TL;DR: The 2026 SANS Identity Threats & Defenses Survey found that 55% of organisations experienced an identity-related compromise in the past year even though 85% deploy identity security solutions, while 68% detect attacks within 24 hours but only 55% contain them in that window. The real gap is upstream credential exposure, not login-time detection.
NHIMG editorial — based on content published by Enzoic: 2026 SANS Identity Threats Report, Why Attacks Still Work
By the numbers:
- 55% of organizations experienced an identity-related compromise in the past year.
- 85% deploying identity security solutions.
- 68% detect them within 24 hours, but only 55% can contain them in that same window.
Questions worth separating out
Q: What breaks when compromised credentials are still accepted by identity systems?
A: When compromised credentials are still accepted, detection becomes a post-exploitation signal rather than a control.
Q: Why do exposed credentials remain a major IAM risk in hybrid environments?
A: Exposed credentials remain risky because hybrid estates often trust the same identity across directories, cloud services, and SaaS applications.
Q: How should security teams reduce the impact of stolen passwords and tokens?
A: Security teams should combine continuous exposure detection with rapid invalidation and tighter credential lifetime controls.
Practitioner guidance
- Track exposed credential lifecycle end to end Build a workflow that identifies exposed passwords, tokens, and browser-based credentials, then tracks them until revocation is confirmed across every identity system that trusts them.
- Measure containment speed as an identity control Use the gap between detection and containment as an operating metric for IAM and SOC coordination, because a login alert without fast invalidation still leaves a usable attack window.
- Reduce reliance on long-lived credentials Prioritise shorter-lived access paths, tighter federation boundaries, and stronger revocation logic for identities that can be reused across cloud and SaaS environments.
What's in the full article
Enzoic's full blog post covers the operational detail this post intentionally leaves for the source:
- The report's breakdown of the most common identity attack techniques, including credential phishing, compromised browsers, MFA fatigue, and token-based access.
- The hybrid identity environment discussion that shows how on-premises, cloud, and SaaS systems expand the trust boundary.
- The article's explanatory detail on why exposed credentials stay useful after compromise and why password rotation alone does not solve the problem.
- The source post's concluding guidance on continuous exposure detection and containment priorities.
👉 Read Enzoic's analysis of why identity attacks still succeed despite broad security deployment →
Identity attacks and exposed credentials: what IAM teams are missing?
Explore further
Identity exposure, not authentication failure, is the primary control gap this report exposes. The security industry still talks as if login is the decisive boundary, but the article shows the more important moment is when credentials leave the trust boundary. Once that happens, MFA and monitoring become downstream controls. Practitioners should read this as a structural shift in where identity risk actually starts.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who is accountable when identity compromise persists after detection?
A: Accountability sits across IAM, SOC, and platform owners because the issue spans detection, revocation, and trust propagation. If an exposed credential stays valid after the alert, the organisation has a governance failure, not just an operational miss. Identity risk management must assign ownership for invalidation speed.
👉 Read our full editorial: Identity attacks still work because exposed credentials stay valid