Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI-generated identities surge in 2026: what IAM teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Identity compromise now accounts for up to 75% of all security incidents at 77% of organisations, while only 43% can proactively detect identity-based risks and 46% report comprehensive visibility, according to Permiso Security’s 2026 State of Identity Security Report. The real governance problem is that visibility, not policy volume, has become the limiting control for NHI and AI identity programmes.

NHIMG editorial — based on content published by Permiso Security: Permiso Research Finds Up to 75% of Security Incidents Are Identity-Related, Highlighting New AI-Driven Risk

By the numbers:

Questions worth separating out

Q: How should security teams improve visibility across human, NHI, and AI identities?

A: Security teams should centralise identity telemetry so access changes, privilege relationships, and runtime activity can be analysed in one place.

Q: Why do AI-generated identities create extra governance risk?

A: AI-generated identities create extra governance risk because they can be created or modified by systems that do not follow traditional human approval cycles.

Q: What breaks when identity visibility is fragmented across tools?

A: Fragmented identity visibility breaks incident reconstruction, delay containment, and increases the chance that lateral movement will continue unnoticed.

Practitioner guidance

  • Consolidate identity telemetry across clouds and SaaS Correlate human, NHI, and AI identity events in one operational view so teams can trace access changes without stitching together logs from separate consoles.
  • Track runtime identity creation by AI systems Inventory which AI platforms can create or modify identities, then require explicit ownership for those lifecycle events and review them as continuously as workload changes.
  • Measure blast-radius mapping time Test how long it takes responders to identify impacted identities, permissions, and reachable systems after a suspected compromise, then treat slow mapping as a control failure.

What's in the full report

Permiso Security's full research covers the operational detail this post intentionally leaves for the source:

  • Survey methodology across 512 organisations and the full breakdown by environment type.
  • The report's detailed visibility and detection benchmarks, including where teams still struggle to correlate identity events.
  • Breakdowns of AI identity creation patterns and what practitioners reported about production access.
  • The operational and budget implications behind the move to unified identity visibility tools.

👉 Read Permiso Security's 2026 State of Identity Security Report →

AI-generated identities surge in 2026: what IAM teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity visibility has become the control plane for modern IAM and NHI governance. The report shows a widening gap between confidence and actual detection, which means organisations are still managing identity as a catalogue instead of a live attack surface. That failure affects humans, NHIs, and AI identities alike. Practitioners should treat visibility as the prerequisite for every other identity control.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • In the same research, 72% of organisations said they have experienced or suspect they have experienced a breach of non-human identities, which shows the issue is already operational rather than theoretical.

A question worth separating out:

Q: Who is accountable when AI systems create or modify identities without oversight?

A: Accountability should sit with the team that owns the AI system and the identity lifecycle process it can influence. If the system can create or change access, those actions must be governed like other lifecycle events, with clear ownership, logging, and review expectations across the identity programme.

👉 Read our full editorial: Identity blind spots are widening as AI-generated identities surge



   
ReplyQuote
Share: