TL;DR: Forrester’s 2026 Technology & Security Predictions says security leaders will be judged less on deployed controls and more on measurable risk reduction, pushing identity exposure into sharper focus because compromised credentials can bypass password policy, MFA, and periodic audits without triggering obvious alerts. That makes external visibility into exposed identities the real test of defensible security.
NHIMG editorial — based on content published by Enzoic: How Forrester’s predictions expose the limits of assumed trust and password policy
Questions worth separating out
Q: How should security teams prove that identity controls are actually reducing risk?
A: They should measure exposed credentials, map those findings to active accounts, and trend the reduction over time.
Q: Why do password policies fail to stop credential-based attacks?
A: Password policies govern how credentials are created and maintained, but they do not tell you whether those credentials have already been stolen, reused, or sold elsewhere.
Q: What do IAM teams get wrong about identity assurance?
A: They often treat authentication controls as proof that the identity is trustworthy.
Practitioner guidance
- Measure exposed credentials as a governance metric Track how many active identities appear in breach data, credential dumps, or infostealer sets, and map those findings back to live accounts and business owners.
- Separate policy compliance from trust validation Keep password policy reporting, but add a second control layer that checks whether credentials are externally exposed before they are accepted as trustworthy.
- Prioritise identities with reusable or repeated exposure Focus remediation on accounts that appear in multiple breach sources, because repeated exposure is a stronger signal of real risk than password complexity alone.
What's in the full article
Enzoic's full article covers the operational detail this post intentionally leaves for the source:
- How credential exposure is detected and correlated to active user accounts in practice
- Why identity exposure can be measured more directly than password policy compliance
- Where exposed credentials typically originate, including breach data and infostealer collection
- How teams can use exposure findings to prioritise remediation and reporting
👉 Read Enzoic's analysis of password policy, trust assumptions, and identity exposure →
Password exposure and identity trust: what security teams need now?
Explore further
Assumed trust is the wrong baseline for identity security. Password policy, MFA, and audit cadence are useful controls, but they do not prove that an identity is still trustworthy at the moment it is used. Once credentials are exposed externally, the control stack is defending a premise that no longer holds. The practitioner conclusion is that identity assurance must be measured against exposure, not policy intent.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%.
A question worth separating out:
Q: How can organisations reduce risk from exposed credentials before attackers use them?
A: They should continuously ingest exposure intelligence, match it to active accounts, and trigger revocation or reset workflows before access is abused. The goal is to move the control point earlier than login so the organisation can act while exposure is still manageable.
👉 Read our full editorial: Password policy is not proof of identity security value