TL;DR: Identity-related breaches rose to 69% of organisations over the last three years, while 45% said breach costs exceeded typical breach costs and 24% reported losses above $10 million, according to RSA Security’s 2026 RSA ID IQ Report. The data shows identity governance is failing at both prevention and containment, especially where help desk abuse and weak passwordless adoption intersect.
NHIMG editorial — based on content published by RSA Security: 2026 RSA ID IQ Report findings on identity breaches, help desk hijacks, and passwordless adoption
By the numbers:
- 69% of organisations experienced an identity-related breach in the last three years, a 27-percentage-point increase year over year.
- 45% of organisations said that the cost of an identity-related breach exceeded the typical cost of a breach as defined by IBM.
- 24% of organisations said costs exceeded $10M, a three-percentage-point year-over-year increase since the previous year’s survey.
Questions worth separating out
Q: How should security teams reduce help desk takeover risk in identity programmes?
A: They should treat support workflows as part of the identity perimeter.
Q: When do passwordless programmes fail to reduce identity risk?
A: They fail when organisations keep weak fallback and recovery paths.
Q: What do security teams get wrong about identity breach prevention?
A: They often focus on login security and ignore the recovery chain.
Practitioner guidance
- Treat help desk recovery as privileged access Require strong identity proofing, approval logging, and escalation controls for every reset, override, and account recovery workflow.
- Measure identity breach cost by control failure path Track which identity paths most often lead to incident response, forced resets, or business disruption.
- Harden fallback paths for passwordless programmes Review every alternate route that remains when passwordless is unavailable, including service desk resets, device recovery, and temporary bypasses.
What's in the full analysis
RSA Security’s full report covers the operational detail this post intentionally leaves for the source:
- Question-level survey breakdowns across more than 2,100 IAM, IT, and cybersecurity professionals
- Country-level comparisons that show where Australian organisations diverge from global identity risk patterns
- The report’s full treatment of passwordless adoption barriers and implementation friction
- The AI adoption findings and associated commentary on how identity teams are planning for near-term stack changes
Identity breach costs and help desk hijacks: what teams missed?
Explore further
Identity recovery has become a privileged access path, not an administrative afterthought. The report’s help desk findings show that attackers are now treating support workflows as the fastest route around primary authentication. That means the real governance boundary is no longer just the login page but the entire recovery process, including identity proofing, reset approval, and escalation handling. Practitioners should treat recovery controls as part of privileged access governance.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when help desk bypass leads to an identity breach?
A: Accountability should sit with both IAM governance and the operational teams that own recovery workflows. Identity recovery is a security control, not just a service task, so policy, training, approval paths, and audit evidence must be owned and reviewed like any other privileged access process.
👉 Read our full editorial: Identity breaches surge as help desk hijacks raise IAM risk