Identity risk is widening fast, and controls are not keeping up


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Recent identity risk research shows that 97% of organisations struggle with identity verification, while only 45% use MFA to verify users and 93% report multiple identity-related breaches in the last year, according to cited industry reports. Identity security is no longer a support function; it is a core breach-control problem.

NHIMG editorial — based on content published by Axiad: A Wave of Identity Security Reports Defines a Big Problem

By the numbers:

Questions worth separating out

Q: How should security teams reduce identity risk across human and machine identities?

A: Start by separating verification quality from verification coverage.

Q: Why do excessive NHI privileges increase breach impact?

A: Because attackers rarely need root access if an NHI already has more permission than its workload requires.

Q: How do teams know if identity controls are actually working?

A: Look at reduction in identity-related incidents, time to revoke compromised access, and the percentage of privileged accounts protected by phishing-resistant methods.

Practitioner guidance

  • Replace broad MFA coverage metrics with phishing-resistant verification targets: track how many privileged users, administrators, and recovery paths are protected by phishing-resistant methods, not just whether MFA is enabled somewhere in the estate.
  • Inventory NHIs by privilege and external exposure: build a complete register of service accounts, API keys, tokens, and certificates, then rank them by standing privilege, third-party access, and business criticality.
  • Reduce identity attack surface before expanding new controls: remove unused credentials, retire stale accounts, and cut overly broad entitlements so that verification and monitoring efforts are not overwhelmed by preventable exposure.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of each cited survey and what it says about current identity programme maturity
  • Axiad's commentary on why phishing-resistant authentication changes the risk profile compared with weaker MFA
  • The specific vendor framing behind its identity risk assessment and demo-oriented product context
  • The full list of reports Axiad cites on identity verification, NHI privilege, and identity-related breaches

👉 Read Axiad's analysis of the identity risk reports shaping current security priorities →
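As an added example (not Axiad's or NHIMG's code), the script below computes the three measures the practitioner guidance asks for over a small constructed identity inventory: the broad "MFA enabled" percentage next to the phishing-resistant percentage for privileged humans, an NHI ranking by standing privilege, third-party exposure and criticality, and a list of credentials idle long enough to be removal candidates. All names, dates, scoring weights and the 90-day idle threshold are assumptions of this example.

```python
from datetime import date

# Constructed sample inventory for illustration (hypothetical names and values).
# Each entry records the fields the guidance above asks teams to track.
TODAY = date(2024, 6, 1)
IDENTITIES = [
    {"name": "alice-admin", "kind": "human", "privileged": True,
     "auth": "fido2", "standing_priv": 3, "third_party": False,
     "criticality": 3, "last_used": date(2024, 5, 30)},
    {"name": "bob", "kind": "human", "privileged": False,
     "auth": "otp", "standing_priv": 1, "third_party": False,
     "criticality": 1, "last_used": date(2024, 5, 28)},
    {"name": "carol-helpdesk", "kind": "human", "privileged": True,
     "auth": "otp", "standing_priv": 2, "third_party": False,
     "criticality": 2, "last_used": date(2024, 5, 31)},
    {"name": "svc-backup", "kind": "nhi", "privileged": True,
     "auth": "key", "standing_priv": 3, "third_party": False,
     "criticality": 3, "last_used": date(2024, 1, 10)},
    {"name": "vendor-ci-token", "kind": "nhi", "privileged": True,
     "auth": "key", "standing_priv": 2, "third_party": True,
     "criticality": 2, "last_used": date(2024, 5, 29)},
    {"name": "api-reporting", "kind": "nhi", "privileged": False,
     "auth": "key", "standing_priv": 1, "third_party": False,
     "criticality": 1, "last_used": date(2024, 5, 20)},
]

PHISHING_RESISTANT = {"fido2", "passkey", "piv"}
ANY_MFA = PHISHING_RESISTANT | {"otp", "push"}

def coverage(identities):
    """Return (broad MFA % of humans, phishing-resistant % of privileged humans):
    the headline number the guidance says to retire, and the target to track instead."""
    humans = [i for i in identities if i["kind"] == "human"]
    priv = [i for i in humans if i["privileged"]]
    mfa = sum(i["auth"] in ANY_MFA for i in humans)
    pr = sum(i["auth"] in PHISHING_RESISTANT for i in priv)
    return round(100 * mfa / len(humans)), round(100 * pr / len(priv))

def rank_nhis(identities):
    """Rank machine identities by standing privilege, third-party exposure and criticality
    (weights are an assumption of this example, not from the article)."""
    nhis = [i for i in identities if i["kind"] == "nhi"]
    def score(i):
        return 3 * i["standing_priv"] + 4 * i["third_party"] + 2 * i["criticality"]
    return [(i["name"], score(i)) for i in sorted(nhis, key=score, reverse=True)]

def stale(identities, today=TODAY, max_idle_days=90):
    """Credentials unused for longer than max_idle_days: candidates for removal."""
    return [i["name"] for i in identities
            if (today - i["last_used"]).days > max_idle_days]
```

On this sample the estate reports 100% MFA while only half of privileged humans are phishing-resistant, and the top-ranked NHI is also the stale one, which is exactly the kind of preventable exposure the guidance says to remove first.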

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Identity risk is now a cross-domain governance problem, not a human-only authentication problem. The article correctly shows that user verification, credential reuse, NHI privilege, and breach frequency all belong to the same control surface. That matters because identity programmes that only focus on employees miss the machine and third-party access paths attackers increasingly exploit. Practitioners need a governance model that treats human identity, NHI, and lifecycle controls as one breach-reduction system.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most remediation processes start from incomplete asset knowledge.

A question worth separating out:

Q: Who should own identity risk when it spans users, NHIs, and third parties?

A: Identity risk should be owned jointly by security, IAM, and application or platform teams, but governed centrally so controls are consistent. When third-party access, machine identities, and human authentication are managed in separate silos, attackers exploit the seams. Central accountability with distributed execution is the right model.

👉 Read our full editorial: Identity risk reports show where current controls are failing
