TL;DR: Verizon's DBIR analyzed more than 22,000 incidents and breaches. System intrusion rose to 53% of incidents, 88% of web application attacks used stolen credentials, and 60% of breaches still involved a human element. The real lesson is that identity remains the control plane for risk, even as AI and third-party access expand the attack surface.
At a glance
What this is: This is Saviynt's commentary on Verizon's DBIR, arguing that identity security remains foundational because credential abuse, third-party exposure, and unmanaged AI use still drive breaches.
Why it matters: IAM and NHI teams need to treat identity as a core security control because the same access patterns now govern humans, external parties, and AI-driven workflows.
By the numbers:
- 53% of incidents were classified as system intrusion.
- 88% of recorded web application attacks were through stolen credentials.
- 60% of breaches involved a human element.
👉 Read Saviynt's analysis of Verizon's DBIR and identity security
Context
Identity security is the discipline that governs how users, services, partners, and machines get access and how that access is limited. In this article, Saviynt uses Verizon's latest breach analysis to argue that IAM and NHI security remain the starting point for reducing breach exposure, especially as credentials and external access continue to shape attack paths.
The core governance gap is not whether identity matters, but whether organisations can control identity sprawl across internal, external, and non-human accounts fast enough to matter operationally. That is a typical enterprise problem now, not an edge case, because the same access model often spans employees, contractors, service accounts, and AI-driven workflows.
The post also frames generative AI as an access governance issue, not only a data handling issue. That is the right lens for IAM and NHI practitioners, because unmanaged AI usage creates another class of non-human access that existing identity controls must be able to see, limit, and review.
Key questions
Q: How should security teams handle credential abuse when breaches look like system intrusion?
A: They should treat credential abuse as an identity failure, not just an intrusion category. Successful logins can still be malicious if the account, device, or context is wrong. Security teams need correlation across identity, privilege, and behavior so that stolen credentials, unauthorized access, and privilege misuse are investigated as one problem, not separate ones.
Q: Should organisations give third-party identities the same governance as employee accounts?
A: Yes. External identities expand the attack surface in the same way as internal identities, and they are often harder to monitor. Organisations should assign owners, set expiry dates, enforce least privilege, and revoke access through the same lifecycle process they use for employees. Different trust sources require the same control discipline.
Q: Why do generative AI tools create non-human identity risk?
A: Generative AI tools create NHI risk because they often have access to corporate data, APIs, and workflows while operating outside traditional user-account models. The risk is not only prompt misuse. It is also the access identity behind the tool, the secrets it uses, and whether the organisation can see and constrain its reach.
Q: What is the difference between human identity governance and NHI governance?
A: Human identity governance focuses on people, while NHI governance focuses on service accounts, APIs, tokens, certificates, bots, and agents that act without direct human attendance. NHIs usually move faster, outnumber humans, and are more likely to accumulate standing privilege. That means lifecycle control, secret rotation, and entitlement review must be more automated.
Technical breakdown
Why credential abuse still drives identity-led intrusions
Credential abuse sits inside broader intrusion patterns because attackers do not need to break authentication if they can reuse or steal valid access. Verizon's breakdown separates deliberate privilege misuse from stolen credentials and unauthorized use, which means identity compromise often hides inside categories that look like generic system intrusion. For IAM teams, that distinction matters: a login event may be legitimate from the control's point of view while still being adversary activity. This is one reason identity visibility and authentication telemetry must be correlated with access intent, device context, and privilege level.
Practical implication: Map suspicious credential use to identity context, not just authentication success.
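As an added example (not from the Saviynt post or the DBIR), the following Python scores successful logins against identity context so that a stolen credential does not disappear behind "authentication succeeded". The identity context, device names and authentication events are constructed, and the scoring rules and threshold are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class IdentityContext:
    known_devices: set
    usual_countries: set
    privileged: bool
    entitlement_changed: bool   # role or group added in the last few days

# Constructed identity context, as an IGA or directory export would provide it.
CONTEXT = {
    "alice": IdentityContext({"LAPTOP-A1"}, {"GB"}, privileged=False, entitlement_changed=False),
    "svc-backup": IdentityContext({"BKP-NODE-01"}, {"GB"}, privileged=True, entitlement_changed=True),
}
# Constructed authentication events; each success would pass a plain "login ok" filter.
EVENTS = [
    {"user": "alice", "device": "LAPTOP-A1", "country": "GB", "result": "success"},
    {"user": "alice", "device": "UNKNOWN-77", "country": "RO", "result": "success"},
    {"user": "svc-backup", "device": "LAPTOP-Z9", "country": "GB", "result": "success"},
    {"user": "svc-backup", "device": "BKP-NODE-01", "country": "GB", "result": "failure"},
]

def score_login(event, ctx):
    """Score one successful login against its identity context; return (score, reasons)."""
    if event["result"] != "success":
        return 0, []                      # a failure is not an access event
    reasons = []
    if event["device"] not in ctx.known_devices:
        reasons.append("unregistered device")
    if event["country"] not in ctx.usual_countries:
        reasons.append("unusual geolocation")
    # Privilege and recent entitlement changes amplify an anomaly but are not
    # anomalies themselves: a routine privileged login from a known device scores 0.
    if reasons and ctx.privileged:
        reasons.append("privileged identity")
    if reasons and ctx.entitlement_changed:
        reasons.append("recent entitlement change")
    return len(reasons), reasons

def triage(events, context, threshold=2):
    """Return (user, reasons) for logins that reach the review threshold or lack an inventory entry."""
    flagged = []
    for e in events:
        ctx = context.get(e["user"])
        if ctx is None:
            flagged.append((e["user"], ["identity not in inventory"]))
            continue
        score, reasons = score_login(e, ctx)
        if score >= threshold:
            flagged.append((e["user"], reasons))
    return flagged
```

The flagged tuples are what you would route to a review workflow or a high-risk identity alert rather than to a generic failed-login dashboard.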
How third-party and external identities widen the attack surface
External identities create governance complexity because they extend trust beyond the organisation's direct employee base. Partners, vendors, contractors, and temporary workers often inherit access paths that are harder to review, rotate, and revoke at the same cadence as internal accounts. When those identities are not governed with the same least-privilege and lifecycle controls as employee identities, they become long-lived exposure points. The article's emphasis on third-party involvement reflects a broader pattern: the access perimeter now includes every externally connected identity, not just those on payroll.
Practical implication: Apply the same lifecycle, review, and revocation discipline to external identities as to internal ones.
Why generative AI turns access governance into an NHI problem
Generative AI use becomes an NHI issue when employees interact with public models or internal agents that process corporate data and act with some level of execution authority. Those systems can create unmanaged access paths, shadow usage, and data exposure that do not fit traditional human IAM assumptions. The problem is not just who typed a prompt, but what identity the AI service uses, what data it can reach, and how its outputs are retained or reused. That makes AI governance inseparable from secrets control, entitlement review, and non-human identity visibility.
Practical implication: Inventory AI systems as non-human identities and review their entitlements like any other privileged workload.
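As an added example covering the two sections above on external identities and AI systems (not code from Saviynt or the DBIR), this Python applies one lifecycle review to employee, vendor and AI-agent identities alike, checking owner, expiry, standing privilege, secret age and review recency. The inventory, the review date and the 90-day thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
MAX_SECRET_AGE = timedelta(days=90)   # assumed rotation policy
MAX_REVIEW_GAP = timedelta(days=90)   # assumed certification cadence

@dataclass
class Identity:
    name: str
    kind: str                       # "employee", "contractor", "vendor", "service" or "ai-agent"
    owner: Optional[str]
    expires: Optional[date]         # None means no end date was ever recorded
    standing_privilege: bool
    secret_rotated: Optional[date]
    last_review: Optional[date]

def review_identity(ident, today):
    """Return governance findings for one identity; an empty list means it passes."""
    findings = []
    if not ident.owner:
        findings.append("no accountable owner")
    if ident.expires is None and ident.kind != "employee":
        findings.append("no expiry for non-employee identity")
    elif ident.expires is not None and ident.expires < today:
        findings.append("expired but not revoked")
    if ident.standing_privilege:
        findings.append("standing privilege")
    if ident.secret_rotated is None or today - ident.secret_rotated > MAX_SECRET_AGE:
        findings.append("secret past rotation window")
    if ident.last_review is None or today - ident.last_review > MAX_REVIEW_GAP:
        findings.append("no recent entitlement review")
    return findings

def revocation_queue(inventory, today):
    """Names to revoke now: expired identities, or ownerless ones holding standing privilege."""
    urgent = {"no accountable owner", "standing privilege"}
    queue = []
    for ident in inventory:
        findings = set(review_identity(ident, today))
        if "expired but not revoked" in findings or urgent <= findings:
            queue.append(ident.name)
    return queue

TODAY = date(2025, 12, 5)  # constructed review date
INVENTORY = [  # constructed inventory spanning three identity classes
    Identity("alice", "employee", "hr", None, False, date(2025, 11, 1), date(2025, 10, 1)),
    Identity("vendor-acme-api", "vendor", "procurement", date(2025, 9, 30), True, date(2025, 5, 1), date(2025, 6, 1)),
    Identity("copilot-agent", "ai-agent", None, None, True, None, None),
]
```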
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security is still the control plane for modern breach reduction. The DBIR data does not weaken the identity argument just because system intrusion is large; it strengthens it because credential abuse, phishing, and unauthorized access are all identity problems expressed through different incident labels. Practitioners should read that as a reminder that detection and prevention both depend on knowing which identities exist and what they can do.
Third-party access is no longer a side issue in NHI governance. External identities now sit inside the same risk model as internal users, especially when contractors, vendors, and service providers retain access longer than necessary. The governance lesson is simple: if you cannot prove who owns the identity, what it can reach, and when it is revoked, you do not have control. Teams should treat external access as a standing review item, not a periodic exception.
AI usage is creating a trust gap that existing IAM models were not designed to close. The important shift is not that AI is new, but that it introduces execution-capable non-human access into environments already struggling with visibility and privilege sprawl. That creates a named concept we would call AI access trust debt: the accumulated risk from granting systems and agents access faster than governance can verify, constrain, and retire it. Practitioners should measure and reduce that debt before it becomes operational exposure.
Converged identity security is becoming the practical baseline, not an architectural luxury. Human identities, NHIs, and AI-driven access paths now overlap in the same workflows, so separate control planes create blind spots. The field is moving toward unified visibility, least privilege, and lifecycle enforcement across every identity class. Security teams should plan for convergence because fragmented control stacks will not keep pace with access sprawl.
Identity security programmes must shift from account administration to access assurance. The article's framing is useful because it pushes beyond static administration and toward continuous confidence that access is appropriate, revocable, and observable. That is the governance model NHI and IAM teams need now. Practitioners should align policy, telemetry, and review processes around assurance, not just provisioning.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to our Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why entitlement sprawl persists even when teams know the risk.
- Start with 52 NHI Breaches Analysis to compare your controls against recurring failure patterns such as exposed secrets and weak revocation.
What this signals
AI access trust debt: enterprises are accumulating risk every time they extend access to AI tools faster than they can verify ownership, scope, and revocation. That debt is likely to surface first in secrets sprawl, overbroad tool access, and unclear accountability for machine-initiated actions.
The practical signal for IAM and NHI programmes is that identity inventories must expand beyond people and service accounts to include AI services that can execute actions. If those identities are not mapped, reviewed, and retired with the same discipline as other privileged accounts, access governance will lag the operating model.
With 91.6% of secrets still valid five days after notification in our research, remediation speed remains a structural weakness. Teams should expect the next gap to come from the overlap of external access and AI-enabled workflows, where revocation timing matters as much as initial provisioning.
For practitioners
- Correlate credential events with identity context: Tie successful logins to device posture, geolocation, privilege level, and recent access changes so stolen credentials are easier to distinguish from legitimate use. Feed the results into review workflows and alerting for high-risk identities.
- Review external identity access on the same cadence as employee access: Inventory contractors, vendors, and temporary workers alongside internal accounts, then apply least privilege, expiry dates, and revocation checks to each one. Do not leave third-party access outside your normal joiner-mover-leaver process.
- Treat AI systems as non-human identities: Register public and internal AI services as identities with owners, entitlements, and secrets. Review what data they can reach, what tools they can invoke, and whether the access is still justified for the task.
- Reduce standing privilege in high-risk workflows: Remove persistent elevated access from service accounts, automation jobs, and agentic tools where practical. Use short-lived credentials and task-scoped permissions instead of broad, durable entitlements.
- Use breach patterns to prioritise control gaps: Compare your environment against the 52 NHI Breaches Analysis to identify recurring failure modes such as exposed secrets, overprivileged service accounts, and weak revocation discipline.
Key takeaways
- Credential abuse remains an identity problem even when incident taxonomies label it as system intrusion.
- External identities and AI systems expand the NHI surface, so governance must extend beyond employee accounts.
- Teams that cannot see, scope, and revoke non-human access quickly will continue to accumulate breach exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Credential abuse and overprivilege map directly to core NHI control failures. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and external identity governance align with access control outcomes. |
| NIST AI RMF | | AI usage introduces governance and accountability requirements for autonomous access paths. |
Inventory NHI credentials, remove standing privilege, and enforce review on every high-risk account.
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software, infrastructure, or automation rather than a person. That includes service accounts, API keys, tokens, certificates, bots, and AI agents. These identities often outnumber human accounts and require lifecycle control, least privilege, and continuous review.
- Credential Abuse: Credential abuse is the use of valid secrets or accounts by an unauthorised party or for unauthorised purposes. In practice, it often looks like normal authentication unless teams correlate context, privilege, and behaviour. It is one of the most persistent ways identity failures become breaches.
- External Identity: An external identity is an account or access path owned outside the organisation but trusted inside it, such as a partner, vendor, contractor, or temporary worker. These identities enlarge the attack surface because they are harder to govern consistently and often fall outside standard employee lifecycle processes.
- AI Access Trust Debt: AI access trust debt is the accumulated risk created when organisations grant AI systems access faster than they can verify ownership, limit scope, and retire permissions. It grows when access paths, secrets, and tool permissions are not tracked as part of the identity programme.
What's in the full article
Saviynt's full post covers the operational detail this post intentionally leaves for the source:
- How the vendor maps Verizon incident categories to identity-related failure modes for internal reporting.
- How Saviynt positions identity security posture management in the context of human, external, and non-human access.
- How its AI-enabled identity features fit into a broader governance model for corporate and public genAI usage.
- How the vendor frames GE HealthCare's journey as an example of proactive identity security.
Deepen your knowledge
Identity lifecycle governance, secrets control, and non-human access management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is formalising controls around AI and third-party identities, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org