Firms lack confidence in securing AI-driven identities

A new survey by Cloud Security Alliance finds most IT and security professionals lack confidence in their ability to prevent attacks that use non-human identities, as organisations adopt more AI-driven systems and automate more business processes.

The survey report, titled The State of Non-Human Identity and AI Security, points to gaps in governance and identity and access management practices. It also highlights what it describes as slow responses to credential exposure and inconsistent lifecycle processes for AI-related identities.

Governance gaps

The results show 79% of respondents rated their confidence in preventing attacks via non-human identities as low or moderate. The findings also show 78% of organisations lack documented and formally adopted policies for creating or removing AI identities.

Concerns about governance appeared throughout the survey. Some 39% of respondents cited governance as their chief concern around AI systems and identity. The report also found 51% of organisations reported no clear ownership or accountability and over-permissioned access as their most significant pain points.

Cloud Security Alliance said the combination of unclear ownership and fast-growing identity estates increased exposure. Many organisations already manage large numbers of service accounts, API tokens, bots, workload identities and machine credentials. AI agents and new automation workflows add to that count.

Cloud Security Alliance linked the findings to the rapid spread of AI systems in business environments. It said this trend increased the scale of identity creation and access. It also said it compounded existing visibility and control gaps.

Hillary Baron, AVP of Research, Cloud Security Alliance, commented on the strain organisations reported as identity volumes rise.

"Organisations with limited visibility and unclear ownership are feeling the strain of AI-driven identities and securing identities in the AI era. Establishing strong identity foundations now is critical to reducing risk and confidently scaling AI use," said Hillary Baron, AVP of Research, Cloud Security Alliance.

Legacy IAM

The survey also points to a lack of confidence in existing identity and access management tools. It found 92% of respondents are not confident their legacy IAM solutions can effectively manage the risks associated with AI and non-human identities.

In many organisations, traditional IAM programmes focus on employee and contractor access. Non-human identities often sit across cloud services, CI/CD pipelines, data platforms, SaaS integrations and security tools. The survey indicates many teams still manage these identities with mixed processes and incomplete inventories.

Manual steps in provisioning and deprovisioning also featured in the results. Only 14% of respondents said the creation and removal of AI-related identities are fully automated. A further 41% said they rely on semi-automated workflows. Another 27% said they handle these processes entirely by hand.

Credential response

The survey highlights delays in identifying and responding to credential exposure. More than 16% of organisations said they do not track when new AI-related identities are created. The report frames this as a visibility issue that affects incident response and audit readiness.

Remediation timelines also appear to lag. Nearly one-quarter of organisations, 24%, take more than 24 hours to rotate or revoke a credential after a potential exposure. The survey also found 30% take over a day to triage a high-severity credential leak.

Danny Brickman, CEO and Co-Founder of Oasis Security, argued that AI-driven automation changes how quickly permissions and credentials appear across systems.

"AI turns identity into a high-velocity system," said Danny Brickman, CEO and Co-Founder of Oasis Security.

"Every new agent, workflow, or integration can mint credentials and permissions in minutes. Too many organizations still govern that with spreadsheets and unsophisticated processes. That's not an AI strategy-that's an incident backlog.

"The fix is simple," he continued. "Assign clear ownership, lock policy in writing, and automate the lifecycle before machine access scales beyond control," said Brickman.

Survey details

Oasis commissioned Cloud Security Alliance to develop the survey and report. Oasis financed the project and co-developed the questionnaire with Cloud Security Alliance research analysts. Cloud Security Alliance conducted the survey online in August and September 2025. It received 383 responses from IT and security professionals from organisations of various sizes and locations. Cloud Security Alliance research analysts performed the data analysis and interpretation.

The report frames non-human identity security as a growing operational discipline inside identity and security teams. It highlights policy ownership, automation of identity lifecycle processes and faster credential response times as areas where organisations reported gaps.

Cloud Security Alliance and Oasis Security said organisations should expect the number of AI-related identities to rise as AI systems embed across business functions and connect to more internal and external services.