as equivalent. The article distinguishes phishing-resistant MFA from weaker forms, which matters because a login that technically uses MFA may still be vulnerable to social engineering or token theft. Verification is only as strong as the factor resistance behind it, not the label attached to it. In practice, that means teams need to distinguish access assurance from simple second-factor adoption and track where authentication methods can be bypassed.
Practical implication: inventory authentication methods by resistance level, not just by MFA coverage.
How over-privileged non-human identities expand attack paths
Non-human identities such as service accounts, API keys, and other machine credentials often carry standing access that exceeds the task they actually need to perform. When 97% of NHIs are over-privileged and 92% are exposed to third parties, the attack surface becomes a governance problem as much as a technical one. Excess privilege widens blast radius, while third-party exposure creates an additional trust boundary that many programmes do not track with the same rigor as employee access.
Practical implication: map NHI privilege scope and third-party exposure together before reviewing access design.
Why identity-related breaches keep outpacing existing programmes
Identity-related incidents persist when organisations separate identity governance from security operations. The article cites a rise in identity-linked incidents and a high level of breach frequency, which suggests that detection, lifecycle controls, and policy enforcement are not closing the loop fast enough. In other words, the problem is not only that identities are compromised, but that the programme does not reduce the time, reach, or reuse of compromised credentials quickly enough.
Practical implication: tie identity telemetry, access review, and response workflows to the same operational owners.
Threat narrative
Attacker objective: The attacker’s objective is to turn trusted identity access into broad unauthorized access that can be used for breach activity, data theft, or network movement.
- Entry begins with compromised or weakly verified identities, including gaps in phishing-resistant MFA and reused credentials, which allow the attacker to impersonate a trusted user or machine identity.
- Escalation follows when the attacker moves through over-privileged NHIs or poorly governed access paths, increasing reach across systems and third-party connections.
- Impact occurs as identity-based access is used to trigger breaches, data exposure, or operational disruption across environments that still trust the compromised identity.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity risk is now a governance failure, not just an authentication problem. The article’s report roundup shows that verification weakness, breach frequency, and over-privileged non-human access are converging into the same control failure. This is no longer a question of whether identity matters, but whether the identity programme is actually governing all identity types with equal rigor. Practitioners should treat identity as a primary security control plane, not a side function.
Over-privileged NHI access is the clearest example of identity blast radius. When machine credentials are both excessive and externally exposed, the programme is allowing a single identity to carry far more operational trust than it can safely hold. That expands attacker reach without needing to break the underlying application. The practical conclusion is that privilege scope, exposure, and ownership must be analysed together, not separately.
Phishing-resistant verification exposes a broader truth about trust assumptions. The article is right that not all MFA meaningfully reduces identity risk, because factor presence is not the same as factor resistance. If the control can be bypassed through phishing or token replay, the programme has preserved an authentication label while weakening the security outcome. Practitioners should evaluate the trust model behind each access path, not just the existence of a second factor.
Identity security is being operationalized in ways that dilute accountability. The article notes that identity has been treated as an efficiency function in some organisations, which is exactly how governance gaps become persistent. When responsibility moves out of security ownership, policy drift and weak lifecycle controls follow. The field needs to re-center identity governance as a security discipline with measurable outcomes.
Identity verification challenge is the named concept this roundup exposes. The common failure mode is not a lack of identity technology, but a mismatch between the assurance the programme expects and the assurance the deployed controls actually provide. That gap is now visible across human MFA, NHI privilege, and breach incidence. Practitioners should use that mismatch as the starting point for programme re-evaluation.
From our research:
- 97% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 52 NHI Breaches Analysis shows how credential persistence and over-privilege repeatedly turn identity exposure into breach impact.
What this signals
Identity verification challenge: as identity programmes expand across users, workloads, and agents, the real issue is not whether organisations own identity tooling, but whether they can prove trust at the point of access. With 97% of organisations challenged by identity verification, per Ultimate Guide to NHIs, identity assurance is clearly a control-design problem, not a checkbox problem.
For practitioners, the next step is to treat identity risk as a cross-domain governance issue that spans IAM, NHI lifecycle, and incident response. The organisations that keep identity in the efficiency lane will keep inheriting the same breach patterns, only with more identities in the path.
Security teams should also watch for control drift between authentication policy and actual identity behaviour. When access paths are re-used, shared, or delegated, the programme needs telemetry and ownership strong enough to show where trust assumptions stop matching reality.
For practitioners
- Separate phishing resistance from MFA coverage: Classify authentication methods by whether they resist phishing, token replay, and session theft. Then map where weaker methods still protect privileged access, contractor access, and remote access flows.
- Review NHI privilege against task scope: Identify service accounts, API keys, and machine tokens that hold access broader than the workflow they support. Reduce standing privileges where the identity can complete its job without persistent broad access.
- Track third-party exposure for machine identities: Document which NHIs are exposed to vendors, partners, or external platforms, and align ownership with offboarding and renewal processes. Third-party access should be subject to the same lifecycle discipline as employee access.
- Tie identity events to SOC response: Feed identity anomalies, credential misuse, and access drift into operational response workflows so that compromise is not discovered only after lateral movement or data exposure has begun.
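The first three practitioner steps, and the practical implications in the technical breakdown (inventory by resistance level, map NHI privilege scope together with third-party exposure), can be run as one review over an access-path inventory. This is an added Python example, not code from Axiad or NHIMG; the method labels, resistance tiers, finding names and sample inventory are all assumed or constructed.

```python
from dataclasses import dataclass

# Resistance tier per method: 0 = single factor or long-lived secret,
# 1 = MFA present but phishable/relayable, 2 = phishing-resistant.
# Labels are assumed; map your own IdP's method names onto these tiers.
RESISTANCE = {
    "password": 0, "static_api_key": 0,
    "sms_otp": 1, "totp": 1, "push": 1,
    "fido2": 2, "client_cert": 2, "workload_identity": 2,
}

@dataclass(frozen=True)
class AccessPath:
    principal: str
    kind: str                  # "human" or "nhi"
    method: str                # key into RESISTANCE
    granted: frozenset         # privileges actually held
    required: frozenset        # privileges the workflow needs
    privileged_target: bool    # path reaches a critical system
    third_party: bool = False  # exposed to a vendor, partner or external platform

def assess(p: AccessPath) -> list[str]:
    """Findings for one access path; an empty list means nothing flagged."""
    findings = []
    if p.privileged_target and RESISTANCE.get(p.method, 0) < 2:
        findings.append("weak-factor-on-privileged-path")  # MFA label is not enough
    if p.granted - p.required:                              # scope beyond the task
        findings.append("over-privileged")
        if p.kind == "nhi" and p.third_party:               # excess crosses a trust boundary
            findings.append("exposed-excess-privilege")
    return findings

def coverage(paths: list[AccessPath]) -> dict[str, float]:
    """Factor presence versus factor resistance over the same inventory."""
    tiers = [RESISTANCE.get(p.method, 0) for p in paths]
    return {"mfa": sum(t >= 1 for t in tiers) / len(tiers),
            "phishing_resistant": sum(t >= 2 for t in tiers) / len(tiers)}

P = frozenset  # constructed sample inventory, not real data
INVENTORY = [
    AccessPath("alice", "human", "fido2", P({"read"}), P({"read"}), True),
    AccessPath("bob-admin", "human", "push", P({"admin"}), P({"admin"}), True),
    AccessPath("carol", "human", "totp", P({"read"}), P({"read"}), False),
    AccessPath("ci-deployer", "nhi", "static_api_key", P({"deploy", "db:admin"}),
               P({"deploy"}), True, third_party=True),
    AccessPath("metrics-agent", "nhi", "workload_identity", P({"metrics:write"}),
               P({"metrics:write"}), False),
]

def report(paths: list[AccessPath] = INVENTORY) -> dict[str, list[str]]:
    return {p.principal: f for p in paths if (f := assess(p))}

if __name__ == "__main__":
    print(coverage(INVENTORY))  # MFA coverage looks healthy; resistant coverage does not
    for principal, findings in report().items():
        print(principal, findings)
```

On the constructed inventory MFA coverage is 80% while phishing-resistant coverage is 40%, and the one externally exposed NHI collects three findings at once, which is the convergence the roundup describes.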
Key takeaways
- Identity risk is now a core breach driver because weak verification, over-privileged NHIs, and repeated incident patterns are converging.
- The scale is material: the article cites 97% identity verification challenge, 93% identity-related breaches, and 69% identity-related SOC incidents.
- Teams need to govern identity as a security control plane, with stronger authentication assurance, tighter NHI privilege scope, and clearer operational ownership.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity verification is central to access control assurance. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Over-privileged NHIs and exposed credentials fit NHI governance failures. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | The article’s identity trust gap maps to zero-trust verification assumptions. |
Inventory NHIs, scope their privileges tightly, and reduce standing access where possible.
Key terms
- Identity risk: Identity risk is the likelihood that a trusted account, factor, or credential will be misused to gain access beyond its intended scope. In practice, it shows up when verification is weak, privileges are excessive, or lifecycle controls fail to remove access quickly enough.
- Phishing-resistant MFA: Phishing-resistant MFA uses authentication methods that cannot be easily replayed or relayed by an attacker. For security teams, the distinction matters because some MFA reduces friction without materially reducing identity compromise risk, especially for privileged or remote access paths.
- Non-human identity: A non-human identity is a machine or software credential used by services, workloads, scripts, APIs, bots, or agents. It often has standing access and can move across systems faster than a human user, which makes lifecycle control, privilege scope, and secret handling critical.
Deepen your knowledge
Identity verification, MFA strength, and NHI privilege scope are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are reworking identity governance after reading this analysis, it is a practical place to start.
This post draws on content published by Axiad: A wave of identity security reports defines a big problem. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org