Semperi recently published a study examining AI’s impact on identity systems. The research included input from 1,100 organisations across multiple industries and reports on how AI is influencing identity-related attack surfaces globally.
The State of Identity Security in the AI Era study indicates that 74% of organisations across the US, UK, France, Germany, Spain, Italy, Singapore, and Australia believe AI is likely to increase attacks on identity infrastructure. It also reports that 93% of respondents currently use or plan to use AI for security-related functions such as password resets and VPN access.
At the same time, 32% of participants say they are very confident in their ability to restore control if AI were to expose administrative credentials. This varies by region, with 53% of US companies expressing confidence in their contingency plans compared with 12% in France.
The study also highlights how organisations are integrating AI agents into identity systems. Many enterprises now use AI agents that operate as non-human identities (NHIs), though 65% report that these have been fully integrated into formal authentication systems. Around 6% of organisations say they do not track AI identities.
Among those that do track them, 57% use the same systems as for human identities, while 43% use separate authentication approaches.
In terms of operational use, 29% of organisations currently use AI agents to manage security-related help desk tickets, and this is expected to rise to 65% within the next year. The report also notes that 92% of company devices host AI systems with access to SSH and encryption keys.
The study suggests that while adoption is increasing, organisations vary in how consistently they have adapted governance and contingency processes for AI-driven identity systems. It also notes that contingency plans may differ in how effectively they can be executed in practice.
In response to these developments, 83% of respondents say they are prioritising AI identity governance in the coming months. The study outlines several commonly cited approaches to reducing risk, including:
- Treating AI agents as non-human identities within identity systems
- Applying least-privilege, just-enough, and just-in-time access controls
- Separating trust boundaries between AI agents and human users where appropriate
- Using analytics to detect anomalous or inactive (“zombie”) agent behaviour
- Ensuring rapid restoration of identity systems following security incidents
Overall, the findings describe increasing adoption of AI within identity and security systems alongside evolving governance and control practices.
