
2026 Verizon DBIR: where identity fundamentals are still failing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: The 2026 Verizon DBIR found 31% of breaches tied to known vulnerabilities, 39% involved credential abuse in the attack chain, and ransomware accounted for 48% of breaches, according to Verizon. The lesson is not that new threats replaced old ones, but that human, machine, and AI identities still fail in the same control gaps.

NHIMG editorial — based on content published by Delinea: 2026 Verizon DBIR: Why cybersecurity fundamentals still matter

By the numbers:

Questions worth separating out

Q: How should security teams reduce breach risk when known vulnerabilities and credential abuse remain the main entry paths?

A: Start by treating exposure management and identity controls as one programme.

Q: Why do AI services create governance risk even when employees are just using them for productivity?

A: Because the security problem is usually account ownership and access provenance, not the model itself.

Q: What do organisations get wrong about credential abuse in modern breach patterns?

A: They often treat it as a phishing problem when it is really a trust problem.

Practitioner guidance

  • Rebuild vulnerability prioritisation around exposure and trust paths. Map internet-facing and partner-connected assets to business criticality, then remediate the vulnerabilities that open direct access to identity-bearing systems first.
  • Tighten credential lifecycle controls across all identity classes. Review how secrets, passwords, tokens, and certificates are issued, rotated, and revoked for humans, service accounts, and AI-linked access.
  • Separate sanctioned AI usage from unmanaged Shadow AI. Inventory which AI services are approved, which accounts can access them, and which devices are using non-corporate logins.

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • The report’s exact breakdown of initial access vectors across vulnerability exploitation, phishing, credential abuse, and pretexting.
  • Delinea’s specific guidance on how it recommends reducing risk across AI identities, third parties, and credential abuse paths.
  • The detailed interpretation of the 2026 DBIR findings that underpins its control recommendations for practitioners.
  • The article’s discussion of how Delinea connects the DBIR themes to broader identity security platform choices.

👉 Read Delinea’s analysis of the 2026 Verizon DBIR and identity risk →


Explore further

View Full Forum →  |  NHI Foundation Course →
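The second and third guidance items above (credential lifecycle review across identity classes, and separating sanctioned AI access from Shadow AI) are the kind of checks that can be run mechanically over an inventory export. The following is an added example for this thread, not code from Delinea, Verizon or NHIMG. The inventory records, the rotation and dormancy thresholds, the corporate domain and the approved AI service list are all constructed assumptions; in practice they would come from the secrets manager, the IdP and the organisation's own policy.

```python
"""Credential lifecycle review across human, service and AI-linked identities.

Added example, not code from the article or the forum. Every value below
(policy thresholds, domain, approved services, sample records) is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CORPORATE_DOMAIN = "example.com"              # assumed SSO domain
APPROVED_AI_SERVICES = {"ai-assistant.example"}  # assumed sanctioned AI services
MAX_ROTATION_DAYS = {"human": 90, "service": 30, "ai": 30}  # assumed policy
DORMANT_DAYS = 60                               # assumed: unused this long -> revoke candidate


@dataclass
class Credential:
    cred_id: str
    identity_class: str        # "human", "service" or "ai"
    kind: str                  # password, token, certificate, secret
    owner: Optional[str]       # accountable person or team; None = orphaned
    login: str                 # account the credential is bound to
    target: str                # system or service it grants access to
    last_rotated: date
    revoked: bool
    revoked_on: Optional[date] = None
    last_used: Optional[date] = None


def review_credential(c: Credential, today: date) -> list[str]:
    """Return the list of lifecycle findings for one credential."""
    findings = []
    age = (today - c.last_rotated).days
    max_age = MAX_ROTATION_DAYS[c.identity_class]
    if not c.revoked and age > max_age:
        findings.append(f"rotation overdue ({age}d > {max_age}d)")
    if c.owner is None:
        findings.append("no accountable owner")
    # Revocation that is recorded but not enforced: usage observed after revoked_on.
    if c.revoked and c.revoked_on and c.last_used and c.last_used > c.revoked_on:
        findings.append("used after revocation: revocation is not being enforced")
    # Dormant credentials widen the trust path without anyone relying on them.
    if not c.revoked:
        if c.last_used is None:
            findings.append("never used since issue")
        else:
            idle = (today - c.last_used).days
            if idle > DORMANT_DAYS:
                findings.append(f"dormant (last used {idle}d ago)")
    # Shadow AI: unapproved service, or a non-corporate login reaching an AI service.
    if c.identity_class == "ai":
        if c.target not in APPROVED_AI_SERVICES:
            findings.append("unapproved AI service (Shadow AI)")
        if not c.login.endswith("@" + CORPORATE_DOMAIN):
            findings.append("non-corporate login used for AI access")
    return findings


def review_inventory(creds: list[Credential], today: date) -> dict[str, list[str]]:
    """Map credential id -> findings, omitting credentials with none."""
    report = {}
    for c in creds:
        f = review_credential(c, today)
        if f:
            report[c.cred_id] = f
    return report


# Constructed sample inventory (not real data).
TODAY = date(2026, 5, 1)
SAMPLE_INVENTORY = [
    Credential("h-001", "human", "password", "alice", "alice@example.com", "vpn",
               date(2026, 3, 15), False, last_used=date(2026, 4, 30)),
    Credential("svc-017", "service", "secret", None, "svc-billing@example.com",
               "payments-db", date(2025, 11, 1), False, last_used=date(2026, 4, 29)),
    Credential("svc-022", "service", "token", "platform-team", "ci-deploy@example.com",
               "k8s-prod", date(2026, 4, 20), True, revoked_on=date(2026, 4, 25),
               last_used=date(2026, 4, 28)),
    Credential("ai-003", "ai", "token", "bob", "bob@gmail.com",
               "chat.unsanctioned.example", date(2026, 4, 10), False,
               last_used=date(2026, 4, 30)),
    Credential("ai-004", "ai", "token", "data-team", "pipeline@example.com",
               "ai-assistant.example", date(2026, 4, 15), False,
               last_used=date(2026, 1, 20)),
]

if __name__ == "__main__":
    for cred_id, findings in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(cred_id, "->", "; ".join(findings))
```

The review deliberately treats "revoked in the record but still used" as its own finding class: a revocation that the target system never enforced is exactly the stale trust path the post describes, and it will not show up in a rotation-age report.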



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Identity security is still being lost at the point of trust, not the point of detection. The 2026 DBIR shows that attackers keep using the same few access paths because those paths still work against inconsistent controls. That is a programme failure, not a tooling mystery, and it spans human, machine, and emerging AI identities. Practitioners should treat access trust as the breach boundary, not the alert queue.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a third party’s weak cloud controls expose the enterprise?

A: Accountability stays with the enterprise that granted the relationship and the delegated access. Third-party gaps only become enterprise incidents because the access path was accepted, monitored, and left active. Security, procurement, and identity teams should share responsibility for partner MFA, scope, and offboarding rather than treating them as separate controls.

👉 Read our full editorial: 2026 Verizon DBIR shows identity controls still decide breach outcomes


