A new Sophos report surveying 5,000 cybersecurity leaders across 17 countries has found that 71% of organisations suffered at least one identity-related breach in the past year, with two thirds of ransomware incidents traced back to identity compromise. The findings point to a rapidly widening gap in how enterprises manage non-human identities, particularly as agentic AI accelerates credential proliferation beyond the reach of existing security frameworks.
MALAYSIA, 25 MAY 2026 – Identity has overtaken endpoints and networks to become the defining battleground in modern cybersecurity, and most organisations are losing. That is the central finding of the State of Identity Security 2026, a vendor-agnostic report published by global cybersecurity leader Sophos, based on a survey of 5,000 IT and cybersecurity leaders across 17 countries.
The numbers are stark. Seventy-one percent of organisations reported suffering at least one identity-related breach in the past year. On average, organisations experienced three separate incidents, and 5% reported six or more breaches within the same period, pointing to a pattern of repeat victimisation that signals systemic, unresolved vulnerabilities rather than isolated events.
The consequences extend well beyond reputational damage. Among ransomware victims surveyed, 67% confirmed their incident originated from an identity attack, establishing identity compromise as the primary delivery mechanism for ransomware. The financial toll is severe: the mean recovery cost reached $1.64 million, with a median of $750,000, and 73% of those affected faced costs of $250,000 or more.
Ross McKerchar, Chief Information Security Officer at Sophos, described identity as the primary attack surface in modern cybersecurity and warned that most organisations are currently losing ground. He pointed specifically to the non-human identity problem as a matter of particular urgency, noting that AI agents are being granted privileges faster than security teams can track them.
The Human and Non-Human Identity Problem
Human error remains a leading contributor to identity breaches, cited in nearly 43% of incidents — typically employees being tricked into surrendering credentials. But the report flags the growing threat posed by weak management of non-human identities, including API keys stored in code, static credentials, and orphaned service accounts, cited in 41% of incidents.
The consequences of poor non-human identity management are quantifiably worse. Organisations with weak practices in this area are 22% more likely to experience financial theft and pay approximately $150,000 more to recover than average.
The problem is intensifying as agentic AI enters enterprise environments. AI agents can autonomously spin up sub-agents, each generating new credentials with broad, persistent access and limited human oversight. Existing identity frameworks were not designed with this in mind, and organisations are already behind: only one in three regularly rotate or audit service accounts and non-human identities, and just 11% do so continuously.
Visibility and Detection Gaps
The report also exposes significant gaps in monitoring and detection. Only 24% of organisations continuously monitor for unusual login attempts, while more than half check every three months or less. Fourteen percent of breached organisations were unable to detect and stop their most significant identity attack before damage was done, with smaller organisations of 100 to 250 employees nearly twice as likely to fail at detection as their mid-sized peers.
The primary consequences of identity breaches reported were data theft at 49%, ransomware at 48%, and financial theft at 47%. Critical infrastructure sectors were among the hardest hit, with energy, oil and gas, and utilities reporting a breach rate of 80%, and federal and central government at 78%.
The report also found a direct correlation between compliance difficulty and breach rates. Organisations that found compliance requirements very challenging recorded a breach rate of 82.4%, a full 14 percentage points higher than those experiencing lower compliance difficulty.
A Path Forward
Sophos recommends a multi-layered approach covering both human and non-human identities. For human identities, essential steps include enforcing multi-factor authentication across all user accounts, applying least-privilege access principles, and promptly disabling inactive identities. For non-human identities, organisations are advised to inventory and classify all assets, replace long-lived credentials with short-lived alternatives, and implement secrets management platforms at scale. As agentic AI continues to accelerate credential proliferation, deploying Identity Threat Detection and Response capabilities and adopting a Zero Trust security model are described as increasingly critical layers of defence.
The State of Identity Security 2026 was conducted in Q1 2026 across organisations with 100 to 5,000 employees spanning 14 industries, including respondents from the United States, United Kingdom, Germany, France, Australia, Japan, India, and Brazil.
