Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity incidents, NHI blind spots, and AI-driven defence gaps


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 164
Topic starter  

TL;DR: Identity-related security incidents have affected 96% of organisations, while 43.6% saw stolen credentials and 48.1% faced MFA fatigue attacks, underscoring how identity has become the main entry point for cyberattacks, according to Lumos. The real governance break is not visibility alone, but the fact that human IAM, NHI controls, and real-time detection are still being operated as separate problems rather than one identity security system.

NHIMG editorial — based on content published by Lumos: AI, Automation, and Risk in 2026, Identity at a Breaking Point

By the numbers:

Questions worth separating out

Q: How should security teams reduce identity-related attack paths across users and machine identities?

A: Start by inventorying where identity is actually used, then remove standing privilege, dormant access, and overly broad service account entitlements.

Q: Why do service accounts and other NHIs increase identity breach risk?

A: Service accounts often retain access longer than the workflow that created them, and they are reviewed less consistently than human accounts.

Q: What do security teams get wrong about MFA fatigue attacks?

A: The common mistake is treating MFA fatigue as a user problem only.

Practitioner guidance

  • Collapse identity silos into one governance model Unify human IAM, NHI governance, and identity analytics so the same policy logic can track credentials, service accounts, and user behaviour across environments.
  • Reduce standing privilege before measuring anything else Prioritise accounts with excessive permissions, dormant access, and long-lived service credentials because they create the largest blast radius when compromised.
  • Move detection closer to runtime identity activity Instrument access logs, entitlement changes, and anomalous authentication events so identity misuse can be detected before lateral movement completes.

What's in the full report

Lumos's full report covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown across CISO, CIO, CTO, and security leadership roles
  • Detailed percentages for identity review automation, detection priorities, and AI adoption maturity
  • The report's framing of permission creep, NHI visibility gaps, and real-time detection as linked operational problems
  • Additional context on how leaders think about AI-assisted identity triage and review workflows

👉 Read Lumos's report on AI, automation, and identity risk in 2026 →

Identity incidents, NHI blind spots, and AI-driven defence gaps?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Identity is now the attack surface because access paths are easier to abuse than systems are to exploit. Lumos's findings point to a structural shift in attacker behaviour: credentials, MFA prompts, dormant accounts, and service accounts now do the work that malware once had to do. That means identity control quality determines whether the attacker needs to break in or can simply log in. Practitioners should treat identity as an execution path, not just an authentication layer.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why hidden machine identities continue to evade governance and detection.

A question worth separating out:

Q: Who is accountable when automated identity decisions cause a compliance issue?

A: Accountability stays with the organisation, not the automation. Security and IAM leaders need documented decision logic, reviewable evidence, and clear ownership for the policy behind every automated access outcome. If an automated workflow cannot be explained to auditors or control owners, it is not ready for high-trust identity operations.

👉 Read our full editorial: Identity incidents now dominate cyberattacks, with NHIs in the blind spot



   
ReplyQuote
Share: