TL;DR: Organisations where AI expanded access saw a 43% breach rate versus 11% where it did not, according to Netwrix’s 2026 Data and Identity Security Report, while only 11% report full AI security readiness and 76% do not fully govern or monitor non-human identities. The core issue is pace: governance still moves slower than AI-driven identity and data access changes.
At a glance
What this is: A Netwrix report says AI adoption is expanding identity sprawl faster than governance, with a 4x breach-rate gap between organisations with and without AI-driven access growth.
Why it matters: IAM, NHI, and data security teams need to align governance, monitoring, and revocation at machine speed, or AI-enabled access changes will outpace review and containment.
By the numbers:
- Organisations where AI expanded access saw a 43% breach rate over the past twelve months, compared with 11% where AI had not materially changed access patterns.
- Only 11% of organisations report full AI security readiness, while 17% remain entirely unprepared and 45% are still developing governance programmes.
- Only 23.5% of organisations can respond at the speed attackers move.
👉 Read Netwrix's 2026 Data and Identity Security Report on AI readiness and breach risk
Context
AI security readiness is becoming an identity governance problem before it is a model risk problem. When AI adds identities, expands permissions, and touches data faster than reviews can track, the control plane that governs access starts to lag the operating model it is supposed to secure.
Netwrix’s research points to a familiar but sharper failure mode across NHI, human IAM, and emerging AI workflows: organisations know they need governance, but the operating rhythm is still too slow. The result is more access paths, less visibility, and weaker containment when permissions are misconfigured or abused.
The report’s findings are a warning for teams that treat AI as a separate security track. In practice, AI adoption is increasing the number of identities and access decisions that IAM, IGA, PAM, and NHI programmes must govern together, not independently.
Key questions
Q: How should security teams govern AI-driven access growth without slowing delivery?
A: Treat AI-driven access growth as an identity capacity problem. Security teams should catalogue the new identities, permissions, and data paths created by AI use, then assign owners and revocation triggers. Governance works only when access changes can be reviewed, enforced, and removed as quickly as the workflow that created them.
Q: Why do AI-enabled environments increase breach risk for identity teams?
A: AI-enabled environments increase breach risk because they expand identity sprawl and reduce the time available for review. More permissions, more tokens, and more data paths create more ways for misconfiguration or compromise to matter. If governance still operates on periodic cycles, exposure can persist long enough for attackers to use it.
Q: How do organisations know whether AI security governance is actually working?
A: Use operational indicators, not policy statements. A working programme can tell you which identities reach sensitive data, how quickly standing access is removed, and whether shadow AI is visible in identity controls. If those answers take days to assemble, the governance model is lagging the environment.
Q: Who is accountable when AI-related access outpaces governance?
A: Accountability sits with the owners of identity, data, and platform controls together, because AI-related access problems cross programme boundaries. IAM, IGA, PAM, and security leadership must share responsibility for visibility, revocation, and ownership. If one team can create access but no team can remove it quickly, the control model is incomplete.
Technical breakdown
AI-driven identity sprawl and governance lag
AI systems expand the number of identities, permissions, and data paths that must be governed. In practice, that means more service accounts, tokens, application permissions, and machine-to-data relationships can appear faster than review cycles, approval workflows, and inventory processes can absorb them. The technical problem is not only volume. It is the mismatch between event-driven access creation and governance systems built around periodic review. Once AI begins creating or using access at runtime, the old assumption that permissions can be reviewed after the fact becomes weaker.
Practical implication: treat AI access growth as a governance capacity issue and track whether identity controls can keep pace with runtime change.
Unified visibility across data, identities, and permissions
The report’s data points to a common architecture gap: identity tools often know who has access, while data tools know what is sensitive, but few programmes connect the two cleanly. Without that link, organisations cannot quickly answer which identities can reach specific data sets, which permissions are excessive, or where AI systems have created new exposure. The result is fragmented assurance. You may have local visibility in IAM, logs in a SIEM, and sensitivity labels in DSPM, yet still lack a single operational view of access risk.
Practical implication: map sensitive data to the identities that can reach it, then use that map to drive remediation and review priority.
Continuous enforcement versus periodic review
The report shows that many organisations still rely on remediation windows measured in days, while attackers can move far faster. Technically, that means revocation, policy enforcement, and monitoring are not operating as a single closed loop. If standing access remains in place until the next review cycle, the environment is depending on delayed human action rather than immediate control response. For NHI and AI-connected access, that creates a wide exposure window where compromised permissions can persist long enough to be used.
Practical implication: shorten the gap between detection and access removal so that revocation is operational, not procedural.
NHI Mgmt Group analysis
AI readiness is now a governance throughput problem, not a policy problem. Netwrix’s numbers show that organisations are adding access faster than they can govern it, which turns identity control into a speed mismatch. The breach gap is not explained by AI alone. It is explained by governance systems that still assume access changes slowly enough to review later. Practitioners should read this as a capacity warning for IAM, IGA, PAM, and NHI programmes.
Unified identity-and-data visibility is the missing control plane for AI risk. The report’s 74% lack of a unified view of sensitive data and the identities that can access it points to a structural blind spot. Security teams can no longer separate entitlement governance from data protection when AI expands the number of actors reaching sensitive systems. That gap makes exposure harder to prioritise and harder to prove under audit. Practitioners should treat identity-data correlation as an operational requirement, not a reporting enhancement.
Standing-access governance is being outpaced by machine-speed usage. Netwrix reports that 76% of organisations cannot immediately revoke standing access when it is no longer needed. That failure mode becomes more acute when AI and NHI workflows generate access that is short-lived, high-volume, and difficult to observe in time. The implication is that classic review cadences are no longer enough to describe or control effective privilege. Practitioners should re-evaluate how much standing access still exists in AI-adjacent environments.
Continuous enforcement is becoming the dividing line between mature and symbolic governance. Only 11% of organisations report full AI security readiness, which suggests that most programmes are still assembling controls rather than operating them continuously. The market is moving toward runtime monitoring, immediate revocation, and identity-data correlation because periodic governance cannot keep up with AI-driven change. Practitioners should expect AI readiness to be judged by enforcement speed as much as by policy coverage.
Shadow AI is an identity governance issue before it is an AI inventory issue. If only 20% of organisations fully monitor employee use of shadow AI, then unmanaged AI behaviour is already creating hidden access relationships that conventional review processes miss. That matters because identity governance breaks down fastest when the programme cannot see which actors are creating or consuming access. Practitioners should treat shadow AI discovery as part of IAM and NHI oversight, not a separate awareness exercise.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
- For a broader control baseline, see the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for rotation, provisioning, and offboarding patterns.
What this signals
AI access growth should be treated as an identity sprawl indicator, not just an innovation metric. With 70% of organisations reporting no unified strategy connecting identity and data visibility, the next stage of AI governance will be defined by how fast teams can correlate permissions to sensitive data. Practitioners should expect their IAM and DSPM programmes to converge around a single operational question: which identities can reach what, right now?
The report suggests that periodic review will remain necessary but insufficient. If organisations need one to three days to remediate identified risks, then the governance model is still slower than the environment it is trying to control. Teams should watch for control designs that collapse review, enforcement, and revocation into one runtime workflow instead of three separate handoffs.
Identity-data correlation gap: when access, sensitivity, and usage telemetry are managed separately, AI creates blind spots that are difficult to defend in audit or incident response. That is where practitioners should focus programme investment next.
For practitioners
- Inventory AI-adjacent identities and permissions: Build a current list of service accounts, tokens, application permissions, and other non-human identities used by AI-enabled workflows. Tie each one to an owner, a business purpose, and a removal path so access does not persist after the use case changes.
- Correlate sensitive data to reachable identities: Create a control map that links sensitive datasets to the identities, applications, and workloads that can access them. Use that map to prioritise reviews, detect overexposure, and reduce the time spent chasing permissions that never touch critical data.
- Shorten revocation and response cycles: Measure how long it takes to remove standing access after a risk signal or access change. Where removal still depends on periodic review, move high-risk privileges into a process that can revoke them immediately when conditions change.
- Monitor shadow AI through identity control points: Look for unsanctioned AI use by tracing unexpected token creation, unusual API activity, and new access paths to sensitive systems. Feed those signals into IAM, IGA, and security monitoring so hidden usage becomes a governed identity problem.
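The identity-data correlation, standing-access review and revocation-lag measurements described in the technical breakdown and in the steps above, as an added example that is not part of the Netwrix report or NHIMG's own tooling. The dataset labels, identities, owners and timestamps are constructed, and the 30-day idle threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sensitivity labels, standing in for what a DSPM tool would supply.
DATASETS = {"customer_pii": "sensitive", "finance_ledger": "sensitive",
            "marketing_assets": "public"}

@dataclass
class Identity:
    name: str
    kind: str                   # service_account, api_token, app_permission
    owner: Optional[str]        # None means no accountable owner is recorded
    grants: frozenset           # datasets this identity can reach
    last_used: Optional[datetime]

def sensitive_reach(identities, datasets=DATASETS):
    """Identity-data correlation: which identities can reach each sensitive dataset."""
    reach = {d: [] for d, label in datasets.items() if label == "sensitive"}
    for ident in identities:
        for d in ident.grants:
            if d in reach:
                reach[d].append(ident.name)
    return reach

def review_findings(identities, now, idle_days=30, datasets=DATASETS):
    """Flag standing access to sensitive data that has no owner or has sat idle."""
    findings = []
    for ident in identities:
        touches_sensitive = any(datasets.get(d) == "sensitive" for d in ident.grants)
        if not touches_sensitive:
            continue                      # public-only reach is low priority
        if ident.owner is None:
            findings.append((ident.name, "sensitive reach without owner"))
        idle = ident.last_used is None or now - ident.last_used > timedelta(days=idle_days)
        if idle:
            findings.append((ident.name, f"idle standing access over {idle_days}d"))
    return findings

def revocation_lag_hours(events):
    """events: (identity, risk_signal_time, revoked_time) -> lag in hours per identity."""
    return {name: (revoked - signal).total_seconds() / 3600 for name, signal, revoked in events}

# Constructed inventory: one owned ETL account, one orphaned AI assistant token, one app.
NOW = datetime(2026, 6, 10)
IDENTITIES = [
    Identity("etl-bot", "service_account", "data-eng", frozenset({"customer_pii"}), NOW - timedelta(days=1)),
    Identity("copilot-token-7", "api_token", None, frozenset({"finance_ledger", "marketing_assets"}), NOW - timedelta(days=45)),
    Identity("marketing-app", "app_permission", "marketing", frozenset({"marketing_assets"}), NOW),
]
# Constructed revocation record: signal raised 8 June 09:00, access removed 10 June 11:00.
EVENTS = [("copilot-token-7", datetime(2026, 6, 8, 9, 0), datetime(2026, 6, 10, 11, 0))]
```

The orphaned token surfaces twice in `review_findings` and shows a 50-hour revocation lag, which is the "days, not minutes" gap the report describes.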
Key takeaways
- The report shows that AI adoption is widening the gap between access creation and access governance, which increases breach exposure across identity programmes.
- The scale is clear: 43% breach rates where AI expanded access, only 11% full AI readiness, and 76% of organisations still not fully governing or monitoring NHIs.
- The practical response is to connect identity and data visibility, accelerate revocation, and treat AI access growth as an IAM control problem rather than a separate technology trend.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The report focuses on rotation, visibility, and governance gaps for non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Continuous access control and least privilege are central to the reported breach gap. |
| NIST Zero Trust (SP 800-207) | SC-4 | The article’s runtime enforcement gap aligns with zero trust control expectations. |
Apply continuous verification to AI-adjacent access paths and remove implicit trust from long-lived permissions.
Key terms
- AI Security Readiness: The degree to which an organisation can govern, monitor, and enforce controls around AI-related access and data use. In practice, this means identity, data, and policy controls work together fast enough to keep pace with runtime AI behaviour, not just document it after the fact.
- Identity Sprawl: The rapid growth of identities, entitlements, and access paths that a security team must track and govern. For AI-enabled environments, sprawl often includes service accounts, API tokens, and application permissions that expand faster than review and revocation processes can absorb.
- Standing Access: Access that remains active until someone removes it, rather than appearing only for a task or session. In AI and NHI environments, standing access is risky because it can persist beyond its original purpose and survive long enough to be misused or exploited.
- Identity-Data Correlation: The practice of linking who or what has access to the data it can actually reach. This is a key operational control because it lets security teams prioritise risk, spot overexposure, and prove where AI-connected identities can interact with sensitive information.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Netwrix: Netwrix 2026 Data and Identity Security Report on AI adoption outpacing readiness. Read the original.
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org