Most successful breaches in 2026 do not begin with sophisticated malware or previously unknown vulnerabilities.
They begin with an identity. A permission. A trusted process. A human decision.
AI is accelerating the speed, scale, and sophistication of attacks, but the underlying weaknesses remain familiar. Attackers continue to exploit gaps in identity management, access governance, authentication, recovery processes, and human verification.
If you remember only five things:
- Identity is now the primary attack surface
- MFA dramatically reduces risk, but it is not enough by itself
- OAuth permissions can be just as dangerous as stolen passwords
- Session and token security matter as much as credential security
- Modern security depends more on verification than trust
The Numbers That Reframe the Conversation
The FBI’s Internet Crime Complaint Center (IC3) reported a record $16.6 billion in losses during 2024. The 2026 Verizon Data Breach Investigations Report, which analysed more than 22,000 confirmed breaches, found that the human element played a role in 62% of incidents. BEC alone accounted for $2.77 billion of those losses, and mobile phishing attacks are increasingly outperforming traditional email phishing.
Strip away the technical complexity and most breaches still come down to a person, a credential, or a process being manipulated. Attackers rarely break modern encryption. More often, they inherit legitimate access.
The Modern Breach Lifecycle
Most successful attacks follow a familiar pattern:
Reconnaissance → Initial Access → Persistence → Privilege Escalation → Business Impact
The tools evolve. The sequence rarely does.
Phishing: Still the Front Door
Phishing remained the most frequently reported cybercrime category in the FBI’s 2024 data. Today’s campaigns extend far beyond email; attackers increasingly target SMS, voice calls, messaging platforms, and collaboration tools. An organisation may have strong email protections while remaining vulnerable on the channels employees use and trust every day.
What helps: Phishing-resistant MFA, passkeys and hardware security keys, SMS and voice awareness training, browser and mobile security controls.
Business Email Compromise: The Billion-Dollar Con
BEC requires no malware, no exploit, no security alert. An attacker impersonates a trusted individual and persuades someone to take action.
The widely reported Arup deepfake incident demonstrated how AI-generated executives can convincingly impersonate trusted leaders during financial transactions. The goal wasn’t technical compromise; it was credibility. And the cost of manufacturing credibility continues to decline.
Trust without verification is not security. It is risk.
What helps: Callback verification using known phone numbers, dual approval workflows, segregation of duties, transaction delay windows, mandatory verification procedures.
MFA Fatigue and Authentication Abuse
Many organisations treat MFA as the finish line. It is not.
In MFA fatigue attacks, adversaries repeatedly trigger authentication prompts until a user eventually approves one. Authentication becomes routine. Routine becomes complacency.
What helps: Number matching, device-bound MFA, hardware security keys, risk-based authentication, conditional access policies.
OAuth Abuse in Microsoft 365 and Google Workspace
One of the least understood attack paths targets permissions rather than passwords. The user authenticates successfully, completes MFA, and grants access to what appears to be a legitimate application. At that moment, the organisation may unknowingly authorise access to email, calendars, files, contacts, and collaboration platforms, all without a single password being stolen.
What helps: Admin consent workflows, application allow lists, OAuth governance, permission reviews, least-privilege access.
Help Desk Social Engineering
Organisations invest heavily in security technology. Attackers increasingly focus on the help desk.
The MGM Resorts and Caesars incidents demonstrated that compromising recovery processes can be more effective than attacking technology directly. The attackers didn’t need to break systems; they only needed to convince someone to trust them.
What helps: Out-of-band identity verification, manager approvals, restricted reset authority, security-focused support training.
Token Theft: The Quiet Successor to Password Theft
Attackers are increasingly targeting access tokens, refresh tokens, session cookies, API credentials, and service identities. A valid token often provides immediate access without requiring another authentication event.
Resetting a password may not eliminate active access. The key question is no longer “Did we change the password?”; now it is “Did we revoke every active session?”
What helps: Short token lifetimes, continuous session validation, session monitoring, automated revocation, conditional access controls.
Machine Identities and Non-Human Access
Human users are no longer the only identities that matter. Modern organisations rely on service accounts, API keys, workload identities, service principals, automation accounts, and AI agents. Many enterprises now manage more machine identities than human users, often with excessive permissions, long-lived credentials, and limited oversight.
What helps: Secrets management, credential rotation, identity governance, least privilege, continuous monitoring.
Third-Party and Supply Chain Risk
Every vendor relationship expands the attack surface. Every SaaS platform introduces dependencies. A vendor compromise can quickly become your compromise.
What helps: Vendor security reviews, access minimisation, network and application segmentation, continuous monitoring, software supply chain controls.
AI-Powered Social Engineering: The Scale Multiplier
AI isn’t creating entirely new categories of attacks. It’s making existing attacks faster, cheaper, and more convincing. Attackers can now generate personalised phishing campaigns, executive impersonations, deepfake voice calls, synthetic video meetings, and multilingual fraud operations at scale.
If a convincing voice, face, or message can be generated on demand, then seeing or hearing someone is no longer proof of identity. Independent verification is becoming essential.
What helps: Out-of-band verification, identity-first security strategies, executive awareness programmes, financial controls, AI governance policies.
A Practical Verification Protocol
For any request involving money, credentials, or access:
- Verify payment changes through a known phone number
- Require dual approval for significant transactions
- Never rely solely on video calls for authorisation
- Require independent verification for help desk resets
- Revoke sessions, tokens, and OAuth grants before resetting credentials
None of these controls depend on detecting attacks. They depend on ensuring that trust never replaces verification.
What Leaders Should Be Asking
- How do we verify identity during recovery and support processes?
- What OAuth permissions currently exist across the organisation?
- How quickly can we revoke sessions and tokens?
- What controls govern financial transactions?
- How are machine identities managed and monitored?
- What happens if a privileged identity is compromised today?
The answers to these questions often reveal more about an organisation’s security posture than any vulnerability scan.
Final Thoughts
For decades, security programmes focused on protecting networks. Then attention shifted to devices. Today, the critical control plane is identity.
Every employee, contractor, vendor, application, workload, service account, API, and AI agent represents an identity that must be authenticated, authorised, monitored, and governed.
The organisations that succeed in the coming decade will not simply build stronger defences. They will build stronger systems of verification.
Because in 2026, the question is no longer “Can attackers get inside?” The question is: “How quickly can we detect and limit what a trusted identity can do once they get inside?”
This is Issue 2 of the Cloud, AI & Security Insights newsletter. Issue 3 explores why identity is the new perimeter and how Zero Trust works in practice.
Selected References: FBI IC3 2024 Internet Crime Report · Verizon 2026 DBIR · CNN Business / Fortune, Arup Deepfake Case · Cybersecurity Dive / Netwrix, MGM & Caesars Incidents
