Authentication Gets You In. Governance Decides the Damage.
New Sophos data puts a number on the non-human identity problem. It's 41%. Here's why your PAM program probably hasn't addressed it.
Seventy-one percent of enterprises experienced an identity-related breach in 2025. That’s the headline from new Sophos research released this week -- and it’s the kind of number that should stop a CISO mid-sentence. More than two-thirds of organizations had their identity systems compromised in a single year. Sixty-seven percent of ransomware attacks in the study started there. The average breach cost $1.64 million.
I’ve seen enough identity breach post-mortems to know that the number most people skim past is the one that actually explains the loss. In this data, it’s 41%: the share of identity breaches where the root cause was a non-human credential. Not a phished employee. Not a stolen password. An API key, a service account, or an OAuth token.
That finding reframes the entire identity security conversation. Most organizations have invested heavily in securing human credentials -- MFA, phishing-resistant authentication, privileged access management for human accounts. The Sophos data suggests that almost half of the identity breaches they’re experiencing aren’t going through the controls those investments were built to stop.
The Credentials Nobody Governs
Non-human identities are the credentials that machines use to talk to other machines. The API key a developer generates to connect a file transfer service to a workflow platform. The service account that runs a nightly data sync. The OAuth token that authorizes a SaaS vendor to access corporate systems on a user’s behalf.
Unlike human credentials, non-human identities are almost never reviewed on any consistent cycle. They’re rarely rotated unless something breaks. They’re often never revoked when the relationship that created them ends. And they proliferate at a rate that human identity governance programs weren’t designed to handle -- every integration creates credentials, and every credential persists until someone explicitly kills it.
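The review cycle this paragraph says is missing can be scripted. The following Python is an added example, not code from the article: it runs a hygiene pass over a constructed inventory of machine credentials and flags the conditions described above (never rotated, rotation overdue, owner no longer with the company, the integration that created the credential retired, or no recent use). The inventory records, field names, the 90-day rotation window and the 45-day idle window are assumptions for illustration, not figures from the Sophos or CrowdStrike reports.

```python
"""Hygiene review for non-human identities (API keys, service accounts, OAuth tokens).

Added example, not from the article. The inventory, employee list and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class MachineCredential:
    cred_id: str
    kind: str                      # "api_key" | "service_account" | "oauth_token"
    owner: str                     # person accountable for the credential
    created: date
    last_rotated: Optional[date]   # None = never rotated since creation
    last_used: Optional[date]      # None = never observed in auth logs
    integration: str               # the relationship that justifies its existence
    integration_active: bool       # False once that vendor/workflow is retired


# Constructed sample inventory (assumed data, not from any report)
TODAY = date(2026, 3, 10)
ACTIVE_EMPLOYEES = {"alice", "bob"}          # "carol" has left the company
INVENTORY = [
    MachineCredential("key-transfer-01", "api_key", "alice", date(2025, 1, 15),
                      None, date(2026, 3, 9), "file transfer -> workflow", True),
    MachineCredential("svc-nightly-sync", "service_account", "bob", date(2024, 6, 1),
                      date(2026, 1, 20), date(2026, 3, 10), "nightly data sync", True),
    MachineCredential("oauth-vendor-crm", "oauth_token", "carol", date(2025, 9, 1),
                      None, date(2025, 11, 30), "CRM vendor connector", False),
    MachineCredential("key-analytics-export", "api_key", "bob", date(2026, 1, 5),
                      None, None, "analytics export", True),
]


def review_credentials(inventory, active_employees, today,
                       max_rotation_days=90, max_idle_days=45):
    """Return {cred_id: [reasons]} for every credential that fails the review.

    Reason codes: orphaned_owner, integration_retired, never_rotated,
    rotation_overdue, idle. Credentials with no findings are omitted.
    """
    findings = {}
    for c in inventory:
        reasons = []
        if c.owner not in active_employees:
            reasons.append("orphaned_owner")
        if not c.integration_active:
            reasons.append("integration_retired")
        # A credential that was never rotated is judged by its creation date.
        last_rotation = c.last_rotated or c.created
        if (today - last_rotation).days > max_rotation_days:
            reasons.append("rotation_overdue" if c.last_rotated else "never_rotated")
        if c.last_used is None or (today - c.last_used).days > max_idle_days:
            reasons.append("idle")
        if reasons:
            findings[c.cred_id] = reasons
    return findings


def revoke_now(findings):
    """Credentials whose justification no longer exists: revoke rather than rotate."""
    return {cid for cid, reasons in findings.items()
            if "orphaned_owner" in reasons or "integration_retired" in reasons}


if __name__ == "__main__":
    result = review_credentials(INVENTORY, ACTIVE_EMPLOYEES, TODAY)
    for cred_id, reasons in result.items():
        print(f"{cred_id}: {', '.join(reasons)}")
    print("revoke immediately:", sorted(revoke_now(result)))
```

Run against the constructed inventory, the pass flags three of the four credentials; the CRM token, whose owner has left and whose integration is gone, is a revocation candidate rather than a rotation candidate. In practice the inventory would be populated from the secret manager, cloud IAM and the identity provider's OAuth grant list, and the review would run on a schedule rather than by hand.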
The CrowdStrike 2026 Global Threat Report adds a time dimension that makes this governance gap critical: the average eCrime actor achieves breakout -- from initial access to lateral movement -- in 29 minutes. The fastest recorded breakout in the data is 27 seconds. A security team’s response to a compromised service account is measured in hours, not seconds.
By the time anyone realizes a machine credential has been obtained and used, the attacker has already moved.
Why Authentication Is the Wrong Place to Draw the Line
Here’s the conceptual error that the Sophos data exposes: most identity security programs treat authentication as the primary control. If the credential is valid, the request is authorized. If MFA was passed, the session is trusted.
That model breaks completely when the credential itself is legitimate -- which is exactly what happens in a non-human identity breach. An attacker who finds an API key in a public repository hasn’t bypassed authentication. They’ve authenticated. The credential is valid. The session is trusted. And everything that credential was authorized to reach is now in the attacker’s hands.
Authentication is a gate. Governance determines what’s behind it.
A compromised API key gives an attacker the complete access rights of the service account it belongs to -- no additional exploitation required. If that service account can read contracts in a document management system, the attacker can read contracts. If it can initiate file transfers to external endpoints, the attacker can initiate those transfers. If it can query a database containing PHI, the attacker now has PHI.
The DTEX 2026 Insider Threat Report puts a financial figure on what closing this gap is worth: organizations that implement privileged access management effectively report $6.1 million in annual savings from reduced insider risk. The mechanism isn’t better authentication -- it’s least-privilege access governance. Credentials, human or machine, access only what their specific purpose requires. When one is compromised, the blast radius is bounded.
The Gap in Most PAM Programs
The problem is that most PAM programs were designed for human privileged accounts. They track administrators, executives, and developers with elevated permissions. They enforce MFA at login, record sessions, and require approval workflows for high-risk actions.
Non-human identities often sit outside that perimeter. Service accounts are provisioned with broad access because flexibility makes integrations easier to build. API keys are scoped loosely because tighter scoping requires more development effort. OAuth tokens inherit the permissions of the user who authorized them -- which may be considerably broader than the specific application needs.
The Kiteworks Data Security and Compliance Risk: 2026 Forecast Report finds that 55% of enterprises cannot isolate a system or automated process that begins behaving unexpectedly. That applies directly to non-human identity compromise: if you can’t terminate the service account credential being misused while you investigate, the attacker retains access for the duration of your response.
The architectural response is governance at the content layer -- applying access controls to what credentials can reach at the data level, independent of whether the credential is human or machine, and independent of whether the authentication event looked normal. Platforms like Kiteworks enforce attribute-based access policy at the data layer, so a compromised machine credential encounters the same governance controls a human user would.
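The distinction drawn in this section, that a valid credential passes the authentication gate but governance decides what lies behind it, can be shown concretely. The Python below is an added example and is not Kiteworks code or any vendor's policy engine: it models a purpose-bound, attribute-based check at the data layer that applies the same rules to human and machine principals, derives an OAuth-style token that is never wider than the user who authorized it, and includes a quarantine switch so a credential under investigation is refused even though its authentication is valid. The principals, resources, classification ranks and attribute names are constructed assumptions for illustration.

```python
"""Data-layer, attribute-based authorization for human and machine credentials.

Added example, not from the article or any vendor. Principals, resources,
classification levels and policy rules below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    principal_id: str
    kind: str                    # "human" or "machine"
    authenticated: bool          # the gate: the credential was valid
    purpose: str                 # why this identity exists
    allowed_actions: frozenset   # e.g. {"read"}; "transfer_external" must be explicit
    max_classification: str      # highest data class this purpose needs


@dataclass(frozen=True)
class Resource:
    resource_id: str
    classification: str          # public < internal < confidential < phi


CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "phi": 3}
QUARANTINED = set()              # credentials under investigation (assumed kill switch)


def quarantine(principal_id: str) -> None:
    """Isolate a misbehaving credential without waiting for rotation to finish."""
    QUARANTINED.add(principal_id)


def authorize(p: Principal, action: str, r: Resource) -> tuple[bool, str]:
    """Decide at the data layer. Authentication is necessary, never sufficient."""
    if not p.authenticated:
        return False, "authentication failed"
    if p.principal_id in QUARANTINED:
        return False, "credential quarantined pending investigation"
    if action not in p.allowed_actions:
        return False, f"action '{action}' is outside purpose '{p.purpose}'"
    if CLASS_RANK[r.classification] > CLASS_RANK[p.max_classification]:
        return False, (f"{r.classification} exceeds ceiling "
                       f"{p.max_classification} for '{p.purpose}'")
    return True, "allowed by purpose-bound policy"


def derive_token(user: Principal, purpose: str, actions, ceiling: str) -> Principal:
    """Mint an OAuth-style machine token on a user's behalf.

    The token never exceeds the user's rights and is narrowed further to what
    the connecting application actually needs (instead of inheriting everything).
    """
    narrowed_actions = frozenset(actions) & user.allowed_actions
    if CLASS_RANK[ceiling] > CLASS_RANK[user.max_classification]:
        ceiling = user.max_classification
    return Principal(f"tok:{user.principal_id}:{purpose}", "machine", True,
                     purpose, narrowed_actions, ceiling)


def blast_radius(p: Principal, resources, action: str = "read") -> set:
    """Everything an attacker holding this credential could reach with `action`."""
    return {r.resource_id for r in resources if authorize(p, action, r)[0]}


# Constructed sample data
RESOURCES = [
    Resource("public-handbook", "public"),
    Resource("sync-staging", "internal"),
    Resource("vendor-contracts", "confidential"),
    Resource("patient-export", "phi"),
]
NIGHTLY_SYNC = Principal("svc-nightly-sync", "machine", True, "nightly data sync",
                         frozenset({"read", "write"}), "internal")
LEGACY_BROAD = Principal("svc-legacy-all", "machine", True, "legacy integration",
                         frozenset({"read", "transfer_external"}), "phi")
ANALYST = Principal("alice", "human", True, "compliance analyst",
                    frozenset({"read", "transfer_external"}), "phi")

if __name__ == "__main__":
    for p in (NIGHTLY_SYNC, LEGACY_BROAD):
        print(p.principal_id, "can read:", sorted(blast_radius(p, RESOURCES)))
    print(authorize(NIGHTLY_SYNC, "transfer_external", RESOURCES[1]))
    crm_token = derive_token(ANALYST, "crm-connector", {"read"}, "internal")
    print(crm_token.principal_id, "contracts:", authorize(crm_token, "read", RESOURCES[2]))
    quarantine(LEGACY_BROAD.principal_id)
    print(authorize(LEGACY_BROAD, "read", RESOURCES[0]))
```

The two service accounts illustrate the point about bounded blast radius: both authenticate identically, but the purpose-scoped sync account can reach only two of the four resources and cannot start an external transfer at all, while the broadly scoped legacy account hands a credential thief everything including PHI. The derived token shows the OAuth case from the previous section handled correctly, and the quarantine path is the isolation capability the Kiteworks forecast says most enterprises lack.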
The Number to Carry Into Your Next Access Review
Forty-one percent. That’s the share of identity breaches that started with a non-human credential -- API keys, service accounts, OAuth tokens. If your privileged access management program isn’t specifically governing those identities with the same rigor you apply to human accounts, you have an unmodeled gap in your blast radius calculations.
The $1.64 million average breach cost frames the investment case cleanly. The question isn’t whether to govern non-human identities. It’s whether to govern them before the next breach or after it.