Experts across industries say they are still losing ground against identity-related breaches, even after years of investment in stronger access controls, according to RSA.
Many said their organizations had faced at least one identity-related breach in recent years, and most of those incidents caused operational damage. These breaches often start with everyday gaps such as password reuse, weak verification, and overconfidence in aging systems. Once attackers gain access through a compromised account, they can move laterally for weeks before anyone notices.
Passwords refuse to die
Even after years of effort to move away from them, passwords remain the dominant form of authentication. Most organizations say they plan to adopt passwordless systems, but few are close to finishing that transition.
Modernizing identity controls across on-premises systems, cloud platforms, and third-party applications is difficult because each has different requirements. Legacy software adds another layer of friction. Some applications simply cannot support passwordless methods without major rebuilds.
Credentials remain one of the most common entry points for a breach. Every shared password or copied access token introduces another weak link.
Where passwordless adoption is higher, identity-related breaches and related losses are lower. In organizations that still rely mainly on passwords, the numbers move in the opposite direction.
The help desk blind spot
Many recent breaches began with a convincing phone call or chat message from someone pretending to be an employee asking for a password reset or MFA bypass. These social engineering tactics work because support teams are trained to help users, not question their legitimacy.
Few organizations have added stronger identity checks for support interactions. Most still rely on security questions, one-time codes, or passwords to confirm a caller’s identity. Those methods are easy to fake or intercept.
When a help desk falls for one of these scams, the damage spreads fast. A single reset can give an intruder legitimate access, allowing them to impersonate other users, steal data, and escalate privileges.
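One way to surface the pattern described above (an agent-initiated password or MFA reset followed shortly by a sign-in from a device the account has never used), as an added example that is not from the RSA report: the event tuple format, the `helpdesk` actor name and the sample log are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, actor, event, user, device_id).
# The "helpdesk" actor is the support agent's account; device_id is whatever
# stable identifier the identity provider attaches to a sign-in.
SAMPLE_EVENTS = [
    ("2024-04-30T15:00:00", "bob", "login", "bob", "dev-laptop-b2"),
    ("2024-05-01T08:55:00", "alice", "login", "alice", "dev-laptop-a1"),
    ("2024-05-01T09:10:00", "helpdesk", "password_reset", "alice", None),
    ("2024-05-01T09:12:00", "helpdesk", "mfa_reset", "alice", None),
    ("2024-05-01T09:14:00", "alice", "login", "alice", "dev-unknown-77"),
    ("2024-05-01T10:00:00", "helpdesk", "password_reset", "bob", None),
    ("2024-05-01T10:05:00", "bob", "login", "bob", "dev-laptop-b2"),
]

RESET_EVENTS = {"password_reset", "mfa_reset"}


def find_suspicious_resets(events, window=timedelta(hours=1)):
    """Return alerts for help-desk resets followed, within `window`, by a sign-in
    from a device the account had never used before the reset."""
    known_devices = defaultdict(set)   # user -> devices seen on earlier logins
    pending = {}                        # user -> (first reset time, reset kinds)
    alerts = []
    # ISO-8601 timestamps sort correctly as strings.
    for ts_str, actor, event, user, device in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if event in RESET_EVENTS and actor != user:
            # Group consecutive agent-initiated resets on the same account.
            first_ts, kinds = pending.get(user, (ts, []))
            pending[user] = (first_ts, kinds + [event])
        elif event == "login":
            if user in pending:
                first_ts, kinds = pending.pop(user)
                if ts - first_ts <= window and device not in known_devices[user]:
                    alerts.append({
                        "user": user,
                        "resets": kinds,
                        "device": device,
                        "minutes_after_reset": int((ts - first_ts).total_seconds() // 60),
                        # MFA reset plus an unseen device is the full "reset and walk in" shape.
                        "severity": "high" if "mfa_reset" in kinds else "medium",
                    })
            known_devices[user].add(device)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print(alert)
```

A sign-in from an already-known device after a reset (bob's case in the sample) is treated as benign, so the rule only fires on the combination the article calls out.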
Zero trust, still a work in progress
Findings show that many organizations believe they are maturing in their zero trust journey, but the breach numbers tell a different story. Only a small share of respondents said they had reached full zero trust maturity for identity, yet most still reported serious breaches.
That mismatch raises questions about how progress should be measured. Deploying MFA and tightening access policies show intent, but applying those measures consistently across all systems and user groups remains the test. Experts acknowledge that visibility and enforcement still fall short, particularly in large hybrid environments.
Zero trust is not a checklist but a shift in how access is granted and monitored. Until that shift is complete, breaches that begin with stolen credentials will keep undermining the model’s promise.
AI offers hope, but not a shortcut
Artificial intelligence has become the main source of optimism among security teams. Most experts believe AI will strengthen defense more than it will help attackers. Many are already planning to integrate AI-driven detection and response tools into their operations.
AI can analyze large volumes of data, detect unusual activity, and automate response steps that would otherwise take hours. It can also help security teams identify suspicious patterns in identity use that might point to compromised accounts.
Still, AI will not fix the basics. Weak passwords and outdated verification methods will remain problems no matter how advanced the tools become. Without stronger fundamentals, automation only accelerates existing risks.