Identity Risk Shifts As AI Drives New Wave Of Impersonation Attacks

Identity risk can start with a seemingly routine call. At 9:17 a.m., the help desk phone rings. The voice sounds calm, familiar, and slightly annoyed. It belongs to the CFO. Or seems to. He says he is locked out and needs access restored right away. The technician recognizes the voice and sends the reset link. Minutes later, the real CFO walks into a meeting and says he never called. That small breach of trust exposes the urgent new reality detailed in the 2026 State of Passwordless Identity Assurance report from HYPR and 451 Research, an S&P Global company: generative AI and agentic AI have overtaken stolen credentials as top enterprise identity security concerns. Organizations must now immediately rethink their strategies for impersonation, authentication, and cyber defense, including cyber insurance.

The report makes it clear: the industry is no longer fighting a human-scale battle over leaked passwords. Now, it faces a relentless, industrial-scale onslaught from automated agents, deepfakes, and synthetic media. In the report’s alarming words, “attackers aren’t breaking in; they’re logging in.”

Identity Verification Becomes Core Cybersecurity Control

AI-driven attacks now dominate the threat landscape, demanding immediate enterprise response. For the first time in the report’s history, 53% of organizations identified generative AI as the top identity security concern, while 45% identified agentic AI. These technologies have quickly displaced stolen credentials as the most pressing threat.

Security teams increasingly face automated phishing campaigns, deepfake impersonations, and voice cloning fraud. Attackers use AI to generate convincing messages that mimic the voices of executives or internal staff.

The report states that 65% of organizations that experienced AI-driven incidents said personalized phishing emails were the most common form of AI-enabled attack.

Synthetic media also poses a growing identity risk. Organizations reported encountering several deepfake formats:

  • 45% saw prerecorded deepfake videos used in scams or impersonation attempts
  • 43% experienced deepfake audio during live calls
  • 40% reported manipulated voice messages or cloned audio

Nearly 9 in 10 organizations affected by AI attacks reported encountering some form of deepfake media.

Researchers urgently warn that AI acts as a threat multiplier, not just a replacement for traditional attacks. While phishing and ransomware have not gone away, AI drastically accelerates and amplifies their scale, creating an immediate, unprecedented risk.

Surges Across Enterprises

Identity impersonation incidents are surging at an alarming rate as attackers aggressively exploit weak authentication processes. Organizations must act now to counter these rapidly evolving tactics.

Credential misuse remains the most common impersonation method, with more than half of organizations experiencing such incidents.

However, new forms of identity fraud have emerged. According to 39% of organizations, fraudulent job applicants are the second-most-common type of impersonation threat.

Remote hiring and hybrid work environments create verification gaps. Attackers now use AI-generated personas to apply for jobs or access internal systems.

The report sounds an urgent alarm about a growing verification challenge. “The shift toward hybrid and remote work has created verification blind spots,” researchers wrote, warning that attackers will exploit every gap unless immediate countermeasures are taken.

Deepfake audio and video also support impersonation attacks against call centers and help desks. Voice cloning enables attackers to impersonate employees or executives during authentication.

Detection Improves But Attack Speed Increases

Security tools now detect identity-based attacks faster than before.

According to the report, 65% of identity-related attacks are detected within a few hours, and 28% are identified immediately.

Third-party security tools, such as identity and access management (IAM) systems, detect most incidents. Employees, audits, and external reports also contribute to discovery.

However, improved detection has not cured identity risk. Today, AI-driven automation enables attackers to exfiltrate data at alarming speed—often before security teams even have a chance to respond. The window for action is rapidly closing.

Researchers note that attackers can steal credentials, establish persistence, and access sensitive data faster than incident response teams can react.

Passwordless Adoption Reaches A Plateau

The industry has promoted passwordless authentication for years. Yet enterprise adoption has slowed.

The report shows that 43% of organizations currently deploy passwordless authentication, while a larger 76% still use traditional usernames and passwords.

Several factors urgently demand attention. Cost and budget constraints are now the top barrier, cited by 40% of respondents. Legacy application support creates a stubborn obstacle that can no longer be ignored.

Despite the pause, the pipeline for passwordless adoption remains strong. Nearly one-third of organizations run pilot programs for passwordless authentication, the highest of any authentication technology.

Passkeys based on FIDO standards have gained strong industry support. Sixty-four percent of respondents now identify passkeys as the leading phishing-resistant authentication method, up from the previous year.

Identity Verification Gains Enterprise Momentum

Identity verification (IDV) technologies have emerged as a central defense against impersonation attacks.

The report shows that 65% of organizations now use identity verification tools, making IDV one of the most widely deployed identity security controls among those surveyed.

