71% of Organizations Hit by Identity Breaches, Largely Due to Weak AI Agent Security
Seven in ten organizations suffered at least one identity-related breach in the past year, according to Sophos's State of Identity Security 2026 report, released May 12. The survey of 5,000 IT and cybersecurity leaders found that weak management of non-human identities (NHIs), the credentials issued to software, systems, and AI agents, now ranks as the second-leading cause of breaches.
Non-human identity (NHI) management failures accounted for 40.6 percent of breach root causes, trailing only human error at 42.7 percent. This gap is narrowing as organizations deploy AI agents faster than security teams can track them.
The NHI Problem
An NHI is a credential that lets an automated process, service account, workload, or AI agent access organizational resources without a human in the loop: API keys, service-account secrets, OAuth client credentials, tokens, and certificates all fall into this category. Unlike a human login, no person types a password or completes an MFA prompt; possession of the credential is the proof of identity. Once stolen, it can be replayed exactly like stolen human login details.
The problem compounds because an AI agent can spawn further agents to complete sub-tasks, and each of those needs its own NHI, created without human oversight. Credentials that appear unpredictably, often with no owner of record, are hard to inventory and therefore hard to monitor, which makes misuse harder to detect.
Organizations with weak NHI management faced measurable consequences. They were 27.9 percent more likely to experience financial theft and 24.4 percent more likely to face extortion. Recovery costs ran nearly $150,000 higher than the average $1.64 million.
Audit and Rotation Gaps
Only one-third of organizations (34 percent) regularly rotate or audit service accounts and NHIs. Just 11 percent do this continually.
The report examined five core identity management activities. Results showed significant gaps between best practice and current practice:
- Review identity governance policies: 33.4 percent quarterly, 10.55 percent continually
- Rotate/audit service accounts and NHIs: 37.7 percent quarterly, 11.1 percent continually
- Monitor for credential leaks: 31.4 percent quarterly, 17.9 percent continually
- Check for common passwords: 30.4 percent quarterly, 19.2 percent continually
- Monitor for unusual logins: 28.2 percent quarterly, 24.1 percent continually
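The rotate/audit activity above, and the agent-spawned, ownerless credentials described earlier, both come down to the same check: walk the NHI inventory and flag credentials that are overdue for rotation, have no human owner, or are not being used at all. The following is an added example, not code from the Sophos report or the article. It assumes a hypothetical inventory export (the `NHI` record shape is invented for illustration; real secrets managers and cloud IAM exports carry equivalent fields under different names) and uses constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class NHI:
    """One non-human credential as a secrets manager or IAM export might report it.
    This record shape is a hypothetical stand-in, not any vendor's real schema."""
    name: str
    kind: str                     # e.g. "api_key", "service_account", "agent_token"
    owner: Optional[str]          # human or team of record; None means orphaned
    created: datetime
    last_rotated: datetime
    last_used: Optional[datetime]  # None means the credential has never been used


# Policy thresholds; assumed values, tune to your own standard.
ROTATION_MAX_AGE = timedelta(days=90)   # rotate at least quarterly
UNUSED_MAX_AGE = timedelta(days=30)     # unused for a month: candidate for revocation

# Constructed sample inventory for this example (not real data).
NOW = datetime(2026, 5, 12, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    # rotated over a year ago but still in daily use: rotate it
    NHI("billing-api-key", "api_key", "alice",
        datetime(2025, 1, 10, tzinfo=timezone.utc),
        datetime(2025, 1, 10, tzinfo=timezone.utc),
        datetime(2026, 5, 10, tzinfo=timezone.utc)),
    # healthy: rotated 41 days ago, used yesterday, owned
    NHI("ci-deploy-sa", "service_account", "platform-team",
        datetime(2025, 6, 1, tzinfo=timezone.utc),
        datetime(2026, 4, 1, tzinfo=timezone.utc),
        datetime(2026, 5, 11, tzinfo=timezone.utc)),
    # token minted by an AI agent for a sub-task: no owner, never used
    NHI("agent-subtask-7f3a", "agent_token", None,
        datetime(2026, 5, 1, tzinfo=timezone.utc),
        datetime(2026, 5, 1, tzinfo=timezone.utc),
        None),
    # stale and dormant: nobody uses it, so revoke rather than rotate
    NHI("legacy-etl-sa", "service_account", "bob",
        datetime(2024, 3, 3, tzinfo=timezone.utc),
        datetime(2025, 12, 1, tzinfo=timezone.utc),
        datetime(2026, 1, 15, tzinfo=timezone.utc)),
]


def audit(inventory: List[NHI], now: datetime) -> Dict[str, List[str]]:
    """Return {credential name: sorted list of issues} for every NHI with a finding.
    Issues: 'stale' (rotation overdue), 'orphaned' (no owner), 'dormant' (unused)."""
    findings: Dict[str, List[str]] = {}
    for cred in inventory:
        issues = []
        if now - cred.last_rotated > ROTATION_MAX_AGE:
            issues.append("stale")
        if cred.owner is None:
            issues.append("orphaned")
        if cred.last_used is None or now - cred.last_used > UNUSED_MAX_AGE:
            issues.append("dormant")
        if issues:
            findings[cred.name] = sorted(issues)
    return findings


def recommend(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each finding to a single action. Dormant credentials are revoked rather
    than rotated: rotating a secret nobody uses just keeps an attack path alive."""
    actions = {}
    for name, issues in findings.items():
        if "dormant" in issues:
            actions[name] = "revoke"
        elif "stale" in issues:
            actions[name] = "rotate"
        else:
            actions[name] = "assign_owner"
    return actions


if __name__ == "__main__":
    found = audit(SAMPLE_INVENTORY, NOW)
    for name, action in recommend(found).items():
        print(f"{name}: {', '.join(found[name])} -> {action}")
```

The ordering in `recommend` is the practical point: a credential that is both stale and dormant should be revoked, not rotated, and an agent-minted token with no owner and no usage is treated the same way. Run this on a real export and the "continually" column of the table above becomes a scheduled job rather than a quarterly review.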
Broader Breach Patterns
Weak human identity management for employees (38.6 percent) and lack of visibility into external application permissions (35.7 percent) also drove breaches. Attackers now use AI and automation to accelerate attacks.
Energy, oil and gas, and utilities showed the highest breach rates at 80.3 percent. Construction and property (76.1 percent) and manufacturing (73.6 percent) followed. Technology and healthcare organizations had lower rates at 63.1 and 63.4 percent respectively.
Smaller organizations (100-250 employees) were 72 percent less likely to identify an identity attack compared to large organizations with more than 1,000 employees.
Organizations breached once often became repeat victims. The average organization reported three separate incidents, with 5 percent reporting at least six.
Ransomware Connection
Data theft was the most likely breach consequence at 48.8 percent, followed closely by ransomware involving stolen credentials at 48.4 percent. Extortion affected 43.9 percent of breached organizations.
Sixty-seven percent of ransomware victims said their incident stemmed from an identity attack, making identity compromise a primary ransomware delivery mechanism.
For managers overseeing security strategy, the data points to one clear gap: NHI governance has not kept pace with AI deployment. Sophos's chief information security officer Ross McKerchar said organizations "that fail to get ahead of this will find it an increasingly costly gap to close."