79% of IT Pros Feel Ill-Equipped to Prevent Attacks Via Non-Human Identities, Cloud Security Alliance and Oasis Security Survey Finds

SEATTLE--(BUSINESS WIRE)--The Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, today released a new survey report, The State of Non-Human Identity and AI Security, which reveals critical process and technology gaps for agentic access management. Commissioned by Oasis Security, the identity security platform, the survey shows how a lack of AI governance policies and outdated IAM solutions open organizations up to significant risk amid the rapid-fire adoption of AI.

92% of respondents are not confident that their legacy IAM solutions can effectively manage the risks associated with AI and NHIs.

Share

Key findings include:

• Governance and ownership gaps leave AI identities exposed. 78% of organizations don’t have documented and formally adopted policies for creating or removing AI identities.
• Legacy IAM infrastructure constrains AI readiness. 92% of respondents are not confident that their legacy IAM solutions can effectively manage the risks associated with AI and NHIs.
• IT and security professionals can’t keep up. The majority (79%) of organizations rated their confidence in their ability to prevent attacks via NHIs as low or moderate.

“Organizations with limited visibility and unclear ownership are feeling the strain of AI-driven identities and securing identities in the AI era. Establishing strong identity foundations now is critical to reducing risk and confidently scaling AI use” said Hillary Baron, AVP of Research, Cloud Security Alliance.

As AI becomes embedded across the business, the scale of identity creation and access will grow exponentially, compounding existing visibility and control gaps.

Among the survey’s key findings:

• Governance and ownership challenges persist. 39% of respondents cited governance as their chief concerns around AI systems and identity. 51% of organizations reported no clear ownership or accountability and over-permissioned access (51%) as their most significant pain points.
• Manual, static processes create risk and stall innovation. Even where processes exist, automation is limited—14% said the creation and removal of AI-related identities are fully automated, 41% rely on semi-automated workflows, and 27% handle these processes entirely by hand. This lack of automation makes effective governance difficult, as manual processes limit visibility, consistency, and accountability.
• Token sprawl and slow remediation expand risk. More than 16% of organizations don’t track when new AI-related identities are created. Even when these identities are known, lifecycle management is slow. Nearly one-quarter (24%) of organizations take more than 24 hours to rotate or revoke a credential after a potential exposure, and 30% take over a day to triage a high-severity credential leak.

“AI turns identity into a high-velocity system,” said Danny Brickman, CEO and Co-Founder of Oasis Security. “Every new agent, workflow, or integration can mint credentials and permissions in minutes. Too many organizations still govern that with spreadsheets and unsophisticated processes. That’s not an AI strategy–that’s an incident backlog.

“The fix is simple,” he continued. “Assign clear ownership, lock policy in writing, and automate the lifecycle before machine access scales beyond control.”

Oasis commissioned CSA to develop a survey and report to better understand the industry’s knowledge, attitudes, and opinions regarding NHI security and AI agents. Oasis financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in August and September 2025 and received 383 responses from IT and security professionals from organizations of various sizes and locations. CSA’s research analysts performed the data analysis and interpretation for this report.

Download the State of Non-human Identity and AI Security.

About Oasis Security

Oasis Security is the AI-powered identity security platform for the Agentic Access era. Backed by leading global investors including Sequoia Capital, Cyberstarts, and Accel, Oasis enables organizations to transcend legacy IAM tools and secure the growing ecosystem of AI agents and Non-Human Identities (NHIs). The Oasis platform provides unified visibility, intelligent automation, granular control, and streamlined lifecycle management across all agentic identities, helping enterprises confidently adopt, scale, and govern AI. By securing identity at the access layer, Oasis empowers organizations to embrace the speed of Agentic AI while maintaining trust, compliance, and control. Oasis Security was founded in 2022 by Danny Brickman and Amit Zimerman.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading not-for-profit organization committed to awareness, practical implementation, and credentialing of forward-looking cybersecurity topics, including AI, cloud, and Zero Trust. In an era where digital transformation drives business success, CSA stands as the global authority ensuring organizations can operate securely while harnessing cutting-edge technology. Through volunteer-driven research, globally-accepted standards, and award-winning vendor-neutral education programs that unite technical experts, industry practitioners, and varied associations, governments, chapters, and corporate members, CSA bridges the gap between innovation and pragmatic security execution. Visit CSA’s website to learn more.