The gap between ransomware threats and the defenses meant to stop them is getting worse, not better. Ivanti’s 2026 State of Cybersecurity Report found that the preparedness gap widened by an average of 10 points year over year across every threat category the firm tracks. Ransomware hit the widest spread: 63% of security professionals rate it a high or critical threat, but just 30% say they are “very prepared” to defend against it. That’s a 33-point gap, up from 29 points a year ago.
CyberArk’s 2025 Identity Security Landscape puts numbers to the problem: 82 machine identities for every human in organizations worldwide. Forty-two percent of those machine identities have privileged or sensitive access.
The most authoritative playbook framework has the same blind spot
Gartner’s ransomware preparation guidance, the April 2024 research note “How to Prepare for Ransomware Attacks” that enterprise security teams reference when building incident response procedures, specifically calls out the need to reset “impacted user/host credentials” during containment. The accompanying Ransomware Playbook Toolkit walks teams through four phases: containment, analysis, remediation, and recovery. The credential reset step instructs teams to ensure all affected user and device accounts are reset.
Service accounts are absent. So are API keys, tokens, and certificates. The most widely used playbook framework in enterprise security stops at human and device credentials. The organizations following it inherit that blind spot without realizing it.
The same research note identifies the problem without connecting it to the solution. Gartner warns that “poor identity and access management (IAM) practices” remain a primary starting point for ransomware attacks, and that previously compromised credentials are being used to gain access through initial access brokers and dark web data dumps. In the recovery section, the guidance is explicit: updating or removing compromised credentials is essential because, without that step, the attacker will regain entry. Machine identities are IAM. Compromised service accounts are credentials. But the playbook’s containment procedures address neither.
Gartner frames the urgency in terms few other sources match: “Ransomware is unlike any other security incident,” the research note states. “It puts affected organizations on a countdown timer. Any delay in the decision-making process introduces additional risk.” The same guidance emphasizes that recovery costs can amount to 10 times the ransom itself, and that ransomware is being deployed within one day of initial access in more than 50% of engagements. The clock is already running, but the containment procedures don’t match the urgency — not when the fastest-growing class of credentials goes unaddressed.
The readiness deficit runs deeper than any single survey
Ivanti’s report tracks the preparedness gap across every major threat category: ransomware, phishing, software vulnerabilities, API-related vulnerabilities, supply chain attacks, and even poor encryption. Every single one widened year over year.
“Although defenders are optimistic about the promise of AI in cybersecurity, Ivanti’s findings also show companies are falling further behind in terms of how well prepared they are to defend against a variety of threats,” said Daniel Spicer, Ivanti’s Chief Security Officer. “This is what I call the ‘Cybersecurity Readiness Deficit,’ a persistent, year-over-year widening imbalance in an organization’s ability to defend their data, people, and networks against the evolving threat landscape.”
CrowdStrike’s 2025 State of Ransomware Survey breaks down what that deficit looks like by industry. Among manufacturers who rated themselves “very well prepared,” just 12% recovered within 24 hours, and 40% suffered significant operational disruption. Public sector organizations fared worse: 12% recovery despite 60% confidence. Across all industries, only 38% of organizations that suffered a ransomware attack fixed the specific issue that allowed attackers in. The rest invested in general security improvements without closing the actual entry point.
Fifty-four percent of organizations said they would or probably would pay if hit by ransomware today, according to the 2026 report, despite FBI guidance against payment. That willingness to pay reflects a fundamental lack of containment alternatives, exactly the kind that machine identity procedures would provide.
Where machine identity playbooks fall short
Five containment steps define most ransomware response procedures today. Machine identities are missing from every one of them.
Credential resets weren’t designed for machines
Resetting every employee’s password after an incident is standard practice, but it doesn’t stop lateral movement through a compromised service account. Gartner’s own playbook template shows the blind spot clearly.
The Ransomware Playbook Sample’s containment sheet lists three credential reset steps: force logout of all affected user accounts via Active Directory, force password change on all affected user accounts via Active Directory, and reset the device account via Active Directory. Three steps, all Active Directory, zero non-human credentials. No service accounts, no API keys, no tokens, no certificates. Machine credentials need their own chain of command.
Nobody inventories machine identities before an incident
You can’t reset credentials that you don’t know exist. Service accounts, API keys, and tokens need ownership assignments mapped pre-incident. Discovering them mid-breach costs days.
Just 51% of organizations even have a cybersecurity exposure score, Ivanti’s report found, which means nearly half couldn’t tell the board their machine identity exposure if asked tomorrow. Only 27% rate their risk exposure assessment as “excellent,” despite 64% investing in exposure management. The gap between investment and execution is where machine identities disappear.
Network isolation doesn’t revoke trust chains
Pulling a machine off the network doesn’t revoke the API keys it issued to downstream systems. Containment that stops at the network perimeter assumes trust is bounded by topology. Machine identities don’t respect that boundary. They authenticate across it.
Gartner’s own research note warns that adversaries can spend days to months burrowing and gaining lateral movement within networks, harvesting credentials for persistence before deploying ransomware. During that burrowing phase, service accounts and API tokens are the credentials most easily harvested without triggering alerts. Seventy-six percent of organizations are concerned about stopping ransomware from spreading from an unmanaged host over SMB network shares, according to CrowdStrike. Security leaders need to map which systems trusted each machine identity so they can revoke access across the entire chain, not just the compromised endpoint.
Detection logic wasn’t built for machine behavior
Anomalous machine identity behavior doesn’t trigger alerts the way a compromised user account does. Unusual API call volumes, tokens used outside automation windows, and service accounts authenticating from new locations require detection rules that most SOCs haven’t written. CrowdStrike’s survey found 85% of security teams acknowledge traditional detection methods can’t keep pace with modern threats. Yet only 53% have implemented AI-powered threat detection. The detection logic that would catch machine identity abuse barely exists in most environments.
Stale service accounts remain the easiest entry point
Accounts that haven’t been rotated in years, some created by employees who left long ago, are the single weakest surface for machine-based attacks.
Gartner’s guidance calls for strong authentication for “privileged users, such as database and infrastructure administrators and service accounts,” but that recommendation sits in the prevention section, not in the containment playbook where teams need it during an active incident. Orphan account audits and rotation schedules belong in pre-incident preparation, not post-breach scrambles.
The economics make this urgent now
Agentic AI will multiply the problem. Eighty-seven percent of security professionals say integrating agentic AI is a priority, and 77% report comfort with allowing autonomous AI to act without human oversight, according to the Ivanti report. But just 55% use formal guardrails. Each autonomous agent creates new machine identities, identities that authenticate, make decisions, and act independently. If organizations can’t govern the machine identities they have today, they’re about to add an order of magnitude more.
Gartner estimates total recovery costs at 10 times the ransom itself. CrowdStrike puts the average ransomware downtime cost at $1.7 million per incident, with public sector organizations averaging $2.5 million. Paying doesn’t help. Ninety-three percent of organizations that paid had data stolen anyway, and 83% were attacked again. Nearly 40% could not fully restore data from backups after ransomware incidents. The ransomware economy has professionalized to the point where adversary groups now encrypt files remotely over SMB network shares from unmanaged systems, never transferring the ransomware binary to a managed endpoint.
Security leaders who build machine identity inventory, detection rules, and containment procedures into their playbooks now won’t just close the gap that attackers are exploiting today — they’ll be positioned to govern the autonomous identities arriving next. The test is whether those additions survive the next tabletop exercise. If they don’t hold up there, they won’t hold up in a real incident.
