TL;DR: Verizon’s 2025 DBIR found third-party involvement in 30% of breaches, initial access through vulnerabilities at 20%, and a 72% employee GenAI usage pattern that often bypassed corporate authentication, according to Verizon. The findings show that breach resilience now depends on supply chain control, rapid exposure reduction, and tighter identity governance around sanctioned AI use.
NHIMG editorial — based on content published by ColorTokens: 2026: Bringing Cyber Resiliency to Organizations
By the numbers:
- According to Verizon, third-party involvement was a factor in 30% of all breaches this year, up from approximately 15% in the previous year.
- The report found that exploitation of vulnerabilities accounted for 20% of all breaches, overtaking phishing at 15%.
- Of employees accessing GenAI on corporate devices, 72% were using a personal email for their account, and another 17% used a corporate email not integrated with company authentication systems.
Questions worth separating out
Q: What breaks when third-party access is not reviewed continuously?
A: The break is that access stays active long after the business relationship, vendor task, or application purpose has changed.
Q: Why do exposed edge systems demand a different remediation model?
A: Because the attack window can be effectively zero once a critical flaw is public.
Q: How can organisations prove their AI controls are actually working?
A: Look for evidence that policy decisions are logged, sensitive prompts are being redacted or blocked when required, and approved AI interactions are traceable by identity and business context.
Practitioner guidance
- Map third-party trust chains Inventory every external relationship that can authenticate, exchange data, or open support access into production.
- Prioritise exposed edge systems Classify VPNs, gateways, and other internet-facing control points as high-urgency remediation assets.
- Bring AI usage under enterprise identity Require corporate authentication for sanctioned GenAI services and block high-risk account creation patterns, especially personal email sign-ups on unmanaged platforms.
What's in the full article
ColorTokens' full post covers the operational detail this analysis intentionally leaves for the source:
- The vendor’s full breakdown of the four DBIR findings and how each one affects breach readiness planning.
- Specific examples of how microsegmentation and breach containment are positioned for edge and supply chain resilience.
- The article’s full discussion of why reporting behaviour matters operationally, not just as an awareness metric.
- ColorTokens’ own mitigation framing for organisations trying to reduce lateral movement when prevention fails.
👉 Read ColorTokens’ analysis of the four DBIR findings shaping breach readiness →
Verizon DBIR 2025: what changed for security and identity teams?
Explore further
Third-party exposure has become an identity problem, not just a supplier-risk problem. When 30% of breaches involve third parties, the practical issue is no longer whether a vendor is trusted, but whether delegated access, support pathways, and shared credentials are governed as part of the identity fabric. IAM, PAM, and NHI teams should treat external trust as an extension of their own control plane, because attackers do.
A question worth separating out:
Q: Who is accountable when AI-accelerated phishing leads to an identity breach?
A: Accountability should sit with the teams that own identity governance, privileged access, and incident containment, not only with security awareness programmes. AI makes phishing faster, but it is the organisation's access design that determines how far stolen credentials can go. If access is broad and durable, governance gaps become breach multipliers.
👉 Read our full editorial: Verizon DBIR 2025 signals a reset in breach and identity risk