The State of Identity Security 2026 report warns that identity compromise remains the dominant route for cyberattacks and ransomware.
The study found that 71% of organisations suffered at least one identity-related breach in the past year, with respondents reporting three separate incidents on average. Repeat victimisation is also rising, with 5% of organisations reporting six or more identity breaches.

Figure note: (all breaches), n=207 (breaches involving NHIs). Source: State of Identity Security 2026, Sophos.
Sophos attributes most attacks to a combination of human error and poor management of non-human identities (NHIs)—including service accounts, API keys and other machine-to-machine credentials. The problem is intensifying as agentic AI accelerates attack workflows, potentially granting or scaling privileges faster than security teams can track and revoke access.
A critical finding links identity attacks to ransomware outcomes. Two thirds of ransomware victims (67%) responding to the survey said their ransomware incident stemmed from an identity attack, reinforcing identity compromise as a primary ransomware delivery mechanism.
The financial impact is substantial: the report cites a mean recovery cost of $1.64 million and a median of $750,000, with 73% of affected organisations facing costs of $250,000 or more.
“Identity has become the primary attack surface in modern cybersecurity, and this data shows most organizations are losing ground,” said Ross McKerchar, chief information security officer at Sophos.
He added that the non-human identity problem is “particularly urgent”, warning that AI agents are being granted privileges faster than security teams can monitor them.
Beyond headline breach rates, the report highlights ongoing operational weaknesses. Only 24% of organisations continually monitor for unusual login attempts, while more than half check no more often than every three months. Detection gaps persist: 14% of breached organisations were unable to detect and stop their most significant identity attack before damage occurred.
Sophos also notes that compliance difficulty correlates with higher breach rates, and that energy, oil/gas and utilities (80%) as well as federal/central government (78%) recorded the highest breach exposure across surveyed sectors.
To reduce identity-based risks, Sophos recommends a multi-layered approach: enforce MFA for all users, apply least-privilege access, rapidly remove inactive identities, and harden NHI estates through inventory and classification, short-lived credentials, secrets management, identity threat detection and response (ITDR), and Zero Trust controls.
