NHI Forum

Key Takeaways from Verizon’s 2025 DBIR: Secrets, NHIs & AI Data Risk

Posted by @entro (topic starter)

Read full article here: https://entro.security/blog/key-takeaways-from-verizons-2025-dbir/?source=nhimg


The 2025 Verizon Data Breach Investigations Report (DBIR) validates a persistent truth in security operations: attackers don’t need sophisticated exploits when exposed credentials, non-human identities (NHIs), and poorly managed secrets provide far easier access. The report’s data reveals that secrets sprawl, slow remediation, and GenAI misuse are converging into a critical risk surface that many organizations still underestimate.


1. Secrets Exposure Remains a Prime Attack Path

Verizon identified 441,000+ secrets in public Git repositories, with two categories dominating:

  • Web-app infrastructure secrets (39%), two-thirds of which were JWTs.

  • CI/CD and development tokens (32%), with GitLab credentials making up half.

These are not low-value leaks: JWTs and CI/CD tokens often bypass MFA, grant broad API permissions, and enable deep lateral movement once compromised.

Risk Context: Tokens and NHIs act as the “master keys” to cloud workloads and SaaS platforms. Without rapid discovery and revocation, they give attackers persistent and privileged access.


2. The 94-Day Remediation Gap

The median time to remediate leaked secrets is 94 days, with some cases exceeding 160 days. In an environment where automated scanning tools and infostealer malware are active, this window is excessive, giving threat actors ample time to exploit the exposure.

Risk Context: Every day of exposure increases breach probability. Long-lived credentials in public repos are effectively “standing invitations” for attackers to enter.


3. GenAI Platforms as Unmonitored Data Exfil Channels

The DBIR shows GenAI adoption is outpacing governance:

  • 15% of employees access GenAI platforms from corporate devices every two weeks.

  • 72% use personal emails, circumventing corporate identity controls.

  • 17% use corporate emails but without secure authentication integrations (SSO, SAML).

Risk Context: This creates unmanaged data exfiltration vectors—sensitive code, customer records, or IP can be submitted to AI models without auditability or DLP controls.


The DBIR underscores a recurring security truth: identity and secret hygiene directly shape breach likelihood. With NHIs now outnumbering human accounts in most enterprises, unmanaged machine credentials represent one of the most scalable and profitable attack surfaces for adversaries.


Recommended Actions

  1. Full Secrets Discovery - Continuously scan repos, logs, SaaS configs, and CI/CD pipelines for leaked credentials.

  2. Ownership & Rotation SLAs - Attribute each secret to an owner and enforce time-bound rotation and expiry policies.

  3. Real-Time Revocation - Automate the detection, prioritization, and revocation of exposed credentials.

  4. GenAI Policy Enforcement - Integrate AI platform usage into IAM and DLP frameworks, restricting unmanaged account access.
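Actions 1 to 3 above (discovery, expiry policy, revocation SLA) are illustrated by the following added example, written for this post and not code from Entro or Verizon. It scans constructed sample lines for the two token families the report singles out (JWTs, and GitLab tokens assumed to carry the `glpat-` prefix), decodes a JWT's `exp` claim to flag tokens that outlive a TTL policy, and checks exposure age against a revocation SLA; the sample tokens, the 1-day TTL and the 7-day SLA are constructed assumptions.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

# Patterns for the two token families the DBIR found dominating public-repo leaks:
# a JWT header starts with base64url('{"') == "eyJ"; GitLab PATs use the "glpat-" prefix.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
GITLAB_PAT_RE = re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def jwt_expiry(token: str):
    """Return the exp claim as an aware UTC datetime, or None if missing or undecodable.
    The signature is not verified on purpose: a leaked token is a finding either way."""
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return datetime.fromtimestamp(exp, tz=timezone.utc) if isinstance(exp, (int, float)) else None

def scan_line(line: str, now: datetime, max_ttl_days: int = 1):
    """List every credential-like token in a line and whether it outlives the TTL policy."""
    findings = []
    for m in JWT_RE.finditer(line):
        exp = jwt_expiry(m.group())
        findings.append({"kind": "jwt", "expires": exp,
                         "violates_ttl": exp is None or exp - now > timedelta(days=max_ttl_days)})
    for m in GITLAB_PAT_RE.finditer(line):
        # A PAT carries no expiry inside the token, so treat it as long-lived until rotated.
        findings.append({"kind": "gitlab_pat", "expires": None, "violates_ttl": True})
    return findings

def remediation_overdue(first_seen: datetime, now: datetime, sla_days: int = 7) -> bool:
    """True when a leaked secret has stayed exposed longer than the revocation SLA."""
    return now - first_seen > timedelta(days=sla_days)

def fake_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for the constructed sample; the signature segment is junk."""
    return ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode()), "c2lnbmF0dXJl"])

# Constructed sample lines (not real secrets): a one-hour JWT, a one-year JWT, a GitLab PAT.
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "API_TOKEN=" + fake_jwt({"sub": "svc-deploy", "exp": int((NOW + timedelta(hours=1)).timestamp())}),
    "export SESSION=" + fake_jwt({"sub": "ci-bot", "exp": int((NOW + timedelta(days=365)).timestamp())}),
    "gitlab_token: glpat-EXAMPLEexampleEXAMPLE00",
]
```

A real deployment would feed `scan_line` with repository history, CI logs and SaaS config exports, and attach the owner and first-seen commit time to each finding so `remediation_overdue` can drive the revocation queue.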


Bottom Line

The 2025 DBIR is clear: credentials, secrets, and NHIs remain the low-hanging fruit for attackers. While technology stacks evolve, the fastest breach paths still come from poor secret management and unchecked machine identity sprawl. Organizations that close this gap will cut their breach risk dramatically.
