The majority (93%) of global organizations use or plan to use AI agents for security tasks such as password resets and VPN access despite the potential for serious breaches and data leaks, according to Semperis.
The security vendor polled 1100 organizations in the US, UK France, Germany, Spain, Italy, Singapore and Australia to produce its State of Identity Security in the AI Era study.
As well as using agents for sensitive security work, or planning to within 12 months, the majority (92%) of respondents admitted AI is installed on at least some local machines with access to SSH and encryption keys, further exposing them to security risk.
At the same time, 74% agreed that AI will increase attacks on identity infrastructure.
Read more on identity threats: Hackers Exploit Compromised Enterprise Identities at Industrial Scale, Warns SentinelOne.
Despite exposing their organization to AI-shaped risks, only a third (32%) of respondents said they were “very confident” that they could regain control after an AI-driven credential exposure.
“What is striking about the study is not just how quickly AI is being integrated into identity systems but how unprepared many organizations are to recover when things go wrong,” said Grace Cassy, partner at cybersecurity venture capital firm Ten Eleven Ventures.
“Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability and recovery readiness. It is a new dimension of an old question, really: are you resilient enough to respond in the event of critical disruption?”
Too Many Agents, Too Many Permissions
An explosion in non-human identities (NHIs) including AI agents is complicating the task of identity governance for security teams.
The challenge is that their proliferation means plenty of abandoned “zombie” agents and shadow NHIs which threat actors could hijack. It doesn’t help that many are over-permissioned as they’re granted the same rights as human users, the report explained.
It revealed that only 65% of organizations fully register, authenticate and authorize their AI identities in a formal system, while 6% don’t track them at all. Of those that do over half (57%) use the same system as for human identities.
What Best Practice Looks Like for AI Identity
The good news is that AI identity governance is a priority for 83% of global organizations in the next 12 months, according to the study. But it’s unclear what measures they will take to control, monitor and secure usage.
For now, Semperis recommended organizations to:
- Treat agents as NHIs rather than human identities
- Enforce least‑privilege, just‑enough and just‑in‑time access for agents in the same way human identities are governed
- Segregate agent and human trust boundaries where appropriate
- Use user and entity behavior analytics (UEBAs) or similar tools to detect zombie or suspicious agent behavior
- Ensure the organization can quickly recover identity systems to a trustworthy state if they are breached
