TL;DR: Identity security reports show 97% of organisations are challenged by identity verification, only 45% use MFA, and 93% reported two or more identity-related breaches in the last year, according to Axiad. The pattern is clear: identity risk is now a core security problem, not an operational side issue.
NHIMG editorial — based on content published by Axiad: A wave of identity security reports defines a big problem
By the numbers:
- 97% of organizations are challenged by identity verification.
- 93% of organizations had two or more identity-related breaches in the last year.
- 47% of respondents said that the complexity of existing systems is their top identity management problem.
Questions worth separating out
Q: How should security teams reduce identity risk without relying on weak MFA?
A: Security teams should separate MFA adoption from authentication strength.
Q: Why do non-human identities create so much identity risk?
A: Non-human identities often carry standing privileges, are reused across systems, and are exposed to partners or third parties.
Q: What do security teams get wrong about identity-related breaches?
A: They often treat identity compromise as an authentication event rather than a governance event.
Practitioner guidance
- Separate phishing resistance from MFA coverage: Classify authentication methods by whether they resist phishing, token replay, and session theft.
- Review NHI privilege against task scope: Identify service accounts, API keys, and machine tokens that hold access broader than the workflow they support.
- Track third-party exposure for machine identities: Document which NHIs are exposed to vendors, partners, or external platforms, and align ownership with offboarding and renewal processes.
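One way to run the NHI privilege and third-party exposure reviews above over an identity inventory. This is an added example, not code from Axiad or NHIMG. The record fields (`granted`, `used`, `shared_with`, `expires`), the finding names, and every identity, permission and vendor in the sample data are assumptions constructed for illustration.

```python
from datetime import date

# Constructed inventory: identities, permissions, vendors and dates are illustrative.
INVENTORY = [
    {"id": "svc-billing-export", "owner": "payments-team",
     "granted": {"billing:read", "billing:write", "users:read"},
     "used": {"billing:read"},  # permissions actually seen in access logs
     "shared_with": [], "expires": date(2025, 9, 1)},
    {"id": "key-vendor-sync", "owner": None,
     "granted": {"crm:read", "crm:export"},
     "used": {"crm:read", "crm:export"},
     "shared_with": ["vendor-a"], "expires": None},
    {"id": "tok-ci-deploy", "owner": "platform-team",
     "granted": {"deploy:staging"},
     "used": {"deploy:staging"},
     "shared_with": [], "expires": date(2025, 7, 1)},
]


def review(nhi, today):
    """Return a list of (finding, detail) tuples for one non-human identity."""
    findings = []
    unused = nhi["granted"] - nhi["used"]
    if unused:
        # Access broader than the workflow it supports: candidates for removal.
        findings.append(("excess_privilege", sorted(unused)))
    if nhi["shared_with"] and nhi["owner"] is None:
        # Exposed externally with nobody accountable for offboarding.
        findings.append(("external_no_owner", nhi["shared_with"]))
    if nhi["shared_with"] and nhi["expires"] is None:
        # No renewal date, so vendor offboarding never forces a rotation.
        findings.append(("external_no_expiry", nhi["shared_with"]))
    if nhi["expires"] is not None and nhi["expires"] < today:
        # Past its renewal date but still present in the inventory.
        findings.append(("expired_still_listed", nhi["expires"].isoformat()))
    return findings


def review_all(inventory, today):
    """Map identity id -> findings, omitting identities with none."""
    report = {n["id"]: review(n, today) for n in inventory}
    return {ident: f for ident, f in report.items() if f}


if __name__ == "__main__":
    for ident, findings in review_all(INVENTORY, date(2025, 8, 1)).items():
        for name, detail in findings:
            print(f"{ident}: {name} -> {detail}")
```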
What's in the full article
Axiad's full blog covers the report-by-report detail this post intentionally leaves for the source:
- Comparative breakdown of the identity risk findings cited from Ping Identity, IDSA, CyberArk, ConductorOne, Jumio, Expel, Regula, and CISA.
- The article’s full discussion of why some MFA implementations are not phishing resistant and how that changes breach resistance.
- The specific commentary on identity being treated as operational efficiency rather than a security imperative.
- The source post’s broader framing of identity risk as a board-level re-evaluation topic.
Identity risk reports and the governance gap teams are missing?
Explore further
Identity risk is now a governance failure, not just an authentication problem. The article’s report roundup shows that verification weakness, breach frequency, and over-privileged non-human access are converging into the same control failure. This is no longer a question of whether identity matters, but whether the identity programme is actually governing all identity types with equal rigor. Practitioners should treat identity as a primary security control plane, not a side function.
A few things that frame the scale:
- 97% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own identity security when access spans users and machine identities?
A: Ownership should sit with the security and identity teams together, because the control problem spans human IAM, NHI governance, and incident response. If identity is managed only as an operational convenience, breach conditions persist. Clear ownership matters most where access touches privileged systems, third parties, or shared credentials.