Identity compromise drives cyber risk as AI agents surge

Permiso has published new survey findings that place identity compromise at the centre of most cyber incidents and point to a sharp fall in confidence over organisations' ability to see every identity operating in their environments.

The company's 2026 State of Identity Security Report draws on responses from 512 organisations worldwide. It frames identity-based attacks as the dominant route for breaches and highlights gaps between confidence in tracking identities and the ability to spot risk early.

According to the research, 77% of organisations said identity compromise accounts for up to 75% of all security incidents. The report also identified what it described as a disconnect in operational readiness. While 95% of organisations said they felt confident tracking non-human identities such as service accounts and API keys, only 43% said they could proactively detect identity-based risks before incidents occur.

Visibility metrics showed a larger change year on year. Less than half of organisations, 46%, said they had comprehensive visibility into all identities in their environment. That compared with 93% in the previous year's responses, a decline of 47 percentage points.

"Organisations are finally being honest about what they can't see," said Jason Martin, Co-CEO, Permiso. "The 47-point drop isn't a collapse in capability, but rather a lack in having real-time visibility into what identities are actually doing. You can't detect what you can't see, and the answer to this major issue is simple: unified visibility," added Martin.

Preventable incidents

The survey results also addressed views on how much of the incident burden could be avoided. Some 71% of organisations said better identity visibility could have prevented between a quarter and three quarters of their security incidents.

At the same time, 44% cited security breaches as the primary business impact of limited visibility. When respondents ranked the identity types they considered riskiest, employees came top. The report said software-as-a-service environments used by employees had the worst visibility of any platform.

AI identities

Permiso's findings also focused on the spread of AI agents and their effect on identity sprawl. The report said 95% of organisations now believe AI systems can create or modify identities without traditional human oversight. It also said 91% expect AI-generated identities to increase in the next 12 months.

Use of AI agents in production environments featured heavily in the dataset. The report said 92% of respondents have AI agents accessing production data. It also said 39% reported AI systems have access to 26% to 50% of their sensitive data.

The research included additional datapoints on expected growth patterns. It said one quarter of organisations expect AI-generated identities to double or triple in the next year. It also said only 9% expect no growth in AI-generated identities. More than half, 52%, reported that AI identity creation happens consistently across all environments rather than in isolated systems.

Permiso framed these patterns as an extension of non-human identity challenges into a new category of machine-driven activity. The report argues that organisations face uncertainty over which AI systems have access, what permissions they hold, and how they use data once granted.

"The challenge with AI agents isn't that they're accessing data," said Paul Nguyen, Co-CEO at Permiso. "The challenge is that most organizations don't have visibility into which AI systems have access, what permissions they hold, or what they're doing with the data. These are non-human identities on steroids, with access patterns that traditional monitoring can't detect," said Nguyen.

Tool sprawl

The survey linked visibility gaps to the number of tools used for identity oversight. Respondents reported using an average of three to 10 separate tools for identity visibility. The report said this forces security teams to spend between 10 and 80 hours per week manually correlating data across platforms.

Permiso estimated the labour cost impact for 60% of organisations at between USD $31,000 and USD $125,000 annually, based on the time spent on manual correlation. It also said only 23% of organisations can both detect threats quickly and determine blast radius within minutes. The remaining 77% face delays during incident response, the report said.

"When we talk to security teams drowning in manual correlation, they all describe the same pattern," said Ian Ahl, CTO at Permiso. "They know which identities to investigate, but by the time they've pulled logs from five different systems, mapped the identity across three different formats, and reconstructed the timeline, the incident has evolved. They're always responding to yesterday's attack," added Ahl.

Budgets and speed

The report also measured intentions on spending and detection timelines. Nearly 90% of organisations said they plan to increase identity security investment in 2026. It said 38% plan increases of more than 30%.

Respondents also reported faster detection in general. The report said 79% now detect threats within 24 hours, compared with 61% in 2024.

In the survey, organisations ranked real-time threat detection and unified cross-platform visibility above additional point solutions when asked which areas would most improve their security posture. "They're always responding to yesterday's attack," said Ahl.