TL;DR: The 2026 Verizon DBIR says 48% of breaches involve ransomware, third-party breaches reached 48%, exploitation of vulnerabilities rose to 32%, and credential abuse appeared in 39% of cases, while AI is accelerating attacker tradecraft across 793 tracked threat actors, according to Verizon. Point-in-time compliance is increasingly out of step with breach reality, and continuous technical visibility is now the dividing line between documented posture and actual exposure.
At a glance
What this is: The 2026 Verizon DBIR shows breach patterns are being driven by ransomware, third-party exposure, vulnerability exploitation, credential abuse, and AI-assisted attacker activity.
Why it matters: For IAM, NHI, and security assurance teams, the report shows why documentation-led assessments miss drift, weak access controls, and third-party risk that attackers are already exploiting.
By the numbers:
- 48% of all breaches now involve ransomware.
- Third-party breaches jumped 60% year over year, reaching 48% of all breaches in the dataset.
- Credential abuse still appears in 39% of breaches across the full attack chain.
- Verizon tracked 793 unique threat actors who faced enforcement action for violating acceptable use policies while using AI for malicious cybersecurity activity.
👉 Read Senserva's analysis of the 2026 Verizon DBIR findings for compliance and security assurance
Context
The security governance gap in the 2026 Verizon DBIR is simple: many programmes certify posture, but breaches expose behaviour. When vulnerability exploitation, credential abuse, and third-party access are the dominant entry and escalation paths, a questionnaire can confirm that controls exist without proving they are active, enforced, or current.
That gap matters across human identity, NHI, and AI-assisted attack operations. The article argues that attackers are using AI to move faster through familiar techniques, which makes continuous technical evidence more valuable than point-in-time assurance for any identity programme.
For compliance and security assurance teams, the practical question is no longer whether a policy was approved. It is whether the control state still matches reality after drift, delegation, and third-party connectivity have all had time to change it.
Key questions
Q: Why do compliance reviews fail to predict breach risk in cloud and identity environments?
A: Compliance reviews often prove that a control was documented at a point in time, not that it stayed effective. In cloud and identity environments, settings drift, privileged accounts change, and third-party access paths remain active after the review ends. Breach risk comes from the live state, so technical verification matters more than self-attestation.
A: Treat third-party access as a live identity relationship, not a paper process. Verify actual MFA enforcement, delegated permissions, connection paths, and account status in the target environment. A questionnaire can support governance, but only technical evidence shows whether the vendor’s access is still appropriate and limited to current business need.
Q: What do attackers gain when AI speeds up familiar breach techniques?
A: They gain scale, tempo, and flexibility. AI can help automate reconnaissance, refine phishing, test techniques, and adapt campaigns faster than human-operated tradecraft alone. That does not create a new category of attack, but it makes existing attack chains harder to outrun with slow review, alerting, and remediation processes.
Q: Who is accountable when misconfigurations in third-party environments lead to breaches?
A: Accountability usually sits with both the organisation owning the data and the provider or partner operating the environment, but the defender’s obligation does not disappear. Security teams must verify controls directly, document ownership for access decisions, and avoid assuming that a contract or SOC report proves the current live posture.
Technical breakdown
Why point-in-time assessment misses control drift
Point-in-time assessment records a configuration snapshot, not an operational guarantee. In identity and cloud environments, access policies, MFA enforcement, permission assignments, and exposed credentials can change after review, especially when third parties or admin teams modify settings outside the audit window. That means a control can be documented as present while the live environment has already diverged. The DBIR’s findings on weak password remediation and disabled admin MFA reflect this problem clearly: the issue is not just whether a control exists, but whether it remains enforced continuously.
Practical implication: assessors need technical evidence that proves control state, not just policy existence.
How credential abuse and misconfiguration create breach paths
Credential abuse remains powerful because it turns legitimate access into attacker access without needing a noisy exploit. Misconfigurations make that easier by expanding privilege, disabling MFA, or leaving permissions broader than intended. In cloud and Microsoft environments, these weaknesses often persist because they are spread across admin accounts, inherited roles, and third-party connections. Once an attacker has valid credentials or a misconfigured path, they can move through systems as an authorised user, which is harder to detect than a classic intrusion.
Practical implication: inventory privileged identities and permissions first, then validate MFA and effective access continuously.
What AI changes in attacker tradecraft
AI is not creating a new breach class here. It is compressing the time and skill needed to execute the old ones. According to the DBIR analysis, threat actors used AI across a median of 15 ATT&CK techniques in a single campaign, with some reaching 40 or 50 techniques. That means reconnaissance, phishing, payload refinement, and cleanup can all be accelerated inside one campaign. The defender problem is not that AI makes every attack novel. It is that it makes familiar attack chains arrive faster and with less effort.
Practical implication: shorten detection and review cycles, because attack velocity is now part of the risk model.
Threat narrative
Attacker objective: The attacker aims to turn weak identity and configuration controls into durable access that can support ransomware, exfiltration, or operational disruption.
- Entry occurs through vulnerability exploitation, credential abuse, or a third-party connection that provides legitimate-looking access into the environment.
- Escalation follows when misconfigurations, excessive permissions, or disabled MFA let the attacker expand reach without needing to break authentication again.
