By NHI Mgmt Group Editorial TeamPublished 2026-05-21Domain: Governance & RiskSource: Enzoic

TL;DR: The 2026 Verizon DBIR analyzed more than 31,000 security incidents and found that exploitation of vulnerabilities is now the leading initial access vector, while credential abuse still drives a large share of attacks and ransomware chains, according to Enzoic’s summary of the report. The message for identity teams is that patching and credential control remain the practical choke points, not abstract security goals.


At a glance

What this is: This is an Enzoic analysis of the 2026 Verizon DBIR showing that vulnerability exploitation and credential abuse remain the dominant entry paths in breach chains.

Why it matters: It matters because IAM, PAM, and NHI programmes still fail when credentials are reused, stolen, or left exposed long enough to be weaponised.

By the numbers:

👉 Read Enzoic's analysis of the 2026 Verizon DBIR and credential abuse trends


Context

Credential abuse is still one of the most reliable ways into enterprise environments, even as vulnerability exploitation has grown faster in the latest breach data. For identity teams, that means the question is not whether attackers will target credentials, but whether those credentials can be reused, stolen, or validated quickly enough to matter.

The 2026 DBIR also reinforces a familiar operational problem: remediation backlogs are rising while the time to patch known issues is getting longer. That combination weakens both human IAM and NHI governance because exposed credentials and unpatched systems tend to feed the same intrusion chain.

Enzoic’s analysis frames this as a tension between constant change in the threat landscape and the persistence of foundational security failures. That is a typical enterprise pattern, not an outlier, which makes identity hygiene a board-level operational issue rather than a narrow security task.


Key questions

Q: What breaks when stolen credentials are still valid after exposure?

A: When stolen credentials remain valid, attackers do not need to bypass authentication again. They can log in, blend in with normal activity, and use the trust already granted by the system. That turns a single leak into a repeatable access path for fraud, data theft, or lateral movement. The control problem is replayability, not just theft.

Q: Why do credential attacks still matter in environments with MFA?

A: MFA reduces some forms of credential abuse, but it does not eliminate all attacker paths. Valid session theft, phishing, fatigue attacks, token replay, and weak service credential governance can still produce real access. Teams should treat MFA as one layer, not a substitute for password hygiene, secret rotation, and entitlement minimisation.

Q: How do security teams know whether credential controls are actually working?

A: They should look for fewer successful logins from known compromised credentials, lower rates of password reuse, shorter time between exposure and revocation, and reduced lateral movement from initial access accounts. If credentials can still be used after exposure, the control is only partially effective. Measurement should focus on replay prevention, not policy coverage.

Q: Who is accountable when exposed credentials lead to a breach?

A: Accountability usually spans IAM, infrastructure, application owners, and security operations because the failure often crosses multiple controls. The key question is who owns the credential lifecycle, who can revoke it quickly, and who is responsible for the systems that accept it. Without named ownership, exposed access becomes everyone’s problem and no one’s control.


Technical breakdown

Why credential abuse still opens the door

Credential abuse covers stolen passwords, password spraying, credential stuffing, and the use of compromised secrets to authenticate as a legitimate user or service. The DBIR’s message is that identity remains the easiest path when attackers can bypass controls instead of breaking them. For NHI programmes, the same pattern applies to API keys, tokens, and service credentials that are exposed, reused, or never rotated. The real weakness is not just theft, but the durability of the identity after compromise. If a credential still works, it can be replayed at scale.

Practical implication: reduce the value of every stolen credential by shortening its usable lifetime and limiting where it can authenticate.

Why vulnerability remediation is now part of identity defence

The report shows that exploitation of vulnerabilities has become a major initial access vector, which matters because identity systems rarely fail in isolation. A vulnerable application, exposed management plane, or unpatched internet-facing service often becomes the first foothold that leads to credential theft or privileged session abuse. This is where security teams should stop separating patch management from identity governance. Once the first host is compromised, attackers often pivot into access material that was never meant to leave its trust boundary.

Practical implication: treat vulnerability remediation as a prerequisite for identity containment, not as a separate infrastructure queue.

Why stolen credentials remain the preferred path to lateral movement

Basic web application attacks still rely heavily on valid credentials because authentication systems are designed to trust successful login, not motive. Once an attacker has working access, lateral movement becomes a matter of exploring session scope, role overlap, and over-permissioned accounts. This is especially dangerous where human accounts and NHI accounts share weak governance habits such as reused secrets, broad entitlements, or unclear ownership. The control gap is not detection alone, but the absence of strong entitlement boundaries after login succeeds.

Practical implication: pair login protections with entitlement minimisation so a valid session cannot become broad internal access.


Threat narrative

Attacker objective: The attacker’s objective is to convert a single foothold into reliable internal access that can be monetised through theft, extortion, or broader intrusion.

  1. Entry occurs when attackers use exploited vulnerabilities or stolen credentials to obtain a valid foothold in the environment, often through a public-facing application or exposed service.
  2. Escalation follows when that foothold is used to access additional systems, harvest more credentials, or move into over-permissioned accounts that expand reach across the estate.
  3. Impact arrives when the attacker uses that access for data theft, ransomware deployment, fraud, or further compromise across adjacent systems.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Credential persistence is the real failure mode behind modern intrusion chains. The report shows that attackers do not need novel identity techniques when valid credentials remain reusable after exposure. That is a governance failure, not just a detection failure, because identity programmes still tolerate credentials that outlive the conditions under which they were issued. The practitioner conclusion is blunt: if compromise does not quickly invalidate access, identity becomes the attacker’s persistence layer.

