Many organizations believe they have identity security under control.
New data from Permiso’s State of Identity Security Report suggests that confidence is increasingly misplaced — right as identity becomes the dominant attack vector in cloud environments.
“92% of organizations have AI agents in production accessing sensitive data, and those agents are creating identities without the approval workflows we spent decades building for human access. No tickets, no justification, no expiration dates,” said Paul Nguyen, co-founder and co-CEO of Permiso, in an email to eSecurityPlanet.
He explained, “The problem isn’t that AI is creating identities autonomously. The problem is we deployed it for speed without building the frameworks to govern it.”
Paul added, “That governance debt is compounding, and most organizations won’t realize how exposed they are until after a breach.”
Identity Is the New Attack Surface
Identity is no longer just a supporting control layer — it is the primary battleground.
Increasingly, attackers don’t need to “break in” through firewalls or exploit perimeter vulnerabilities.
They simply log in using stolen, reused, or over-permissioned credentials.
According to Permiso’s survey of 512 organizations worldwide, 77% reported that between 26% and 75% of their security incidents over the past year were identity-related.
In today’s cloud-first environments, identity has effectively become the new perimeter.
Multi-Cloud and Identity Fragmentation Increase Risk
That risk is compounded by structural complexity. Multi-cloud is now standard operating procedure, not an exception.
Many organizations operate across multiple cloud service providers while simultaneously relying on multiple identity providers (IdPs) to manage authentication and federation.
This creates a fragmented authentication and authorization fabric in which identities traverse environments, cross trust boundaries, and inherit permissions across platforms.
As this cross-platform sprawl grows, answering fundamental security questions becomes harder: Who has access? What can they access? What have they actually done?
When those answers require stitching together logs from several systems, visibility begins to erode.
At the same time, many organizations are managing identity populations large enough to require mature governance controls, yet not always large enough to justify dedicated identity security teams.
A significant portion falls into the 500 to 5,000 human identity range — a scale where informal oversight no longer works, but specialized identity resources are often absent.
In this “middle zone,” complexity can outpace capability, creating blind spots attackers are quick to exploit.
The Identity Visibility Illusion
Permiso’s most striking finding is what it describes as a visibility “illusion.”
Nearly half of organizations claim comprehensive visibility into all identities — both human and non-human — yet only 43% report that they can proactively detect identity-based risks before incidents occur.
Even among those claiming unified visibility across platforms, many acknowledge that achieving that view requires manual correlation of identity permissions and activity data. In other words, they have the data — but not necessarily the real-time insight.
Detection Improves, Response Still Lags
This gap becomes especially painful during incident response. Detection speeds have improved, with organizations reporting they can identify and confirm identity-based threats within 24 hours.
But detection alone is not enough. When teams cannot rapidly determine blast radius — what systems the compromised identity could access and what actions were taken — response slows dramatically.
Security teams may know an account is compromised while spending critical hours reconstructing its access paths across cloud platforms and SaaS applications.
During that delay, attackers can escalate privileges, move laterally to their next objective, or establish persistence.
Non-Human Identities Are Expanding the Attack Surface
Meanwhile, the identity landscape itself is shifting. Human identity volumes appear relatively stable, but non-human identities (NHIs) — including service accounts, API keys, tokens, certificates, and increasingly AI agents — are expanding rapidly.
Organizations now manage thousands or even tens of thousands of NHIs. These identities operate differently from human users: they often lack MFA, persist longer, rotate on different schedules, and may not undergo the same review cycles or governance scrutiny.
Despite that complexity, organizations express high confidence in their NHI inventories. That confidence weakens under closer inspection.
Roughly half of organizations rely on scheduled audits, manual documentation, or incident-driven discovery methods rather than continuous automated discovery.
This disconnect surfaces in credential hygiene data as well, with many reporting that a meaningful share of credentials are expired or unused yet remain active.
The result is a growing credential graveyard — dormant but valid access paths that attackers can leverage long after their original purpose has ended.
AI Is Accelerating Identity Risk
Artificial intelligence accelerates this challenge. AI does not simply introduce a new application layer; it fundamentally changes how identities are created and modified.
Organizations report that AI systems or automation tools can generate or alter identities and permissions, and many already have AI agents accessing production or sensitive data.
At the same time, the majority expect AI-generated identities to increase over the next year, often by double-digit percentages.
The core issue is not that AI is inherently insecure. It is that AI increases the speed and scale of identity change.
Identities can be created instantly. Permissions can be adjusted dynamically.
Traditional ticketing workflows and approval gates may be bypassed entirely.
Without clear visibility into which AI agents exist, what access they hold, and how they behave, AI becomes a force multiplier for existing non-human identity risks.
In an environment already struggling with fragmented visibility and manual correlation, automated identity creation adds another layer of acceleration — and another opportunity for attackers to blend in with legitimate access.
Identity Risk Mitigation Strategies
As identity plays a growing role in cloud security incidents, organizations need to move beyond reactive response and focus on reducing risk upfront.
Visibility is important, but it must be paired with stronger controls that limit privilege, reduce unnecessary access, and improve response times.
That includes managing identity risk consistently across human users, non-human accounts, third parties, and AI-driven systems.
- Consolidate identity visibility across cloud, SaaS, and identity providers to reduce tool sprawl and eliminate manual correlation gaps.
- Treat non-human identities as first-class assets by enforcing continuous discovery, automated lifecycle management, credential rotation, and removal of unused or long-lived access.
- Enforce phishing-resistant MFA and eliminate legacy authentication to reduce credential-based compromise risk.
- Replace standing privileges with just-in-time and least-privilege access controls to minimize blast radius and prevent privilege escalation paths.
- Implement identity attack path analysis and behavioral monitoring to detect anomalous activity, toxic permission combinations, and lateral movement early.
- Harden AI and third-party identity governance by tightly scoping permissions, segmenting access to sensitive data, and continuously monitoring automated identity creation and changes.
- Build and regularly test identity-focused incident response plans to ensure rapid token revocation, session invalidation, blast radius assessment, and containment during compromise.
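As an added illustration (not code from the report or from Permiso), the Python below models three of the controls above over a constructed inventory: flagging dormant-but-valid credentials (the "credential graveyard"), spotting automation-created identities with no expiration date, and computing the blast radius of a compromised identity by expanding roles in an access graph. The identity names, resources and the 90-day dormancy threshold are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed sample data for illustration; none of it comes from the Permiso report.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
@dataclass
class Credential:
    owner: str                      # non-human identity the credential belongs to
    active: bool                    # still valid for authentication
    expires: Optional[datetime]     # None means no expiration date was ever set
    last_used: Optional[datetime]   # None means never seen in activity logs
    created_via: str                # "ticket" (approval workflow) or "automation"
INVENTORY = [
    Credential("svc-backup", True, None, NOW - timedelta(days=200), "ticket"),
    Credential("api-billing", True, NOW - timedelta(days=10), NOW - timedelta(days=3), "ticket"),
    Credential("agent-summarizer", True, None, NOW - timedelta(days=1), "automation"),
]
# Constructed access graph: identity or role -> roles and resources it can reach.
ACCESS = {
    "svc-backup": {"role:storage-admin"},
    "role:storage-admin": {"bucket:backups", "bucket:customer-exports"},
    "api-billing": {"db:billing"},
    "agent-summarizer": {"db:billing", "role:storage-admin"},
}

def credential_graveyard(inventory, now=NOW, dormant_days=90):
    """Active credentials that are expired, never used, or unused for dormant_days."""
    findings = {}
    for c in (c for c in inventory if c.active):  # revoked ones need no cleanup
        if c.expires is not None and c.expires < now:
            findings[c.owner] = "expired but still active"
        elif c.last_used is None:
            findings[c.owner] = "never used"
        elif now - c.last_used > timedelta(days=dormant_days):
            findings[c.owner] = f"unused for more than {dormant_days} days"
    return findings
def ungoverned_identities(inventory):
    """Active identities created by automation with no expiration date set."""
    return sorted(c.owner for c in inventory
                  if c.active and c.created_via == "automation" and c.expires is None)
def blast_radius(identity, access=ACCESS):
    """Resources reachable from a compromised identity, expanding roles transitively."""
    seen, stack = set(), [identity]
    while stack:
        for nxt in access.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return {n for n in seen if not n.startswith("role:")}
```

In a real deployment the inventory and access graph would be built from provider APIs and activity logs rather than embedded literals; the checks themselves are what a continuous discovery job would run.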
Together, these measures help organizations reduce identity-related risk, strengthen control over access, and respond more effectively when compromises occur.
AI and the Expanding Identity Attack Surface
Identity risk is increasingly contributing to security incidents across cloud environments.
As organizations expand across multiple clouds, rely more heavily on non-human identities, and adopt AI-driven automation, maintaining clear visibility and consistent governance becomes more challenging.
These challenges are prompting organizations to use zero trust solutions as a way to enforce continuous verification and tighter access controls across users, devices, and workloads.
