Delinea’s 2026 Identity Security Report: Uncovering the Hidden Risks of the AI Race.

Organizations are under growing pressure to accelerate AI adoption, deploy agentic AI systems, and modernize operations to remain competitive. According to Delinea’s 2026 Identity Security Report: Uncovering the Hidden Risks of the AI Race, many organizations are advancing AI faster than their identity governance and security controls can evolve.

The report highlights what Delinea calls the “AI security confidence paradox.” – Organizations express strong confidence in their AI security readiness while simultaneously admitting major gaps in identity visibility, governance, privilege management, and monitoring.

In partnership with Censys, Delinea ran a global survey of 2,001 IT decision-makers who are actively using or piloting AI in their environments across the UK, US, Germany, France, Australia, Singapore, and India. The major finding of the survey:

Organizations are introducing substantial identity-related risks—much of which remains outside the scope of traditional visibility and governance processes.

The AI security confidence paradox

The findings reveal that organizations express high confidence in their security readiness for AI while simultaneously admitting they lack the fundamentals to back up that confidence. Broadly, 87% of respondents reported that their identity security posture is prepared to support AI-driven automation at scale. Only 2% said they’re not prepared at all. Yet many of these same organizations—46%—admit their identity governance is deficient around AI systems.

This paradoxical thinking indicates organizations may be advancing agentic AI without fully modernizing the identity controls required to support it. They may not yet realize the level of risk incurred by agentic AI. As the rest of the survey results show, this is likely because their beliefs are built around incomplete information.

The identity visibility gap: What you don’t know can hurt you
90% an overwhelming amount of respondents admit to having at least some sort of identity visibility gap at their organization. The number one gap was machine and NHI accounts, including those used by AI agents. Respondents reported that the identity discovery gaps most likely to persist over time were in AI-related environments, at nearly double the rate of legacy and on-premises systems.

Rampant shadow AI

The rapid, runaway adoption of OpenClaw in early 2026 indicates that the use cases for these unapproved apps are growing increasingly risky. Users aren’t just doing quick spell checks with Grammarly or asking ChatGPT simple questions. They’re running full-fledged agents with sweeping permissions. As an open-source AI assistant that can modify files and execute commands without any intervention, OpenClaw has persistent memory and broad permissions. It’s typically granted direct connections to the networks and enterprise services used by the machine it’s installed on.

Gartner analysts estimate that by 2030, some 40% of organizations will suffer security incidents due to shadow AI risks.

The struggle to detect access granted to unauthorized AI agents can pose a significant risk to organizations, as shadow AI is difficult to distinguish from normal activity. This creates decentralized deployment with centralized risk, creating significant visibility and governance challenges for risk management teams.

AI fueling unchecked NHI activity

NHIs were an identity governance challenge long before agentic AI took the scene. IoT devices, microservices, API connectors, and automated software engineering processes all require machine accounts with varying degrees of privilege. Trying to gain visibility into NHI access was already overwhelming the legacy identity security processes rooted in human-centric identity controls.

Two years ago, analysts estimated NHIs outnumbered human accounts 46 to 1. A year ago, the industry estimate almost doubled to 82 to 1.

Rapid adoption of agentic AI expands the number of non-human identities (NHIs) within the identity estate and introduces new layers of operational risk. AI agent accounts don’t follow the pre-programmed, deterministic steps characteristic of previous generations of automation. AI Agents make contextual decisions and initiate actions that weren’t explicitly scripted.

According to Cloud Security Alliance’s 2026 State of NHI and AI Security report, less than a quarter of organizations today have documented and formally adopted policies for creating or removing AI identities.

Identity at the core of AI’s biggest risks

As governance gaps emerge around machine and AI identities, attackers are increasingly targeting these access paths. AI agents are rapidly becoming part of privileged infrastructure, and unmanaged or over-privileged identities represent a high-value target.

Broadly, 92% of organizations believe that AI will amplify identity-related threats over the next several years, with credential stuffing and password attacks (33%) and privileged account compromise (31%) leading their concerns.

Breaches increasingly originate from legitimate access—such as valid credentials, tokens, OAuth grants, and automated pipelines—rather than traditional exploitation of vulnerabilities. This shift to runtime risk is reshaping the dynamics of identity and trusted access. Non-human identities and AI-driven systems are expanding trust relationships faster than governance frameworks can adapt—especially when agents clone workflows, share permissions, and replicate across environments.

Clear visibility into identity sprawl, privilege drift, and governance gaps enables informed insight into why visibility and controls must be made before incidents force reactive action.

AI security is becoming an identity governance problem

Many organizations still approach AI security primarily from the perspective of models, prompts, and infrastructure. But the Delinea report reinforces a much larger issue emerging across modern environments: AI dramatically expands the identity attack surface.

AI agents, automation platforms, service accounts, APIs, and non-human identities increasingly operate with broad permissions across cloud, SaaS, CI/CD, and production environments. Yet many organizations still lack real-time visibility into how these identities behave, what systems they access, and whether those privileges remain appropriate over time.

At Reputiva, we believe secure AI adoption requires organizations to modernize identity governance alongside AI adoption itself. That means:

improving visibility into non-human identities
reducing standing privilege
strengthening privileged access management
implementing Zero Trust principles
improving cloud identity governance
monitoring AI-related access patterns
securing AWS, Azure, and GCP environments at machine speed

The AI race is accelerating quickly, but organizations that ignore identity governance risk creating massive blind spots that attackers can exploit through legitimate access paths instead of traditional intrusion methods.

Prepare your organization for AI-Driven identity risk

As organizations accelerate AI adoption, identity security is becoming one of the most important foundations of cyber resilience. Reputiva helps organizations strengthen: