Semperis Publishes Study on AI’s Effect on the Attack Surface of Identity Systems
Study reveals Australian organisations are granting AI agents access to essential systems faster than safety measures are implemented. Without comprehensive security for identity systems, hackers can speed attempts to compromise Active Directory, EntraID or Okta
Posted: Thursday, May 14

SYDNEY, Australia – 14 May 2026 – Semperis, the identity-driven cyber resilience and crisis response company, today published the results of a global study of 1,100 organisations across many industries, aiming to understand AI’s effect on the attack surface of identity systems including Active Directory, EntraID and Okta. The study shows that in Australia, AI is quietly redrawing the boundaries of identity attack surfaces, and organisations are giving AI agents the keys to critical systems faster than they are putting guardrails around those new identities.

The State of Identity Security in the AI Era study found that 4 in 5 (80%) Australian organisations believe AI will increase attacks on identity infrastructure. In addition, 95% of Australian organisations already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access. Ninety-two percent say AI is installed on at least some local machines with access to SSH and encryption keys, yet only 21% are very confident they could regain control if AI exposes admin credentials, compared to 32% globally. Alarmingly, 1 in 10 Australian organisations (10%) said they were not confident of regaining control.

“The accelerated use of AI is introducing a bevy of new agents, each with its own non-human identity (NHI), throughout global enterprises, and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs,” said Alex Weinert, Semperis Chief Product Officer.

Only half of Australian organisations (52%) say their AI identities are fully registered, authenticated, and authorised in a formal system, compared to 65% globally. In organisations that do track AI identities, 62% use the same system as for human identities, while 38% authenticate and authorise them using a separate system from human users.

“The data reveals that Australian organisations are lagging behind their international peers when it comes to governing AI-related identities. Locally, organisations are racing to introduce AI identities, despite lacking the visibility and controls needed to securely manage them at scale. Compared to their global counterparts, Australian organisations also express less confidence in their ability to regain control of their identity systems if AI were to expose their admin credentials. It is clear that AI is changing the identity threat landscape faster than Australian organisations can adapt,” said Gerry Sillars, Vice President of APJ, Semperis.

“What is striking about the Semperis AI Study is not just how quickly AI is being integrated into identity systems but how unprepared many organisations are to recover when things go wrong. Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability, and recovery readiness. It is a new dimension of an old question, really: Are you resilient enough to respond in the event of critical disruption?” said Grace Cassy, Partner, Ten Eleven Ventures.

Are organisations ready for AI-fuelled identity breaches?

What is concerning from the study is that AI is being placed close to sensitive identity infrastructure and that too few organisations are prepared for the potential consequences. Almost a quarter of surveyed Australian organisations (24%) already use AI agents to manage security‑related help desk tickets, including password resets and VPN access. Another 69% intend to do so within the next year. In parallel, 92% of respondents say that some portion of their workforce has AI installed on local machines where it can access SSH and encryption keys.

“The pattern of global organisations overestimating how quickly they can recover from a cyberattack is real, especially when identity is within the blast radius. On paper, organisations have plans and backups; in practice, identity failures turn technical incidents into prolonged business crises, exposing a dangerous gap between perceived resilience and reality,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.

On the plus side, 79% of respondents indicated that AI identity governance is a priority for them in the coming months. So, how can organisations govern these hard-to-control identities? For now, best practices include:

  • Treat agents explicitly as NHIs in the identity fabric.
  • Enforce least‑privilege, just‑enough, and just‑in‑time access for agents as rigorously as for humans.
  • Segregate agent and human trust boundaries where appropriate.
  • Use UEBA‑style analytics to detect “zombie” or anomalous agent behaviour.
  • Ensure that your organisation can quickly recover identity systems to a trustworthy state if they are breached.
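As an added illustration of the first four practices above (this is example code written for this page, not Semperis's code or anything from the study), the Python below keeps a formal register in which AI agents are first-class non-human identities, issues least-privilege grants that expire just-in-time, refuses a hypothetical set of permissions to agent identities as a trust boundary, and runs UEBA-style checks over a handful of constructed access events to surface unregistered actors, out-of-profile actions, bursts, and a "zombie" agent that still holds a live grant it never uses. All identity names, permission strings, thresholds and events are invented for the example.

```python
"""Added example (not Semperis code): a minimal identity register that treats
AI agents as non-human identities (NHIs), issues least-privilege just-in-time
grants, keeps an agent trust boundary, and runs UEBA-style checks over access
events. All names, permissions and events are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy: permissions an agent identity may never hold, even just-in-time.
AGENT_FORBIDDEN = {"domain_admin", "modify_gpo", "export_ad_database"}
NOW = datetime(2026, 5, 14, 9, 0, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class Grant:
    permission: str
    expires_at: datetime

@dataclass
class Identity:
    name: str
    kind: str  # "human" or "agent"
    grants: list = field(default_factory=list)

class IdentityRegistry:
    """Formal register of human and agent identities with time-boxed grants."""
    def __init__(self):
        self._ids = {}

    def register(self, name, kind):
        if kind not in ("human", "agent"):
            raise ValueError(f"unknown identity kind: {kind}")
        self._ids[name] = Identity(name, kind)

    def lookup(self, name):
        return self._ids.get(name)

    def agents(self):
        return [i for i in self._ids.values() if i.kind == "agent"]

    def grant_jit(self, name, permission, ttl, now):
        """Grant a permission that expires after ttl; refuse forbidden agent permissions."""
        ident = self.lookup(name)
        if ident is None or (ident.kind == "agent" and permission in AGENT_FORBIDDEN):
            return False
        ident.grants.append(Grant(permission, now + ttl))
        return True

    def authorise(self, name, permission, now):
        """Allow only a registered identity holding an unexpired grant."""
        ident = self.lookup(name)
        if ident is None:
            return False
        ident.grants = [g for g in ident.grants if g.expires_at > now]  # drop expired grants
        return any(g.permission == permission for g in ident.grants)

@dataclass(frozen=True)
class Event:
    ts: datetime
    identity: str
    action: str

def detect_anomalies(reg, events, now, expected_actions, burst_threshold, zombie_after):
    """UEBA-style checks: unregistered actors, agents acting outside their expected
    action set, more than burst_threshold events in one clock hour, and 'zombie'
    agents that hold a live grant but showed no activity within zombie_after."""
    findings, last_seen, per_hour = set(), {}, Counter()
    for ev in events:
        ident = reg.lookup(ev.identity)
        if ident is None:
            findings.add((ev.identity, "unregistered"))
            continue
        last_seen[ev.identity] = max(last_seen.get(ev.identity, ev.ts), ev.ts)
        if ident.kind == "agent" and ev.action not in expected_actions.get(ev.identity, set()):
            findings.add((ev.identity, f"unexpected_action:{ev.action}"))
        per_hour[(ev.identity, ev.ts.replace(minute=0, second=0, microsecond=0))] += 1
    findings.update((name, "burst") for (name, _), n in per_hour.items() if n > burst_threshold)
    for agent in reg.agents():
        live = any(g.expires_at > now for g in agent.grants)
        seen = last_seen.get(agent.name)
        if live and (seen is None or now - seen > zombie_after):
            findings.add((agent.name, "zombie"))
    return sorted(findings)

def demo():
    """Walk the constructed scenario; returns the access decisions and findings."""
    reg = IdentityRegistry()
    for name, kind in [("alice", "human"), ("helpdesk-agent", "agent"), ("vpn-agent", "agent")]:
        reg.register(name, kind)
    out = {}
    out["jit_allowed"] = reg.grant_jit("helpdesk-agent", "reset_password", timedelta(minutes=30), NOW)
    out["forbidden_refused"] = reg.grant_jit("helpdesk-agent", "domain_admin", timedelta(minutes=30), NOW)
    # A standing 30-day grant issued 20 days ago: still live, but the agent never used it.
    reg.grant_jit("vpn-agent", "grant_vpn_access", timedelta(days=30), NOW - timedelta(days=20))
    out["within_ttl"] = reg.authorise("helpdesk-agent", "reset_password", NOW + timedelta(minutes=10))
    out["after_ttl"] = reg.authorise("helpdesk-agent", "reset_password", NOW + timedelta(minutes=31))
    out["unregistered_denied"] = reg.authorise("rogue-agent", "reset_password", NOW)
    t = lambda m: NOW - timedelta(minutes=m)  # constructed event timestamps, all in the 08:00 hour
    events = [Event(t(55), "alice", "login")]
    events += [Event(t(50 - 5 * i), "helpdesk-agent", "reset_password") for i in range(5)]
    events += [Event(t(20), "helpdesk-agent", "read_ssh_key"),  # outside its expected action set
               Event(t(10), "rogue-agent", "reset_password")]   # never registered
    expected = {"helpdesk-agent": {"reset_password", "read_ticket"}, "vpn-agent": {"grant_vpn_access"}}
    out["findings"] = detect_anomalies(reg, events, NOW, expected, burst_threshold=5,
                                       zombie_after=timedelta(days=7))
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module prints the decisions: the agent receives a 30-minute password-reset grant but is refused `domain_admin`, is authorised at ten minutes and denied at thirty-one, the unregistered `rogue-agent` is denied outright, and the analytics pass flags the help-desk agent's burst and its off-profile SSH key read, the unregistered actor, and the VPN agent as a zombie holding an unused standing grant. The point of the design is that every decision flows from the register: an identity that is not in it cannot be authorised, and an identity that is in it can be audited for what it does and does not do.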

The full AI Study can be obtained here: https://www.semperis.com/the-state-of-identity-security-in-the-AI-era/
