Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Ransomware, identity confidence, and what resilience teams must change


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 235
Topic starter  

TL;DR: Ransomware is shifting toward AI-driven, identity-abusing, supply-chain-aware operations that can exfiltrate data far faster than human defenders can react, according to Commvault. The practical break point is no longer prevention alone but whether organisations can verify, rebuild, and trust identity infrastructure after compromise.

NHIMG editorial — based on content published by Commvault: ransomware resilience trends for 2026 and the shift toward identity confidence

Questions worth separating out

Q: What breaks when ransomware uses stolen identities instead of malware alone?

A: Traditional perimeter and signature-based controls lose effectiveness when attackers operate with valid credentials, tokens, or delegated access.

Q: Why do stolen tokens and API keys make ransomware harder to contain?

A: Tokens and API keys often authenticate as legitimate machine or service identities, which means they can bypass the suspicion attached to obvious malware.

Q: How do organisations know whether clean recovery actually restored trust?

A: They know only when restored systems are checked for clean secrets, valid entitlements, and trusted identity state before reuse.

Practitioner guidance

  • Rebuild identity trust after every suspected compromise Validate tokens, API keys, service accounts, and delegated entitlements before any restored workload is allowed back into production.
  • Map ransomware paths through privileged and non-human identities Inventory where standing privileges, reusable secrets, and third-party access could let an attacker move from one trusted system to another.
  • Test clean recovery against tainted identity state Run recovery exercises that assume credentials are stolen, federated trust is suspect, and some controls are already bypassed.

What's in the full article

Commvault's full blog covers the operational detail this post intentionally leaves for the source:

  • The whitepaper's MTCR methodology for measuring clean recovery across data and identity dependencies.
  • The article's full breakdown of immutable backup, air-gapped validation, and rebuild controls.
  • The resilience evidence model tied to cyber insurance and regulatory expectations.
  • The supporting examples that show how AI-assisted ransomware changes recovery priorities.

👉 Read Commvault's analysis of AI-driven ransomware and recovery resilience →

Ransomware, identity confidence, and what resilience teams must change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Identity confidence, not access control alone, is now the resilience boundary. The article’s core point is that attackers are increasingly abusing stolen tokens, API keys, and delegated access rather than trying to defeat authentication in the classic sense. That shifts the governance problem from authorising access to trusting the continued validity of access after exposure. Practitioners should treat identity state as an operational resilience signal, not just a security policy artefact.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.

A question worth separating out:

Q: Who is accountable when ransomware spreads through third-party access and shared credentials?

A: Accountability sits across identity owners, vendor managers, and recovery leaders because the attack path often crosses internal and external trust boundaries. Organisations should assign ownership for third-party entitlements, offboarding, and recovery validation before an incident occurs. Frameworks that emphasise access control, vendor assurance, and resilience evidence are the right governance anchors.

👉 Read our full editorial: Ransomware resilience now depends on identity confidence



   
ReplyQuote
Share: