Lack of visibility into AI agents and identities brings threats to orgs, says Permiso

Organizations are already integrating non-human identities, such as AI agents, and the trend is likely to continue throughout 2026. The introduction of these technologies is opening new security frontiers: A recent survey from identity security company Permiso Security shows that 82 percent of surveyed organizations say that AI agents or automated systems have direct access to production or sensitive data.

​Although the vast majority of organizations (95 percent) believe they can track non-human identities (NHIs), Permiso’s research suggests that they likely lack visibility into their operations. NHIs include service accounts, API keys, access tokens, certificates and AI agents.

“Organizations are deploying AI systems faster than they can secure them, granting access faster than they can track it, and generating identities faster than they can manage them,” Paul Nguyen, the firm’s co-CEO, says in a statement. “Most organizations don’t have visibility into which AI systems have access, what permissions they hold, or what they’re doing with the data they can access.”

Almost all organizations participating in the survey said that their AI systems can create or modify identities and permissions. Despite this, organizations rank non-human identities as least risky despite managing thousands of them. While they don’t fall for phishing, these identities often get hardcoded in repositories and retain excessive permissions indefinitely. This represents a significant perception gap, says Permiso.

The issue is not just non-human identities. Organizations generally lack insight into their identity infrastructure, resulting in serious impacts on security, according to the Permiso State of Identity Security 2026 report.

The research, which surveyed 512 organizations, showed that companies use an average of two to three identity providers, such as Okta, Ping Identity and Microsoft Entra, and an equal number of cloud service providers.

This results in a fragmented authentication landscape with limited visibility into potential threats to identity. Despite a large number of security incidents related to identity, only 43 percent of organizations can detect identity-based risks before incidents occur.

“Organizations keep asking us for faster threat detection,” said Jason Martin, co-CEO at Permiso Security. “But when we dig into what’s slowing them down, it’s always the same answer: fragmented visibility. You can’t detect what you can’t see, and you can’t respond quickly when you’re spending hours correlating data manually.”

Permiso claims that organizations have other security misconceptions when it comes to identity threats.

Identity-related attacks happen when threat actors gain unauthorized access to an organization’s data and systems by using stolen login credentials belonging to employees, external vendors, or automated accounts like AI agents.

Most companies believe that the majority of risks come from employees, but concerns about third-party vendors have risen sharply after major breaches, such as SolarWinds, Okta, MOVEit, which involved compromised vendor credentials.

SaaS continues to have the worst visibility when it comes to identities, compared to IaaS, PaaS, on-premise systems and identity providers, which score lowest on the risk level, according to the research.

“If employees are your biggest risk and SaaS is your biggest visibility gap, then the intersection represents your highest-risk, lowest-visibility attack surface. That’s precisely where attackers operate,” says the report.

According to Permiso’s data, 79 percent of organizations can confirm identity-based threats within 24 hours, while 18 percent say they can do the same within one hour. These numbers represent a large improvement compared to 2024, when only 61 percent claimed they could detect a threat within one day.  However, 16 percent still need up to seven days, while four percent need more than a week to detect identity threats.

Another task organizations face is assessing the potential fallout of a security threat, which determines the next steps. Less than a third can determine the complete blast radius within minutes when compromise is detected, while more than half need hours. A minority of 16 percent need days.

Visibility into identity accounts also plays a role in this. More than 80 percent of organizations say that security alerts are triggered by unmanaged accounts, shadow identities and misconfigured permissions. As security teams investigate false alarms, this takes away time from dealing with real threats and creates “alert fatigue.”

AI has static identity verification in its crosshairs. Now what?

Article Topics

AI agents  |  cybersecurity  |  digital identity  |  identity access management (IAM)  |  identity management  |  identity security  |  non-human identities  |  Permiso