The 2026 Verizon DBIR analyzed 22,000+ confirmed breaches across 145 countries. Its finding isn't subtle: third-party access is now involved in nearly half of all breaches, up 60% year over year, and the infostealer-to-credential pipeline feeds half of all ransomware attacks. AI agents are not a future problem. Every API key, OAuth token, and service account your agents hold is a credential in the same infostealer ecosystem the DBIR is documenting. The governance gap is open right now.
Every year, the Verizon Data Breach Investigations Report does the same uncomfortable thing: it tells the industry exactly how breaches happen, in exhaustive statistical detail, and the industry proceeds to be surprised by the same vectors twelve months later. The 2026 edition analyzed more than 31,000 security incidents and 22,000 confirmed data breaches, the largest dataset in the report's 19-year history. The headline finding drew most attention: vulnerability exploitation has overtaken stolen credentials as the single top initial access vector, accounting for 31% of breaches compared to 13% for credential abuse as a standalone category.
That headline is accurate but incomplete. The DBIR tracks identity-related initial access across three separate categories: credential abuse (13%), phishing (16%), and pretexting (6%). Combine them and the human-and-credential attack surface still owns initial access in the majority of breaches. More importantly, the downstream enabler of nearly every ransomware attack in the dataset is credential theft: 50% of ransomware victims had an infostealer or credential theft event in the 95 days before the ransomware deployed. And third-party access (the vendor, the integration, the managed service provider) now features in 48% of all breaches, up 60% from the previous year.
Here is the AI angle the report does not spell out but the data demands: every AI agent your organization runs holds credentials. OAuth tokens authorizing access to Salesforce, Snowflake, GitHub, and AWS. API keys for LLM providers. Service account credentials for cloud infrastructure. CI/CD machine identities. These are non-human identities operating in the same credential ecosystem the DBIR is documenting, and they are largely invisible to the identity governance tools built for human users. The third-party AI integration you onboarded last quarter is, categorically, a third-party access relationship of exactly the kind the DBIR is warning about: vendor credentials, vendor scope, vendor breach risk.
The DBIR 2026 Key Findings
For the first time in the DBIR's 19-year history, vulnerability exploitation (31%) surpassed stolen credentials as the top initial access vector. AI-accelerated attack tooling compresses the time from CVE publication to weaponized exploit from weeks to hours. Only 26% of CISA Known Exploited Vulnerabilities were fully remediated in 2025, down from 38% the year before. Median patching time rose to 43 days, up from 32 days previously.
But credential abuse as a standalone vector (13%) is only part of the identity picture. Phishing (16%) and pretexting (6%) are separate DBIR categories that also produce credential access. The human element remained present in 62% of all breaches. The infostealer pipeline is industrial-scale: infostealers surface an average of 2,362 breached corporate credentials per month from organizational email domains in stealer log datasets, and 54% of devices in Initial Access Broker logs had at least one infostealer installed.
Sources
- Help Net Security, "Lessons from Verizon DBIR 2026 findings" (May 25, 2026)
- Help Net Security, "Verizon DBIR: Vulnerability exploitation is the dominant initial access vector" (May 20, 2026)
- SecurityWeek, "Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft"
- Verizon, 2026 Data Breach Investigations Report (primary source)
Third-party breaches jumped 60% year over year and now feature in 48% of all incidents. The DBIR frames this as a supply chain problem, but the mechanism is almost always credential-based: a vendor's credentials are stolen or its access is abused, and that access propagates into customer environments because the vendor's permission scope was never constrained to least privilege.
Only 23% of third-party organizations fully remediated missing or improperly secured MFA on cloud accounts. Weak-password and permission misconfigurations took a median of 8 months to resolve 50% of findings. The remediation gap is measured in months; attacker dwell time after credential compromise is measured in days.
The shadow AI layer compounds this directly. The DBIR found that 67% of users accessing AI services used non-corporate accounts, creating a sprawl of ungoverned third-party AI integrations that each carry their own credential surface and each constitute a new third-party access relationship outside any identity governance scope.
Ransomware was involved in 48% of all breaches analyzed, up from 44% in 2025. The increase arrives alongside a decline in ransom payment rates: 69% of victims did not pay, and the median ransom payment fell from $150,000 to approximately $140,000. Organizations are getting better at not paying. They are not getting better at preventing the initial access that makes ransomware possible.
The DBIR draws the clearest causal line yet between infostealer credential theft and ransomware deployment: 50% of ransomware victims had a documented infostealer or credential theft event in the 95 days before the ransomware attack. The pipeline is: infostealer → credential harvest → Initial Access Broker → ransomware operator → deployment. Every stage of that pipeline operates on credentials. None of it requires a zero-day.
Why AI Agents Amplify the Credential Abuse Vector
The DBIR documents the credential abuse problem for human identities. The same dynamics apply, at greater scale and with less visibility, to the non-human identities that AI agents operate under. Every AI agent your organization deploys is, at its core, a credential holder. It holds OAuth tokens granting delegated access to enterprise SaaS. It holds API keys for model providers, data pipelines, and cloud services. It runs under service accounts with permissions scoped far beyond what any single task requires.
The DBIR's infostealer findings (2,362 breached corporate credentials harvested per month per organization, 54% of IAB-listed devices with at least one stealer installed) describe the environment your AI agents' credentials live in. Agent credentials are stored in environment variables, CI/CD secrets, cloud secret managers, and developer dotfiles. They appear in agent memory, in tool call logs, and in the OAuth grant tables of every SaaS your agents integrate with. Infostealers harvest anything they can read from a compromised endpoint, and developer endpoints are consistently the highest-value targets.
Unlike human credentials, AI agent credentials are rarely monitored for behavioral anomalies after provisioning. A human employee logging in from an unusual location triggers a risk signal in most modern identity platforms. An AI agent's OAuth token suddenly executing bulk exports at 2 AM generates no equivalent alert in most environments: the token is valid, the action is permitted by the grant scope, and there is no behavioral baseline for "normal" agent activity.
The DBIR's third-party risk finding compounds this directly. An AI integration partner (the analytics tool, the CRM enrichment service, the data pipeline vendor) is a third-party access relationship. When that vendor's credentials are stolen or its environment is compromised, the attacker inherits the access granted to that integration. The Anodot-to-Snowflake breach chain of April to May 2026 is exactly this: a single analytics vendor's OAuth connector tokens gave attackers authenticated access to Vimeo's, Rockstar Games', and Zara's Snowflake environments. One vendor NHI breach, three enterprise blast radii.
- Snowflake: 160+ customers, 560M+ records (Apr to Jun 2024). Infostealers harvested Snowflake credentials over months. Attackers authenticated with valid credentials and ran bulk SELECT queries across 160+ customer environments. MFA was opt-in; no behavioral baseline detected the export volume. Source: KrebsOnSecurity
- Vimeo + Rockstar via Anodot (Apr 2026): ShinyHunters compromised analytics vendor Anodot, stole OAuth connector tokens, and authenticated directly into customer Snowflake environments. One third-party NHI breach; zero alerts on victim identity stacks.
- Canvas / Instructure: 275M student records, 3.65TB (May 2026). ShinyHunters exploited a self-enrollment tier sharing production infrastructure, exfiltrating 3.65TB across 8,809 institutions over 7 days, then repeated the breach one week later via the same vector. No credential-level controls stopped the volume.
- ADT + Okta vishing (Aug 2024, 2025, 2026): ShinyHunters vished ADT's help desk to reset Okta SSO credentials, pivoted to Salesforce, and exfiltrated customer data, three times in 18 months using the identical vector. Third breach: 5.5M records confirmed by HIBP. Social engineering (DBIR: human element in 62% of breaches) amplified by a credential reset mechanism with no behavioral gate.
The Third-Party AI Integration = Third-Party Access Problem
The DBIR's 48% third-party involvement finding covers every category of external access: managed service providers, software vendors, cloud service suppliers, and integration partners. An AI integration (the LLM orchestration platform, the AI workflow automation tool, the agent framework vendor) is structurally identical to any other third-party access relationship. It is granted credentials. It has access scope. It can be breached, and that breach propagates into your environment via the access you granted.
The DBIR notes that 67% of users accessing AI services used non-corporate accounts, meaning most enterprise AI tool usage is happening outside identity governance entirely. Every shadow AI integration is an ungoverned third-party access relationship: no inventory, no behavioral monitoring, no revocation process, and no visibility into what credentials were stored in that tool's environment when it was compromised.
The remediation gap the DBIR documents (8 months median to close 50% of password and permission misconfigurations for third-party organizations) is directly applicable to AI integration governance. If your AI vendor's credentials are over-scoped, the window between provisioning and remediation is measured in months. The attacker dwell time after credential compromise is measured in days.
How RuntimeAI Addresses the Breach Vectors DBIR 2026 Identifies
The DBIR identifies the patterns. RuntimeAI's Identity + Zero-Trust + Defence-in-Depth platform provides runtime enforcement across all of them, specifically for the AI agent and NHI credential surface that no traditional identity tool was built to govern.
The DBIR's infostealer finding (2,362 breached credentials per month) describes a pipeline that most enterprises cannot detect because they have no inventory of what credentials their AI agents hold. KYA provides that inventory: every API key, OAuth token, service account, and CI/CD machine identity associated with an AI agent is tracked from provisioning through revocation, with least-privilege scope enforced by policy.
Behavioral baselines per agent mean that an agent executing bulk exports outside its normal pattern triggers a risk signal: the equivalent of the impossible-travel alert that exists for human identities, applied to non-human agent behavior. When the Snowflake infostealer attacks ran bulk SELECT queries across 160+ customer environments, the behavioral signal was the volume and pattern of queries. KYA's baseline detection would have flagged that deviation regardless of whether the credential was technically valid.
The DBIR's remediation timelines (43-day median patch time, 8-month median for third-party permission fixes) reflect a detection and response gap that makes dwell time the primary cost multiplier in every breach. The Audit Black Box provides a tamper-proof, court-admissible record of every agent action, tool call, API interaction, and data access event, independent of whether application logs were destroyed or endpoints were compromised.
In the Snowflake attack chain, attackers ran queries that left minimal traces in customer-controlled logs. The Audit Black Box removes log manipulation as an attacker lever: forensics remain available regardless of what happens to the endpoint or application layer. Time-to-detect compresses from the median 43-day patching window to the moment the behavioral anomaly occurs.
The DBIR's third-party remediation gap (8 months to close 50% of permission misconfigurations) exists because most organizations have no programmatic enforcement layer for third-party access scope. RuntimeAI's Policy Engine enforces least-privilege scope for every AI integration as Policy-as-Code (Rego/OPA): what data an agent can access, what API calls it can make, what volume thresholds trigger review, and what third-party credential grants are within policy.
When an Anodot-style connector token is used to run bulk SQL queries against Snowflake customer data, the behavior violates every reasonable least-privilege policy, but no enforcement layer was in place to catch it. RuntimeAI's Policy Engine would have enforced a rate limit and access scope at the integration layer, stopping the bulk export before the data moved.
Every major credential-abuse breach in the DBIR dataset ends the same way: bulk data moves. The Snowflake breach: 560M+ records. Canvas: 3.65TB across 8,809 institutions. The ADT chain: 5.5M records. The technical mechanism varies; the outcome is the same: valid credentials plus unmonitored bulk access equals exfiltration.
PII Shield operates at the agent boundary, redacting PII and PHI inline before it can be returned in bulk by an agent query. Volume-based egress controls flag and block exports that exceed behavioral baselines, regardless of whether the credential executing the query is technically authorized. The authorization question and the behavioral question are evaluated independently.
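To show what inline redaction at the agent boundary looks like in practice, here is an added example written for this page; it is not RuntimeAI's PII Shield code. It takes the rows an agent tool call would hand back, redacts by field name first (for PHI/PCI columns you already know about) and then by content pattern (for PII that leaks into free-text columns), and returns a count of what it suppressed so the event can be logged. The row shapes, field names, and the three patterns are constructed for illustration; a production catalogue would be far larger and tuned per data source.

```python
import re

# Illustrative PII patterns (constructed; a real deployment carries a larger, tuned catalogue).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 16-digit card number, optionally separated by spaces or dashes in groups
    "card": re.compile(r"\b(?:\d[ -]?){12}\d{4}\b"),
}
# Columns redacted by name regardless of content (hypothetical schema).
SENSITIVE_FIELDS = {"ssn", "diagnosis", "card_number"}

# Constructed rows, as an agent tool call might return them from a customer table.
SAMPLE_ROWS = [
    {"id": 1, "email": "a.user@example.com", "ssn": "123-45-6789",
     "note": "card 4111 1111 1111 1111 on file"},
    {"id": 2, "email": "n/a", "ssn": "", "note": "call back Tuesday"},
]


def redact_value(value, counts):
    """Replace pattern matches inside a string; non-string values pass through unchanged."""
    if not isinstance(value, str):
        return value
    for label, pattern in PII_PATTERNS.items():
        value, n = pattern.subn(f"[REDACTED:{label}]", value)
        if n:
            counts[label] = counts.get(label, 0) + n
    return value


def redact_rows(rows):
    """Redact at the agent boundary: by field name first, then by content pattern.

    Returns (clean_rows, counts) so the caller can both return safe data to the
    agent and record how much PII the query would otherwise have exposed.
    """
    counts = {}
    clean_rows = []
    for row in rows:
        clean = {}
        for key, value in row.items():
            if key.lower() in SENSITIVE_FIELDS:
                clean[key] = "[REDACTED:field]"
                counts["field"] = counts.get("field", 0) + 1
            else:
                clean[key] = redact_value(value, counts)
        clean_rows.append(clean)
    return clean_rows, counts


if __name__ == "__main__":
    rows, suppressed = redact_rows(SAMPLE_ROWS)
    for row in rows:
        print(row)
    print("suppressed:", suppressed)
```

The order matters: a known-sensitive column is blanked without inspecting its content, so an empty or oddly formatted SSN field is still redacted, while pattern matching catches the card number an operator pasted into a free-text note. The returned counts are the signal a volume gate or audit record would consume.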
The DBIR's ransomware finding (50% of victims had a credential theft event in the 95 days prior) means the infostealer-to-ransomware pipeline typically runs for weeks or months before the ransomware deploys. That window is the detection and response opportunity. Most organizations miss it because they have no runtime enforcement layer watching credential behavior after authentication.
RuntimeAI Kill Switch provides a three-level escalation: L1 continuously monitors agent and NHI credential behavior against baselines. L2 notifies a security operator at high-confidence anomaly. L3 executes a policy-driven kill action (revoking the credential, stopping the agent, blocking the API session) mid-execution, before the exfiltration completes or the ransomware deploys. Not a post-incident report. During the attack.
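The behavioral-baseline check described earlier for agent tokens (the 2 AM bulk export that authorization alone would permit) and the three-level escalation just described share one core: learn what a credential normally does, score each new action without consulting the grant scope, and map the deviation to a response. The following is an added example written for this page, not RuntimeAI product code. It learns a per-credential baseline (typical result volume and working hours) from a constructed JSON-lines audit log, scores three later events, and returns an L1/L2/L3 verdict. The log format, field names, the 3-sigma volume threshold, the one-hour tolerance, and the rule that two independent deviations trigger L3 are all assumptions chosen for illustration.

```python
import json
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed JSON-lines audit events for one agent OAuth token (sample data, not a real log).
# Every row is an *authorized* query: the grant scope permits SELECT, so authorization
# alone would never reject any of them.
BASELINE_LOG = """\
{"ts": "2026-05-01T09:12:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 1200}
{"ts": "2026-05-02T10:40:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 950}
{"ts": "2026-05-03T11:05:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 1400}
{"ts": "2026-05-04T14:30:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 1100}
{"ts": "2026-05-05T15:15:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 1300}
{"ts": "2026-05-06T16:50:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 1000}
"""

# Three later events to score: a normal query, a daytime bulk pull, and a 2 AM bulk pull.
NEW_EVENTS = """\
{"ts": "2026-05-08T11:00:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 1250}
{"ts": "2026-05-08T10:30:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 60000}
{"ts": "2026-05-09T02:07:00Z", "credential_id": "oauth-analytics-connector-01", "action": "SELECT", "rows": 4800000}
"""

Z_THRESHOLD = 3.0  # hypothetical tuning value: more than 3 sigma above the mean row count is "bulk"


def parse_events(text):
    """Parse JSON-lines records and derive the UTC hour used for the time-of-day baseline."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["hour"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).hour
            events.append(rec)
    return events


@dataclass
class Baseline:
    mean_rows: float
    stdev_rows: float
    active_hours: set


def build_baselines(events):
    """One baseline per credential: typical result volume plus the hours it normally works."""
    by_cred = defaultdict(list)
    for ev in events:
        by_cred[ev["credential_id"]].append(ev)
    baselines = {}
    for cred, evs in by_cred.items():
        rows = [ev["rows"] for ev in evs]
        stdev = statistics.stdev(rows) if len(rows) > 1 else 0.0
        baselines[cred] = Baseline(
            mean_rows=statistics.mean(rows),
            stdev_rows=max(stdev, 1.0),  # floor so a constant history still gives a usable band
            active_hours={ev["hour"] for ev in evs},
        )
    return baselines


def anomaly_reasons(baseline, event):
    """Independent behavioral deviations; the grant scope is deliberately not consulted."""
    reasons = []
    z = (event["rows"] - baseline.mean_rows) / baseline.stdev_rows
    if z > Z_THRESHOLD:
        reasons.append("volume")
    # Tolerate one hour either side of any previously observed working hour.
    nearby = {h + d for h in baseline.active_hours for d in (-1, 0, 1)}
    if event["hour"] not in nearby:
        reasons.append("off_hours")
    return reasons


def escalate(baseline, event):
    """Three-level escalation: L1 monitor, L2 notify an operator, L3 kill mid-execution.

    A credential with no baseline at all is treated as unregistered and denied outright.
    """
    if baseline is None:
        return {"level": 3, "action": "deny_unregistered", "reasons": ["no_baseline"]}
    reasons = anomaly_reasons(baseline, event)
    if not reasons:
        return {"level": 1, "action": "monitor", "reasons": reasons}
    if len(reasons) == 1:
        return {"level": 2, "action": "notify_operator", "reasons": reasons}
    return {
        "level": 3,
        "action": "revoke_credential_and_block_session",
        "credential_id": event["credential_id"],
        "reasons": reasons,
    }


def run_sample():
    """Score the constructed new events against baselines learned from BASELINE_LOG."""
    baselines = build_baselines(parse_events(BASELINE_LOG))
    return [escalate(baselines.get(ev["credential_id"]), ev) for ev in parse_events(NEW_EVENTS)]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

On the sample data the 1,250-row daytime query stays at L1, the 60,000-row daytime pull raises only the volume flag and goes to L2, and the 4.8M-row query at 02:07 trips both volume and off-hours and goes to L3. Note that nothing in the scoring path reads the token's scope: a perfectly valid, fully authorized credential is revoked on behavior alone, which is the property the Snowflake-style bulk exports lacked.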
Nation-state actors systematically collect encrypted data during extended dwell periods for future decryption once quantum computing capability scales. AI agent credentials, OAuth tokens, and API keys collected today by infostealers and sophisticated threat actors are potential decrypt targets. This is the harvest-now-decrypt-later threat model, and agent credentials harvested from the same infostealer ecosystem the DBIR is documenting are particularly high-value targets for nation-state collection.
RuntimeAI's PQData stack addresses this directly:
- QuantumVault: agent secrets and credentials stored with NIST-standardized post-quantum cryptography (ML-KEM, FIPS 203); safe against future quantum decryption of harvested credential stores
- PQ Transit Shield: ML-KEM key exchange on all data in motion, including agent API calls; blocks harvest-now-decrypt-later attacks on agent traffic collected today
- PQ TokenVault: format-preserving tokenization for PII, card numbers, and PHI flowing through agent pipelines; data exfiltrated in tokenized form cannot be used even if decrypted
- PQ CryptoGuard: full cryptographic inventory of the AI stack mapped and scored for quantum readiness; gaps surfaced before regulators find them
Kill Switch: Acting During the Attack, Not After
RuntimeAI Kill Switch: 3-Level Escalation
Your SIEM tells you what happened. RuntimeAI Kill Switch stops it while it's happening.
What RuntimeAI Governs Across the DBIR 2026 Attack Surface
The DBIR 2026 data confirms three overlapping attack vectors: credential abuse (including via infostealers and third-party access), third-party supplier compromise, and ransomware deployment riding the credential pipeline. All three are active against the AI integration layer of most enterprises today, and none are addressed by the identity tools built for human users.
RuntimeAI sits inside the AI integration fabric itself, between your agents and the rest of your stack. Security, control, and governance. One-click AI compliance reporting. Independent of whether your perimeter holds or your third-party vendors have closed their MFA gaps.
RuntimeAI coverage across DBIR 2026 attack vectors
- Credential Abuse (DBIR: 13% standalone, ~35% combined identity vectors): KYA inventories every AI agent credential; behavioral baselines catch anomalous use even when credentials are technically valid; Kill Switch revokes mid-execution
- Third-Party Access (DBIR: 48% of breaches, +60% YoY): Policy Engine enforces least-privilege scope for every AI integration; NHI lifecycle management ensures third-party credentials are revoked on relationship termination; behavioral monitoring on every vendor-scoped token
- Ransomware Credential Pipeline (DBIR: 50% of victims had prior credential theft): behavioral baseline detection during the 95-day window; Audit Black Box preserves forensics independent of log destruction; Kill Switch stops deployment during dwell time
- Shadow AI / Ungoverned Integrations (DBIR: 67% of AI access via non-corporate accounts): Agent DNS ensures only registered, policy-compliant agents reach enterprise infrastructure; unregistered integrations get no access, not just a warning
- Post-Quantum Harvest-Now-Decrypt-Later: QuantumVault, PQ Transit Shield, PQ TokenVault, PQ CryptoGuard applied to agent credential stores and data flows; safe against future quantum decryption of harvested data
- PII Exfiltration (all breach chains): PII Shield redacts inline at the agent boundary; bulk export volume controls independent of credential validity
See How RuntimeAI Governs the Vectors DBIR 2026 Identifies
AI agent credentials, third-party access, and the infostealer pipeline, governed at runtime, with Kill Switch enforcement during the attack.
Visit www.runtimeai.io/trial