Tags: AI Security, Agentic AI, credential-theft

71% of Organizations Breached Through Identity Gaps — AI Agents and Non-Human Identities in 2026


Sophos published its State of Identity Security 2026 report this week, surveying organizations across 17 countries and 14 industries in Q1 2026. The numbers are not surprising if you have done incident response. They are still worth stating clearly.

71% of organizations suffered at least one identity-related breach in the past year. The mean recovery cost was $1,637,363. The median was $750,000. Five percent of organizations reported six or more separate identity breaches.

These are not outlier events. Identity compromise is the standard initial access path now.

The non-human identity problem

Here is the finding that matters most for 2026: non-human identity (NHI) weakness was the root cause in 41% of successful identity breaches.

Non-human identities include API keys, service accounts, OAuth application credentials, machine-to-machine authentication tokens, and, increasingly, AI agent credentials. These identities are not managed by the same processes as human user accounts. They often lack expiry dates. They are rarely rotated. Anomalous usage is rarely monitored in real time. In many organizations, they live in configuration files, environment variables, and CI/CD secrets stores that no single team owns end-to-end.

Estimates of the ratio of NHIs to human identities in a typical enterprise run as high as 100:1. Sophos notes that only 24% of organizations continuously monitor for unusual login attempts, which means the other 76% rely on periodic reviews, automated alerting on known-bad patterns, or nothing at all.
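The lifecycle gaps described above (no owner, no expiry, no rotation, dormant credentials, over-broad scope) are mechanical to check once you have an inventory. The following is an added example, not code from the article or from Sophos: it audits a constructed NHI inventory against hypothetical thresholds (90-day rotation, 30-day dormancy) and reports the findings per identity. The record shape, the thresholds and the scope names are assumptions for illustration; a real inventory would be exported from your secrets store, cloud IAM and CI/CD variable listings.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Reference time for the audit (fixed so the example is reproducible).
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)

# Hypothetical policy thresholds; tune to your own governance rules.
MAX_ROTATION_AGE = timedelta(days=90)
DORMANT_AFTER = timedelta(days=30)
BROAD_SCOPES = {"*", "admin", "owner", "root"}


@dataclass
class NonHumanIdentity:
    ident: str
    kind: str                          # api_key | service_account | oauth_app | agent
    owner: Optional[str]
    created_at: datetime
    last_rotated_at: Optional[datetime]
    expires_at: Optional[datetime]
    last_used_at: Optional[datetime]
    scopes: List[str] = field(default_factory=list)


def audit_nhi(nhi: NonHumanIdentity, now: datetime = NOW) -> List[str]:
    """Return the policy findings for one identity, in a fixed order."""
    findings = []
    if nhi.owner is None:
        findings.append("no-owner")            # nobody to ask before revoking
    if nhi.expires_at is None:
        findings.append("no-expiry")           # lives until someone remembers it
    elif nhi.expires_at < now:
        findings.append("expired-but-present") # should already have been removed
    rotated = nhi.last_rotated_at or nhi.created_at
    if now - rotated > MAX_ROTATION_AGE:
        findings.append("stale-rotation")
    if nhi.last_used_at is None or now - nhi.last_used_at > DORMANT_AFTER:
        findings.append("dormant")             # unused credentials are pure risk
    if any(s in BROAD_SCOPES or s.endswith(":*") for s in nhi.scopes):
        findings.append("broad-scope")         # wildcard or admin-level grant
    return findings


def audit_inventory(inventory: List[NonHumanIdentity], now: datetime = NOW) -> Dict[str, List[str]]:
    """Map identity -> findings, omitting identities that pass every check."""
    report = {}
    for nhi in inventory:
        findings = audit_nhi(nhi, now)
        if findings:
            report[nhi.ident] = findings
    return report


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory (not real data): one of each NHI kind the article lists.
INVENTORY = [
    NonHumanIdentity("ci-deploy-key", "api_key", "platform", _d(2025, 1, 10),
                     None, None, _d(2026, 3, 31), ["deploy:write"]),
    NonHumanIdentity("agent-support-bot", "agent", "cx", _d(2026, 2, 15),
                     _d(2026, 2, 15), _d(2026, 8, 15), _d(2026, 3, 31),
                     ["tickets:*", "customers:read"]),
    NonHumanIdentity("svc-legacy-etl", "service_account", None, _d(2023, 6, 1),
                     _d(2024, 1, 1), None, _d(2025, 10, 1), ["*"]),
    NonHumanIdentity("oauth-calendar-sync", "oauth_app", "it", _d(2026, 3, 1),
                     _d(2026, 3, 1), _d(2026, 6, 1), _d(2026, 3, 30), ["calendar:read"]),
]

if __name__ == "__main__":
    for ident, findings in audit_inventory(INVENTORY).items():
        print(f"{ident}: {', '.join(findings)}")
```

The ordering of checks matters less than the fact that each one is a question the owning team must be able to answer; an identity with "no-owner" and "broad-scope" together is the case the 41% figure is describing. The example treats "used in the last 30 days" as evidence of legitimacy only in the lifecycle sense; whether that use was anomalous is a monitoring question, not an inventory one.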

AI agents make the NHI surface larger, faster

Every AI agent you deploy has credentials. Those credentials allow the agent to take actions on behalf of the organization: calling APIs, reading documents, triggering workflows, accessing data stores. In a well-governed deployment, those credentials are scoped to least privilege, monitored for anomalous use, and rotated on a schedule. In most current deployments, they are not.

The agentic AI wave is moving faster than identity governance practices. Organizations are spinning up AI agents to automate workflows, and each one adds to an NHI surface that is already poorly managed. The Sophos report captures this at a systemic level: NHI weakness is already the root cause of 41% of identity breaches, and that is before most organizations have deployed significant agentic AI infrastructure.

The attack surface is growing faster than the governance is.

The ransomware-identity pipeline

Sophos also quantifies the ransomware connection: 67% of ransomware victims report the incident was directly tied to their most significant identity attack. A single compromised credential, human or non-human, is frequently the entry point that ends in full-scale encryption and extortion.

This is not a coincidence. Ransomware operators routinely begin with credential theft - a phishing payload, a token harvested from a misconfigured CI/CD pipeline, an API key found in a public repository - and then move laterally through the network using those credentials. The identity attack and the ransomware attack are not two incidents. They are two phases of the same operation.

What to do about it

The Sophos report recommends continuous monitoring for unusual login attempts (not periodic review), strict governance of NHI lifecycles (rotation schedules, expiry policies, scope limits), and audit of all external application integrations for the access scope they have been granted. For organizations deploying agentic AI: build identity governance for AI agent credentials into the deployment process, not as an afterthought.
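The first recommendation, continuous monitoring for unusual login attempts rather than periodic review, is the one most often reduced to a slogan, so here is what the minimum viable version looks like for non-human principals. This is an added example, not code from the article or from Sophos. It builds a per-principal baseline (source IPs and an hour-of-day window) from a constructed week of successful logins, then evaluates a constructed later batch and raises alerts for an unknown principal, a new source IP, a login outside the usual hours, and repeated failures. The log format, field names and failure threshold are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

FAILURE_THRESHOLD = 3   # hypothetical: alert on the third failed auth per principal

# Constructed baseline (not real logs): one JSON object per line, in the shape
# an IdP or API gateway might emit for non-human principals after normalization.
BASELINE_LOG = """\
{"ts": "2026-03-02T02:05:00Z", "principal": "svc-etl", "src_ip": "10.20.0.5", "outcome": "success"}
{"ts": "2026-03-03T02:07:00Z", "principal": "svc-etl", "src_ip": "10.20.0.5", "outcome": "success"}
{"ts": "2026-03-04T02:04:00Z", "principal": "svc-etl", "src_ip": "10.20.0.5", "outcome": "success"}
{"ts": "2026-03-02T09:30:00Z", "principal": "agent-support-bot", "src_ip": "10.30.0.7", "outcome": "success"}
{"ts": "2026-03-03T13:10:00Z", "principal": "agent-support-bot", "src_ip": "10.30.0.7", "outcome": "success"}
{"ts": "2026-03-04T16:45:00Z", "principal": "agent-support-bot", "src_ip": "10.30.0.7", "outcome": "success"}
"""

# Constructed events from a later day, evaluated against that baseline.
NEW_LOG = """\
{"ts": "2026-03-10T02:06:00Z", "principal": "svc-etl", "src_ip": "10.20.0.5", "outcome": "success"}
{"ts": "2026-03-10T14:30:00Z", "principal": "svc-etl", "src_ip": "203.0.113.44", "outcome": "success"}
{"ts": "2026-03-10T10:00:00Z", "principal": "agent-support-bot", "src_ip": "10.30.0.7", "outcome": "success"}
{"ts": "2026-03-10T10:05:00Z", "principal": "agent-support-bot", "src_ip": "10.30.0.7", "outcome": "failure"}
{"ts": "2026-03-10T10:05:10Z", "principal": "agent-support-bot", "src_ip": "10.30.0.7", "outcome": "failure"}
{"ts": "2026-03-10T10:05:20Z", "principal": "agent-support-bot", "src_ip": "10.30.0.7", "outcome": "failure"}
{"ts": "2026-03-10T03:00:00Z", "principal": "svc-backup", "src_ip": "10.50.0.2", "outcome": "success"}
"""


def parse(log: str):
    """Yield one event dict per non-empty line, with the UTC hour attached."""
    for line in log.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["hour"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).hour
            yield ev


def build_baseline(log: str) -> Dict[str, dict]:
    """Per principal: source IPs seen and the [earliest, latest] hour of successful logins."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in parse(log):
        if ev["outcome"] == "success":           # only known-good activity shapes the baseline
            baseline[ev["principal"]]["ips"].add(ev["src_ip"])
            baseline[ev["principal"]]["hours"].add(ev["hour"])
    return dict(baseline)


def detect(log: str, baseline: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (principal, reason, timestamp) alerts for events that break the baseline."""
    alerts = []
    failures = defaultdict(int)
    for ev in parse(log):
        p = ev["principal"]
        if p not in baseline:
            alerts.append((p, "unknown-principal", ev["ts"]))   # nothing to compare against
            continue
        if ev["src_ip"] not in baseline[p]["ips"]:
            alerts.append((p, "new-source-ip", ev["ts"]))
        lo, hi = min(baseline[p]["hours"]), max(baseline[p]["hours"])
        if not lo <= ev["hour"] <= hi:                          # simple window; no midnight wrap
            alerts.append((p, "unusual-hour", ev["ts"]))
        if ev["outcome"] == "failure":
            failures[p] += 1
            if failures[p] == FAILURE_THRESHOLD:
                alerts.append((p, "repeated-failures", ev["ts"]))
    return alerts


if __name__ == "__main__":
    for principal, reason, ts in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{ts} {principal}: {reason}")
```

A service account that has only ever authenticated from one internal address at 02:00 suddenly succeeding from a public address at 14:30 is exactly the signal that periodic review cannot see and that the 76% are not watching for. The baseline here is deliberately crude (a week of data, an hour window with no midnight wrap, exact IP match); in production you would baseline over longer periods, compare network ranges or ASNs rather than single addresses, and feed the alerts into whatever already pages your responders.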

The cost of not doing this is now documented in dollars: $1.6M mean recovery, and that is before regulatory exposure, reputational damage, or business disruption.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss identity governance practices for agentic AI deployments.
