Identity risk in 2026: are current IAM controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Identity security is at a breaking point, with leaders reporting low preparedness, ongoing identity-related incidents, and rising expectations that AI will reshape detection and response across IGA, NHI, and least-privilege programmes, according to Lumos’ 2026 research. The real issue is not more automation, but governance models that still assume identity risk is slow, visible, and human-paced.

NHIMG editorial — based on content published by Lumos: AI, Automation, and Risk in 2026: Identity at a Breaking Point

By the numbers:

  • 133 survey respondents were included in the research, from organisations ranging from 500 to over 10,000 employees.

Questions worth separating out

Q: How should security teams measure whether identity governance is actually reducing risk?

A: Measure outcomes that reflect attacker friction, not policy activity.

Q: Why do non-human identities make legacy IAM and IGA models less effective?

A: Because many legacy models assume access is assigned to a person, reviewed on a human cadence, and retired through predictable offboarding.

Q: What do organisations get wrong about using AI in identity governance?

A: They often assume automation can compensate for weak identity data.

Practitioner guidance

  • Re-baseline identity preparedness on control outcomes: measure whether your identity programme can actually shorten attacker dwell time, remove stale access, and detect lateral movement through valid accounts.
  • Inventory non-human identities by service ownership: build an authoritative view of which teams own each service account, API key, token, and certificate, then tie each identity to a business purpose and expiry condition.
  • Use AI only where identity telemetry is complete enough to trust: before automating access decisions, confirm that your logs, entitlement data, ownership metadata, and exception tracking are current.
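The first two guidance points above (an ownership-and-expiry inventory of non-human identities, and measuring control outcomes such as stale access rather than review activity) are easiest to see as a small audit over inventory records. The following is an added example written for this post, not code from Lumos or NHIMG; the identity names, teams, dates and the 90-day staleness threshold are constructed for illustration. It flags each NHI that lacks an owner, purpose or expiry, is expired or expiring soon, or has not been used recently, and then reports how much of the inventory is actually governed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class NonHumanIdentity:
    """One inventory record: the fields the guidance says every NHI needs."""
    identity_id: str
    kind: str                       # service_account | api_key | token | certificate
    owner_team: Optional[str]       # accountable team, or None if unknown
    purpose: Optional[str]          # business reason the identity exists
    expires_on: Optional[date]      # hard expiry; None means it never rotates
    last_used_on: Optional[date]    # from authentication telemetry; None = never seen


# Constructed sample inventory (hypothetical identifiers, not from the report).
INVENTORY: List[NonHumanIdentity] = [
    NonHumanIdentity("svc-billing-db", "service_account", "payments",
                     "nightly billing reconciliation", date(2026, 12, 31), date(2026, 3, 1)),
    NonHumanIdentity("apikey-ci-deploy", "api_key", "platform",
                     "CI deploy to staging", None, date(2025, 9, 1)),
    NonHumanIdentity("tok-legacy-report", "token", None, None,
                     date(2025, 11, 30), date(2025, 6, 15)),
    NonHumanIdentity("cert-edge-tls", "certificate", "network",
                     "edge TLS", date(2026, 3, 10), date(2026, 3, 2)),
]

# Fixed "today" so the audit is reproducible; a real run would use date.today().
AUDIT_DATE = date(2026, 3, 3)


def audit_inventory(inventory: List[NonHumanIdentity], today: date,
                    stale_after_days: int = 90,
                    expiring_within_days: int = 30) -> Dict[str, List[str]]:
    """Return identity ids grouped by the governance gap they exhibit."""
    findings: Dict[str, List[str]] = {
        "unowned": [], "no_purpose": [], "no_expiry": [],
        "expired": [], "expiring_soon": [], "stale": [],
    }
    for nhi in inventory:
        if nhi.owner_team is None:
            findings["unowned"].append(nhi.identity_id)
        if not nhi.purpose:
            findings["no_purpose"].append(nhi.identity_id)
        if nhi.expires_on is None:
            findings["no_expiry"].append(nhi.identity_id)
        elif nhi.expires_on < today:
            findings["expired"].append(nhi.identity_id)
        elif nhi.expires_on <= today + timedelta(days=expiring_within_days):
            findings["expiring_soon"].append(nhi.identity_id)
        # Stale access is the attacker-friction outcome: credentials nobody
        # uses are the ones whose misuse nobody is watching for.
        if nhi.last_used_on is None or (today - nhi.last_used_on).days > stale_after_days:
            findings["stale"].append(nhi.identity_id)
    return findings


def control_outcome_metrics(inventory: List[NonHumanIdentity],
                            findings: Dict[str, List[str]]) -> Dict[str, float]:
    """Summarise the audit as outcome metrics rather than review counts."""
    flagged = set()
    for ids in findings.values():
        flagged.update(ids)
    total = len(inventory)
    clean = total - len(flagged)
    return {
        "total": total,
        "action_required": len(flagged),
        "clean": clean,
        "governed_pct": round(100.0 * clean / total, 1) if total else 0.0,
        "stale_count": len(findings["stale"]),
    }


def run_audit():
    """Convenience entry point used by the usage below."""
    findings = audit_inventory(INVENTORY, AUDIT_DATE)
    return findings, control_outcome_metrics(INVENTORY, findings)


if __name__ == "__main__":
    found, metrics = run_audit()
    for gap, ids in found.items():
        print(f"{gap:14s} {ids}")
    print(metrics)
```

Tracked over time, the `stale_count` and `governed_pct` figures say more about whether the programme is reducing risk than the number of access reviews completed; the per-gap lists are the work queue for the owning teams.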

What's in the full report

Lumos' full report covers the survey detail this post intentionally leaves out: the underlying respondent base, the full question set, and the report's own recommendations for identity leaders.

  • Survey structure and methodology from 133 respondents, useful if you need to judge how strongly the findings map to your own environment.
  • The report's full breakdown of identity attack methodology trends for 2025, including where attackers are concentrating their effort.
  • The section on AI-driven access reviews and autonomous identity operations, which goes beyond the strategic framing covered here.
  • The report's recommendations for leaders managing non-human identities, least privilege, and compliance readiness.

Read Lumos' 2026 report on AI, automation and identity risk.
