Exacerbating risk is the proliferation of identities: 78% of organizations lack policies for creating AI identities

79% of IT Pros Feel Ill-Equipped to Prevent Attacks Via Non-Human Identities, Cloud Security Alliance and Oasis Security Survey Finds.

SEATTLE – Jan. 27, 2026 – The Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, today released a new survey report, The State of Non-Human Identity and AI Security, which reveals critical process and technology gaps for agentic access management. Commissioned by Oasis Security, the identity security platform, the survey shows how a lack of AI governance policies and outdated IAM solutions open organizations up to significant risk amid the rapid-fire adoption of AI.

Key findings include:

  • Governance and ownership gaps leave AI identities exposed. 78% of organizations don’t have documented and formally adopted policies for creating or removing AI identities.
  • Legacy IAM infrastructure constrains AI readiness. 92% of respondents are not confident that their legacy IAM solutions can effectively manage the risks associated with AI and NHIs.
  • IT and security professionals can’t keep up. The majority (79%) of organizations rated their confidence in their ability to prevent attacks via NHIs as low or moderate.

“Organizations with limited visibility and unclear ownership are feeling the strain of AI-driven identities and securing identities in the AI era. Establishing strong identity foundations now is critical to reducing risk and confidently scaling AI use,” said Hillary Baron, AVP of Research, Cloud Security Alliance.

As AI becomes embedded across the business, the scale of identity creation and access will grow exponentially, compounding existing visibility and control gaps.

Among the survey’s key findings:

  • Governance and ownership challenges persist. 39% of respondents cited governance as their chief concern around AI systems and identity. Organizations reported no clear ownership or accountability (51%) and over-permissioned access (51%) as their most significant pain points.
  • Manual, static processes create risk and stall innovation. Even where processes exist, automation is limited—14% said the creation and removal of AI-related identities are fully automated, 41% rely on semi-automated workflows, and 27% handle these processes entirely by hand. This lack of automation makes effective governance difficult, as manual processes limit visibility, consistency, and accountability.
  • Token sprawl and slow remediation expand risk. More than 16% of organizations don’t track when new AI-related identities are created. Even when these identities are known, lifecycle management is slow. Nearly one-quarter (24%) of organizations take more than 24 hours to rotate or revoke a credential after a potential exposure, and 30% take over a day to triage a high-severity credential leak.

“AI turns identity into a high-velocity system,” said Danny Brickman, CEO and Co-Founder of Oasis Security. “Every new agent, workflow, or integration can mint credentials and permissions in minutes. Too many organizations still govern that with spreadsheets and unsophisticated processes. That’s not an AI strategy–that’s an incident backlog.

“The fix is simple,” he continued. “Assign clear ownership, lock policy in writing, and automate the lifecycle before machine access scales beyond control.”

Oasis commissioned CSA to develop a survey and report to better understand the industry’s knowledge, attitudes, and opinions regarding NHI security and AI agents. Oasis financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in August and September 2025 and received 383 responses from IT and security professionals from organizations of various sizes and locations. CSA’s research analysts performed the data analysis and interpretation for this report.

Download the State of Non-human Identity and AI Security.
