TL;DR: March’s breach pattern showed that attackers are compromising trusted identities, not perimeter controls, and then using legitimate access to move downstream, according to Delinea Labs’ April 2026 Threat Outlook. The result is a governance problem, not just an authentication problem, because identity can become the weapon once trust is inherited across tenants, partners, and automation.
NHIMG editorial — based on content published by Delinea: Identity supply chains are under siege
By the numbers:
- The European Commission was among the targets when a compromised Trivy development pipeline led to approximately 340 GB of data being stolen.
- In March, 5,236 CVEs were disclosed across the industry, including 519 identity-related vulnerabilities.
Questions worth separating out
Q: How should security teams handle trust assumptions in identity supply chains?
A: Security teams should assume that any trusted upstream identity can become a downstream entry point if its permissions are not continuously verified.
Q: Why do service accounts and other non-human identities increase breach impact?
A: Service accounts and other non-human identities increase breach impact because they often carry broad, persistent access and bypass interactive controls like MFA.
Q: What breaks when administrative identity governance is weak?
A: When administrative identity governance is weak, one compromised account can change policies, wipe devices, approve access, or unlock whole environments without a second control layer.
Practitioner guidance
- Map downstream trust relationships: inventory where admin accounts, SSO sessions, cloud roles, and service accounts can operate across tenants, vendors, and automation workflows.
- Enforce just-in-time control for high-impact actions: apply just-in-time approval to destructive operations such as device wipes, policy changes, key rotation, and role assignment.
- Govern non-human identities as identities: assign owners, set expiry, rotate credentials, and review entitlements for service accounts, API keys, and automation tokens on a recurring schedule.
Teams that can model those links will be better positioned to stop a trust cascade before it becomes an incident response exercise.
👉 Read Delinea's analysis of identity supply chain compromise patterns →
Explore further
Identity supply chains are now a primary attack path, not a side effect of vendor risk. The March incidents show that attackers are increasingly relying on trust relationships between organizations, platforms, and automation systems rather than on classic exploit chains. That changes how practitioners should think about segmentation and authorization. If a trusted identity can move downstream without friction, the supply chain itself becomes the access layer.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming one and 26% suspecting one.
A question worth separating out:
Q: What should teams do in the first 24 to 72 hours after a trusted identity is abused?
A: Teams should revoke the compromised identity, invalidate active sessions and tokens, review downstream trust relationships, and isolate any control plane that could still be used for destructive actions. They should then identify whether the identity was human, machine, or third-party owned, because the containment steps and recovery order differ. The first goal is to stop inherited trust from spreading further.
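As an added example (not code from NHIMG, Delinea, or the Threat Outlook), the Python script below models the trust links from the practitioner guidance above as a directed graph, computes the downstream blast radius of a compromised identity, flags non-human identities that lack an owner or expiry, and derives a containment order for the first 24 to 72 hours described in the answer above. Every identity, edge, tenant, role and date in it is constructed sample data; the names are hypothetical and do not refer to any real tenant, vendor or incident.

```python
"""Added example, not from the original page: identity trust links as a graph.

An edge (src, dst) means "if src is compromised, dst can be used without a
fresh authentication step", which is exactly the inherited trust the editorial
warns about. All data below is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                       # "human", "machine" or "third_party"
    owner: Optional[str] = None     # accountable person or team
    expires: Optional[date] = None  # credential / entitlement expiry
    mfa: bool = False               # interactive MFA enforced?


AS_OF = date(2026, 3, 15)  # constructed "today" for the expiry check

# Constructed inventory (hypothetical names).
IDENTITIES = {i.name: i for i in [
    Identity("alice@corp", "human", owner="alice@corp", mfa=True),
    Identity("ci-runner-token", "machine", owner="platform-team", expires=date(2026, 6, 30)),
    Identity("deploy-role-prod", "machine"),                     # no owner, no expiry
    Identity("svc-backup", "machine", owner="ops-team", expires=date(2025, 12, 31)),
    Identity("vendor-mdm-admin", "third_party", owner="vendor-x"),   # no expiry
    Identity("intune-admin-role", "machine", owner="endpoint-team", expires=date(2026, 9, 1)),
]}

# Constructed trust edges: (source, target, how the trust is inherited).
EDGES = [
    ("alice@corp", "ci-runner-token", "can read CI secret"),
    ("ci-runner-token", "deploy-role-prod", "assumes cloud role via OIDC"),
    ("deploy-role-prod", "svc-backup", "can read service-account key"),
    ("svc-backup", "tenant-b:storage", "cross-tenant bucket grant"),
    ("vendor-mdm-admin", "intune-admin-role", "delegated admin"),
    ("intune-admin-role", "fleet:device-wipe", "destructive action"),
]

DESTRUCTIVE = {"fleet:device-wipe"}  # actions that should sit behind JIT approval


def build_graph(edges):
    """Adjacency list: source -> list of (target, reason)."""
    graph = {}
    for src, dst, how in edges:
        graph.setdefault(src, []).append((dst, how))
    return graph


def blast_radius(graph, start):
    """BFS over inherited trust. Returns {node: path_from_start} for every
    identity or resource reachable from `start` without new authentication,
    in breadth-first order (nearest hops first)."""
    reach, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _how in graph.get(node, []):
            if nxt not in reach:
                reach[nxt] = reach[node] + [nxt]
                queue.append(nxt)
    reach.pop(start)
    return reach


def ungoverned_nhis(identities, today=AS_OF):
    """Non-human identities with no owner, no expiry, or an expiry already past:
    the ones that violate 'govern non-human identities as identities'."""
    bad = []
    for ident in identities.values():
        if ident.kind == "human":
            continue
        if ident.owner is None or ident.expires is None or ident.expires < today:
            bad.append(ident.name)
    return sorted(bad)


def containment_plan(identities, graph, compromised):
    """Containment order for the first 24-72 hours: revoke the compromised
    identity first, then cut inherited trust hop by hop (BFS order), freezing
    destructive control-plane actions it could still reach."""
    plan = [f"revoke {compromised} and invalidate its sessions/tokens"]
    for node, path in blast_radius(graph, compromised).items():
        via = " -> ".join(path)
        if node in identities:
            plan.append(f"rotate/invalidate {node} ({identities[node].kind}) reached via {via}")
        elif node in DESTRUCTIVE:
            plan.append(f"freeze {node} (destructive) reached via {via}")
        else:
            plan.append(f"audit access to {node} reached via {via}")
    return plan


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("Ungoverned NHIs:", ungoverned_nhis(IDENTITIES))
    for step in containment_plan(IDENTITIES, g, "ci-runner-token"):
        print(" -", step)
```

Running the script with the constructed data shows a single leaked CI token reaching a cross-tenant storage grant three hops away, which is the "supply chain as access layer" pattern the editorial describes; the third-party MDM admin reaches a device-wipe action in two hops, which is why that action belongs behind just-in-time approval. In a real environment the inventory would be populated from the identity provider, cloud IAM and CI/CD configuration rather than hard-coded, and the BFS order gives a defensible revoke-then-rotate sequence rather than an ad hoc one.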
👉 Read our full editorial: Identity supply chains are under siege as trust cascades downstream