New Semperis Study Reveals AI’s Effects on the Identity Attack Surface

Study shows companies are giving AI agents the keys to critical systems faster than they establish safeguards. Without comprehensive identity system security, attackers can accelerate compromise of Active Directory, Entra ID or Okta.

Semperis, the identity-driven cyber resilience and crisis response company, today published results of a multi-industry global study of 1,100 organizations with the aim of understanding AI’s effect on the attack surface of identity systems such as Active Directory, Entra ID and Okta. The study shows that AI is quietly redrawing the boundaries of global identity attack surfaces and organizations are giving AI agents the keys to critical systems faster than they are putting guardrails around those new identities.

The State of Identity Security in the AI Era study found that 74% of organizations in the U.S., U.K., France, Germany, Spain, Italy, Singapore and Australia believe AI will increase attacks on identity infrastructure. In addition, 93% already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access. Ninety-two percent say AI is installed on at least some local machines with access to SSH and encryption keys, yet globally only 32% are very confident they could regain control if AI exposes admin credentials. In the U.S., 53% of companies expressed confidence in regaining control, and in France the number plummeted to 12%.

“The accelerated use of AI is introducing a bevy of new agents—each with its own non-human identity (NHI)—throughout global enterprises and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs,” said Alex Weinert, Semperis Chief Product Officer.

Globally, only 65% of organizations say AI identities are fully registered, authenticated and authorized in a formal system, and 6% admit they do not track them at all. In organizations that do track AI identities, 57% use the same system as for human identities, while 43% authenticate and authorize them using a separate system.

“What is striking about the Semperis AI study is not just how quickly AI is being integrated into identity systems but how unprepared many organizations are to recover when things go wrong. Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability and recovery readiness. It is a new dimension of an old question, really: Are you resilient enough to respond in the event of critical disruption?” said Grace Cassy, Partner, Ten Eleven Ventures.

A concerning revelation from the study is that AI is being placed close to sensitive identity infrastructure—and too few organizations are prepared for the potential consequences. More than a quarter of surveyed organizations (29%) already use AI agents to manage security‑related help desk tickets, including password resets and VPN access. Another 65% intend to do so within the next year. In parallel, 92% of respondents say that some percentage of their workforce has AI installed on local machines where it can access SSH and encryption keys.

“The pattern of global organizations overestimating how quickly they can recover from a cyberattack is real, especially when identity is within the blast radius. On paper, organizations have plans and backups; in practice, identity failures turn technical incidents into prolonged business crises, exposing a dangerous gap between perceived resilience and reality,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.

On the plus side, 83% of respondents indicated that AI identity governance is a priority for them in the coming months.

How can organizations govern these hard-to-control identities?

For now, best practices include:

Treat agents explicitly as NHIs in the identity fabric.

Enforce least‑privilege, just‑enough, and just‑in‑time access for agents as rigorously as for humans.

Segregate agent and human trust boundaries where appropriate.

Use UEBA‑style analytics to detect “zombie” or anomalous agent behavior.

Ensure that your organization can quickly recover identity systems to a trustworthy state if they are breached.

Access the full AI Study here: https://www.semperis.com/the-state-of-identity-security-in-the-AI-era/

Methodology

To conduct this study, we partnered with experts at Censuswide, an international market research consultancy. In early 2026, Censuswide surveyed 1,100 organizations across the U.S., U.K., France, Germany, Italy, Spain, Australia and Singapore.

Semperis is the identity-driven cyber resilience and crisis management company trusted by the world’s largest enterprises and government agencies to protect critical identity systems. Purpose-built for multi-cloud and hybrid identity environments—including Active Directory, Entra ID, Okta, and Ping Identity—Semperis helps organizations prevent, detect, respond to, and recover from identity-based cyberattacks.

Modern cyberattacks are won or lost at the identity layer, where failures now escalate into full-scale business crises. Semperis’ AI-powered platform unifies identity lifecycle defense and crisis management—hardening identity infrastructure, detecting and containing active threats, enabling rapid, trusted recovery, and supporting secure, out-of-band coordination when core systems are disrupted—all reinforced by a world-class identity forensics and incident response team.

As part of its mission to help organizations achieve true cyber resilience, Semperis supports the broader cyber community through the award-winning Hybrid Identity Protection (HIP) Conference and Podcast, and free identity security tools including Purple Knight and Forest Druid. More than 1,200 organizations—including over 25% of the 100 largest U.S. companies—rely on Semperis. The company is privately held, headquartered in Hoboken, New Jersey, and serves customers in more than 40 countries.


Credit: Semperis

Galia
