TL;DR: Verizon’s 2026 Data Breach Investigations Report analyzed over 22,000 confirmed breaches and found credential abuse in 39% of full breach chains, with 50% of ransomware victims seeing a credential or infostealer event within 95 days, according to Verizon. Identity controls now shape both intrusion paths and recovery cost.
At a glance
What this is: Verizon’s 2026 DBIR shows identity remains central to breach chains, with credential abuse, third-party access gaps, and backup integrity shaping both attack success and recovery cost.
Why it matters: For IAM, PAM, and NHI teams, the report reinforces that access governance is not just prevention, it is also recovery readiness when identity systems themselves become the failure point.
By the numbers:
- The 2026 DBIR analyzed over 22,000 confirmed breaches across 145 countries.
- Ransomware hit 48% of breaches.
- Organizations with compromised backups paid 8x more to recover, at $3M versus $375K.
- 60% year-over-year.
👉 Read Acsense's analysis of the Verizon DBIR 2026 and IAM resilience
Context
The Verizon DBIR 2026 argues that identity security is still the most durable breach pathway, even as vulnerability exploitation rises. Credential abuse, phishing, and pretexting still make up a large share of initial access, and credential abuse remains pervasive across the full breach chain. For IAM teams, that means identity governance is not a separate control plane from incident response; it is part of the attack path and part of recovery.
The report also ties identity weakness to operational resilience. When ransomware or third-party compromise reaches IAM infrastructure, the issue is no longer only access control, but whether the organisation can restore authentication, policy state, and admin trust without rebuilding by hand. That is a familiar failure mode across human IAM, NHI estates, and cloud identity stacks, and it is typical of current enterprise environments rather than an edge case.
Key questions
Q: What fails when identity systems are compromised before ransomware deployment?
A: What fails first is not only authentication, but trust in the identity control plane itself. If attackers can change MFA policy, register rogue apps, or corrupt admin accounts, the organisation loses the ability to restore access safely. Recovery becomes reconstruction unless clean identity backups and restore order are already tested.
Q: Why do infostealer events matter so much to IAM teams?
A: Infostealers matter because they turn endpoint compromise into valid identity reuse. Stolen credentials, browser sessions, and tokens can be replayed against cloud and SaaS controls, often long before a ransomware event. IAM teams should treat that exposure as a precursor to privileged abuse, not a low-level desktop problem.
Q: What do security teams get wrong about third-party identity risk?
A: They often focus on vendor onboarding and miss the lifecycle problem. Third-party accounts, delegated admin roles, and service identities need continuous review because MFA gaps and stale permissions can persist for months. If access outlives the business reason for it, the breach surface grows silently.
Q: How can organisations tell whether identity resilience is actually working?
A: Look for restore evidence, not policy statements. Identity resilience is working when MFA state, admin mappings, OAuth trust, and backup integrity can be restored quickly and validated before production access resumes. If those pieces cannot be recovered in sequence, the programme has availability, not resilience.
Technical breakdown
Why credential abuse still dominates full breach chains
Credential abuse remains the most persistent identity pattern because valid access blends into normal operations. Attackers do not need to break authentication if they can harvest credentials, reuse tokens, or abuse legacy trust relationships. In the DBIR framing, phishing, credential abuse, and pretexting are separate initial access routes, but they often converge into the same downstream problem: a trusted identity with more reach than it should have. For NHI and IAM programmes, the technical issue is not only password strength. It is the persistence of usable credentials, the absence of behavioural constraints, and weak visibility into how access is actually exercised after login.
Practical implication: Map every high-value identity to its likely reuse path, not just its login method.
