Gaps in MFA, confidence, cybersecurity training make organizations vulnerable

How secure is digital identity? It’s a primary question in discussions about mass adoption. So-called AI has only complicated the matter. But Cisco Duo is here to help.
The affiliated companies have released two reports addressing the topic – Duo’s 2025 State of Identity Security: Challenges and Strategies from IT and Security Leaders report, and the Cisco 2025 State of AI Security report.
The first is based on a survey of 650 IT and security leaders across North America and Europe. A blog from Duo presents key findings – all of which see the industry facing significant challenges as identity threats escalate, and over half (51 percent) of organizations say they have suffered financial losses due to identity-related breaches.
First, increased complexity has led to a crisis of confidence in identity providers’ ability to provide thorough protection. “Only a third (33 percent) of leaders are confident that their current identity provider (IdP) can prevent identity-based attacks.”
Second, AI is both a major threat and a catalyst for change in identity security. Forty-four percent of leaders name phishing, supercharged by AI, as one of the top identity threats for 2025, along with insider threats and supply chain attacks. Yet 85 percent are adopting security-first identity practices to counter AI-driven threats, proving that “AI is a powerful catalyst, driving organizations to address long-standing gaps in their identity security strategies.”
Persistent phishing threats remain “a perennial issue, driving the deployment of multi-factor authentication (MFA).” But “while 87 percent of leaders believe phishing-resistant MFA is critical to their security strategies, only 30 percent are highly confident in their phishing controls.” More than 60 percent want to go passwordless – but only 19 percent of companies have deployed FIDO2 tokens, “the gold standard in phishing-resistant MFA.”
Finally, the survey identified a need for security-first IAM, to handle “identity sprawl, shadow IT, and irregular identity lifecycles.” Almost three quarters of leaders admit identity security is often an afterthought in infrastructure planning. That can result in additional costs, complexity, and misalignment that decreases overall visibility. Many teams are consolidating vendors – but 86 percent of leaders worry about inadequate controls for contractors and third-party access.
The findings, says Duo, expose a stark reality: “while leaders acknowledge the vital role of identity security, glaring gaps in confidence and execution leave many organizations dangerously vulnerable.”
AI policy beginning to reflect reality
The second report, Cisco’s 2025 State of AI Security, identifies several related risks: “security risk to AI models, systems, applications, and infrastructure from both direct compromise of AI assets as well as vulnerabilities in the AI supply chain,” the emergence of specific AI tools designed to large language models (LLMs) and the “use of AI to automate and professionalize threat actor cyber operations, particularly in social engineering.”
Cisco acknowledges the complexity of solving the problem in an ecosystem wherein every player brings their own demands and concerns. “Each business will have to tailor its AI security strategy around distinct implementation parameters. For example, what models and datasets are you leveraging? What is the specific AI use case? How sensitive is the data being handled?”
That complexity, says Cisco, is starting to be reflected in policy, as leaders begin to acknowledge the practical nature and scale of the threat.
Cybersecurity a very particular set of skills: RSM podcast
The latest episode of RSM’s podcast, Identity at the Center (IDAC), also addresses that complexity in a discussion about the growing importance of digital identity in cybersecurity. Tauseef Ghazi, the risk consulting practice leader at RSM, argues that cybersecurity works on an apprenticeship model – but that the workforce doesn’t encourage IT leaders to stick around at companies long enough to provide the necessary mentorship.
“You’ve gotta bring back the apprenticeship model more,” Ghazi says. His concern is that academic training, while improved on cybersecurity, doesn’t provide the practical experience needed to handle real-world challenges. “It’s not a skill you can just learn off the books. If you look at some of the other countries that are ahead of us in tech development, that are moving faster than we are, everywhere you look, the apprenticeship model is intact.”