
The gap between ransomware threats and the defenses put in place to stop them is getting worse, not better. Ivanti's 2026 State of Cybersecurity report found that the preparedness gap has widened by an average of 10 points year over year in every threat category the company tracks. Ransomware is widespread: 63% of security professionals consider it a high or serious threat, but only 30% say they are "very prepared" to protect against it. That is a 33-point gap, up from 29 points a year ago.
CyberArk's 2025 Identity Security Landscape shows the scale of the problem: 82 machine identities for every human in organizations around the world. Forty-two percent of those machine identities have privileged or sensitive access.
The most widely used playbook framework has the same blind spot
Gartner's April 2024 research note "How to Prepare for Ransomware Attacks", the ransomware preparedness guidance that enterprise security teams refer to when building incident response procedures, specifically emphasizes the need to reset "affected user/host credentials" during prevention. The accompanying Ransomware Playbook Toolkit walks teams through four phases: prevention, analysis, remediation, and recovery. The credential reset step instructs teams to ensure that all affected user and device accounts are reset.
Service accounts are missing. So are API keys, tokens, and certificates. The most widely used playbook framework in enterprise security stops at human and device credentials. Organizations that follow it inherit that blind spot without realizing it.
The same research note identifies the problem without linking it to the fix. Gartner warns that "poor identity and access management (IAM) practices" remain the primary starting point for ransomware attacks, and that previously compromised credentials are being used to gain access through initial access brokers and dark web data dumps. In the recovery section, the guidance is clear: compromised credentials must be updated or deleted, because without that step the attacker will regain access. Machine identities are IAM. Compromised service account credentials are compromised credentials. But the playbook's prevention steps don't address any of this.
Gartner frames the urgency in terms that match other sources. "Ransomware is unlike any other security incident," the research note says. "This puts affected organizations on a countdown clock. Any delay in the decision-making process brings additional risks." The same guidance notes that recovery costs can be up to 10 times the ransom amount, and that in over 50% of ransomware activity the payload is deployed within a day of initial access. The clock is already ticking, but prevention processes don't match the urgency, not when the fastest-growing class of credentials goes unreported.
The lack of urgency runs deeper than any single survey
Ivanti's report tracks the preparedness gap in every major threat category: ransomware, phishing, software vulnerabilities, API-related vulnerabilities, supply chain attacks, and even weak encryption. Every one of those gaps widened year over year.
“While defenders are optimistic about the promise of AI in cybersecurity, Ivanti’s findings also show that companies are falling behind in how well they are prepared to defend against a variety of threats,” said Daniel Spicer, Ivanti’s chief security officer. “This is what I call the ‘cybersecurity readiness deficit,’ which is a persistent, year-over-year growing imbalance in an organization’s ability to protect its data, people, and networks against the evolving threat landscape.”
CrowdStrike's 2025 State of Ransomware Survey shows what that gap looks like in practice. Of manufacturers who rated themselves "very well prepared", only 12% recovered within 24 hours, and 40% faced significant operational disruption. Public sector organizations fared worse: 12% recovered within 24 hours despite 60% expressing confidence. Across all industries, only 38% of organizations that faced a ransomware attack fixed the specific issue that let attackers in. The rest invested in general security improvements without closing the actual entry point.
Despite FBI guidance against paying, the 2026 report found that 54 percent of organizations said they would or probably would pay if hit by ransomware today. That willingness to pay reflects a fundamental lack of prevention options, of the kind that machine identity procedures would provide.
Where playbooks fall short on machine identity
Five prevention steps define most ransomware response processes today. Machine identity is missing from every one of them.
Credential resets were not designed for machines
Resetting each employee's password after an incident is standard practice, but it does not stop lateral movement through a compromised service account. Gartner's own playbook template shows the blind spot clearly.
The ransomware playbook's sample prevention sheet lists three credential reset steps: forcing logout of all affected user accounts through Active Directory, forcing a password change on all affected user accounts through Active Directory, and resetting the device account through Active Directory. Three steps, all Active Directory, zero non-human credentials. No service accounts, no API keys, no tokens, no certificates. Machine credentials need a reset chain of their own.
No one inventories machine identities before an event
You cannot reset credentials you do not know exist. Service accounts, API keys, and tokens need ownership mapped before the event; finding them in the middle of a breach takes days.
Ivanti's report found that only 51% of organizations even have a cybersecurity exposure score, meaning almost half could not have told the board about their machine identity exposure had it asked yesterday. Despite 64% investing in exposure management, only 27% rate their exposure risk assessment "excellent". The gap between investment and execution is where machine identity disappears.
Network isolation does not invalidate the trust chain
Removing a machine from the network does not revoke the API keys issued to downstream systems. Containment that stops at the network perimeter assumes that trust is bounded by topology. Machine identities do not respect that boundary.
Gartner's own research note warns that adversaries can spend days to months gathering credentials for persistence, moving within the network, and achieving lateral movement before deploying ransomware. During that dwell phase, service accounts and API tokens are the credentials most easily collected without triggering alerts. According to CrowdStrike, 76% of organizations are concerned about preventing ransomware from spreading from an unmanaged host across SMB network shares. Security leaders need to map which systems trust each machine identity so they can revoke access across the entire chain, not just the compromised endpoint.
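The three gaps above (a reset sheet that stops at user and device accounts, no inventory of non-human credentials before the event, and containment that ignores the trust chain) come together in one added example below. It is not code from the article or from Gartner's toolkit: it models a pre-incident inventory in which every credential, human or not, has a kind, an owner, the hosts that hold it and the hosts that trust it, then walks the trust graph from a compromised host to compute everything containment must actually revoke. The credential names, hosts and owners are constructed sample data.

```python
"""Pre-incident machine-identity inventory and transitive revocation plan.

Constructed example: the credential names, hosts and owners are invented for
illustration and do not come from any real environment or from Gartner's
toolkit.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    name: str            # credential identifier (constructed)
    kind: str            # user, device, service_account, api_key, token, certificate
    owner: str           # accountable team; "" means nobody has claimed it
    used_on: frozenset   # hosts that hold and present this credential
    trusts: frozenset    # downstream hosts that accept this credential


# Constructed inventory. Note the non-human entries an AD-only reset sheet
# never touches, and the service account nobody owns any more.
INVENTORY = [
    Credential("alice", "user", "it-ops", frozenset({"ws-01"}), frozenset({"dc-01"})),
    Credential("ws-01$", "device", "it-ops", frozenset({"ws-01"}), frozenset({"dc-01"})),
    Credential("svc-backup", "service_account", "infra",
               frozenset({"ws-01", "bk-01"}), frozenset({"fs-01", "db-01"})),
    Credential("ak-report-etl", "api_key", "data", frozenset({"bk-01"}), frozenset({"api-gw"})),
    Credential("tok-ci-deploy", "token", "platform", frozenset({"ci-01"}), frozenset({"k8s-01"})),
    Credential("cert-db-client", "certificate", "infra", frozenset({"db-01"}), frozenset({"db-02"})),
    Credential("svc-monitor", "service_account", "", frozenset({"mon-01"}), frozenset({"fs-01", "k8s-01"})),
]


def revocation_plan(inventory, compromised_hosts):
    """Return ({kind: [names]}, reached_hosts) for a set of compromised hosts.

    Every credential held on a compromised host is treated as stolen. Each host
    that trusts a stolen credential is then reachable, so credentials held there
    are in scope as well. A breadth-first walk over the trust graph gives the
    closure; the result is what containment must actually revoke.
    """
    reached = set(compromised_hosts)
    queue = deque(compromised_hosts)
    in_scope = set()
    while queue:
        host = queue.popleft()
        for cred in inventory:
            if host in cred.used_on and cred.name not in in_scope:
                in_scope.add(cred.name)
                for downstream in cred.trusts:
                    if downstream not in reached:
                        reached.add(downstream)
                        queue.append(downstream)
    plan = {}
    for cred in inventory:
        if cred.name in in_scope:
            plan.setdefault(cred.kind, []).append(cred.name)
    return {kind: sorted(names) for kind, names in plan.items()}, reached


def ad_only_plan(plan):
    """What a user/device-only reset sheet would cover from the same plan."""
    return {kind: names for kind, names in plan.items() if kind in ("user", "device")}


def unowned(inventory):
    """Credentials with no accountable owner. A playbook step that says
    'contact the owner' cannot complete for these, so flag them before an incident."""
    return sorted(c.name for c in inventory if not c.owner)


if __name__ == "__main__":
    plan, hosts = revocation_plan(INVENTORY, {"ws-01"})
    print("hosts reachable from ws-01:", sorted(hosts))
    print("full revocation plan:", plan)
    print("AD-only sheet would reset:", ad_only_plan(plan))
    print("unowned credentials:", unowned(INVENTORY))
```

Run against the sample data, compromising the single workstation ws-01 pulls in a user, a device account, a service account and a client certificate on a database two hops away, while the AD-only view of the same plan covers just the first two. The unowned service account is the kind of orphan the pre-incident audit exists to find.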
Detection logic was not designed for machine behavior
Abnormal machine identity behavior does not trigger alerts the way a compromised user account does. Unusual API call volumes, tokens used outside their automation window, and service accounts authenticating from new locations require identity rules that most SOCs haven't written. CrowdStrike's survey found that 85% of security teams admit that traditional detection methods can't keep up with modern threats, yet only 53% have implemented AI-powered threat detection. Detection logic that catches machine identity abuse barely exists in most environments.
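The three anomalies named above are simple to express as rules once a baseline per identity exists. The added example below is not code from the article or from any vendor it cites; it runs three such rules (token used outside its automation window, service account from a new source, API call volume above baseline) plus a fourth for identities that are not in the inventory at all, over constructed log lines. The baselines, identity names, addresses and log format are all assumptions made for the example.

```python
"""Detection rules for machine-identity abuse over constructed authentication events.

Constructed example: the baselines, identities and log lines are invented for
illustration. Three rules mirror the anomalies listed in the text (token used
outside its automation window, service account from a new location, unusual
API call volume); a fourth flags identities absent from the inventory.
"""
from collections import Counter
from datetime import datetime

# Baseline per identity: permitted hours (UTC, half-open range), known source
# prefixes, and the largest hourly API call count seen in normal operation.
# In practice this comes from the inventory plus observed history.
BASELINES = {
    "svc-backup":    {"window": (1, 3),  "sources": ("10.0.20.",), "max_per_hour": 50},
    "tok-ci-deploy": {"window": (8, 20), "sources": ("10.0.30.",), "max_per_hour": 30},
}

# Constructed log lines: "<timestamp> <identity> <source-ip> <action>"
LOG_LINES = [
    "2025-03-10T02:10:05Z svc-backup 10.0.20.7 auth.success",
    "2025-03-10T02:11:30Z svc-backup 10.0.20.7 smb.read",
    "2025-03-10T14:02:11Z svc-backup 10.0.20.7 auth.success",    # outside the 01:00-03:00 window
    "2025-03-10T14:05:44Z svc-backup 203.0.113.9 auth.success",  # outside window and new source
    "2025-03-10T03:30:00Z svc-legacy 10.0.20.9 auth.success",    # not in the inventory at all
] + [
    # 60 API calls in one hour from the deploy token; the baseline allows 30
    f"2025-03-10T09:{minute:02d}:00Z tok-ci-deploy 10.0.30.4 api.call"
    for minute in range(60)
]


def parse(line):
    ts, identity, source, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), identity, source, action


def detect(lines, baselines):
    """Return a list of (rule, identity, detail) alerts for the given log lines."""
    alerts = []
    api_calls_per_hour = Counter()
    for line in lines:
        ts, identity, source, action = parse(line)
        baseline = baselines.get(identity)
        if baseline is None:
            # An identity with no baseline has no owner and no inventory entry.
            alerts.append(("unknown_identity", identity, line))
            continue
        start, end = baseline["window"]
        if not start <= ts.hour < end:
            alerts.append(("outside_window", identity, line))
        if not source.startswith(baseline["sources"]):
            alerts.append(("new_source", identity, line))
        if action.startswith("api."):
            api_calls_per_hour[(identity, ts.replace(minute=0, second=0))] += 1
    for (identity, hour), count in api_calls_per_hour.items():
        if count > baselines[identity]["max_per_hour"]:
            alerts.append(("volume", identity,
                           f"{count} API calls in the hour starting {hour.isoformat()}"))
    return alerts


def summarize(alerts):
    """Alert counts per rule, as a plain dict."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    for alert in detect(LOG_LINES, BASELINES):
        print(alert)
    print(summarize(detect(LOG_LINES, BASELINES)))
```

The point of the baseline table is that it is derived from the same inventory the playbook needs for resets: an identity with no baseline is also an identity nobody can revoke during containment, which is why the unknown-identity rule is the first one to run.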
Old service accounts remain the easiest entry points
Accounts that haven't been rotated in years, including some created by employees who left long ago, are the most exposed surface for machine-identity-based attacks.
Gartner's guidance calls for strong authentication for "privileged users, such as database and infrastructure administrators and service accounts," but that recommendation sits in the prevention guidance, not in the incident playbook where teams need it during an active event. Orphaned-account audits and rotation schedules belong to pre-incident preparation, not post-breach response.
Economics now makes it urgent
Agentic AI will make the problem worse. According to the Ivanti report, 87 percent of security professionals say integrating agentic AI is a priority, and 77% report being comfortable allowing autonomous AI to operate without human oversight. But only 55% use formal guardrails. Each autonomous agent creates new machine identities: identities that authenticate, make decisions, and act independently. If organizations can't control their machine identities today, agentic AI is about to add an order of magnitude more.
Gartner estimates that the total recovery cost will be 10 times higher than the ransom. CrowdStrike puts the average cost of ransomware downtime at $1.7 million per incident, and at $2.5 million for public sector organizations. Paying doesn't help: 93 percent of organizations that paid had their data stolen anyway, and 83% were attacked again. Nearly 40% could not completely restore data from backups after a ransomware incident. The ransomware economy has professionalized to such an extent that adversary groups now encrypt files remotely on SMB network shares from unmanaged systems, never transferring the ransomware binary to a managed endpoint.
Security leaders who build machine identity inventories, identity rules, and prevention processes into their playbooks will not only close the gaps attackers are exploiting today; they will be positioned to control autonomous identities going forward. The test is whether those additions hold up in the next tabletop exercise. If they don't survive there, they won't survive a real event.