Report: Execs Rank AI Identity Threats as Top 2026 Risk

Fifty-four percent of executives cite AI-enhanced identity threats as their top concern heading into 2026. Yet only 3 percent of organizations say they are “very prepared” to defend against AI-driven identity attacks.

Those findings come from The Identity Underground’s 2026 Annual Pulse report, underscoring a clear disconnect between rapidly emerging AI-based identity threats and the preparedness of many organizations to defend against them.

Identity and access as a risk target in 2026

According to the report, organizations are constrained by legacy infrastructure and manual processes, preventing them from modernizing their identity security measures, particularly those powered by AI.

“These systems were never designed for today’s threat landscape,” said Simon Moffatt, founder and research analyst at The Cyber Hut. 

“IAM has become a strategic enabler for the business but it’s also become a prime target. Without unified visibility and adaptive response across identity systems, privilege misuse and credential compromise proliferate faster than teams can contain them,” Moffatt added.

The Annual Pulse 2026 is based on a survey of more than 150 members of The Identity Underground — a closed community of leading IAM practitioners and identity security executives worldwide. 

Adapting legacy systems to today’s AI threats

As AI adoption has become widespread, many organizations are recognizing that legacy systems and infrastructure are posing identity risks across their businesses.

In particular, 82 percent of respondents say legacy infrastructure actively creates identity security risk. 

Meanwhile, 61 percent cite NTLM authentication as their primary legacy challenge, citing its role in enabling lateral movement and its lack of native MFA support.

“As the IAM ecosystem expanded, silos multiplied: Instead of a unified approach, identity security has become increasingly fragmented,” said Hed Kovetz, chief executive officer and co-founder of Silverfort.

“While defenders try to secure the silos separately, attackers look at the entire attack surface, turning silos into their advantage. What was once dangerous has become untenable,” Kovetz continued.

Adding to the challenge is the rapid growth of non-human identities such as service accounts, API keys, workloads, and automated processes, many of which fall outside the scope of traditional identity governance systems and models.

For example, 37 percent of organizations reported having 21 or more third-party organizations with access to their systems, dramatically expanding the identity attack surface. Meanwhile, only 5 percent said they were confident they had a complete inventory of non-human identities.

Next steps: consolidation and evolving privileged access

With the widening gap between legacy defenses and rising identity threats, executives are consolidating fragmented security systems and tightening privileged access controls.

Fifty-five percent are implementing unified identity security platforms, moving away from point solutions toward centralized visibility and control. 

In addition, 69 percent are deploying SIEM platforms with identity analytics to improve detection and context across environments.

Meanwhile, 57 percent of respondents say they have implemented stronger boundaries between privileged and standard access. 

Just-in-time (JIT) access is also gaining traction, with 40 percent saying they are building toward JIT strategies where privileges exist only when needed and expire immediately after use.

Why organizations need to focus on identity security in 2026

Taken together, the findings underscore the need for organizations to strengthen identity security and adapt to today’s emerging AI-driven threats. The Identity Underground emphasizes that simply managing access is no longer enough to protect identities.

“Organizations that continue to rely on fragmented tools, static policies, and manual response will struggle as attacks accelerate and AI agents multiply,” the community said in its report.

“Those that consolidate identity visibility, integrate security systems, and enforce controls inline—without adding friction—will be best positioned to move forward safely.”