Study shows companies are giving AI agents the keys to critical systems faster than they establish safeguards. Without comprehensive identity system security, attackers can accelerate compromise of Active Directory, Entra ID or Okta.

HOBOKEN, N.J. – May 15, 2026 – Semperis, the identity-driven cyber resilience and crisis response company, today published results of a multi-industry global study of 1,100 organisations aimed at understanding AI’s effect on the attack surface of identity systems such as Active Directory, Entra ID and Okta. The study shows that AI is quietly redrawing the boundaries of global identity attack surfaces, and that organisations are giving AI agents the keys to critical systems faster than they are putting guardrails around those new identities.

The State of Identity Security in the AI Era study found that 74% of organisations in the U.S., U.K., France, Germany, Spain, Italy, Singapore and Australia believe AI will increase attacks on identity infrastructure. In addition, 93% already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access. Ninety-two percent say AI is installed on at least some local machines with access to SSH and encryption keys, yet globally only 32% are very confident they could regain control if AI exposes admin credentials. In the U.S., 53% of companies expressed confidence in regaining control, and in France the number plummeted to 12%.

“The accelerated use of AI is introducing a bevy of new agents - each with its own non-human identity (NHI) - throughout global enterprises and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs,” said Alex Weinert, Semperis Chief Product Officer.

Globally, only 65% of organisations say AI identities are fully registered, authenticated and authorised in a formal system, and 6% admit they do not track them at all. In organisations that do track AI identities, 57% use the same system as for human identities, while 43% authenticate and authorise them using a separate system.

“What is striking about the Semperis AI study is not just how quickly AI is being integrated into identity systems but how unprepared many organisations are to recover when things go wrong. Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability and recovery readiness. It is a new dimension of an old question, really: Are you resilient enough to respond in the event of critical disruption,” said Grace Cassy, Partner, Ten Eleven Ventures.

Are organisations ready for AI-fueled identity breaches?

A concerning revelation from the study is that AI is being placed close to sensitive identity infrastructure, and too few organisations are prepared for the potential consequences. More than a quarter of surveyed organisations (29%) already use AI agents to manage security‑related help desk tickets including password resets and VPN access. Another 65% intend to do so within the next year. In parallel, 92% of respondents say that some percent of their workforce has AI installed on local machines where it can access SSH and encryption keys.

“The pattern of global organisations overestimating how quickly they can recover from a cyberattack is real, especially when identity is within the blast radius. On paper, organisations have plans and backups; in practice, identity failures turn technical incidents into prolonged business crises, exposing a dangerous gap between perceived resilience and reality,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.

On the plus side, 83% of respondents indicated that AI identity governance is a priority for them in the coming months.

How can organisations govern these hard-to-control identities?

For now, best practices include:

- Treat agents explicitly as NHIs in the identity fabric.

- Enforce least‑privilege, just‑enough, and just‑in‑time access for agents as rigorously as for humans.

- Segregate agent and human trust boundaries where appropriate.

- Use UEBA‑style analytics to detect “zombie” or anomalous agent behavior.

- Ensure that your organisation can quickly recover identity systems to a trustworthy state if they are breached.

Access the full AI Study here: https://www.semperis.com/the-state-of-identity-security-in-the-AI-era/

Methodology

To conduct this study, we partnered with experts at Censuswide, an international market research consultancy. In early 2026, Censuswide surveyed 1,100 organisations across the U.S., U.K., France, Germany, Italy, Spain, Australia and Singapore.

About Semperis

Semperis is the identity-driven cyber resilience and crisis management company trusted by the world’s largest enterprises and government agencies to protect critical identity systems. Purpose-built for multi-cloud and hybrid identity environments—including Active Directory, Entra ID, Okta, and Ping Identity—Semperis helps organizations prevent, detect, respond to, and recover from identity-based cyberattacks.

Modern cyberattacks are won or lost at the identity layer, where failures now escalate into full-scale business crises. Semperis’ AI-powered platform unifies identity lifecycle defense and crisis management—hardening identity infrastructure, detecting and containing active threats, enabling rapid, trusted recovery, and supporting secure, out-of-band coordination when core systems are disrupted—all reinforced by a world-class identity forensics and incident response team.

As part of its mission to help organizations achieve true cyber resilience, Semperis supports the broader cyber community through the award-winning Hybrid Identity Protection (HIP) Conference and Podcast, and free identity security tools including Purple Knight and Forest Druid. More than 1,200 organisations—including over 25% of the 100 largest U.S. companies—rely on Semperis. The company is privately held, headquartered in Hoboken, New Jersey, and serves customers in more than 40 countries.

Learn more: semperis.com

Media Contact:

Bill Keeler

Semperis

Senior Director, PR & Comms
