
Identity risk in 2026: are current IAM controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Identity security is at a breaking point, with leaders reporting low preparedness, ongoing identity-related incidents, and rising expectations that AI will reshape detection and response across IGA, NHI, and least-privilege programmes, according to Lumos’ 2026 research. The real issue is not more automation, but governance models that still assume identity risk is slow, visible, and human-paced.

NHIMG editorial — based on content published by Lumos: AI, Automation, and Risk in 2026: Identity at a Breaking Point

By the numbers:

  • 133 survey respondents were included in the research, from organisations ranging from 500 to over 10,000 employees.

Questions worth separating out

Q: How should security teams measure whether identity governance is actually reducing risk?

A: Measure outcomes that reflect attacker friction, not policy activity.

Q: Why do non-human identities make legacy IAM and IGA models less effective?

A: Because many legacy models assume access is assigned to a person, reviewed on a human cadence, and retired through predictable offboarding.

Q: What do organisations get wrong about using AI in identity governance?

A: They often assume automation can compensate for weak identity data.

Practitioner guidance

  • Re-baseline identity preparedness on control outcomes: measure whether your identity programme can actually shorten attacker dwell time, remove stale access, and detect lateral movement through valid accounts.
  • Inventory non-human identities by service ownership: build an authoritative view of which teams own each service account, API key, token, and certificate, then tie each identity to a business purpose and expiry condition.
  • Use AI only where identity telemetry is complete enough to trust: before automating access decisions, confirm that your logs, entitlement data, ownership metadata, and exception tracking are current.

What's in the full report

Lumos' full report covers the survey detail this post intentionally leaves out: the underlying respondent base, the full question set, and the report's own recommendations for identity leaders.

  • Survey structure and methodology from 133 respondents, useful if you need to judge how strongly the findings map to your own environment.
  • The report's full breakdown of identity attack methodology trends for 2025, including where attackers are concentrating their effort.
  • The section on AI-driven access reviews and autonomous identity operations, which goes beyond the strategic framing covered here.
  • The report's recommendations for leaders managing non-human identities, least privilege, and compliance readiness.

👉 Read Lumos' 2026 report on AI, automation and identity risk →




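The practitioner guidance in the post above, turned into something runnable, as an added example that is not part of the NHIMG post or of Lumos' report: an audit over an exported NHI inventory that flags the access-path problems the guidance names (unowned identities, missing purpose, no expiry, expired-but-still-enabled credentials, stale valid access) and a readiness gate that refuses to hand decisions to automation while the inventory metadata is incomplete. The record fields, the 90-day staleness window, the 95% completeness threshold and every sample identity are constructed assumptions for illustration.

```python
# Added example, not code from the NHIMG post or the Lumos report: a small
# audit that turns the practitioner guidance into checks you can run against
# an exported NHI inventory. Field names, thresholds and the sample records
# are all constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                         # "service_account", "api_key", "token", "certificate"
    owner_team: Optional[str]         # who answers for this identity; None means nobody does
    purpose: Optional[str]            # business reason the identity exists
    expires_at: Optional[datetime]    # None means it never expires
    last_used_at: Optional[datetime]  # None means no authentication has ever been logged
    enabled: bool = True


# Fixed "now" so the run is reproducible (assumption for the example).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory export; none of these identities is real.
SAMPLE_INVENTORY = [
    NonHumanIdentity("ci-deploy-sa", "service_account", "platform", "deploy to prod",
                     _utc(2026, 6, 1), _utc(2026, 1, 14)),
    NonHumanIdentity("legacy-billing-key", "api_key", None, None,
                     None, _utc(2025, 8, 1)),
    NonHumanIdentity("backup-cert", "certificate", "infra", "backup TLS client auth",
                     _utc(2025, 12, 31), _utc(2026, 1, 10)),
    NonHumanIdentity("old-reporting-token", "token", "data", "nightly reports",
                     _utc(2026, 3, 1), None),
    NonHumanIdentity("retired-svc", "service_account", "apps", "decommissioned app",
                     _utc(2025, 1, 1), _utc(2024, 12, 1), enabled=False),
]


def audit(identities, now=NOW, stale_after=STALE_AFTER):
    """Return findings keyed by the access-path problem they create.

    Only enabled identities count as stale or expired-but-live, because a
    disabled credential is not a path an attacker can use."""
    findings = {
        "unowned": [],                # nobody to ask "should this exist?"
        "no_purpose": [],             # cannot judge least privilege without a purpose
        "no_expiry": [],              # persistence by default
        "expired_still_enabled": [],  # lifecycle control is not actually enforced
        "stale": [],                  # valid, unused access: cheap lateral movement
    }
    for nhi in identities:
        if not nhi.owner_team:
            findings["unowned"].append(nhi.name)
        if not nhi.purpose:
            findings["no_purpose"].append(nhi.name)
        if nhi.expires_at is None:
            findings["no_expiry"].append(nhi.name)
        elif nhi.enabled and nhi.expires_at < now:
            findings["expired_still_enabled"].append(nhi.name)
        if nhi.enabled and (nhi.last_used_at is None or now - nhi.last_used_at > stale_after):
            findings["stale"].append(nhi.name)
    return findings


def metadata_completeness(identities):
    """Fraction of identities that carry an owner, a purpose and an expiry."""
    if not identities:
        return 0.0
    complete = sum(1 for n in identities if n.owner_team and n.purpose and n.expires_at)
    return complete / len(identities)


def automation_ready(identities, min_completeness=0.95):
    """Gate for the third guidance item: refuse to let automated access
    decisions run on an inventory that has unowned identities or too many
    gaps in its metadata. The threshold is an assumption, not a standard."""
    findings = audit(identities)
    return not findings["unowned"] and metadata_completeness(identities) >= min_completeness


if __name__ == "__main__":
    for problem, names in audit(SAMPLE_INVENTORY).items():
        print(f"{problem:22s} {names}")
    print("completeness", metadata_completeness(SAMPLE_INVENTORY))
    print("automation ready?", automation_ready(SAMPLE_INVENTORY))
```

The findings map back to the outcome measures the post asks for: "stale" and "expired_still_enabled" are the access an attacker can still use, so their counts over time are a better preparedness signal than the number of reviews completed, and the readiness gate fails until the unowned key is either claimed or revoked, which is the point of inventorying by ownership before automating anything.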
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Preparedness scores are often a governance illusion, not a security measure. When identity leaders say they are “prepared,” they may be measuring process presence rather than control effectiveness. The article’s framing fits a broader pattern we see in identity programmes: organisations confuse having reviews, policies, and automation with actually shrinking attack paths. That distinction matters because attackers care about valid access paths, not control documentation.

A few things that frame the scale:

A question worth separating out:

Q: Should teams prioritise non-human identity lifecycle management before broader AI governance?

A: Yes, when machine credentials, service accounts, and automation tokens are already numerous or poorly owned. Those identities often create immediate exposure through persistence and over-privilege. Strong lifecycle control for NHIs gives teams a practical baseline for any broader automation or AI governance programme.

👉 Read our full editorial: AI, automation and identity risk in 2026: the breaking point


