TL;DR: Identity compromise now accounts for up to 75% of all security incidents at 77% of organisations, while only 43% can proactively detect identity-based risks and 46% report comprehensive visibility, according to Permiso Security’s 2026 State of Identity Security Report. The real governance problem is that visibility, not policy volume, has become the limiting control for NHI and AI identity programmes.
At a glance
What this is: Permiso Security’s 2026 identity survey shows identity compromise, visibility gaps, and AI-generated identity growth converging into a broader governance problem.
Why it matters: It matters because IAM, NHI, and autonomous governance programmes now fail or succeed on real-time identity visibility, not on static entitlement assumptions.
By the numbers:
- 77% of organisations report that identity compromise now accounts for up to 75% of all security incidents.
- Only 43% can proactively detect identity-based risks before incidents occur.
- 46% claimed they had comprehensive visibility into all of the identities in their environment.
- 91% expect AI-generated identities to increase in the next 12 months.
👉 Read Permiso Security's 2026 State of Identity Security Report
Context
Identity visibility is the ability to know which humans, NHIs, and AI systems exist, what they can access, and what they are doing at runtime. Permiso Security’s survey suggests that many programmes still treat identity control as an inventory problem, even though the operational failure is now in detection, correlation, and blast-radius understanding.
The primary issue for IAM and NHI teams is not simply more identities. It is that identity sprawl is now being compounded by AI systems that can create or modify identities without traditional oversight, which pushes governance beyond periodic review and into continuous runtime assurance.
Key questions
Q: How should security teams improve visibility across human, NHI, and AI identities?
A: Security teams should centralise identity telemetry so access changes, privilege relationships, and runtime activity can be analysed in one place. The goal is not just better reporting. It is faster detection, faster blast-radius analysis, and fewer blind spots when identities move across cloud and SaaS platforms.
Q: Why do AI-generated identities create extra governance risk?
A: AI-generated identities create extra governance risk because they can be created or modified by systems that do not follow traditional human approval cycles. That shortens the useful window for review and makes entitlement drift easier to miss. Governance must therefore include runtime oversight of identity creation, not only periodic certification.
Q: What breaks when identity visibility is fragmented across tools?
A: Fragmented identity visibility breaks incident reconstruction, delays containment, and increases the chance that lateral movement will continue unnoticed. Teams may detect a problem, but they cannot quickly determine which identities are affected or how far access has spread. That makes response slower and less decisive.
Q: Who is accountable when AI systems create or modify identities without oversight?
A: Accountability should sit with the team that owns the AI system and the identity lifecycle process it can influence. If the system can create or change access, those actions must be governed like other lifecycle events, with clear ownership, logging, and review expectations across the identity programme.
Technical breakdown
Why fragmented identity visibility breaks incident response
When identity data is split across multiple tools, teams lose the ability to correlate who or what accessed resources, when that access changed, and how far an attacker could move. In practice, the gap is not just logging volume. It is the inability to reconstruct identity state quickly enough to contain abuse. That is why identity visibility must be treated as an operational control, not a reporting layer. If blast radius cannot be determined fast, containment starts late and lateral movement wins.
Practical implication: consolidate identity telemetry so response teams can reconstruct access paths before the incident evolves.
How AI-generated identities change the governance baseline
AI-generated identities differ from traditional service accounts because they can be created, modified, and used by systems with limited human oversight. That shifts the problem from managing static credentials to governing runtime identity creation and permission drift. If an organisation cannot see which AI systems are creating identities or what those identities can reach, conventional access reviews will miss the real risk. This is an NHI governance issue first, and an AI operations issue second.
Practical implication: extend identity governance to AI systems that can mint or alter access without human approval gates.
What blast-radius analysis requires in identity security
Blast radius is the practical measure of how far a compromised identity can move before controls stop it. It depends on access scope, identity lineage, and the speed at which teams can map privileged relationships across cloud, SaaS, and AI environments. The report shows that many organisations can detect threats eventually, but not determine impact quickly. That gap turns response into forensics after the fact instead of containment in the moment.
Practical implication: build incident workflows around rapid identity lineage mapping, not post-event log stitching.
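The three breakdowns above describe blast radius and identity lineage as graph problems: which identities a compromised principal can act as, which resources it can then reach, and what created it in the first place. The following is an added example written for this post, not code from the Permiso report or from NHIMG. The inventory is constructed: every principal, role and resource name is made up, and the edge kinds ("created", "assumes", "admin", "reads") are a simplification of real cloud and SaaS entitlement data.

```python
"""Identity lineage and blast-radius mapping over an access graph.

Added example for this post; it is not code from the Permiso report or from
NHIMG. The inventory below is constructed: principal and resource names are
made up, and the edge kinds are a simplification of real entitlement data.
"""
from collections import deque

# Constructed inventory. Each tuple is (subject, relation, object):
#   "created"        subject minted the object identity (lineage edge)
#   "assumes"        subject can obtain the object's role or credentials (identity edge)
#   "admin"/"reads"  subject holds that permission on a resource (terminal edge)
EDGES = [
    ("ai-agent/deploy-bot", "created", "svc/deploy-bot-key-7"),
    ("svc/deploy-bot-key-7", "assumes", "role/ci-deployer"),
    ("role/ci-deployer", "admin", "k8s/prod-cluster"),
    ("role/ci-deployer", "assumes", "role/artifact-reader"),
    ("role/artifact-reader", "reads", "s3/release-artifacts"),
    ("human/alice", "assumes", "role/ci-deployer"),
    ("human/alice", "reads", "saas/hr-portal"),
    ("human/bob", "reads", "saas/hr-portal"),
    ("role/auditor", "reads", "s3/audit-logs"),
]
RESOURCE_PREFIXES = ("k8s/", "s3/", "saas/")  # assumption: naming convention marks resources
IDENTITY_EDGES = {"created", "assumes"}       # edges an attacker can traverse


def build_graph(edges):
    graph = {}
    for subject, relation, obj in edges:
        graph.setdefault(subject, []).append((relation, obj))
        graph.setdefault(obj, [])
    return graph


def blast_radius(graph, compromised):
    """Breadth-first walk from a compromised identity.

    Returns (identities, resources): the identities the attacker can now act as,
    and a map resource -> (permission, path) recording how each was reached.
    `paths` doubles as the visited set, so cycles in the graph terminate.
    """
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    identities, resources = set(), {}
    while queue:
        node = queue.popleft()
        for relation, obj in graph.get(node, []):
            if relation in IDENTITY_EDGES and obj not in paths:
                paths[obj] = paths[node] + [obj]
                identities.add(obj)
                queue.append(obj)
            elif relation not in IDENTITY_EDGES and obj.startswith(RESOURCE_PREFIXES):
                resources.setdefault(obj, (relation, paths[node] + [obj]))
    return identities, resources


def lineage(graph, identity):
    """Follow 'created' edges backwards: who minted this identity, and who minted them."""
    parents = {obj: subject for subject, out in graph.items()
               for relation, obj in out if relation == "created"}
    chain = [identity]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain  # the identity first, its root creator last


def identity_minters(graph):
    """Every principal that can create identities: the set a governance programme must own."""
    return sorted({subject for subject, out in graph.items()
                   for relation, _ in out if relation == "created"})


def impact_report(graph, compromised):
    identities, resources = blast_radius(graph, compromised)
    lines = [f"compromised: {compromised}  lineage: {' <- '.join(lineage(graph, compromised))}",
             f"can act as: {sorted(identities) or '-'}"]
    for resource, (perm, path) in sorted(resources.items()):
        lines.append(f"  {perm:5} {resource}  via {' -> '.join(path)}")
    return "\n".join(lines)


if __name__ == "__main__":
    G = build_graph(EDGES)
    print("identity minters:", identity_minters(G))
    print(impact_report(G, "svc/deploy-bot-key-7"))
    print(impact_report(G, "human/bob"))
```

Run against the constructed inventory, a leaked `svc/deploy-bot-key-7` reaches the production cluster as admin in two hops and its lineage points back to an AI agent, while `human/bob` reaches only the HR portal. The same walk answers the question in the Key questions section about who can create identities: `identity_minters` returns exactly the principals with "created" edges. Real entitlement graphs also need edges for group membership, trust policies and token exchange, but the traversal is the same.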
Threat narrative
Attacker objective: The objective is to use compromised or newly created identities to gain hidden access, move laterally, and extract data before defenders can map the affected scope.
- Entry occurs when an identity is compromised or created with access to production systems, data, or downstream services.
- Escalation follows when fragmented visibility prevents teams from seeing permission changes, identity sprawl, or AI-generated access in time.
- Impact occurs when attackers or malicious workflows move laterally, exfiltrate data, or widen blast radius before response teams can contain the incident.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity visibility has become the control plane for modern IAM and NHI governance. The report shows a widening gap between confidence and actual detection, which means organisations are still managing identity as a catalogue instead of a live attack surface. That failure affects humans, NHIs, and AI identities alike. Practitioners should treat visibility as the prerequisite for every other identity control.
AI-generated identities expose a governance assumption that no longer holds. Provisioning workflows were designed for identities that are created by people or tightly controlled systems. That assumption fails when AI systems can create or modify identities without traditional human oversight because identity state changes faster than review cycles can observe it. The implication is that identity governance must be rebuilt around runtime behaviour, not periodic approval.
Blast-radius ignorance is now a breach amplifier. The survey shows that only a minority of organisations can both detect threats and determine impact quickly, which means the time between compromise and containment remains dangerously long. Once identity relationships are fragmented across tools, lateral movement becomes easier to sustain. Practitioners should measure the time it takes to map affected access, not just the time to alert.
Unified identity governance is no longer a tooling preference; it is a response requirement. The cost of fragmentation shows up in manual correlation, delayed decisions, and incomplete incident scope. That is especially damaging when production access is held by NHIs and AI agents that operate continuously. The field should stop treating cross-platform visibility as an integration nice-to-have and start treating it as identity resilience.
Identity creation without oversight: This report sharpens the failure mode where AI systems can spawn or alter identities faster than governance can see them. That is not a missing feature; it is a broken operating assumption about who controls identity lifecycle events. Practitioners should recognise that the governance model itself has drifted out of sync with machine speed.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- In the same research, 72% of organisations said they have experienced or suspect they have experienced a breach of non-human identities, which shows the issue is already operational rather than theoretical.
- For a deeper breach-focused lens, the 52 NHI Breaches Analysis helps teams connect repeated identity failure patterns to concrete governance controls.
What this signals
Identity visibility will become a board-level operational metric, not a monitoring metric. As AI systems create more identities, security leaders will need to report on time-to-detect, time-to-map, and time-to-contain identity events. The organisations that cannot do that will keep paying for manual correlation and slow containment.
Identity programmes should expect AI lifecycle events to outpace review cycles. Once systems can create or modify identities without traditional oversight, access certification loses much of its value unless it is paired with runtime control points. The next maturity step is governance that watches creation and change, not just standing access.
The practical signal for teams is simple: if they cannot explain who can create identities, which systems inherit that power, and how quickly that activity is visible, then the programme is already behind the risk curve.
For practitioners
- Consolidate identity telemetry across clouds and SaaS: Correlate human, NHI, and AI identity events in one operational view so teams can trace access changes without stitching together logs from separate consoles.
- Track runtime identity creation by AI systems: Inventory which AI platforms can create or modify identities, then require explicit ownership for those lifecycle events and review them as continuously as workload changes.
- Measure blast-radius mapping time: Test how long it takes responders to identify impacted identities, permissions, and reachable systems after a suspected compromise, then treat slow mapping as a control failure.
- Reduce manual correlation work in incident response: Replace ad hoc spreadsheet and console hopping with repeatable identity lineage workflows so analysts can move from alert to containment before the incident evolves.
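The first two practitioner items, consolidating telemetry and tracking runtime identity creation by AI systems, come down to one pipeline: normalise lifecycle events from each platform into a shared vocabulary, classify the actor, and flag changes that an automated actor made without an approval reference. The following is an added example written for this post, not code from the Permiso report or from NHIMG. Both logs are constructed samples; the first loosely imitates CloudTrail IAM records and the second a generic SaaS admin audit log, but neither is an exact vendor schema. The actor inventory, the `change` tag used as an approval reference, and the convention that a SaaS account and a cloud user share a local part are all assumptions.

```python
"""Correlate identity lifecycle events from separate platforms in one stream.

Added example for this post; it is not code from the Permiso report or from
NHIMG. The two logs below are constructed samples: the first loosely imitates
CloudTrail IAM records, the second a generic SaaS admin audit log. Neither is
an exact vendor schema.
"""
import json
from datetime import datetime, timezone

# Constructed sample: cloud IAM audit records, one JSON object per line.
CLOUD_LOG = [
    '{"eventTime":"2026-01-20T09:00:00Z","eventName":"CreateUser",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},'
    '"requestParameters":{"userName":"svc-report-gen",'
    '"tags":[{"key":"change","value":"CHG-4412"}]}}',
    '{"eventTime":"2026-01-20T09:05:00Z","eventName":"CreateAccessKey",'
    '"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/deploy-agent/s1"},'
    '"requestParameters":{"userName":"svc-report-gen"}}',
    '{"eventTime":"2026-01-20T09:06:00Z","eventName":"AttachUserPolicy",'
    '"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/deploy-agent/s1"},'
    '"requestParameters":{"userName":"svc-report-gen",'
    '"policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}',
    '{"eventTime":"2026-01-20T09:06:30Z","eventName":"ListUsers",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}',
]
# Constructed sample: SaaS admin audit log.
SAAS_LOG = [
    '{"ts":"2026-01-20T09:07:30Z","actor":"bot@automation.example",'
    '"action":"token.create","target":"svc-report-gen@example.com","ticket":"CHG-4412"}',
    '{"ts":"2026-01-20T09:08:00Z","actor":"bot@automation.example",'
    '"action":"role.grant","target":"svc-report-gen@example.com","role":"org_admin"}',
    '{"ts":"2026-01-20T09:09:00Z","actor":"carol@example.com",'
    '"action":"user.invite","target":"dave@example.com"}',
]

# Assumption: a tiny actor inventory stands in for the IdP/CIEM data that would
# classify actors in a real programme. Anything not listed is "unknown", and
# unknown is treated as automated; an actor is never assumed to be a person.
ACTOR_CLASS = {
    "alice": "human",
    "carol@example.com": "human",
    "deploy-agent": "ai",
    "bot@automation.example": "ai",
}
# Vendor-specific action names mapped onto one small lifecycle vocabulary.
CLOUD_ACTIONS = {"CreateUser": "identity.create", "CreateRole": "identity.create",
                 "CreateAccessKey": "credential.create",
                 "AttachUserPolicy": "privilege.grant", "AttachRolePolicy": "privilege.grant"}
SAAS_ACTIONS = {"user.invite": "identity.create", "token.create": "credential.create",
                "role.grant": "privilege.grant"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def identity_key(name):
    # Assumption: the SaaS account and the cloud user share a local part.
    return name.split("@", 1)[0]


def normalise_cloud(line):
    ev = json.loads(line)
    action = CLOUD_ACTIONS.get(ev["eventName"])
    if action is None:
        return None  # read-only or unrelated API call, not a lifecycle event
    # ARN shapes: ...:user/<name> and ...:assumed-role/<role>/<session>; index 1 is the principal.
    actor = ev["userIdentity"]["arn"].split("/")[1]
    params = ev.get("requestParameters", {})
    approval = next((t["value"] for t in params.get("tags", []) if t.get("key") == "change"), None)
    return {"time": parse_time(ev["eventTime"]), "source": "cloud", "actor": actor,
            "actor_class": ACTOR_CLASS.get(actor, "unknown"), "action": action,
            "target": identity_key(params["userName"]), "approval": approval}


def normalise_saas(line):
    ev = json.loads(line)
    action = SAAS_ACTIONS.get(ev["action"])
    if action is None:
        return None
    return {"time": parse_time(ev["ts"]), "source": "saas", "actor": ev["actor"],
            "actor_class": ACTOR_CLASS.get(ev["actor"], "unknown"), "action": action,
            "target": identity_key(ev["target"]), "approval": ev.get("ticket")}


def unify(cloud_lines, saas_lines):
    """One time-ordered lifecycle stream across both platforms."""
    events = [e for e in map(normalise_cloud, cloud_lines) if e]
    events += [e for e in map(normalise_saas, saas_lines) if e]
    return sorted(events, key=lambda e: e["time"])


def unapproved_automated_changes(events):
    """Lifecycle changes made by a non-human (or unclassified) actor with no approval reference."""
    return [e for e in events if e["actor_class"] != "human" and not e["approval"]]


def timeline_for(events, identity):
    """Everything that happened to one identity, regardless of which platform logged it."""
    return [e for e in events if e["target"] == identity_key(identity)]


if __name__ == "__main__":
    stream = unify(CLOUD_LOG, SAAS_LOG)
    for f in unapproved_automated_changes(stream):
        print(f"{f['time']:%H:%M:%S} {f['source']:5} {f['actor_class']:7} {f['actor']} "
              f"{f['action']} -> {f['target']} (no approval reference)")
    print(len(timeline_for(stream, "svc-report-gen")), "events for svc-report-gen across both platforms")
```

On the constructed input, the human-created `svc-report-gen` account is keyed and escalated to administrator by `deploy-agent` in the cloud log and then granted `org_admin` by `bot@automation.example` in the SaaS log, none of it carrying a change reference; only the token creation that cites CHG-4412 passes. Neither console alone shows that sequence. Two design choices matter in practice: unknown actors are flagged rather than assumed human, and the approval check is a property of each event, so it works at the speed the event arrives rather than waiting for a quarterly certification.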
Key takeaways
- Identity compromise is now the dominant path into many environments, which makes visibility a core control rather than a secondary monitoring function.
- AI-generated identities intensify the problem because lifecycle change can now happen faster than traditional approval and review processes can keep up.
- Teams that cannot map identity blast radius quickly should treat that delay as an exposure issue, not an operational inconvenience.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | NHIs that are never decommissioned fall out of the inventory; visibility gaps are how they stay unmanaged. |
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Excess entitlements widen the blast radius of a single compromised identity. |
| NIST CSF 2.0 | DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events; this is the continuous identity monitoring the report finds most organisations lack. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements are managed, enforced and reviewed under least privilege, which presupposes knowing what each identity can reach. |
| NIST Zero Trust Architecture (SP 800-207) | Section 2.1, Tenets 4 and 7 | Access decisions depend on the observable state of the requesting identity, and the enterprise collects as much information as possible about the current state of assets and communications; both require runtime identity visibility. |
Inventory and continuously monitor all NHIs so identity state changes are visible before incidents.
Key terms
- Identity visibility: Identity visibility is the ability to see which identities exist, what they can access, and how their permissions change over time. In modern programmes it must include humans, NHIs, and AI systems, because blind spots in any one group can create the same operational exposure.
- Blast radius: Blast radius is the set of systems, data, and privileges an attacker or malicious workflow can reach after an identity is compromised. In identity security, it is a practical measure of containment quality, not just an incident response metric.
- AI-generated identity: An AI-generated identity is an account, token, or access object created or modified by an AI system rather than by a person following a standard approval process. These identities matter because their lifecycle can move faster than governance cycles and may never pass through normal oversight.
- Identity lineage: Identity lineage is the chain of relationships showing where an identity came from, what created it, what it can inherit, and what it can reach. It matters because incident teams need lineage to understand whether a single compromise has broader downstream effects.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Permiso Security: Permiso Research Finds Up to 75% of Security Incidents Are Identity-Related, Highlighting New AI-Driven Risk. Read the original.
Published by the NHIMG editorial team on 2026-01-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org