Standing access and weak remediation create identity blast radius. The DBIR’s patching data and credential abuse data point to the same structural issue: organisations let exposure linger long enough for it to be chained. Vulnerability management and identity governance are therefore coupled controls, because one governs entry surfaces and the other governs what happens after entry. The practitioner conclusion is to manage blast radius as a single programme across systems and identities.

Non-human identity governance cannot rely on the same assumptions as human access review. Service accounts, API keys, and tokens do not raise alerts simply because time has passed, and they do not self-report when their scope becomes unsafe. That makes the review model itself a control assumption that can fail quietly in NHI-heavy environments. The practitioner conclusion is to treat machine credentials as continuously live attack paths, not periodic audit items.

Identity hygiene is now a resilience metric, not a hygiene metric. The scale of incident data in the DBIR shows that credential compromise remains a repeatable business problem, not an edge case. Organisations that measure identity control only by policy existence will miss the operational question of whether credentials can still be used after exposure. The practitioner conclusion is to judge controls by whether they reduce replayability and internal reach.

Ephemeral credential trust debt: organisations accumulate risk when short-lived credentials are treated as low-risk by default even though their trust assumptions are rarely verified at runtime. The problem is not duration alone, but the assumption that temporary access is automatically safe. The practitioner conclusion is to tie every temporary credential to strict scope, owner, and revocation logic.

From our research:

What this signals

Identity teams should assume compromise-to-impact chains are shortening, not slowing. With attackers able to exploit vulnerable services and reusable credentials in the same campaign, the practical window for containment is shrinking. That means NHI and IAM programmes need to treat exposure duration as a measurable risk signal, not just an incident after-action metric.

Control ownership must move closer to the systems that issue and accept credentials. The DBIR data points to a programme gap where patching, authentication, and privilege management are still handled as separate queues. Teams that close that gap will reduce both human and machine identity exposure, especially where service accounts and application credentials are embedded in operational workflows.

For practitioners, the question is no longer whether credentials are valuable to attackers, but how much internal reach they still provide after first access. That is where the next control conversation belongs, alongside the OWASP NHI Top 10 and the 52 NHI Breaches analysis for pattern matching and prioritisation.


For practitioners

  • Harden credential replay resistance Enforce unique passwords, blacklist known compromised passwords, and require MFA wherever it is supported so stolen credentials have less operational value.
  • Shorten the life of exposed access paths Review any password, token, or API key that can be reused across multiple systems and reduce its usable lifetime through rotation, revocation, or narrower scope.
  • Tie patching to access risk Prioritise internet-facing vulnerabilities that can lead to authentication bypass, code execution, or credential theft before they become identity incidents.
  • Map credential abuse to privileged pathways Identify where successful login leads directly to lateral movement, administrative functions, or data export so those paths can be segmented or monitored more tightly.
  • Review NHI ownership and expiry Confirm that every service account, token, and key has an owner, an expiry condition, and a documented revocation path that works without manual delay.

Key takeaways

  • The DBIR reinforces that credential abuse remains one of the most reliable ways into enterprise environments, even as vulnerability exploitation grows.
  • The scale of the problem is operational, not theoretical: patching backlogs are rising, remediation is slowing, and reused access continues to create breach paths.
  • Identity programmes should be measured by how quickly exposure loses value, because that is what limits lateral movement, data theft, and ransomware.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Credential reuse and rotation gaps are central to the article’s identity-risk pattern.
NIST CSF 2.0PR.AC-4Least-privilege access management is directly challenged by reusable credentials and broad entitlements.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article centers on stolen credential use followed by internal movement.
NIST SP 800-53 Rev 5IA-5Authenticator management is directly relevant to password hygiene and credential lifecycle.
NIST Zero Trust (SP 800-207)Zero Trust principles fit the need to limit trust after authentication succeeds.

Map attack paths to credential access and lateral movement techniques to prioritise containment controls.


Key terms

  • Credential Abuse: Credential abuse is the use of stolen, reused, or otherwise compromised login material to gain unauthorized access. It includes password spraying, stuffing, and replaying valid secrets, and it remains effective whenever authentication trusts the credential more than the context around it.
  • Initial Access Vector: An initial access vector is the first mechanism an attacker uses to enter a target environment. In this context it often includes exploited vulnerabilities or valid credentials, and it matters because every later stage depends on how the attacker gets in.
  • Identity Blast Radius: Identity blast radius is the amount of internal reach a compromised identity can create once it is used successfully. It is shaped by entitlement scope, privilege overlap, and session trust, and it is one of the clearest ways to measure the damage potential of a single stolen credential.

What's in the full article

Enzoic's full analysis covers the operational detail this post intentionally leaves for the source:

  • The year-over-year incident breakdown behind the 31,000-plus case sample, including where exploit and credential patterns shifted.
  • The DBIR figures on remediation lag, including the 26% CISA KEV completion rate and the rising patch burden.
  • The report’s breakdown of AI use in attacks, including phishing, exploit support, and credential abuse.
  • Enzoic’s interpretation of what the data means for password hygiene, vulnerability management, and incident response prioritisation.

👉 Enzoic's full post covers the incident data, attack-vector shifts, and credential compromise implications in more depth.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org