TL;DR: Identity security leaders are split between AI-driven threat planning and day-to-day credential abuse, while only 5% of organisations say they have a complete NHI inventory, according to The Identity Underground Annual Pulse 2026. The gap is structural: programmes built for review cycles and legacy estates cannot govern identities that are proliferating faster than they can be seen.
NHIMG editorial — based on content published by Silverfort: The Identity Underground Annual Pulse 2026
By the numbers:
- 54% of executives cite AI-enhanced threats as their top concern for 2026.
- 43% of practitioners say credential stuffing and password spraying are still their most frequent attacks.
- Only 5% of organizations feel confident they have a complete inventory of non-human identities.
Questions worth separating out
Q: How should security teams handle identity risk when legacy infrastructure and AI threats collide?
A: They should treat this as a single governance programme with two time horizons.
Q: Why do non-human identities create more governance risk than many teams expect?
A: Because they often lack a clear human owner, a visible lifecycle, or consistent review points.
Q: What breaks when identity teams rely on manual response during an attack?
A: Manual response breaks when attackers move faster than analysts can correlate logs across IdP, PAM, IGA, and SIEM.
Practitioner guidance
- Inventory non-human identities as governed assets Establish ownership, business purpose, and lifecycle state for service accounts, API keys, workload identities, and third-party OAuth access.
- Prioritise legacy authentication removal Identify NTLM and other legacy identity paths that still support critical workflows, then rank them by exposure and dependency.
- Reduce manual identity triage dependence Connect IdP, PAM, IGA, and SIEM telemetry so that suspicious identity activity can trigger pre-defined containment workflows.
What's in the full report
Silverfort's full report covers the operational detail this post intentionally leaves for the source:
- Survey methodology and respondent breakdown across more than 150 identity and security practitioners and executives.
- The full set of ranked concerns, including how executives and practitioners differ on identity risk priorities.
- Detailed commentary on platform consolidation, SIEM adoption, and where organisations are investing next.
- Additional practitioner quotes that show how teams are describing the gap between strategy and operations.
👉 Read Silverfort's analysis of The Identity Underground Annual Pulse 2026 →
Identity security’s visibility gap: are your controls keeping up?
Explore further
Identity security has become a split-brain discipline. Executive concern is moving toward AI-enhanced threats, while practitioners are still fighting credential stuffing and password spraying in live environments. That disconnect is not a communications problem. It is a programme design problem, because identity control priorities are being set against two different threat horizons at once. The implication is that governance teams must stop treating strategy and operations as separate lanes.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable for third-party access that outlives its intended use?
A: The organisation that granted the access remains accountable, even when the relationship was initiated through a vendor, app, or integration. If third-party access is not tied to ownership, offboarding, and periodic review, it becomes an unmanaged extension of the identity perimeter rather than a bounded exception.
👉 Read our full editorial: Identity security’s two axes of tension are widening in 2026