AI and identity weakness are driving breaches faster than teams can respond


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: AI is accelerating attack speed by 4x, identity weaknesses appeared in 89% of investigations, and 87% of attacks crossed multiple surfaces, according to Palo Alto Networks’ Unit 42 report based on its analysis of more than 750 incidents. The governance problem is no longer isolated controls but compound trust failure across human, machine, and agentic identities.

NHIMG editorial — based on content published by Palo Alto Networks: the Unit 42 2026 Global Incident Response Report

By the numbers:

Questions worth separating out

Q: How should security teams handle identity-led attacks across cloud, SaaS, and browsers?

A: Security teams should treat identity-led attacks as chained intrusions, not isolated login events.

Q: Why do identity weaknesses create more breach risk than many technical vulnerabilities?

A: Identity weaknesses create breach risk because they often provide valid access rather than forcing an exploit.

Q: What breaks when teams manage SaaS, cloud, and endpoint access separately?

A: What breaks is the defender’s view of the intrusion.

Practitioner guidance

  • Map cross-surface identity paths: Trace how a single credential, token, or session can move from browser to SaaS to cloud to endpoint.
  • Tighten governance around delegated access: Review OAuth grants, API keys, and service tokens for standing trust that was created for convenience and never revisited.
  • Treat browser sessions as identity assets: Monitor session lifetime, token exposure, and unmanaged-device access as part of IAM operations.

What's in the full analysis

Palo Alto Networks' full report covers the operational detail this post intentionally leaves for the source:

  • Per-attack breakdowns from more than 750 incidents, including the mix of identity, cloud, SaaS, and endpoint activity.
  • Evidence on how attackers moved from initial access to exfiltration in the fastest cases, including the 72-minute benchmark.
  • The report’s recommended response shifts for SOC, cloud, and identity teams, including where AI and automation are expected to reduce containment time.
  • Its broader incident-response resource kit, which practitioners can use to compare this finding against their own control gaps.

👉 Read Palo Alto Networks’ 2026 Unit 42 incident response report on AI and identity-driven breaches →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Identity trust debt is now the real breach multiplier. When 89% of investigations involve identity weakness, the problem is not a missing point control but accumulated trust that outlives its original context. Credentials, browser sessions, and delegated access now persist as reusable breach paths across environments. Practitioners need to treat inherited trust as a governance liability, not an operational convenience.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: How can organisations reduce the impact of AI-accelerated attack chains?

A: Organisations should pre-stage containment decisions so they can act at machine speed. That means having session revocation, account isolation, and delegated access removal ready before an incident unfolds, because human approval cycles are too slow when attacks can progress from access to exfiltration in minutes.

👉 Read our full editorial: AI, identity weakness, and attack complexity now drive most breaches



   