By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Remote workforce security remains inconsistent, with 79% of security professionals enforcing the same controls for all roles remotely, while 52% said remote employees found workarounds and 71% cited phishing as a top threat, according to Axiad and Cybersecurity Insiders. Identity assurance now has to account for user behaviour, not just policy design.


At a glance

What this is: This is a remote workforce security survey showing that expanded access, user workarounds, and phishing are widening identity risk across hybrid environments.

Why it matters: It matters because IAM teams must balance remote access, authentication friction, and policy compliance across human identity programmes while the same patterns also inform NHI and autonomous governance models.

By the numbers:

👉 Read Axiad's research on remote workforce security and access control risk


Context

Remote work changes the identity problem from one of controlled network access to one of distributed trust. When users authenticate from unmanaged locations and then work around policy friction, the programme no longer fails at a single control point; it fails across authentication, device posture, and access governance.

This survey is about human identity risk first, but the pattern matters beyond employee logins. The same governance pressure appears whenever access is expanded faster than verification, which is why IAM, PAM, and lifecycle teams should read it as a warning about control drift rather than a temporary remote-work inconvenience.


Key questions

Q: How should security teams reduce identity risk in remote workforce environments?

A: Security teams should reduce the number of resources each remote identity can reach, then align MFA, device posture, and access reviews with how people actually work. If users can bypass the control or delay it until later, the control is not protecting the session. The goal is to lower the blast radius of one compromised user account.

Q: Why do remote employees create more identity risk than office-based users?

A: Remote employees often authenticate from less controlled devices and networks, then depend on cloud and SaaS access that may be broader than their day-to-day task set. That combination increases the chance that phishing, malware, or a weak workaround becomes an enterprise access event. The risk comes from distributed trust, not remote work alone.

Q: What should organisations do when users work around MFA or other access controls?

A: Treat workarounds as evidence that the control design is not aligned with user behaviour. Re-examine friction, recovery paths, and helpdesk dependency, then simplify the authentication flow before tightening policy language. A control that users evade at scale has already weakened the programme.

Q: How do teams know whether remote access controls are actually working?

A: Look for adoption, bypass, and exception patterns rather than only policy coverage. If a large share of employees resists MFA, device management, or password tooling, the control may exist but still fail operationally. Real effectiveness shows up when the secure path is the easiest path for most users.


Technical breakdown

Remote access expansion and identity blast radius

The survey shows organisations adding more licenses, hardware, vendors, and cloud applications to support remote work. That expansion increases the number of identities, apps, and pathways that can be abused if one endpoint is compromised. In identity terms, the blast radius grows when access is distributed without a matching increase in assurance and monitoring. The problem is not remote work itself, but the way extra access points multiply the number of trust decisions IAM must defend.

Practical implication: map where remote access has expanded entitlement scope and reduce the number of high-value pathways behind each user identity.

MFA friction, workarounds, and control bypass

The report highlights resistance to multi-factor authentication, mobile device management, and password managers, plus widespread user workarounds. That matters because a control that people routinely bypass is not a durable control model; it is an aspiration. In human IAM, the security outcome depends on adoption as much as configuration. If users can avoid the friction, attackers often inherit the same bypass path through social engineering or credential theft.

Practical implication: measure how often users bypass authentication controls and treat workaround rates as a control failure signal.

Phishing as an identity compromise amplifier

Phishing and malware remain the dominant remote-work threat vectors because they convert human trust into credential compromise. In a perimeter-less environment, the attacker does not need to defeat the whole enterprise, only to capture one user’s authentication path and then move through whatever that identity can reach. That makes phishing more than an awareness problem. It is an access governance problem because the stolen identity becomes a trusted gateway into the rest of the environment.

Practical implication: pair phishing resilience with tighter privilege scope so a compromised user identity cannot reach broad corporate resources.




NHI Mgmt Group analysis

Remote work turns identity governance into a behaviour problem, not just a policy problem. The report shows that organisations can standardise controls on paper while users still find ways around them in practice. That means the real boundary is no longer the policy document but the point at which users experience the control as too difficult to follow. Practitioners should treat policy bypass as a governance signal, not user misconduct alone.

The concept of identity blast radius fits this report precisely. When more users, devices, and cloud applications are opened up to support remote access, each compromised account can reach more of the business. The issue is not only authentication strength, but how far an authenticated identity can move once it is inside. IAM and PAM teams should use this lens to reduce the amount of damage one account can do.

Human identity programmes fail when security assumes compliance will follow convenience. The survey’s 52% workaround rate shows that friction is not a side issue; it is a control design variable. Controls that do not fit daily work create shadow behaviour, and shadow behaviour creates ungoverned access paths. The implication is that identity teams must design for actual user movement, not ideal process flow.

Remote workforce security is already converging with broader identity governance challenges. The same tension between assurance and usability appears in service account governance and, increasingly, autonomous access models. The lesson from this survey is that identity control breaks when organisations equate having a policy with having a functioning control. Practitioners should measure whether controls are followed, not just whether they exist.

From our research:

  • 79% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • For a wider governance lens, review 52 NHI Breaches Analysis to see how weak visibility and unmanaged access turn into real incidents.

What this signals

Identity teams should read this survey as a warning about control adoption, not just control design. When 52% of workers find workarounds, the issue becomes whether security can survive contact with daily operations. That same adoption gap will reappear wherever authentication or access governance creates friction that users can avoid.

Identity blast radius is the right lens for remote work and for NHI governance. The more endpoints, applications, and access routes a single identity can touch, the more one compromise matters. Teams should use remote-work lessons to tighten entitlement scope before the same pattern shows up in service accounts and delegated automation.

With 90% of IT leaders saying properly managing NHIs is essential for successful zero trust, per Ultimate Guide to NHIs, Why NHI Security Matters Now, the governance lesson is clear: expansion without verification creates structural risk. Remote access is only one example of a wider pattern where trust grows faster than assurance. Practitioners should prepare for that pattern across human, machine, and autonomous identities.


For practitioners

  • Reduce remote access blast radius: Review which remote access pathways expose confidential data and privileged functions, then narrow access scopes so a single compromised user identity cannot reach broad resource sets.
  • Treat workaround rates as a governance metric: Track how often employees bypass MFA, device management, or password manager requirements, and use those signals in access review and control redesign conversations.
  • Pair phishing resilience with entitlement limits: Strengthen user training, but also shorten the access path available to any stolen identity by removing unnecessary application reach and privileged roles.
  • Simplify controls before expanding them further: Where users are resisting authentication steps, redesign the workflow for lower-friction verification rather than assuming stricter policy language will change behaviour.
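
The first two practitioner items, blast radius and workaround rate, are measurable. The script below is an added example, not code from the article or from Axiad: it scores each identity by the resources (and privileged resources) it can reach, computes the share of its authentications that did not complete MFA, and lists the identities to review first. The entitlement map, the privileged set, and the authentication events are constructed sample data; the field names and the 0.5 threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed shape, not from the survey): who can reach
# what, and which resources count as privileged.
ENTITLEMENTS = {
    "alice": {"crm", "vpn", "hr-payroll"},
    "bob":   {"crm", "vpn"},
    "carol": {"crm", "vpn", "finance-erp", "admin-console"},
}
PRIVILEGED = {"hr-payroll", "finance-erp", "admin-console"}

# Constructed authentication events. "mfa" records how the MFA step ended;
# anything other than "completed" (helpdesk exception, skipped prompt) is
# counted as a workaround of the control.
AUTH_EVENTS = [
    {"user": "alice", "mfa": "completed"},
    {"user": "alice", "mfa": "completed"},
    {"user": "alice", "mfa": "exception"},
    {"user": "bob",   "mfa": "completed"},
    {"user": "bob",   "mfa": "skipped"},
    {"user": "carol", "mfa": "completed"},
    {"user": "carol", "mfa": "skipped"},
    {"user": "carol", "mfa": "skipped"},
]

def blast_radius(identity, entitlements=ENTITLEMENTS, privileged=PRIVILEGED):
    """Resources one identity reaches if compromised, and how many are privileged."""
    reach = entitlements.get(identity, set())
    return {"resources": len(reach), "privileged": len(reach & privileged)}

def workaround_rates(events=AUTH_EVENTS):
    """Per-identity share of authentications that did not complete MFA."""
    totals, bypassed = defaultdict(int), defaultdict(int)
    for ev in events:
        totals[ev["user"]] += 1
        if ev["mfa"] != "completed":
            bypassed[ev["user"]] += 1
    return {u: bypassed[u] / totals[u] for u in totals}

def prioritise(threshold=0.5, entitlements=ENTITLEMENTS, events=AUTH_EVENTS):
    """Identities whose workaround rate meets the threshold and whose reach
    includes privileged resources, most privileged reach first."""
    rates = workaround_rates(events)
    flagged = [u for u in entitlements
               if rates.get(u, 0.0) >= threshold
               and blast_radius(u, entitlements)["privileged"] > 0]
    return sorted(flagged, key=lambda u: -blast_radius(u, entitlements)["privileged"])
```

Calling `prioritise()` on the sample data returns only carol: bob bypasses MFA half the time but reaches nothing privileged, and alice reaches payroll but rarely bypasses.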

Key takeaways

  • Remote workforce security fails when organisations widen access without matching that expansion with stronger identity assurance and lower-friction controls.
  • The survey’s strongest signals are user workarounds, authentication resistance, and phishing pressure, all of which turn identity into the primary attack path.
  • Practitioners should treat bypass behaviour as a governance metric and reduce the blast radius of any one remote identity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Remote access expands identity trust boundaries and requires explicit access governance.
NIST SP 800-63 | | User authentication resistance affects remote identity assurance and federation outcomes.
NIST Zero Trust (SP 800-207) | PR.AC-4 | The survey reflects a perimeter-less environment where access must be continually verified.

Apply continuous verification so remote identities do not retain broad trust after authentication.


Key terms

  • Identity blast radius: The amount of damage one identity can do once compromised. In remote-work environments, blast radius grows when a single account can reach many applications, data sets, or privileged actions. Good governance reduces this reach so one stolen credential does not become an enterprise-wide incident.
  • Control bypass: A pattern where users avoid a security control because it is too slow, too rigid, or too hard to use. In practice, bypass is a governance failure, not just a user behaviour issue, because repeated avoidance shows the control design does not match operational reality.
  • Distributed trust: A security model where authentication and access decisions happen across many locations, devices, and cloud services rather than inside one protected perimeter. For identity teams, distributed trust means assurance must travel with the user, the device, and the session instead of relying on network location.

Deepen your knowledge

Remote workforce identity governance is a practical part of our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is dealing with remote access sprawl, it is worth exploring.

This post draws on content published by Axiad: Remote Workforce Security Survey shows access control policies providing hackers with more routes into organizations. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org