TL;DR: Identity-related breaches rose sharply in RSA’s 2026 ID IQ Report, with 69% of organisations affected in the last three years and 24% reporting breach costs above $10M, while 90% said passwordless adoption still faces challenges. The data shows identity governance, service desk controls, and recovery discipline are now board-level security issues, not narrow IAM concerns.
NHIMG editorial — based on content published by RSA Security: the 2026 RSA ID IQ Report
By the numbers:
- 69% of organisations experienced an identity-related breach in the last three years.
- 24% of organisations said identity-related breach costs exceeded $10M.
Questions worth separating out
Q: How should security teams defend against help desk hijacking in identity workflows?
A: They should treat the service desk as part of the identity perimeter.
Q: Why do passwordless programmes stall even when organisations want stronger authentication?
A: They stall because passwordless removes the password but not the surrounding operational dependencies.
Q: What breaks when identity recovery is easier than primary authentication?
A: The trust model breaks.
Practitioner guidance
- Harden service desk identity proofing Require stronger verification for password resets, MFA changes, recovery overrides, and privileged account support requests.
- Map every passwordless fallback path Document what happens when a user loses a device, cannot complete enrolment, or needs emergency access.
- Treat recovery flows as access controls Review support and recovery workflows as if they were privileged administrative functions.
What's in the full report
RSA Security's full report covers the operational detail this post intentionally leaves for the source:
- Question-level breakdown of the survey methodology and respondent profile behind the 2,100-person dataset
- Country-level comparisons showing how German identity breach experience differs from the global baseline
- Additional reporting on passwordless adoption barriers and the operational reasons organisations stall
- Webinar context from RSA leadership on how the findings were presented and discussed
👉 Read RSA Security's 2026 ID IQ Report on identity breaches and help desk hijacks →
Help desk hijacks and passwordless stall: what IAM teams must face?
Explore further
Identity assurance is now being defeated at the support layer, not only at the login layer. The report’s help desk findings show that organisations still treat service desk workflows as lower-risk than authentication, even though they can be used to reset trust itself. That mismatch matters because the attacker only needs one socially engineered support interaction to change the identity state of the account. Practitioners should treat support-channel verification as part of the control plane.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot confidently inventory the assets they are expected to protect.
A question worth separating out:
Q: Who is accountable when identity breaches originate in the service desk?
A: Accountability sits with identity governance, not only with the support team. IAM, security operations, and business owners all share responsibility for recovery controls, approval design, and auditability. If the programme allows access to be reset without strong proof, the breach reflects a governance failure as much as a procedural one.
👉 Read our full editorial: Identity breaches keep rising as help desk hijacks intensify