PALO ALTO, Calif.–(BUSINESS WIRE)–Identity-related attacks emerged as the primary security threat in 2025, with 76% of organizations reporting that such incidents comprised up to 50% of their security breaches, according to a report released today by Permiso Security. The study, titled the Permiso State of Identity Security 2026, indicates a growing concern over significant vulnerabilities in identity security and the escalating risks associated with artificial intelligence.
Identity-related attacks occur when threats gain access to sensitive data and systems not by breaching firewalls, but through compromised credentials from current or former employees, third-party vendors, and even non-human entities like AI agents. The report highlights that a mere 46% of organizations possess comprehensive visibility into all identities operating within their environments, significantly hindering their ability to detect and mitigate threats.
Furthermore, only 43% of organizations can identify identity-based risks before incidents transpire, leaving them vulnerable to attacks. A concerning statistic reveals that only 29% of organizations can ascertain the scope of a breach within minutes; the remainder take hours or even days, providing attackers with ample opportunity to maneuver within systems and exfiltrate data.
As AI systems proliferate, the attack surface expands. A striking 95% of organizations acknowledge that AI systems can create or modify identities independently of traditional human oversight. Alarmingly, nearly 40% of respondents indicated that these AI systems have access to between 26% and 50% of their sensitive data, which includes customer records, financial information, and trade secrets—data processed outside conventional security controls.
Paul Nguyen, Co-CEO of Permiso Security, commented, “Organizations are deploying AI systems faster than they can secure them, granting access faster than they can track it, and generating identities faster than they can manage them.” He emphasized the lack of visibility that most organizations have regarding which AI systems hold access, the permissions granted, and the potential misuse of data. “These are non-human identities on steroids, with access patterns that traditional monitoring can’t detect,” he added.
The survey underscores the urgent need for improved security measures, as over 70% of respondents believe enhanced identity visibility could have prevented between 26% to 75% of their security incidents. Nearly 90% of organizations plan to increase their identity security investments in 2026.
Despite this awareness, many organizations are struggling with fragmented identity security management. Approximately three-quarters of those surveyed utilize between three and ten different tools solely for identity visibility, which creates operational gaps. The report notes that visibility into Software as a Service (SaaS) environments, where many critical applications reside, remains particularly poor. Moreover, third-party vendors are becoming an increasingly significant risk after internal employees in terms of security threats.
Jason Martin, Co-CEO at Permiso Security, remarked, “Organizations keep asking us for faster threat detection. But when we dig into what’s slowing them down, it’s always the same answer: fragmented visibility.” He emphasized that effective threat detection requires unified visibility rather than merely better detection tools. “You can’t detect what you can’t see, and you can’t respond quickly when you’re spending hours correlating data manually,” Martin explained.
The rapid growth of non-human identities, including AI agents and access tokens, is further complicating the situation. While 95% of organizations express confidence in tracking these non-human identities, there is a likelihood of “false confidence.” Many organizations may have records of non-human identities but lack visibility into their behavior and the sensitive data they can access.
“The gap between what organizations believe they can see and what they actually control has never been wider,” Martin stated. When organizations were asked about the capabilities that would most enhance their security posture, many prioritized real-time threat detection and unified cross-platform visibility over acquiring additional point solutions.
The full report, which includes detailed methodologies and analytical frameworks, is available for further exploration. As organizations grapple with these identity security challenges, the need for cohesive and comprehensive strategies to secure identity fabric across modern computing environments becomes increasingly urgent.
About Permiso Permiso is the leading cloud identity security platform that aids organizations in discovering, protecting, and defending against identity threats across multi-cloud and hybrid settings. The firm’s innovative approach integrates static configuration data with runtime intelligence, delivering comprehensive visibility into human identities, non-human identities, vendor accounts, and AI identities. Trusted by multiple Fortune 500 companies, Permiso enables organizations to secure their identity fabric across the spectrum of contemporary computing environments.
For more information about Permiso and its AI security capabilities, visit their website or request a demo at [email protected]
Contacts
Whitney DeBenedictis
[email protected]
See also
Anthropic’s Claims of AI-Driven Cyberattacks Raise Industry Skepticism
Anthropic Reports AI-Driven Cyberattack Linked to Chinese Espionage
Quantum Computing Threatens Current Cryptography, Experts Seek Solutions
Anthropic’s Claude AI exploited in significant cyber-espionage operation
AI Poisoning Attacks Surge 40%: Businesses Face Growing Cybersecurity Risks
