Identity risk surged to the forefront in 2025. Dormant accounts, weakly protected credentials, and unchecked entitlements created gaps that adversaries increasingly exploited. Additionally the proliferation of Non-Human Identities and AI agents within organizations has created new vectors of access risk and significantly expanded the overall attack surface. Understanding the scale of these risks is now essential for every security leader, and they’re looking for data to guide their identity security posture in 2026.
The 2026 State of Identity & Access Report compiles one of the most extensive datasets available on real-world identities, entitlements, and access patterns across human and non-human identities in modern enterprises. The findings reveal where organizations are most exposed, how identity debt is accumulating, and which trends will shape identity security strategies in the year ahead. The report reveals three key highlights:
The staggering scale of identity debt:
38% of dormant accounts and 8% of orphaned identities creating a massive attack surface that is ripe for exploitation by ransomware adversaries.- Explosion of machine identities:
Non-human identities outnumber human identities by a factor of 17:1, multiplying identity risks that traditional governance tools cannot visualize. - Ungoverned permissions sprawl:
Billions of permissions burying real risks inside vast entitlement noise.