How infostealers turn identity into a ransomware pipeline
Infostealers are a credential collection mechanism that converts endpoint compromise into downstream identity abuse. Once stolen credentials, session artefacts, or browser-stored secrets are sold to initial access brokers, the attack no longer starts at the perimeter. It starts inside a trusted identity context. The DBIR’s linkage between credential or infostealer events and later ransomware shows the time lag matters less than the reuse of valid access. In practice, the attacker uses the identity layer to reach admin surfaces, weaken controls, and stage the ransomware payload. That makes the identity plane an upstream control point, not a post-compromise containment problem.
Practical implication: Treat infostealer exposure as an identity incident with follow-on ransomware risk, not a standalone endpoint alert.
Why backup integrity determines whether identity recovery is survivable
Backup integrity matters because identity systems are stateful control systems, not static applications. If attackers corrupt configuration, MFA policies, OAuth registrations, or admin accounts, recovery depends on restoring trusted identity state, not just data files. The DBIR’s 8x recovery-cost gap shows that compromised backups turn response into reconstruction. For IAM and NHI platforms, immutable and tested backups are only useful if they preserve policy fidelity, change history, and restore order. Otherwise the organisation can technically recover while still being unable to trust who has access to what. That is why identity resilience needs the same recovery discipline as core production systems.
Practical implication: Back up identity configuration and test restore of policy state, not only directory data.
Threat narrative
Attacker objective: The attacker aims to turn trusted identity into durable access, then use that access to deploy ransomware, expand reach, or slow recovery.
- Entry begins when attackers obtain credentials through phishing, infostealers, or pretexting and convert that access into a trusted identity session. Escalation follows when the attacker uses the session to reach admin surfaces, weaken MFA, or modify identity controls. Impact occurs when the identity layer enables ransomware deployment or blocks recovery by corrupting backup trust and authentication state.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential abuse is now an identity lifecycle problem, not just an authentication problem. The DBIR’s 39% figure across full breach chains shows that access reuse, not only login compromise, remains the dominant identity failure mode. That puts joiner-mover-leaver discipline, secret handling, and admin account governance under the same pressure as phishing resistance. For NHI and human IAM teams alike, the programme question is whether stolen or stale access can still move through the estate unchecked.
Identity blast radius is the real risk metric. Once an attacker reaches a trusted account, the harm depends on how far that identity can move across cloud, SaaS, and recovery tooling. The DBIR’s third-party and ransomware findings show that overextended access is what turns a single compromise into a domain-wide event. NHI governance must therefore be measured by containment potential, not by whether a credential exists in a vault.
Backup integrity is a governance control, not a storage feature. When identity systems are encrypted or corrupted, the ability to re-establish authentication and policy state determines whether the business can recover at all. The 8x recovery-cost spread demonstrates that resilience depends on trusted restore paths for IAM configurations, not only data retention. Practitioners should treat identity backup design as part of access governance and incident readiness, not separate infrastructure hygiene.
Third-party access without lifecycle discipline is the hidden amplifier in the DBIR. The 60% rise in third-party breaches aligns with a familiar control gap: access that persists after the business relationship, change event, or configuration drift that justified it. That gap applies equally to vendor integrations, service accounts, and delegated admin paths. For practitioners, the field-level lesson is that offboarding and entitlement review must reach outside the core employee population.
Static trust assumptions are failing across human IAM and NHI estates. The report shows that identity failures compound when controls assume access is both stable and visible long enough for quarterly governance to catch up. That assumption no longer holds in environments shaped by infostealers, cloud admin sprawl, and automation. Practitioners should expect shorter control windows and design for continuous state verification, not delayed review cycles.
From our research:
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which keeps credential exposure easy to weaponise across both human and non-human identity estates.
- Ultimate Guide to NHIs , Why NHI Security Matters Now helps teams connect identity growth, secret sprawl, and governance pressure before the next breach chain forms.
What this signals
Identity resilience will increasingly be judged by recovery fidelity, not just prevention coverage. The DBIR’s 8x recovery-cost spread shows that backup integrity is now a governance outcome, not an infrastructure detail. Teams should expect audit and incident-readiness conversations to shift toward restore validation for IAM, privileged accounts, and access policy state.
