By NHI Mgmt Group Editorial Team | Published 2026-04-28 | Domain: Governance & Risk | Source: Delinea

TL;DR: March’s breach pattern showed that attackers are compromising trusted identities, not perimeter controls, and then using legitimate access to move downstream, according to Delinea Labs’ April 2026 Threat Outlook. The result is a governance problem, not just an authentication problem, because identity can become the weapon once trust is inherited across tenants, partners, and automation.


At a glance

What this is: An analysis of March breach activity showing how one compromised identity can cascade across enterprise and supply-chain environments.

Why it matters: IAM, NHI, and PAM teams need to govern trusted access paths before legitimate credentials are turned into operational impact.

By the numbers:

👉 Read Delinea's analysis of identity supply chain compromise patterns


Context

Identity supply chains fail when trust is inherited without continuous verification. A credential, token, or admin role that is valid in one environment can become a bridge into many others if access is not segmented, reviewed, and constrained by context. For IAM and NHI practitioners, the issue is not simply who authenticated, but what that authenticated identity was allowed to do next.

This April 2026 analysis from Delinea is about March attack patterns, where attackers repeatedly used legitimate credentials, SSO accounts, cloud roles, and service accounts to reach operational systems. That starting position is becoming typical, not exceptional, because non-human and third-party identities often sit outside the controls that protect interactive users.


Key questions

Q: How should security teams handle trust assumptions in identity supply chains?

A: Security teams should assume that any trusted upstream identity can become a downstream entry point if its permissions are not continuously verified. The practical response is to segment trust, shorten credential lifetimes, require step-up approval for sensitive actions, and review third-party access as often as internal privileged access. Legitimate authentication is not enough if the resulting authority is overly broad.

Q: Why do service accounts and other non-human identities increase breach impact?

A: Service accounts and other non-human identities increase breach impact because they often carry broad, persistent access and bypass interactive controls like MFA. When those identities are not tightly scoped, rotated, and retired, attackers can reuse them to move quietly across systems, pipelines, and cloud environments. The issue is not the token alone, but the authority attached to it.

Q: What breaks when administrative identity governance is weak?

A: When administrative identity governance is weak, one compromised account can change policies, wipe devices, approve access, or unlock whole environments without a second control layer. That failure is especially dangerous in control planes such as device management, cloud administration, and identity platforms. The common pattern is too much standing privilege and too little behavioral verification.

Q: What should teams do in the first 24 to 72 hours after a trusted identity is abused?

A: Teams should revoke the compromised identity, invalidate active sessions and tokens, review downstream trust relationships, and isolate any control plane that could still be used for destructive actions. They should then identify whether the identity was human, machine, or third-party owned, because the containment steps and recovery order differ. The first goal is to stop inherited trust from spreading further.


Technical breakdown

Why identity supply chains fail under legitimate access

An identity supply chain is the chain of trust that extends from a primary account into downstream tenants, SaaS tools, cloud roles, CI/CD systems, and delegated admin consoles. Attackers prefer this path because legitimate authentication bypasses many perimeter controls and often looks normal in logs. Once they obtain one trusted identity, they can reuse existing permissions rather than deploy noisy malware. The failure mode is structural: access is granted for convenience, then reused in ways the original owner did not intend. In practice, that means treating every upstream identity as a potential control point for downstream compromise.

Practical implication: Map delegated access paths and revoke trust relationships that are broader than the business use case.

How non-human identities expand the attack surface

Non-human identities include service accounts, API keys, cloud credentials, and automation tokens. They authenticate without human interaction, which makes them ideal for workloads but also hard to observe with user-centric controls. Because they often lack strong lifecycle governance, they accumulate privileges, persist longer than their original purpose, and remain usable after the workflow changes. In practice, that means a stale token can become an entry point long after the system that created it has moved on, so NHI governance has to cover issuance, rotation, scoping, and retirement, not just authentication.

Practical implication: Inventory machine identities and enforce lifecycle controls tied to ownership and expiry.

Why control planes become weapons when admin access is overtrusted

Administrative consoles and identity control planes carry broad authority by design. When an attacker compromises an admin identity in a platform such as device management or cloud IAM, the resulting actions can be destructive without requiring a separate exploit chain. This is where PAM and zero standing privilege matter: if high-impact actions do not require re-authorization, the attacker inherits the same authority as the operator. The Stryker example shows that abuse can be immediate and catastrophic. In practice, that means protecting admin actions with approval, step-up controls, and behavioral monitoring.

Practical implication: Require multi-party approval and just-in-time elevation for destructive administrative actions.


Threat narrative

Attacker objective: Turn trusted identity into operational leverage, enabling lateral access, data theft, and destructive control-plane actions without exploiting software vulnerabilities.

  1. Entry occurred through compromised administrative or third-party identities, including SSO accounts, cloud IAM roles, and CI/CD service accounts.
  2. Escalation followed when legitimate access was reused inside trusted environments, allowing attackers to reach broader platforms and identity control planes.
  3. Impact came from mass device wipe, data theft, and downstream access to client environments using the authority already embedded in those identities.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity supply chains are now a primary attack path, not a side effect of vendor risk. The March incidents show that attackers are increasingly relying on trust relationships between organizations, platforms, and automation systems rather than on classic exploit chains. That changes how practitioners should think about segmentation and authorization. If a trusted identity can move downstream without friction, the supply chain itself becomes the access layer.

Non-human identity governance is the missing control plane in most breach narratives. Service accounts, API keys, and CI/CD identities were central to several of the month’s compromises, yet many programmes still manage them as secrets inventory rather than as identities with lifecycle, ownership, and privilege boundaries. The result is credential trust debt: the longer a machine identity remains valid after its original task, the more downstream trust it accumulates. Practitioners should treat this debt as a measurable governance failure.

Administrative access must be treated as an attack surface, not a privileged exception. The Stryker incident shows that one authenticated admin can create enterprise-wide disruption when the control plane is too permissive. PAM, step-up authorisation, and multi-party approval are no longer optional refinements for high-impact actions. They are the minimum boundary between routine administration and catastrophic misuse.

Supply chain identity risk is converging with agentic and automation risk. The same patterns that let attackers abuse third-party access also apply to autonomous systems that inherit delegated permissions. As AI agents and automation tokens proliferate, organisations need policy that follows the identity, not the application. Practitioners should assume the next compromise may arrive through a trusted workflow rather than a compromised host.

Detection after authentication is no longer enough. March’s incidents repeatedly show that initial access often looks legitimate, while the harmful action happens later, inside the control plane or downstream environment. That means logging in is not the security boundary. The boundary is whether post-authentication behaviour matches the intended scope of the identity. Teams should prioritise runtime authorization and behaviour analytics.

From our research:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming one and 26% suspecting one.
  • As identity supply chains keep expanding, practitioners should pair the 52 NHI Breaches Analysis with lifecycle controls that reduce standing trust before an attacker inherits it.

What this signals

Identity supply chain risk will force IAM teams to move from account-centric controls to relationship-centric governance. The next phase of programme maturity is not just knowing who has access, but how that access propagates across vendors, clouds, and automations. Teams that can model those links will be better positioned to stop trust cascade before it becomes incident response.

With 72% of organisations already having experienced or suspecting a breach of non-human identities, the governance gap is now operational, not theoretical. That figure from our NHI research suggests that machine identity exposure is already a board-level exposure pattern, especially where third-party access and automation intersect. Practitioners should prioritise visibility, ownership, and expiry across every non-human identity class.

Control-plane abuse will keep rewarding attackers who can authenticate legitimately and act destructively afterward. That means detection, approval, and runtime authorization need to sit beside identity issuance, not after the fact. For most programmes, the next meaningful improvement is not a new login control but a tighter post-authentication boundary.


For practitioners

  • Map downstream trust relationships: Inventory where admin accounts, SSO sessions, cloud roles, and service accounts can operate across tenants, vendors, and automation workflows. Remove inherited access paths that are not required for the business function.
  • Enforce just-in-time control for high-impact actions: Apply just-in-time approval to destructive operations such as device wipes, policy changes, key rotation, and role assignment. Pair this with multi-party authorization for shared administrative functions.
  • Govern non-human identities as identities: Assign owners, set expiry, rotate credentials, and review entitlements for service accounts, API keys, and automation tokens on a recurring schedule. Do not leave machine identities managed only as secrets inventory.
  • Monitor privileged behavior after login: Track privilege escalation, unusual admin actions, policy changes, and lateral movement after authentication. If the identity’s behaviour no longer matches its task scope, trigger containment and review.
  • Harden third-party access continuously: Review SSO, cloud IAM, and vendor-held access at least as often as internal privileged access. Use the 52 NHI Breaches Analysis to pressure-test assumptions about hidden trust paths.
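The trust mapping described under the Technical breakdown and the first three practitioner steps above can be made concrete in a small audit script. The following Python is an added example, not code from Delinea or NHI Mgmt Group: the identity names, owners, expiry dates, and delegated-trust edges are a constructed inventory, and the Identity model is a hypothetical one chosen for the illustration. It computes the downstream blast radius of any one identity and flags non-human and third-party identities that lack an owner, lack an expiry, or are already expired (the "trust debt" the analysis describes).

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Identity:  # one link in the identity supply chain (hypothetical model)
    name: str
    kind: str                    # "human", "machine" or "third_party"
    owner: str | None = None     # None: nobody is accountable for the identity
    expires: date | None = None  # None: standing credential that never expires
    trusts: list[str] = field(default_factory=list)  # downstream roles/consoles it can act through
# Constructed inventory: a vendor SSO account and a CI token both assume a cloud admin role, and that role administers the MDM control plane.
INVENTORY = {
    "vendor-sso@partner": Identity("vendor-sso@partner", "third_party", "vendor-mgmt",
                                   date(2026, 1, 31), ["cloud-role/admin"]),
    "ci-deploy-token": Identity("ci-deploy-token", "machine", None, None, ["cloud-role/admin"]),
    "cloud-role/admin": Identity("cloud-role/admin", "machine", "platform-team", None,
                                 ["mdm-console", "tenant-b/reader"]),
    "mdm-console": Identity("mdm-console", "machine", "endpoint-team"),
    "tenant-b/reader": Identity("tenant-b/reader", "machine", "tenant-b", date(2026, 12, 31)),
    "alice@corp": Identity("alice@corp", "human", "alice", None, ["tenant-b/reader"]),
}
AS_OF = date(2026, 4, 28)  # audit date used for the sample run

def blast_radius(inventory: dict, start: str) -> dict:
    """Map every node reachable from `start` over delegated-trust edges to its path (BFS)."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        cur = queue.popleft()
        targets = inventory[cur].trusts if cur in inventory else []  # unknown node: dead end
        for nxt in targets:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return {node: path for node, path in paths.items() if node != start}

def lifecycle_findings(inventory: dict, today: date) -> list:
    """Flag non-human/third-party identities with no owner, no expiry, or an expiry in the past."""
    findings = []
    for ident in inventory.values():
        if ident.kind == "human":
            continue  # interactive users are governed by other controls (MFA, HR lifecycle)
        if ident.owner is None:
            findings.append((ident.name, "no owner"))
        if ident.expires is None:
            findings.append((ident.name, "standing credential, no expiry"))
        elif ident.expires < today:
            findings.append((ident.name, f"expired {(today - ident.expires).days} days ago"))
    return findings
```

Run blast_radius(INVENTORY, "ci-deploy-token") to see that an ownerless, never-expiring CI token reaches the MDM console in two hops, and lifecycle_findings(INVENTORY, AS_OF) to see that the vendor SSO account is still trusted months after its expiry date.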

Key takeaways

  • Identity supply chains let one trusted compromise propagate across vendors, cloud environments, and automation systems.
  • Non-human identities remain under-governed, and that gap is now large enough to create repeated operational breaches.
  • Practitioners should prioritize downstream trust mapping, just-in-time control, and runtime authorization over login-only defenses.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Covers rotation and lifecycle gaps exposed by long-lived machine identities.
NIST CSF 2.0 | PR.AC-4 | Access permissions management applies to trusted identities crossing tenants and vendors.
NIST Zero Trust (SP 800-207) | AC-6 | Zero Trust requires continuous verification after authentication, not just at login.

Review NHI-03 controls and shorten the lifetime of service accounts, API keys, and automation tokens.


Key terms

  • Identity supply chain: An identity supply chain is the network of trusted accounts, roles, tokens, and delegated permissions that connect one system to another. When one link is compromised, attackers can inherit access downstream and use legitimate trust relationships to spread impact across environments.
  • Non-human identity: A non-human identity is any machine account, service account, API key, token, certificate, or autonomous agent that authenticates and acts without a person directly driving each action. These identities need ownership, expiry, rotation, and scope control because they often outlive the task they were created for.
  • Control plane: A control plane is the administrative layer used to manage systems, policies, devices, and access. It is a high-value target because a compromised control plane can change configuration, grant access, or execute destructive actions across many assets at once.
  • Standing privilege: Standing privilege is persistent access that remains available until it is manually removed. In NHI and IAM programmes, it increases blast radius because an attacker who compromises the identity can use that access immediately without waiting for approval or just-in-time elevation.

Deepen your knowledge

Identity supply chain governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment includes third-party access, cloud roles, and automation tokens, it is worth exploring.

This post draws on content published by Delinea: Identity supply chains are under siege. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org