Sophos has reported findings on identity-related breaches in its State of Identity Security 2026 survey, which included responses from 5,000 IT and cybersecurity leaders across 17 countries. The results indicate that 71% of organisations experienced at least one identity-related breach in the past year.
The research highlights an increase in identity-based attacks, linked in part to human error and challenges in managing non-human identities (NHIs). The report also notes that the growing use of AI technologies may be contributing to increased complexity in this area.
According to the survey, 67% of organisations affected by ransomware attributed the incident to identity-related breaches, identifying identity compromise as a common entry point for ransomware attacks. The average recovery cost was reported at $1.64 million, with a median cost of $750,000. In addition, 73% of respondents reported recovery expenses above $250,000.
Key findings from the survey
- Data and financial impact: 10% of respondents reported major business impact from identity breaches. The main outcomes included data theft (49%), ransomware (48%), and financial theft (47%).
- Monitoring practices: 24% of organisations continuously monitor logins, while more than half review them on a quarterly basis or less frequently.
- Detection outcomes: 14% reported not detecting or stopping their most significant breaches in a timely manner, with smaller organisations more affected.
- Sector exposure: Higher reported breach rates were seen in sectors including energy, oil and gas, utilities, and government.
- Compliance perceptions: 82.4% of organisations that find compliance challenging reported breach incidence, compared with 68.3% among those that do not report compliance as difficult.
Human error, including unauthorised credential sharing, was identified in 43% of incidents. Issues related to non-human identity management—such as exposed API keys and orphaned service accounts—accounted for 41%.
The report also notes increasing complexity in managing NHIs, including situations where AI agents can create additional sub-agents and credentials, which can complicate oversight. Current identity management practices vary: 33% of organisations regularly rotate service account credentials, while 11% do so continuously.
The survey suggests a combined approach to identity security covering both human and non-human identities. Commonly cited measures include multi-factor authentication, least-privilege access controls, and faster deactivation of inactive identities.
For NHIs specifically, recommendations include maintaining complete inventories, replacing long-lived credentials, and using dedicated secret management tools. The report also highlights Identity Threat Detection and Response (ITDR) and Zero Trust security models as relevant approaches in environments where AI contributes to increased creation of non-human identities.
The survey covered organisations with 100 to 5,000 employees across multiple industries in countries including the U.S., U.K., and Germany.