Credential pipelines will keep linking human, NHI, and cloud-admin risk. When stolen access can move from endpoint to broker to ransomware, the practical boundary between user identity and machine identity becomes less important than how far any credential can travel. That is why programmes built around quarterly reviews are likely to fall behind continuous-state verification, especially across cloud and delegated admin estates.
From our research: 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report. That gap becomes more dangerous when identity systems also serve as recovery infrastructure, because weak NHI governance can slow both detection and restoration.
For practitioners
- Audit identity recovery paths separately from data recovery Verify that IAM configuration, MFA policy state, OAuth registrations, and privileged account mappings can be restored from clean backups before broader disaster recovery work starts. Test the full restore order, including admin trust and policy dependencies, so identity comes back as a trusted control plane, not a partially rebuilt directory.
- Treat infostealer exposure as a credential incident with follow-on blast radius When endpoint telemetry shows credential theft or token exposure, assume the attacker will reuse that access against identity admin surfaces, cloud consoles, and third-party integrations. Escalate to identity review, rotate exposed secrets, and verify that brokered access has not already been sold or replayed.
- Close the third-party MFA and admin gap continuously Inventory cloud-admin and delegated-access paths for vendors, partners, and service accounts, then validate whether MFA, conditional access, and approval workflows are still enabled. Continuous checking matters because the DBIR shows these misconfigurations can persist for months before remediation.
- Measure identity blast radius as part of resilience planning Map which identities can change MFA settings, register OAuth apps, alter backups, or create persistence without secondary approval. The goal is to identify which accounts turn a local compromise into a domain-wide recovery event and to reduce that reach before the next incident.
Key takeaways
- The DBIR shows identity remains a primary breach pathway, even where vulnerability exploitation is rising.
- Recovery cost is driven as much by identity backup integrity as by ransomware itself, with an 8x gap between protected and compromised environments.
- Practitioners should treat IAM, PAM, and NHI recovery paths as core resilience controls, not side projects.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential abuse and secret handling are central to the DBIR's identity findings. |
| NIST CSF 2.0 | PR.AC-4 | Identity access management and least privilege are directly implicated by the breach chains. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management is relevant to MFA gaps, credential abuse, and secret rotation. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0040 , Impact | The report centers on credential abuse leading to ransomware impact. |
Prioritise secret lifecycle controls and reduce standing credential exposure across human and non-human identities.
Key terms
- Identity Blast Radius: The amount of access, control, and downstream system reach an identity can influence if it is compromised. In practice, it measures how far a stolen account, token, or service identity can move before containment stops it. For IAM and NHI teams, it is a better risk lens than raw account count.
- Identity Control Plane: The collection of authentication, authorisation, policy, and administrative functions that decide who or what can access systems. When this plane is attacked, the problem is broader than data theft because the organisation may lose the ability to trust or restore access decisions. Recovery depends on restoring that plane intact.
- Credential Pipeline: The path from credential theft to downstream abuse, often through infostealers, brokers, and reused access. It matters because valid credentials can move through multiple hands before the final attack occurs. IAM teams should treat the pipeline as an end-to-end identity threat, not a single compromise event.
- Identity Resilience: The ability to restore identity services, policies, and privileged access safely after disruption. This includes backup integrity, tested recovery sequencing, and validation that restored access is trustworthy before production use resumes. It is the difference between regaining service and rebuilding the IAM estate from scratch.
What's in the full article
Acsense's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step IAM resilience mapping table that ties DBIR findings to specific recovery requirements across Okta and Entra ID.
- A practical readiness checklist for backup coverage, drift detection, disaster recovery, and compliance validation.
- An illustrative scenario showing how an infostealer on an IAM admin account can weaken MFA, register a rogue OAuth app, and trigger ransomware.
- Operational detail on continuous backup and validated restore sequencing for identity configurations.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org