u/expert-insights

Claude Mythos Helped Researchers Exploit Apple’s Flagship Security Feature
▲ 8 r/Information_Security+1 crossposts

Apple spent five years building Memory Integrity Enforcement into its M5 and A19 chips. It's hardware-assisted security designed specifically to stop kernel memory corruption attacks. A small research team bypassed it in under a week using Anthropic's Claude Mythos.

u/expert-insights — 7 days ago

Average identity breach recovery cost is now $1.64M, and only 10% of orgs audit service accounts. What's working for you?

  • 71% of organizations hit by an identity-related breach in the past year
  • Weak non-human identity management added roughly $147K to recovery costs
  • Only 10.5% of organizations continuously rotate or audit service accounts and NHIs
  • Just 24.1% continuously monitor for unusual logins

Non-human identities (API keys, service accounts, OAuth tokens, AI agent credentials) seem to be where most of the cost is landing, yet they're the least monitored part of most environments.

Interested to hear how people here are approaching this. What does your actual process look like for auditing service accounts and machine identities?

u/expert-insights — 9 days ago
▲ 6 r/ciso

Recovering from a single identity breach now costs organizations a mean average of $1.64 million USD

Some interesting numbers on identity security which we've recently covered.

The average cost to recover from an identity breach is now $1.64M, and 71% of organizations were hit in the past year.

Apparently driving most of the damage is unmonitored non-human identities: API keys, service accounts, OAuth tokens, AI agent credentials.

Only around 10% of organizations continuously rotate or audit them. Curious what people here are doing for NHI management in practice. What's actually working?

u/expert-insights — 9 days ago

A fake OpenAI privacy filter repository has pulled 244,000 downloads before Hugging Face takedown

A fake OpenAI privacy filter repository has pulled approx. 244,000 downloads and scored the #1 trending spot on Hugging Face, all in under 18 hours! All before HiddenLayer flagged it.

The payload was a Rust-based infostealer that targeted browser credentials, session cookies, crypto wallets, Discord

expertinsights.com
u/expert-insights — 10 days ago
▲ 8 r/ciso+1 crossposts

CVE-2026-0300. Buffer overflow in the User-ID Auth Portal on PAN-OS. Unauthenticated, RCE as root, already being hit in the wild.

If your Captive Portal is sitting on the internet, lock it down to internal zones or turn it off if nobody's actually using it. That kills the attack path.

Patches don't land until May 13, with the rest on the 28th. So we've got a week of this.

Affected: PAN-OS 10.2, 11.1, 11.2, 12.1. Prisma Access, Cloud NGFW and Panorama are fine. Default configs aren't vulnerable either, fwiw.

Palo Alto's calling it "limited exploitation" which usually means someone interesting is behind it. No IoCs public yet.

u/expert-insights — 15 days ago
▲ 2 r/ciso

Every vendor pitching AI tooling right now leans on "human in the loop" as the answer to agent risk. Approve the action, review the output, sign off.

The problem is one analyst can’t effectively review 400 agent decisions an hour.

A few CISOs we've spoken to recently have hinted at this without saying it directly. One told us their team approves agent actions in batches at the end of the day, which is not really a loop. Another said HITL is "what we tell the board" while the actual control is logging and post-hoc audit.

  1. Is HITL already out at any meaningful scale of agent deployment, or are there teams making it work? If you've made it work, what does this look like?
  2. If HITL is broken, what replaces it? Logging and audit feels like accepting the breach rather than preventing it. Hard policy guardrails sound right but vendors keep telling us guardrails are immature.
  3. Are boards being sold a control that doesn't exist? And if so, who carries the risk when it surfaces?
u/expert-insights — 17 days ago
▲ 5 r/ciso+1 crossposts

  1. If your critical patch SLA is longer than 48 hours, what's the actual plan? Virtual patching, compensating controls, or accepting the window and leaning on detection?
  2. Does the "identity abuse > zero days" framing match what your IR teams are seeing?
  3. Is a 24-hour critical patch cycle realistic at enterprise scale, or is the real answer shifting spend toward identity, EDR, and segmentation?
u/expert-insights — 21 days ago

Our recent survey found that 64% of organizations don’t have effective governance of technical controls for Gen AI. What does effective governance look like for you? Inventory, acceptable use policy, DLP coverage or something else? Do the 36% have something real, or is it a tick box doc nobody reads?

u/expert-insights — 22 days ago