Lax Security Management of AI Agents and Other Non-Human Identities Costs Companies
Sophos’s latest report, The State of Identity Security 2026, found that during the last 12 months, 71 percent of organizations suffered at least one identity-related breach. The report, published on 12 May, is based on a survey of 5,000 IT and cybersecurity leaders.
“The survey revealed the mix of human, process, and technical failures that led organizations to fall victim to identity-based attacks,” the report said.
Overall, the report says weak human identity management was a root cause in more than 60 percent of breaches, and problems with the access and permissions granted to external applications in more than 56 percent. Attackers are also using artificial intelligence (AI) and automation to speed up their attacks. The individual root causes, with the share of breached organizations citing each (respondents could cite more than one cause, so the shares do not sum to 100 percent):
- Human error – 42.7 percent
- Weak non-human identity management, such as static credentials, API keys stored in code, orphaned service accounts – 40.6 percent
- Weak human identity management for employees – 38.6 percent
- Lack of visibility into access and permissions granted to external applications – 35.7 percent
- Weak human identity management for contractors or suppliers – 31.4 percent
- Lack of control of access and permissions granted to external applications – 30.8 percent
- Malicious insider, where an employee deliberately enabled an attack – 26.7 percent
Now the second-greatest reason for a breach, weak management of non-human identities (NHIs) appears to be a growing security gap.
“Identity has become the primary attack surface in modern cybersecurity, and this data shows most organizations are losing ground,” said Ross McKerchar, chief information security officer, Sophos. “…AI agents are being granted privileges faster than security teams can track them, and organizations that fail to get ahead of this will find it an increasingly costly gap to close.”
An NHI is a digital identity issued to a piece of software, a system, or an automated process so that it can access an organization’s resources without human involvement. Instead of a username and password, an NHI authenticates with machine credentials: an API key connecting two applications, a service account running backups, or the token an AI agent uses to reach a database.
“NHI credentials can be stolen and misused in much the same way as human login details,” the report said. For organizations that fail to regularly audit NHI permissions, which are often broad and significant, there are notable consequences. Organizations with weak NHI management were 27.9 percent more likely to experience financial theft, 24.4 percent more likely to experience extortion, and reported overall recovery costs nearly $150,000 higher than the average of $1.64 million.
Despite the growing popularity of agentic AI, only one in three organizations (34 percent) regularly rotate or audit service accounts and NHIs, and only 11 percent do so continually. AI agents can also spawn new agents to complete sub-tasks, each of which is a new NHI created without human oversight or involvement. AI agents’ ability to make decisions, behave unpredictably, and operate continuously makes it harder to notice when something goes wrong, the report noted.
The survey also asked whether organizations engage in five core identity management activities, and if so, how frequently.
“The results reveal significant gaps between best practice and reality—gaps that increase exposure to identity attacks,” the report said.
- Review identity governance policies: 33.4 percent of organizations do so quarterly, 10.55 percent continually, and 10.1 percent at most once a year
- Rotate/audit service accounts and NHIs: 37.7 percent on a quarterly basis, 11.1 percent continually, 7.5 percent once a year or longer
- Monitor for credential leaks: 31.4 percent on a quarterly basis, 17.9 percent continually, 6.6 percent once a year or longer
- Check for common passwords: 30.4 percent on a quarterly basis, 19.2 percent continually, 6.1 percent once a year or longer
- Monitor for unusual logins: 28.2 percent on a quarterly basis, 24.1 percent continually, 6.2 percent once a year or longer
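Two of the activities above, rotating/auditing service accounts and NHIs and monitoring for credential leaks, are the ones the report ties most directly to the weak-NHI failure modes it lists (static credentials, API keys stored in code, orphaned service accounts, agents spawning agents). As an added example, not code from the report or from Sophos, the Python below runs both checks over a constructed NHI inventory and a constructed source file. The inventory format, the policy thresholds (rotate at 90 days, flag at 30 days idle) and the sample data are assumptions made for illustration; the AWS and GitHub key patterns follow those providers' documented prefixes.

```python
"""Audit a non-human identity (NHI) inventory and scan source for leaked keys.

Constructed example: the inventory, policy thresholds and sample source
below are made up for illustration; they are not data from the Sophos report.
"""
import re
from datetime import date, timedelta

# Hypothetical policy thresholds (assumed, not taken from the report).
MAX_CREDENTIAL_AGE = timedelta(days=90)   # rotate at least quarterly
MAX_IDLE = timedelta(days=30)             # unused this long -> candidate for removal
AUDIT_DATE = date(2026, 5, 12)            # "today" for the audit run

# Constructed NHI inventory: one record per service account, API key or agent token.
INVENTORY = [
    {"name": "svc-backup", "kind": "service_account", "owner": "alice",
     "owner_active": True, "created": date(2026, 3, 1), "last_used": date(2026, 5, 10),
     "parent": None},
    {"name": "key-billing-export", "kind": "api_key", "owner": "bob",
     "owner_active": False, "created": date(2025, 1, 15), "last_used": date(2026, 5, 9),
     "parent": None},
    {"name": "svc-legacy-etl", "kind": "service_account", "owner": None,
     "owner_active": False, "created": date(2024, 6, 1), "last_used": date(2026, 1, 3),
     "parent": None},
    {"name": "agent-research-01", "kind": "agent_token", "owner": "carol",
     "owner_active": True, "created": date(2026, 4, 20), "last_used": date(2026, 5, 11),
     "parent": None},
    # Sub-agent spawned by another agent, never assigned a human owner.
    {"name": "agent-research-01-sub-7", "kind": "agent_token", "owner": None,
     "owner_active": False, "created": date(2026, 5, 11), "last_used": date(2026, 5, 11),
     "parent": "agent-research-01"},
]


def audit_nhis(inventory, today):
    """Return {name: [findings]} for every identity that fails a policy check.

    Findings: stale_credential (past rotation age), no_owner (never assigned),
    orphaned (owner has left), idle (unused longer than MAX_IDLE) and
    unattended_spawn (created by another agent with no human owner).
    """
    findings = {}
    for nhi in inventory:
        problems = []
        if today - nhi["created"] > MAX_CREDENTIAL_AGE:
            problems.append("stale_credential")
        if nhi["owner"] is None:
            problems.append("no_owner")
        elif not nhi["owner_active"]:
            problems.append("orphaned")
        if today - nhi["last_used"] > MAX_IDLE:
            problems.append("idle")
        if nhi["parent"] is not None and nhi["owner"] is None:
            problems.append("unattended_spawn")
        if problems:
            findings[nhi["name"]] = problems
    return findings


def run_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_nhis(INVENTORY, AUDIT_DATE)


# Patterns for credentials commonly committed to code. The AWS and GitHub
# patterns match those providers' documented key prefixes; the generic pattern
# catches `api_key = "..."` style literals but not values read from the environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "hardcoded_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}

# Constructed sample source file (the AWS key is AWS's own documentation example value).
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = os.environ.get("BILLING_API_KEY")
gh = Github("ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij")
password = "correct-horse-battery-staple"
"""


def scan_for_secrets(source):
    """Return [(line_number, pattern_name)] for each line that looks like a leaked credential."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    for name, problems in run_audit().items():
        print(f"{name}: {', '.join(problems)}")
    for lineno, kind in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Line 3 of the sample source is deliberately left unflagged: reading the key from the environment is the pattern the hard-coded lines should be replaced with. In a real deployment the inventory would be pulled from the identity provider and cloud IAM APIs rather than typed in, and the "unattended_spawn" finding is the check to add once agents are allowed to create sub-agents.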
The report also found that the highest breach rates came from energy, oil and gas, and other utility providers (80.3 percent); central and federal governments (78.4 percent); construction and property (76.1 percent); manufacturing and production (73.6 percent); and retail (72 percent). The lowest breach rates came from organizations in IT, technology, and telecoms (63.1 percent) and healthcare (63.4 percent).
Notably, smaller organizations (100-250 employees) were 72 percent less likely to identify an identity attack compared to large organizations (more than 1,000 employees).
And if an organization was breached once, it was likely to become a repeat victim. On average, organizations reported three separate incidents, with 5 percent reporting at least six breaches.
Across the board, the most likely consequence of a breach was data theft (48.8 percent), closely followed by ransomware involving stolen credentials (48.4 percent), and then extortion (43.9 percent), sabotage (30 percent), financial theft involving diverted payments (28 percent), and financial theft where money was stolen directly from an organization’s accounts (25.5 percent), the report said.
Sixty-seven percent of ransomware victims who responded to the survey confirmed that their incident stemmed from an identity attack, making identity compromise a primary delivery mechanism for ransomware.