TL;DR: AI is turning stolen credentials into a continuous training signal, with 88% of web application attacks involving stolen credentials and 16 billion login records circulating in 2025, according to Verizon and PYMNTS. Static password resets and periodic audits cannot keep pace with adaptive attack loops, so identity teams need continuous credential defence.
NHIMG editorial — based on content published by Enzoic: How AI Is Supercharging Credential Attacks
By the numbers:
- 16 billion login records circulated across public and dark-web sources in 2025 alone, according to PYMNTS.
Questions worth separating out
Q: How should security teams stop AI-driven credential attacks from succeeding?
A: They should move from periodic password management to continuous credential defence.
Q: Why do breached credentials still create major risk even after passwords are changed?
A: Because the breach does more than reveal one secret.
Q: What do organisations get wrong about password rotation in AI-driven attacks?
A: They assume rotation is a sufficient response when the real problem is exposure plus speed.
Practitioner guidance
- Embed breached-credential screening in authentication flows Check passwords at creation, reset, and login against live breach intelligence so compromised values are rejected before use.
- Automate remediation for exposed accounts Trigger resets, step-up checks, or temporary lockouts when new exposure data appears, and route those events into IAM, SIEM, or SOAR workflows for traceable response.
- Extend monitoring to third-party identities Include vendor, partner, and federated accounts in breach monitoring and compromise screening so exposures in connected ecosystems are not missed.
What's in the full article
Enzoic's full white paper covers the operational detail this post intentionally leaves for the source:
- How continuous credential defence is wired into authentication flows and directory services.
- Implementation detail for breach intelligence ingestion, screening logic, and automated enforcement.
- Examples of how IAM, SIEM, and SOAR integrations support remediation workflows.
- Operational guidance on privacy-preserving credential checks and performance tuning.
👉 Read Enzoic's analysis of AI credential attacks and continuous defence →
AI credential attacks and continuous defense: what IAM teams need?
Explore further
Continuous credential defence is now a governance model, not just a detection tactic. The article describes a world where breach data, infostealer output, and adaptive automation all feed the same attack loop. That means identity programmes must govern exposure, screening, and remediation as one continuous process, not as separate operational tasks. The practical conclusion is that credential risk has to be managed as a living control plane.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when compromised credentials are used through third-party access?
A: Accountability sits with the organisation that owns the identity governance process, even when the credential is issued to a vendor or partner. Third-party access should be monitored, revoked, and screened under the same policy standard as internal identities, because external accounts often reach the most sensitive integrations.
👉 Read our full editorial: AI credential attacks are outpacing manual identity controls