New findings from The Identity Underground reveal growing gap between reality of modern identity attacks and constraints of outdated, legacy infrastructure; highlight an industry in transition
GRAPEVINE, Texas, Jan. 20, 2026 /PRNewswire-PRWeb/ -- As enterprises race to prepare for AI-driven threats, a new global study released today reveals a stark disconnect between executive focus and the practitioners' reality. According to the 2026 Annual Pulse from The Identity Underground, only 3% of organizations say they are 'very prepared' for AI-related identity attacks—even as 54% of executives cite AI-enhanced identity threats as their top concern for the year ahead.
The Identity Underground Annual Pulse 2026 is based on a survey of more than 150 members of The Identity Underground, a closed community for leading IAM practitioners and identity security executives worldwide. This report marks the first time the community has shared insights outside the closed group.
The report paints a picture of an industry in transition: organizations are actively modernizing identity security for AI-era threats, while still constrained by legacy infrastructure and manual processes that slow progress.
"These systems were never designed for today's threat landscape," said Simon Moffatt, Founder and Research Analyst at The Cyber Hut. "IAM has become a strategic enabler for the business, but it's also become a prime target. Without unified visibility and adaptive response across identity systems, privilege misuse and credential compromise proliferate faster than teams can contain them."
AI is Executives' Focus, but Securing Legacy Infrastructure Remains Daily Bottleneck
Executives are focused on the AI future: seeking to leverage AI for the enterprise while their own concerns about AI-powered attacks rise. The data reveals a paradox: 54% of executives cite AI-enhanced threats as their top concern. Meanwhile, 33% are creating governance frameworks for AI agent deployment and monitoring—a sign that AI adoption is outpacing security readiness.
Yet, as attention shifts, they acknowledge legacy systems remain a persistent source of identity risk across enterprises: 82% of organizations say legacy infrastructure actively creates identity security risk.
Practitioners living the day-to-day understand identity risks posed by their legacy infrastructure even more acutely:
- 61% cite NTLM authentication as their primary legacy challenge, due to its role in enabling lateral movement and its lack of native MFA support
- 43% encounter credential stuffing and password spraying as their most frequent attack—basic credential abuse that still works
"As the IAM ecosystem expanded, silos multiplied: Instead of a unified approach, identity security has become increasingly fragmented," said Hed Kovetz, CEO and Co-Founder of Silverfort, in his contribution. "While defenders try to secure the silos separately, attackers look at the entire attack surface, turning silos into their advantage. What was once dangerous has become untenable."
Axes of Tension: The Practitioner-Executive Constraints Dilemma
The report reveals a widening disconnect between executives and practitioners operating on two different axes of tension. On one axis: legacy systems vs. AI-era challenges. On the other: practitioners fighting daily credential attacks vs. executives managing board-level pressure to adopt AI agents.
Practitioners face credential stuffing, password spraying, the daily grind. Executives are torn between supporting their teams on these realities and addressing growing business demands for agentic AI adoption.
"You can't watch for the future when you're constantly putting out fires in old infrastructure," the report notes.
Non-human Identities Expand the Attack Surface
Compounding these challenges is the rapid growth of non-human identities—service accounts, API keys, workloads, and automated processes—which fall outside traditional identity governance models. Third-party vendor access sprawl further complicates an already increasingly complex attack surface:
- 37% of organizations report having 21 or more third-party organizations with access to their systems, dramatically expanding the identity attack surface.
- Only 5% of organizations feel confident they have a complete inventory of non-human identities
As enterprises adopt AI agents and automation at scale, the publication warns that identity programs designed around human users alone are no longer sufficient.
Detection is High. Response is Not.
The 2026 Annual Pulse shows that organizations are no longer blind to identity-based threats, but they are still struggling to act fast enough when those threats appear—53% say that confidence relies on rapid manual remediation. The result, the publication notes, is that identity security teams increasingly act as "human APIs," stitching together context by hand while attackers move at machine speed.
- 68% of executives say they are confident in their ability to detect identity-based attacks
- Only 8% say real-time detection paired with automated response is what gives them confidence
A Wave of Consolidation is Happening
More than half of identity executives cite lack of integration between security tools as their top challenge during incident response. Organizations are making changes to address this—they are investing, consolidating, and modernizing identity security to reduce risk without breaking the business.
- 55% of organizations are implementing unified identity security platforms, moving away from fragmented point solutions toward centralized visibility and control
- 69% are deploying SIEM platforms with identity analytics, improving detection and context across environments
Signs of Progress: The Privileged Access Evolution
While the challenges are significant, the publication also shows clear momentum. Just-in-time (JIT) access is moving from theory to practice, with more than two-thirds of organizations deploying JIT at least in pilot form, and over one-third using it across critical systems or broadly for privileged access.
- 57% have implemented strong boundaries between privileged and standard access
- 40% are building toward just-in-time (JIT) strategies where privileges exist only when needed and expire immediately after
More Controls, More Friction—and New Risk
The publication highlights a growing paradox: while organizations have expanded identity security controls, the constraints of legacy infrastructure, systems, and incomplete implementation have led to unintended consequences, often disrupting the work they were intended to protect:
- 58% say access approval workflows cause more delays than actual security incidents
- 40% say security policies prevent legitimate work
- More than half cite identity controls as either blocking work or causing repeated authentication prompts
Outdated identity security tools like traditional PAM have compounded these challenges as traditional credential vaulting and session management add friction to every privileged action. The publication notes that when friction rises, users predictably seek workarounds—increasing exposure to the same credential-based attacks that remain the most common entry point for attackers.
However, organizations and executive leadership are not ignoring this friction; they're taking action to both understand and reduce these risks. Businesses are measuring the impact this friction has on teams, the security of the organization, and the business's bottom line. Quantifying business impact is the first step toward security that enables rather than blocks.
They're also taking a pragmatic approach to remediation: organizations are reducing exposure where they can, modernizing incrementally, and building the architectural foundation needed to support AI agents, non-human identities, and automated response.
A Turning Point for Identity Security
Taken together, the findings point to a clear conclusion: identity security is no longer just about managing access—it has become a real-time control plane for the enterprise.
Organizations that continue to rely on fragmented tools, static policies, and manual response will struggle as attacks accelerate and AI agents multiply. Those that consolidate identity visibility, integrate security systems, and enforce controls inline—without adding friction—will be best positioned to move forward safely.
About The Identity Underground Annual Pulse 2026
The Annual Pulse is published by The Identity Underground, a closed community where identity security practitioners and executives speak candidly about what works, what breaks, and why. This is the first time the community has made its survey data public, offering an unfiltered look at the state of identity security as organizations head into 2026.
About The Identity Underground
The Identity Underground is a global, invite-only community of IAM and identity security leaders, powered by Silverfort, yet independently run, giving members space for candid conversations and genuine peer connection. It exists to foster honest, practitioner-driven conversations about the real challenges facing identity teams—no vendor pitches, no sponsors.
Media Contact
Jessica Stone, The Identity Underground, 1 8324920305, [email protected], www.theidentityunderground.com
SOURCE The Identity Underground

