Sophos Research Finds 71% of Organizations Experienced Identity Breaches in the Past Year

Sophos

State of Identity Security 2026 report highlights rising risks from human error, weak non-human identity management, and accelerating AI-driven attacks

Sophos has released its State of Identity Security 2026 report, revealing that 71% of organizations worldwide suffered at least one identity-related breach during the past year. The vendor-agnostic survey of 5,000 IT and cybersecurity leaders in 17 countries highlights how identity compromise is becoming one of the most critical cybersecurity challenges for enterprises.

According to the report, organizations experienced an average of three separate identity-related incidents annually, with some reporting six or more breaches. Sophos found that ransomware attacks are increasingly linked to identity compromise, with 67% of ransomware victims confirming that the attack originated from an identity-based intrusion.

“Identity has become the primary attack surface in modern cybersecurity, and organizations are increasingly struggling to keep pace. The rapid growth of non-human identities, particularly AI agents with persistent privileges, is creating a major security challenge that many enterprises are not yet prepared to manage,” said Ross McKerchar, Chief Information Security Officer at Sophos.

The financial impact of these incidents remains severe. Organizations affected by identity attacks reported an average recovery cost of $1.64 million, while nearly three-quarters incurred expenses exceeding $250,000.

A major concern highlighted in the report is the rapid growth of non-human identities (NHIs), including service accounts, API keys, automated applications, and AI agents. Weak management of these identities was identified as a contributing factor in 41% of incidents. Sophos warned that the rise of agentic AI is accelerating the problem, as AI systems autonomously create sub-agents and credentials with broad access privileges that security teams often fail to monitor effectively.

Human error continues to play a significant role as well, with 43% of breaches linked to employees being tricked into disclosing credentials.

The research also revealed major visibility and detection gaps across organizations. Only 24% of enterprises continuously monitor unusual login attempts, while many review identity activity only quarterly or less frequently. Additionally, 14% of breached organizations admitted they could not detect or stop their most serious identity attack before damage occurred.

Critical infrastructure sectors such as energy, utilities, oil and gas, and government agencies reported the highest breach rates. Organizations struggling with compliance requirements also showed significantly higher exposure to identity-related attacks.

Sophos recommends a multi-layered security approach that includes multi-factor authentication, least-privilege access controls, identity threat detection and response (ITDR), secrets management, and Zero Trust architectures to reduce growing identity-based cyber risks in increasingly AI-driven enterprise environments.
