Companies are failing to keep up with AI’s identity sprawl, creating entry points for hackers

Dive Brief:

The rate of data breaches at companies that widely use AI tools is significantly higher than the rate at companies that don’t — 43% compared with 11% over the past 12 months — the identity security firm Netwrix said in a report published on Wednesday.
AI tools such as agents significantly increase organizations’ “identity footprint,” creating more gaps that hackers can exploit, Netwrix said.
At the same time, Netwrix found, the companies using AI the most widely are also the ones taking identity management the most seriously.

Dive Insight:

Netwrix’s report highlights the security risks of the sprawling web of user accounts and other identities that companies must create to use agents, copilots and other AI tools.

“AI agents are now acting on behalf of humans against sensitive data,” Netwrix researchers wrote. “Non-human identities need the same operational rigor long applied to privileged human access.”

And yet many companies aren’t taking identity management seriously, the report found. Roughly three-quarters lack “a single, unified view of sensitive data and which identities have access to it,” researchers said. More than half of organizations lack an up-to-date database of sensitive data, 71% can’t quickly determine which identities can access which data and 70% don’t have a security strategy linking data protection with identity governance.

Identity management is far from a new challenge for enterprises, but AI has magnified it, and companies are not always keeping pace. Three-quarters of organizations aren’t fully overseeing what AI identities are doing in their systems, even as 41% say they’re letting AI agents access sensitive data and perform vital tasks.

Netwrix’s report highlights how hackers have used identity security weaknesses as entry points in target networks. Three-quarters of incidents in which hackers access sensitive data involve compromises of identities or misconfigured account permissions. But despite widespread corporate awareness of this threat, most companies aren’t mitigating it.

Seventy-six percent of organizations can’t immediately revoke inactive accounts’ data access, according to the report, and 72% say their accounts have excessive permissions or they’re unsure which permissions their accounts have. Even more worrisome, roughly two-thirds of organizations said they believe at least some of their accounts have unnecessary access to vital data. Only one-quarter of companies said they were fully confident in their ability to detect potentially dangerous account access permissions.

The report — which also includes data about companies’ readiness to govern their AI systems and the frequency of unauthorized-identity-access incidents in different organization size segments — is based on a worldwide survey of 2,317 security professionals at 1,889 organizations in 60 industries.