Cybersecurity firm Sophos said 71% of organizations surveyed worldwide experienced at least one identity-related security breach in the past year, with human error and poor management of non-human identities emerging as the main causes of attacks.
In its “State of Identity Security 2026” report, Sophos surveyed 5,000 IT and cybersecurity leaders across 17 countries and found that organizations suffered an average of three identity-related incidents during the period. Five percent of respondents reported six or more breaches.
The report also showed that identity compromise has become a major entry point for ransomware attacks. About 67% of ransomware victims said their incidents originated from identity attacks, according to the survey.
Sophos said the financial impact of such breaches remains significant, with average recovery costs reaching $1.64 million and median costs at $750,000. Nearly three-fourths of affected organizations incurred losses of at least $250,000.
“Identity has become the primary attack surface in modern cybersecurity, and this data shows most organizations are losing ground,” said Ross McKerchar, chief information security officer at Sophos.
“The non-human identity problem is particularly urgent. AI agents are being granted privileges faster than security teams can track them, and organizations that fail to get ahead of this will find it an increasingly costly gap to close,” he added.
The study identified employee credential compromise as the leading cause of identity-related incidents, accounting for nearly 43% of cases. Weak management of non-human identities — including API keys stored in code, static credentials, and orphaned service accounts — was cited in 41% of incidents.
Sophos warned that the rapid growth of agentic AI is worsening the problem as AI systems autonomously create sub-agents and credentials that may not be properly monitored by security teams. The report found that only one in three organizations regularly rotate or audit service accounts and non-human identities, while just 11% do so continuously.
Among industries surveyed, the energy, oil and gas, and utilities sectors recorded the highest breach rate at 80%, followed by federal and central government agencies at 78%.
The report also found that only 24% of organizations continuously monitor unusual login attempts, while more than half review such activity only every three months or less.
Sophos recommended that organizations adopt stronger identity protection measures, including mandatory multi-factor authentication, least-privilege access policies, regular auditing of non-human identities, and implementation of Zero Trust security frameworks.
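The weaknesses the report calls out (API keys in code, static credentials, orphaned service accounts) and its recommendation to audit non-human identities regularly can be turned into a repeatable check. The script below is an added example, not code from Sophos or the report: it runs a small audit over a constructed inventory of service accounts and AI-agent identities, flagging entries with no accountable owner, credentials past a rotation deadline, dormant accounts, and secrets known to sit in a source repository. The inventory records, field names and the 90-day and 60-day thresholds are assumptions chosen for illustration.

```python
from datetime import date

# Policy thresholds (assumed values for this example, not from the report).
ROTATION_MAX_DAYS = 90   # credential must have been rotated within this window
IDLE_MAX_DAYS = 60       # identity unused for longer than this is treated as dormant

# Reference date for the audit so the example is deterministic.
AUDIT_DATE = date(2026, 3, 1)

# Constructed sample inventory (fictional), shaped like an export from an
# identity-governance or secrets-management tool. "secret_in_repo" is the
# result of an upstream secret-scanning pass, recorded here as a flag.
INVENTORY = [
    {"name": "svc-billing", "owner": "team-finance",
     "last_rotated": "2026-01-20", "last_used": "2026-02-27", "secret_in_repo": False},
    {"name": "svc-legacy-etl", "owner": None,
     "last_rotated": "2024-11-02", "last_used": "2025-10-14", "secret_in_repo": False},
    {"name": "agent-summarizer-07", "owner": "ai-platform",
     "last_rotated": "2025-09-15", "last_used": "2026-02-28", "secret_in_repo": True},
    {"name": "svc-ci-deploy", "owner": "team-devops",
     "last_rotated": "2026-02-10", "last_used": "2026-02-28", "secret_in_repo": False},
]


def audit_identity(record, today=AUDIT_DATE):
    """Return a list of findings for one non-human identity (empty if clean)."""
    findings = []

    # Orphaned identity: nobody is accountable for it, so nobody rotates or retires it.
    if not record.get("owner"):
        findings.append("orphaned: no accountable owner")

    # Static credential: rotation deadline exceeded.
    rotation_age = (today - date.fromisoformat(record["last_rotated"])).days
    if rotation_age > ROTATION_MAX_DAYS:
        findings.append(f"static credential: not rotated for {rotation_age} days")

    # Dormant identity: still valid but unused, a candidate for removal.
    idle_days = (today - date.fromisoformat(record["last_used"])).days
    if idle_days > IDLE_MAX_DAYS:
        findings.append(f"dormant: unused for {idle_days} days")

    # Secret committed to code: treat as exposed regardless of age.
    if record.get("secret_in_repo"):
        findings.append("secret committed to source code: rotate immediately")

    return findings


def audit_inventory(inventory, today=AUDIT_DATE):
    """Map identity name -> findings, only for identities that need action."""
    results = {}
    for record in inventory:
        findings = audit_identity(record, today)
        if findings:
            results[record["name"]] = findings
    return results


def coverage_summary(inventory, today=AUDIT_DATE):
    """Fraction of identities that pass the audit, for trend reporting."""
    flagged = audit_inventory(inventory, today)
    total = len(inventory)
    return {"total": total, "flagged": len(flagged), "clean": total - len(flagged)}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print(coverage_summary(INVENTORY))
```

Running the audit on a schedule (the report notes that only 11% of organizations do this continuously) and feeding the flagged entries into a ticketing or rotation workflow is what turns the inventory into an actual control; the thresholds should be set to match the organization's own credential-rotation policy rather than the illustrative values above.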