

























FusionAuth’s 2026 State of AI and Identity Report finds that nearly two-thirds of organizations have experienced a confirmed AI identity breach in the past year, and among those who feel most secure, the rate jumps to 84%.
This headline result details how AI is reshaping identity infrastructure, security posture, and enterprise trust. The findings reveal a profound and counterintuitive crisis: the organizations that feel most prepared are getting hit the hardest.
65% of respondents reported a confirmed AI identity-related cyber incident in the past 12 months, with another 23% reporting a near miss. Only 12% emerged from the past year without an incident or close call. But the headline finding is not the breach rate alone; it is who is getting breached.
Among organizations that rated themselves ‘extremely confident’ in their AI security posture, 84% had already experienced a confirmed incident. That figure drops to 64% among those ‘very confident’, and to just 17% among those who are ‘not so confident’. The gradient is near-perfect says FusionAuth: confidence and breach rates move together.
Key findings include:
“Confidence appears to be tracking deployment velocity and governance activity, not actual protection,” said Brian Bell, CEO of FusionAuth. “The faster organizations move, the more confident they feel. The faster they move, the larger their attack surface. Written policies don’t answer the questions that matter: can you scope what each agent can access? Can you see what it’s doing? Can you prove what it accessed after the fact? Can you revoke access before a near miss becomes something worse? Architecture answers those questions. Policy alone does not.”
The report also notes that organizations with more mature security programmes are better at detecting incidents, meaning lower-confidence organizations may not be safer, but simply have less visibility into what is already happening.
The deployment model an organization uses for its identity platform correlates strongly with breach outcomes. Organizations using multi-tenant SaaS identity platforms report confirmed incidents at more than twice the rate of those using self-hosted or on-premises deployments: 83% vs 38%.
In a shared SaaS environment, a single compromised token or misconfigured policy does not stay contained. It cascades across every AI workflow connected to the identity layer, model access, data pipelines, automation actions, and downstream services, creating a fundamentally different blast radius than a self-hosted or isolated deployment.
The highest-risk profile in the study is not a low-maturity organization. It is the opposite: companies running AI in production, using AI broadly across the workforce, and operating on multi-tenant SaaS identity infrastructure. In this cohort, 90% reported a confirmed incident and 96% faced shadow AI challenges.
AI identity risk has moved beyond the security team. 85% of respondents have faced customer, partner, or regulatory demands to demonstrate tenant isolation at least occasionally, while 56% face it frequently. Tenant isolation has shifted from a backend implementation detail to a commercial requirement that now determines whether enterprise deals close.
Among organizations where AI is the primary driver of identity reevaluation and customers frequently demand proof of isolation, 99% reported a confirmed incident, and 95% are planning significant increases in investment, pointing to a buying motion driven by urgency rather than planning.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。