- Impact lands in ransomware, data theft, or wider compromise once the attacker has enough access to manipulate systems, exfiltrate data, or lock operations.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Compliance evidence is no longer a reliable proxy for breach resistance. The DBIR shows that organisations can pass reviews while still carrying active exposure in MFA, permissions, and third-party access. That is not a documentation problem, it is a verification problem. When the breach pattern is driven by state that drifts after the audit window closes, the control model itself has to be treated as incomplete.
Continuous technical visibility has become the real assurance layer. The article’s strongest signal is that the breach drivers are observable in live environments, but invisible to self-attestation. That makes continuous validation more than an efficiency improvement. It becomes the difference between a control that exists on paper and a control that actually limits attacker movement. Practitioners should treat this as a governance design issue, not a tooling preference.
Third-party identity is now part of the core breach surface, not the perimeter. With third-party breaches rising sharply, vendor access, hosted data, and connected environments must be governed as active identity relationships. The old assumption that a vendor questionnaire captures the risk is too weak for a breach landscape shaped by delegated access, misconfiguration, and delayed remediation. Security assurance now has to follow the access path, not the contract signature.
AI-assisted attacker scaling changes the economics of defensive timing. The article does not show that AI invents new attack classes, but it does show that AI lowers the cost of running old ones at higher tempo. That means the field is moving from technique recognition to speed management. The practitioner implication is straightforward: if your review, detection, and remediation cycles are slower than attacker-assisted execution, your programme is already late.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- The broader pattern is captured in The 52 NHI breaches Report, which helps frame why identity drift and standing access keep resurfacing as breach drivers.
What this signals
Control drift is now the programme risk that matters most. When 72% of organisations say they have experienced or suspect an NHI breach, the governance problem is not lack of policy, it is lack of live assurance. Teams need continuous validation across privileged identity, third-party access, and cloud configuration, because the attacker only needs one stale control path to turn documentation into exposure.
Identity assurance has to span human, machine, and delegated access paths. The DBIR’s emphasis on credential abuse and third-party compromise aligns with what the NHI breach data shows repeatedly: access relationships outlive the review process. That is why practitioners should align their operational controls with the NHI Lifecycle Management Guide and use the NIST Cybersecurity Framework 2.0 to tie evidence, monitoring, and response together.
Credential exposure debt: once privileged identity state drifts, organisations inherit a growing backlog of exposure that cannot be closed by attestations alone. The most defensible programmes are already treating continuous technical checks as the primary source of truth, then using Top 10 NHI Issues to prioritise what to fix first.
For practitioners
- Audit live MFA enforcement on privileged accounts Check admin and high-risk accounts in cloud and Microsoft environments for actual MFA enforcement, not policy intent or questionnaire evidence. Prioritise accounts that sit outside standard review cycles or are managed by third parties.
- Validate third-party access with technical evidence Replace questionnaire-only vendor reviews with direct checks of hosted environments, delegated permissions, and connection paths into your tenant. Look for standing access, inherited roles, and dormant trust links that outlive the business need.
- Track remediation against live exposure, not audit dates Measure the time between a finding appearing in the environment and the moment it is actually fixed. Use that interval to identify which misconfigurations remain open long after reviews say they are addressed.
- Shorten review cycles for AI-accelerated attack paths Treat AI-assisted phishing, reconnaissance, and exploitation as a timing problem as much as a detection problem. Update monitoring thresholds and escalation paths so controls react before a campaign can progress across multiple techniques.
Key takeaways
- The DBIR reinforces that breach reality is driven by live configuration, credential abuse, and third-party access, not by whether a control appears in a policy pack.
- AI is raising attacker tempo rather than inventing new attack classes, which makes slow review and remediation cycles a direct governance liability.
- Security assurance now depends on continuous technical evidence across identity and cloud state, especially for privileged and delegated access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity credentials and access management are central to the breach paths discussed. |
| NIST CSF 2.0 | DE.CM-8 | Continuous monitoring is needed to catch drift in cloud and identity controls. |
| NIST Zero Trust (SP 800-207) | The article centres on verifying identity and access continuously, which is core ZTA practice. |
Apply continuous verification to users, vendors, and workloads rather than trusting point-in-time approval.
Key terms
- Control Drift: The gap between the security state a programme believes it has and the state that actually exists in live systems. In identity-heavy environments, drift appears when MFA, permissions, or access paths change after review and remain undetected until a scan or incident exposes the difference.
- Third-Party Access Relationship: A delegated identity link that lets an external vendor, supplier, or hosted service operate inside another organisation’s environment. It is not a one-time approval. It is an active identity relationship that needs ongoing validation, lifecycle ownership, and clear revocation triggers when the business need changes.
- Credential Abuse: The use of valid credentials, tokens, keys, or accounts by someone who should not be exercising them. It is especially dangerous because it blends into normal authentication flows and often bypasses controls designed to catch obvious intrusion rather than authorised misuse.
- Continuous Technical Assurance: A governance approach that verifies security state directly from systems, not from declarations, questionnaires, or audit artefacts alone. It closes the gap between policy and practice by checking live configuration, access enforcement, and drift on an ongoing basis.
What's in the full article
Senserva's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of the Microsoft Graph checks used to validate Conditional Access, MFA, and permission posture.
- Specific remediation guidance for the compliance findings discussed in the article, including what to fix first.
- Framework mapping details for CISA SCuBA and MCSB so assessors can align evidence with their review process.
- Operational comparison between questionnaire-based vendor review and technical evidence gathering.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org