Most Organizations Were Hacked Through Stolen Identities Last Year, AI Is About to Make It Much Worse


By: Kasun Illankoon


A sweeping new survey of 5,000 cybersecurity leaders reveals that identity theft has quietly become the defining threat of the modern internet, and the rise of AI agents is pouring gasoline on the fire.

by Kasun Illankoon, Editor in Chief at Tech Revolt


The breach did not begin with a sophisticated zero-day exploit or a team of elite foreign hackers working through the night. It began, as so many do, with a password. Someone clicked something they should not have. A credential was handed over. A door swung open. And by the time the organization understood what had happened, the ransomware was already spreading.

This is not a hypothetical. It is the story that played out across thousands of companies, hospitals, government agencies, and energy utilities in the past twelve months, and the numbers are now staggering enough to demand serious attention.

A new global survey from cybersecurity firm Sophos, drawing on responses from 5,000 IT and security leaders across 17 countries, paints a picture of an industry in genuine crisis. Seven out of ten organizations experienced at least one identity-related breach in the past year. The average organization was not hit once, but three separate times. Five percent of respondents reported six or more distinct incidents in a single year. That is not a problem of bad luck. That is a problem of infrastructure.

What Is an Identity Attack, and Why Does It Keep Winning?

To understand why identity has become the dominant attack surface in cybersecurity, it helps to think about what has changed in the past decade. Networks used to have clear perimeters. You were either inside the firewall or you were not. Protecting data meant protecting the wall.

That model is effectively dead. Cloud computing, remote work, mobile devices, and interconnected third-party services have dissolved the perimeter entirely. Now, the primary question is not "are you inside our network?" but "who are you, and do you have permission to be here?" Identity, in other words, has become the new perimeter.

Attackers figured this out before most defenders did. Why spend months probing for a technical vulnerability when you can simply trick an employee into handing over their login credentials? The Sophos data confirms this dynamic plainly: nearly 43 percent of identity-related incidents were initiated through human error, specifically employees being deceived into surrendering their credentials. Phishing emails, fake login pages, voice calls impersonating IT staff, text messages claiming urgent action is required. The techniques are not new. They keep working because people, under pressure and distracted, make mistakes.

The financial consequences of those mistakes are not abstract. The survey found that the mean recovery cost from an identity breach reached $1.64 million, with a median of $750,000. Nearly three-quarters of affected organizations faced costs of $250,000 or more. These are not rounding errors on a corporate balance sheet. For mid-sized businesses, they are existential.

Ransomware's Dirty Secret

For years, ransomware has been discussed as though it were its own separate category of threat, an opportunistic digital plague with its own logic. The Sophos findings complicate that framing in an important way: two-thirds of ransomware victims in this survey confirmed that their ransomware attack began with an identity compromise. The ransomware was not the beginning of the attack. It was the end of it. The real breach had already happened, silently, through a stolen credential or a compromised account, before anyone deployed the encrypting payload.

This reframing matters for how organizations think about defense. If ransomware is primarily an identity problem, then the conventional focus on endpoint detection and network monitoring, while still necessary, is missing the more fundamental layer. The lock that needs strengthening is not on the server room door. It is on the front door, the one that opens when someone proves they are who they say they are.

The Non-Human Identity Problem Nobody Is Talking About

If human error is the known devil, non-human identities represent the unknown one, and the Sophos data suggests that unknown is becoming considerably more dangerous.

Non-human identities, commonly called NHIs, are the credentials, API keys, service accounts, and tokens used by software systems to authenticate to each other. Every time an application calls a database, a cloud service talks to a payment processor, or a script runs automatically in the background, it is using some form of non-human identity. These credentials are often harder to track than human ones, because they are embedded in code, inherited from old systems, or created automatically during software deployments. They tend to have broad access permissions and, crucially, they tend to never expire.

The problem is not hypothetical. The survey found that weak NHI management was cited as a contributing factor in 41 percent of identity incidents. Organizations with poor NHI hygiene were 22 percent more likely to experience financial theft, and paid approximately $150,000 more to recover from breaches than their peers with stronger practices. Only one in three organizations regularly rotates or audits their service accounts and non-human identities. Just 11 percent do so continuously.

Then comes the genuinely alarming part. AI agents are making this problem structurally worse, and they are doing so at speed.

Modern AI agents do not just complete tasks. They spin up sub-agents to help them complete those tasks. Each sub-agent needs credentials to operate. Those credentials need to be provisioned, tracked, and eventually revoked. In fast-moving AI deployments, this process happens faster than most security teams can follow. The result is an expanding cloud of machine identities, many with broad and persistent access to sensitive systems, governed by oversight frameworks that were designed for a world where software did not autonomously create more software.

Ross McKerchar, Sophos's chief information security officer, described the trajectory bluntly: "AI agents are being granted privileges faster than security teams can track them, and organizations that fail to get ahead of this will find it an increasingly costly gap to close."

The Industries Most Exposed

Not all sectors are equally vulnerable, though the breach rates across all of them are high enough to be alarming. Energy, oil and gas, and utilities reported the highest breach rates of any industry surveyed, at 80 percent. Federal and central government came close behind at 78 percent. These are not industries where a security failure carries only financial consequences. A compromised power grid or a breached government system carries consequences that ripple outward in ways that are difficult to contain.

The survey also surfaced a troubling relationship between regulatory compliance difficulty and breach rates. Organizations that found their compliance requirements very challenging had a breach rate of 82.4 percent, compared to 68.3 percent for those with lower compliance difficulty. This is a 14 percentage point gap, and it suggests that the organizations most burdened by regulatory complexity are simultaneously the least equipped to actually meet the security outcomes those regulations are meant to produce. Compliance, when treated as a checkbox exercise rather than a genuine security practice, may be consuming resources better spent on actual defense.

What Visibility Actually Looks Like, and What It Does Not

One of the more quietly damning findings in the survey concerns monitoring. Only 24 percent of organizations continuously monitor for unusual login attempts. More than half check every three months or less. In a threat environment where attackers move through compromised environments in hours, and sometimes minutes, a quarterly review of login anomalies is not a security posture. It is a post-incident archaeology exercise.

Detection gaps compound the problem. Fourteen percent of breached organizations could not detect and stop their most significant identity attack before damage was already done. Among smaller organizations, those with 100 to 250 employees, that failure rate was nearly double compared to mid-sized peers. Small organizations face an impossible math problem: the cost of comprehensive identity security tools is high relative to their budgets, but the cost of a breach, at six or seven figures, is potentially fatal to the business.
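The survey's point about monitoring frequency is easier to see in code. The following is an added example, not code from the article or from Sophos: it runs two simple login-anomaly checks over a constructed authentication log, flagging a burst of failures followed by a success from the same source (credential stuffing or password spraying that finally landed) and a user who succeeds from two different countries within an hour. The log format, field names, thresholds and account names are assumptions made for illustration; a real deployment would read these events from the identity provider's audit stream as they arrive rather than from a quarterly export.

```python
"""Continuous login-anomaly detection over a constructed authentication log.

Added example, not from the article or the Sophos survey. The log format,
thresholds and account names below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice 203.0.113.10 DE failure
2024-05-01T08:00:09Z alice 203.0.113.10 DE failure
2024-05-01T08:00:12Z alice 203.0.113.10 DE failure
2024-05-01T08:00:14Z alice 203.0.113.10 DE failure
2024-05-01T08:00:17Z alice 203.0.113.10 DE failure
2024-05-01T08:00:20Z alice 203.0.113.10 DE success
2024-05-01T09:15:00Z bob 198.51.100.7 US success
2024-05-01T09:40:00Z bob 192.0.2.44 BR success
2024-05-01T10:00:00Z carol 198.51.100.9 US success
"""

FAIL_THRESHOLD = 5                   # failures before a success that count as brute force
FAIL_WINDOW = timedelta(minutes=10)  # failures older than this are forgotten
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this gap is suspicious


def parse(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, ip, country, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "country": country,
        "result": result,
    }


def detect(lines):
    """Return a list of alert tuples found while streaming over the log lines.

    Alerts:
      ("brute_force_then_success", user, ip, failures_before_success)
      ("country_change", user, previous_country, new_country)
    """
    alerts = []
    failures = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    last_success = {}               # user -> (timestamp, country) of last success

    for raw in lines:
        if not raw.strip():
            continue
        ev = parse(raw)
        key = (ev["user"], ev["ip"])
        recent = failures[key]

        # Drop failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > FAIL_WINDOW:
            recent.popleft()

        if ev["result"] == "failure":
            recent.append(ev["ts"])
            continue

        # A success preceded by a burst of failures from the same source.
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_then_success", ev["user"], ev["ip"], len(recent)))
        recent.clear()

        # A success from a different country than the user's last success,
        # within a window too short for ordinary travel.
        prev = last_success.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= TRAVEL_WINDOW:
            alerts.append(("country_change", ev["user"], prev[1], ev["country"]))
        last_success[ev["user"]] = (ev["ts"], ev["country"])

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Both checks are stateful, which is the practical reason continuous monitoring beats periodic review: the failure window and the last-success map only make sense when events are processed in order as they happen. On the sample above the code raises two alerts, one for alice's five failures followed by a success and one for bob's US-to-BR change inside an hour; carol produces nothing because she has no earlier success to compare against.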

What Good Identity Security Actually Requires

The path forward is not a mystery, though it requires investment and sustained attention. The survey's recommendations cover both human and non-human identity management, and the good news is that some of the highest-impact interventions are not especially exotic.

Enforcing multi-factor authentication across all user accounts remains one of the highest-return security investments available, ideally with phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes and push approvals can be relayed through the same fake login pages the survey describes. Applying least-privilege access principles, meaning that accounts and systems only have access to what they genuinely need, limits the damage that any single compromised credential can do. Promptly disabling inactive accounts closes the orphaned identity problem that attackers regularly exploit.

For non-human identities specifically, the prescription is more technically demanding. Organizations need a real inventory of all their NHIs, something many lack entirely. Long-lived credentials, the API keys and tokens that never expire, need to be replaced with short-lived alternatives that automatically rotate, for example workload identity tokens issued at runtime instead of static keys checked into code. Secrets management platforms can handle NHI credentials at scale in ways that manual processes cannot.
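The human and non-human recommendations above amount to one recurring audit: who still has an account, whether it is protected, how old and how broad its credentials are, and whether it is still used. The following is an added example, not code from the article or from Sophos, that runs that audit over a constructed inventory of human accounts and NHIs and returns a finding list per identity. The record fields, thresholds (90 days of inactivity, 90-day rotation, a 24-hour ceiling for "short-lived") and identity names are assumptions for illustration; in practice the inventory would be pulled from the identity provider, cloud IAM and the secrets manager.

```python
"""Identity hygiene audit over a constructed account and NHI inventory.

Added example, not the article's or Sophos's code. Field names, thresholds
and the sample records are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
INACTIVE_DAYS = 90                 # human accounts unused this long should be disabled
NHI_MAX_AGE_DAYS = 90              # NHI credentials older than this are overdue for rotation
NHI_MAX_TTL = timedelta(hours=24)  # validity above this counts as a long-lived credential
BROAD_PRIVS = {"admin", "owner", "*"}

# Constructed inventory: humans and non-human identities (service accounts, API keys).
INVENTORY = [
    {"id": "alice", "kind": "human", "mfa": True, "last_login": "2024-05-30", "privs": ["read"]},
    {"id": "bob", "kind": "human", "mfa": False, "last_login": "2024-05-28", "privs": ["read", "write"]},
    {"id": "contractor-old", "kind": "human", "mfa": True, "last_login": "2023-12-01", "privs": ["admin"]},
    {"id": "svc-billing", "kind": "nhi", "created": "2022-01-15", "expires": None,
     "last_used": "2024-05-31", "privs": ["*"]},
    {"id": "ci-deployer", "kind": "nhi", "created": "2024-05-20", "expires": "2024-05-21",
     "last_used": "2024-05-20", "privs": ["deploy"]},
    {"id": "legacy-script", "kind": "nhi", "created": "2021-06-01", "expires": None,
     "last_used": "2023-01-10", "privs": ["read"]},
]


def _date(s):
    """Parse a YYYY-MM-DD string into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_human(rec, now):
    findings = []
    if not rec.get("mfa"):
        findings.append("mfa_disabled")
    if (now - _date(rec["last_login"])).days > INACTIVE_DAYS:
        findings.append("inactive_disable")
    if BROAD_PRIVS & set(rec.get("privs", [])):
        findings.append("broad_privileges")
    return findings


def audit_nhi(rec, now):
    findings = []
    created = _date(rec["created"])
    if rec.get("expires") is None:
        findings.append("never_expires")
    elif _date(rec["expires"]) - created > NHI_MAX_TTL:
        findings.append("long_lived_credential")
    if (now - created).days > NHI_MAX_AGE_DAYS:
        findings.append("rotate_overdue")
    if (now - _date(rec["last_used"])).days > INACTIVE_DAYS:
        findings.append("unused_revoke")
    if BROAD_PRIVS & set(rec.get("privs", [])):
        findings.append("broad_privileges")
    return findings


def audit(inventory, now=NOW):
    """Return {identity_id: [findings...]} for every record in the inventory."""
    result = {}
    for rec in inventory:
        checker = audit_human if rec["kind"] == "human" else audit_nhi
        result[rec["id"]] = checker(rec, now)
    return result


def total_findings(report):
    """Count findings across the whole report, a crude hygiene score."""
    return sum(len(v) for v in report.values())


if __name__ == "__main__":
    for ident, findings in audit(INVENTORY).items():
        print(f"{ident:15s} {', '.join(findings) or 'ok'}")
```

Run against the sample inventory, alice and ci-deployer come back clean (ci-deployer's one-day credential is exactly the short-lived shape the text recommends), bob lacks MFA, the departed contractor is both inactive and an admin, and the two static service credentials are flagged as never expiring and overdue for rotation, with legacy-script additionally unused for over a year. Those last findings are the "orphaned, over-privileged, never rotated" NHI profile the survey ties to higher breach costs.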

As AI agents proliferate, the emerging category of Identity Threat Detection and Response, ITDR, is becoming less optional. Combined with a Zero Trust security model that treats every access request as potentially suspicious until verified, these tools create the detection and response capability that most organizations currently lack.

None of this is cheap or simple. But the survey makes the alternative cost visible in a way that is hard to argue with. Three breaches per year, at a mean recovery cost of $1.64 million each, adds up faster than most security budgets. The question organizations are increasingly being forced to answer is not whether they can afford to invest in identity security. It is whether they can afford not to.
