“Leap and the net will appear” urges action before certainty arrives. The Identity Underground’s Annual Pulse 2026 report says 97% lack full preparedness for AI-driven identity attacks. Given the maturity of AI investment, leaders now seem to be hoping the net appears, or is set up, quickly enough to address AI risk.
(EDITORIAL NOTE: It’s not without irony that we note the line “Leap and the net will appear” is often attributed to naturalist John Burroughs.)
Two Timelines Collide Inside Identity Security
The Identity Underground’s latest findings expose a widening gap between today’s fast-moving identity attacks and the slow drag of legacy infrastructure, signaling an identity security market in active transition. The survey draws on an invite-only community of identity practitioners and executives. The group shared its findings publicly for the first time.
The report looks back at 2025 as the baseline year. It treats 2025 as a period of rebuilding and course correction. It sums up that reality with a simple theme: “Looking After the Old While Keeping an Eye Out for the Future.”
When the Board Wants Agents, Attackers Want Passwords
Executives put AI agent security at the top of their 2026 agenda. The report shows 50% rank it as their top priority. The accompanying release reports 54% for AI-enhanced identity threats. Practitioners track a stubborn entry point. Credential stuffing and password spraying accounted for 43% of reported attacks.
Legacy pressure drives the conflict between current and future priorities. The report notes, “You can’t watch for the future when you’re constantly putting out fires in old infrastructure.” As a result, teams are split between modernization and incident response. At the same time, boards push for fast adoption of AI agents while teams continue cleaning up old authentication paths.
Legacy Drag and the NTLM Problem
Legacy infrastructure continues to drive identity exposure across enterprises, as outdated systems remain in use. The report says 82% of organizations report significant legacy risk. The footprint is substantial: 43% of organizations report that 10% to 25% of their infrastructure is legacy, 30% report 25% to 50%, and 9% report over 50%.
NTLM remains the most cited legacy security obstacle, with 61% listing NTLM authentication as their primary challenge. The report connects this legacy protocol to risks such as lateral movement and limited native MFA support, highlighting how continued NTLM use increases exposure to threats. To address these legacy risks, teams modernize cautiously to preserve uptime: 57% use gradual modernization with parallel measures, 48% add monitoring and compensating controls, and 24% accelerate replacement due to security concerns.
MFA Coverage Climbs, Yet Friction Creates Exposure
Many programs now offer strong MFA (multi-factor authentication); the report says that over 30% reached 90%-100% coverage. This baseline coverage reduces many simple takeovers, but friction still rises as controls stack up.
Access approvals create a major drag for users and admins. The report says 58% see approval workflows causing more delays than incidents. Another 40% say policies prevent legitimate work. Teams also report repeated prompts and broken focus. The report links exhaustion to bypass behavior. Users reuse passwords and find shortcuts when work stalls.
Non-Human Identities Multiply Faster Than Governance
Non-human identities expand rapidly in modern environments. Service accounts, API keys, cloud roles, and automation credentials fuel this growth. Visibility remains the first hurdle for defenders, with 45% citing a lack of insight into non-human identities.
Secret scanning shows uneven maturity. Eighteen percent run comprehensive scanning. Thirty-seven percent regularly review code and documents. Credentials still leak into scripts and shared channels, widening breach scope and recovery cost.
Third-party access sprawl adds another risk multiplier. The report says 37% have 21 or more third-party companies with access. Each vendor brings integrations and tokens. That sprawl complicates containment decisions. It also complicates notification timelines.
Detection Improves, Response Still Depends on Humans
Security leaders report improved detection capability. The report says 68% feel confident in detecting identity-based attacks. The report ties that progress to investments in SIEM and analytics. Response speed still lags behind detection speed.
Most confidence still rests on manual action. The report says 53% rely on rapid manual remediation. Only 8% cite real-time detection paired with automated response. Tool sprawl slows action further. Fifty-two percent cite weak integration between security tools.
Practitioners describe incident work as manual correlation: they pull IdP logs, check privileged access tools, query entitlement systems, and match timestamps. The report refers to identity teams as “human APIs during incidents.” Because attackers can move faster than these manual workflows, and AI-driven automation further accelerates their pace, response speed remains a critical issue.
Consolidation Moves From Plan to Practice
Organizations now consolidate identity security tooling to achieve speed and clarity. The report says 55% implement unified identity security platforms and 69% deploy SIEM with identity analytics. This consolidation targets faster correlation, cleaner context, and fewer handoffs between siloed tools, which speaks to the incident response challenges described above.
Industry voices in the report underline the urgency. Simon Moffatt says, “These systems were never designed for today’s threat landscape.” Hed Kovetz says, “Attackers look at the entire attack surface.” He warns that silos help adversaries scale.
Bottom Line: Fix the Foundation, Then Build
The report closes with a leadership message for 2026: Teams know what to do and are moving that way. Final guidance: “Fix the foundation. Build what comes next.” This supports safer AI adoption and stronger incident outcomes.