Identity Ranks as No. 1 Cybersecurity Threat Vector; AI Massively Compounds the Risk, Permiso Research Finds

PALO ALTO, Calif.--(BUSINESS WIRE)--Identity-related attacks were the dominant threat vector in 2025 with 76% of organizations saying they accounted for up to 50% of security incidents, indicates a report released today by Permiso Security, the leading identity security company. The rest of the organizations said more than half of their security incidents were identity related.

Identity-related attacks occur when malicious actors attempt or succeed in accessing company or organizational data and systems—not by breaking through firewalls—but by logging in via compromised credentials of current and past employees, third-party vendors, and non-human identities, such as AI agents.

The Permiso State of Identity Security 2026 report is based on a survey of 512 organizations worldwide. The results reveal gaping identity security holes and looming AI-related risks ahead. Key findings include:

• Only 46% of organizations have comprehensive visibility into all identities operating within their environment, which hampers their ability to detect and respond to threats.
• Only 43% can detect identity-based risks before incidents occur—which means they cannot stop them.
• Only 29% of organizations can detect blast radius within minutes. The rest take hours or days—giving attackers time to move laterally and exfiltrate data.
• 95% of organizations say AI systems can now create or modify identities without traditional human oversight—which vastly increases the attack surface.
• Almost 4 in 10 survey respondents said AI systems have access to 26% to 50% of their sensitive data. That's customer records, financial data, and trade secrets being processed by systems that operate outside traditional security controls.

“Organizations are deploying AI systems faster than they can secure them, granting access faster than they can track it, and generating identities faster than they can manage them,” said Paul Nguyen, Co-CEO of Permiso Security. "Most organizations don't have visibility into which AI systems have access, what permissions they hold, or what they're doing with the data they can access. These are non-human identities on steroids, with access patterns that traditional monitoring can't detect."

The Cost of Fragmentation

Companies know they need to act. More than 7 in 10 say better identity visibility could have prevented 26% to 75% of their security incidents, the survey found. Also, almost 9 of 10 plan to increase identity security investment in 2026.

Organizations have a long way to go. Three quarters of the surveyed organizations use 3-10 separate tools just for identity visibility, which creates gaps. They have the worst visibility into SaaS environments, where most critical applications reside, and third-party vendors are a fast-rising threat after employees in terms of risk.

"Organizations keep asking us for faster threat detection,” said Jason Martin, Co-CEO at Permiso Security. "But when we dig into what's slowing them down, it's always the same answer: fragmented visibility. You can't detect what you can't see, and you can't respond quickly when you're spending hours correlating data manually. The fastest path to better detection isn't better detection tools. It's unified visibility.”

AI is compounding the challenges. Non-human identities—AI agents, access tokens, etc.,—are experiencing “explosive growth,” the report states. A full 95% of organizations express confidence in being able to track them but likely suffer “false confidence.” That’s because, while they have records of the non-human identity, they likely lack visibility into how AI agents behave and what sensitive data they have access to.

“The gap between what organizations believe they can see and what they actually control has never been wider,” said Martin.

When asked what capabilities would most improve their security posture, organizations prioritized real-time threat detection and unified cross-platform visibility over additional point solutions.

The full report, including detailed methodology and analytical frameworks, is available here.

About Permiso

Permiso is the leading cloud identity security platform that helps organizations discover, protect, and defend against identity threats across multi-cloud and hybrid environments. The company's innovative approach combines static configuration data with runtime intelligence to provide comprehensive visibility into human identities, non-human identities, vendor accounts, and now AI identities. Trusted by multiple Fortune 500 companies and some of the Las Vegas Strip's premier resorts and casinos, Permiso enables organizations to secure their identity fabric across the full spectrum of modern computing environments.

For more information about Permiso and its AI security capabilities, explore our solutions or request a demo at hello@permiso.io