Ransomware Readiness Gap Widens: Why Machine Identities Are the Missing Piece

February 17, 2026 Lisa Park Tech
Original source: venturebeat.com

The cybersecurity preparedness gap is widening, and a critical blind spot is emerging in ransomware defense: machine identities. While organizations focus on resetting user and host credentials during an attack, they routinely overlook the vast network of non-human accounts – service accounts, API keys, tokens, and certificates – that attackers increasingly exploit for lateral movement and persistence.

Ivanti’s 2026 State of Cybersecurity Report reveals a concerning trend. Despite 63% of security professionals viewing ransomware as a high or critical threat, only 30% feel “incredibly prepared” to defend against it, creating a 33-point preparedness gap. This gap has grown from 29 points in the previous year, indicating a worsening situation across the threat landscape. The report tracks preparedness across multiple threat categories – ransomware, phishing, software vulnerabilities, and more – and found that the gap widened year-over-year in every single category.

The scale of the problem is underscored by CyberArk’s 2025 Identity Security Landscape, which found that organizations now have 82 machine identities for every human user. A significant 42% of these machine identities possess privileged access, amplifying the risk. These aren’t simply administrative conveniences; they are prime targets for attackers seeking to escalate privileges and move undetected within a network.

The Playbook Problem: A Critical Oversight

The most widely used ransomware preparation guidance, an April 2024 research note from Gartner titled “How to Prepare for Ransomware Attacks,” and its accompanying Ransomware Playbook Toolkit, focuses heavily on resetting “impacted user/host credentials” during the containment phase. While essential, this approach is incomplete. The playbook meticulously outlines steps for containing, analyzing, remediating, and recovering from an attack, but it conspicuously omits any mention of service accounts, API keys, tokens, or certificates.

This omission isn’t accidental. The playbook’s credential reset procedures are entirely focused on Active Directory, addressing user and device accounts. There’s no provision for identifying, revoking, or rotating machine credentials. As Gartner itself notes, ransomware is unique in its urgency – “putting affected organizations on a countdown timer.” Yet, the containment procedures don’t reflect that urgency when it comes to the fastest-growing attack surface.

The issue isn’t that Gartner doesn’t recognize the problem. The research note explicitly warns that “poor identity and access management (IAM) practices” are a primary starting point for ransomware attacks, and that previously compromised credentials – including those used by machines – are frequently exploited through initial access brokers and dark web data dumps. However, the connection between these warnings and the need to address machine identities within the containment phase remains unmade.

Beyond the Playbook: A Deeper Readiness Deficit

The lack of focus on machine identities is symptomatic of a broader “Cybersecurity Readiness Deficit,” as described by Daniel Spicer, Ivanti’s Chief Security Officer. This deficit represents a persistent imbalance between an organization’s ability to defend against evolving threats and the actual threats they face. It’s not simply a matter of preparedness; it’s a matter of execution.

CrowdStrike’s 2025 State of Ransomware Survey illustrates this point. Even among organizations that rate themselves as “very well prepared,” recovery times are often slow, and significant operational disruption is common. For example, only 12% of manufacturers who felt well-prepared recovered within 24 hours, while 40% experienced significant disruption. In the public sector, the numbers were even worse. Critically, only 38% of organizations that suffered an attack were able to fix the *specific* vulnerability that allowed attackers to gain access; the rest invested in general security improvements without addressing the root cause.

The economic incentives further exacerbate the problem. Despite FBI guidance against paying ransoms, 54% of organizations report they would or probably would pay if attacked. This willingness to pay reflects a lack of confidence in their ability to contain and recover without resorting to ransom, a situation that robust machine identity procedures could help alleviate.

Five Critical Gaps in Current Procedures

Current ransomware response procedures typically follow five containment steps, and machine identities are largely absent from each:

  1. Credential resets weren’t designed for machines: Resetting user passwords doesn’t address compromised service accounts.
  2. Nobody inventories machine identities before an incident: You can’t secure what you don’t know exists. Discovering machine identities during an active breach is time-consuming and inefficient. Ivanti’s report found that nearly half of organizations (51%) don’t even have a cybersecurity exposure score.
  3. Network isolation doesn’t revoke trust chains: Removing a machine from the network doesn’t invalidate API keys or tokens it has already issued.
  4. Detection logic wasn’t built for machine behavior: Anomalous activity from machine identities often goes unnoticed because existing detection rules are geared towards human behavior. CrowdStrike found that 85% of security teams acknowledge traditional detection methods are insufficient.
  5. Stale service accounts remain the easiest entry point: Unrotated, orphaned accounts are a significant vulnerability.
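
To make gaps 2, 3 and 5 concrete, the sketch below is an added example (not from the article or any vendor playbook) that scopes containment from a pre-built machine-identity inventory: every credential stored or used on an impacted host goes on the revoke/rotate list, and stale or orphaned identities elsewhere go on a hygiene backlog. The inventory records, host names, field names and the 365-day rotation threshold are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class MachineIdentity:
    name: str
    kind: str              # service_account | api_key | token | certificate
    owner: str | None      # None means orphaned: no accountable team
    hosts: frozenset       # hosts where the credential is stored or used
    privileged: bool
    last_rotated: date

# Constructed sample inventory; every name and host below is made up.
INVENTORY = [
    MachineIdentity("svc-backup", "service_account", "infra",
                    frozenset({"bkp01", "db02"}), True, date(2023, 3, 1)),
    MachineIdentity("ci-deploy-key", "api_key", "platform",
                    frozenset({"build07"}), True, date(2026, 1, 10)),
    MachineIdentity("metrics-token", "token", None,
                    frozenset({"db02"}), False, date(2024, 6, 5)),
    MachineIdentity("web-tls-cert", "certificate", "web",
                    frozenset({"web01"}), False, date(2025, 11, 20)),
    MachineIdentity("svc-legacy-etl", "service_account", None,
                    frozenset({"etl03"}), True, date(2021, 9, 14)),
]

MAX_AGE_DAYS = 365  # assumed rotation policy, not a figure from the article

def containment_scope(inventory, impacted_hosts, today):
    """Return (revoke_now, hygiene_backlog) as ordered lists of identity names."""
    revoke, backlog = [], []
    for ident in inventory:
        # Isolating a host does not invalidate credentials that lived on it,
        # so anything stored or used there must be revoked or rotated.
        if ident.hosts & impacted_hosts:
            revoke.append(ident)
        elif ident.owner is None or (today - ident.last_rotated).days > MAX_AGE_DAYS:
            backlog.append(ident)
    # Privileged identities first, then the longest-unrotated ones.
    order = lambda i: (not i.privileged, i.last_rotated)
    return ([i.name for i in sorted(revoke, key=order)],
            [i.name for i in sorted(backlog, key=order)])

if __name__ == "__main__":
    revoke, backlog = containment_scope(INVENTORY, {"db02"}, date(2026, 2, 17))
    print("revoke/rotate now:", revoke)
    print("stale or orphaned:", backlog)
```

The point of the example is that this lookup takes milliseconds only because the inventory already exists; building the host-to-credential mapping during an active incident is the slow part the article warns about.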

The Future: Agentic AI and the Expanding Attack Surface

The problem is poised to become significantly more complex with the rise of agentic AI. Ivanti’s report indicates that 87% of security professionals prioritize integrating agentic AI, and 77% are comfortable allowing autonomous AI to act without human oversight. However, only 55% are using formal guardrails. Each autonomous agent creates new machine identities, further expanding the attack surface and increasing the need for robust identity management.

The cost of inaction is substantial. Gartner estimates total ransomware recovery costs can be ten times the ransom amount, while CrowdStrike puts the average downtime cost at $1.7 million per incident. Organizations that pay the ransom are still likely to have data stolen and face the risk of repeat attacks. Addressing machine identities isn’t just about closing a gap in current defenses; it’s about preparing for the future of cybersecurity.

Security leaders who prioritize machine identity inventory, detection, and containment procedures will not only mitigate current risks but also be better positioned to govern the increasingly autonomous systems that are rapidly becoming integral to the modern enterprise.