Enterprises use IDV for several purposes:

  • Account creation and onboarding
  • High-risk transactions
  • Credential resets and account recovery

Biometric verification is the top current IDV method, used by 67% of surveyed organizations, followed by government-issued document checks used by 64%.

However, implementation remains fragmented. On average, only 28% of employees use internal identity verification systems.

Security teams often restrict these tools only to executives or privileged users—leaving many enterprises dangerously exposed due to a lack of comprehensive, enterprise-wide identity verification workflows. Organizations must move quickly to close this gap.

HYPR CEO Bojan Simic described the scale of the shift in identity threats.

“In 2026, automated agents will leak more passwords than people,” Simic said. “We must move past point-in-time security and make identity verification a permanent part of how we manage every employee.”

The Industry Enters The “Age Of Industrialization”

Researchers frame the current moment as a transition in identity security maturity.

Organizations now understand the importance of phishing-resistant authentication and passwordless technologies. The next challenge involves deploying them across the entire enterprise.

The report’s foreword describes the shift as the “Age of Industrialization.”

Security leaders must integrate identity systems across HR, IT, legal, and security teams. Identity security now touches every stage of the workforce lifecycle.

These stages include onboarding, account recovery, device replacement, and access to critical applications.

The report warns that enterprises still carry a large “password debt.” Legacy credentials and fragmented controls leave organizations exposed to identity-based attacks.

Researchers conclude that enterprises must operationalize identity verification and passwordless authentication across the full workforce.

Without that transformation, organizations will continue to respond to breaches with reactive spending rather than proactive security.

Conclusion

The 2026 State of Passwordless Identity Assurance report highlights a dramatic shift in enterprise identity risk.

Artificial intelligence now powers impersonation attacks at an industrial scale. Deepfakes, voice cloning, and automated phishing campaigns continue to expand the threat surface.

At the same time, enterprises increasingly recognize the need for stronger identity verification and phishing-resistant authentication.

The tools already exist. The challenge now involves deploying them consistently across the enterprise.

As the report concludes, closing the identity deployment gap will determine whether organizations achieve durable resilience against modern identity threats.

FAQ

Identity Risk And AI Threats: Key Questions

1. What Is Identity Risk In Cybersecurity?

Identity risk is the danger that attackers will misuse, steal, fake, or hijack a person’s digital identity to gain access to systems, data, or services. It includes stolen passwords, phishing, deepfakes, voice cloning, and fraudulent account recovery.

2. Why Is Identity Risk Getting Worse In 2026?

The report says AI has increased the speed and scale of identity attacks. Generative AI and agentic AI now help attackers produce convincing phishing messages, cloned voices, fake videos, and synthetic identities much faster than before.

4. Are Passwords Still A Major Problem?

Yes. Passwords remain widely used across enterprises even as organizations invest in newer tools. The report found that 76% of respondents still rely on usernames and passwords, which leaves many organizations exposed to credential theft and phishing.

5. What Is Passwordless Authentication?

Passwordless authentication lets users sign in without entering a traditional password. Common methods include FIDO passkeys, hardware security keys, biometrics, and device-based authentication. These methods can reduce phishing risk when deployed correctly.

Identity Security And Enterprise Response

6. Why Has Passwordless Adoption Slowed Down?

The report says awareness has improved, but scaling remains hard. Cost, legacy application support, account recovery concerns, and deployment complexity continue to slow enterprise-wide rollout. Many organizations are still stuck between pilot programs and full production.

7. What Is Identity Verification, Or IDV?

Identity verification, or IDV, confirms that a person is really who they claim to be. Organizations use methods such as biometric checks, government-issued ID documents, and device recognition. IDV is becoming a key control for onboarding, account recovery, and high-risk transactions.

8. How Widely Are Companies Using Identity Verification?

The report found that 65% of organizations use IDV, but internal deployment remains limited. Many companies apply it only to a small share of employees or specific workflows instead of using it across the full workforce.

9. What Types Of AI-Driven Identity Attacks Are Most Common?

Personalized phishing leads the list, according to the report. Organizations also reported prerecorded deepfake videos, deepfake audio during live calls, altered images, and manipulated voice messages. These attacks often target help desks, hiring teams, and identity recovery workflows.

10. What Should Organizations Do Next To Reduce Identity Risk?

The report points toward enterprise-wide execution. Organizations need stronger phishing-resistant authentication, broader identity verification, better coordination across HR, IT, IAM, and security, and less reliance on reactive spending after breaches. In short, they need to treat identity as a full lifecycle security issue, not just a login problem.
