Press Release

Veza Identity & Access Research Report Reveals Identity Permissions Sprawl has Reached Critical Levels Amid Explosion of Machine and AI Agent Identities Across the Enterprise

The average identity now holds ~100K permissions, 38% of all accounts are dormant, 16.5% of total permissions belong to inactive users, and 27.8% of permissions remain ungoverned

REDWOOD SHORES, Calif.–(BUSINESS WIRE)–Veza, the pioneer in identity security, today released the definitive identity and access permissions research report showing that enterprises are facing a rapidly expanding and increasingly unmanageable identity attack surface—driven by uncontrolled growth in both human and non-human identities (NHIs), as well as associated permissions and entitlements across enterprise workloads. Built from Veza’s proprietary data analyzing millions of identities and billions of permissions and entitlements across global enterprises, the 2026 State of Identity & Access Report highlights broad exposure that is invisible to traditional Identity and Access Management (IAM), Identity Governance and Administration (IGA), and Privilege Access Management (PAM) tools.


“With billions of permissions to manage, security and identity teams are struggling to maintain and enforce the principle of least privilege across their organizations,” says Phil Venables, Cybersecurity Leader, Partner at Ballistic Ventures, and Former CISO, Google Cloud. “Excessive privileges, dormant accounts and over permissioning are running rampant all across the enterprise. The latest State of Identity and Access Report by Veza illustrates these threats and underscores a key tenet: identity risk is everywhere, and it’s growing faster than most teams realize. Every security leader should study this report and use it to inform their roadmap of understanding and countering these threats before they become impossible to address effectively.”

Identity Sprawl Is Out of Control Across Every Enterprise

Veza’s research report found that identity growth is accelerating across humans, machines, contractors, partners, and AI Agents. This is creating an attack surface that is expanding exponentially:

  • Dormant accounts represent 38% of all accounts, providing backdoors for cyber attackers.
  • The average identity now holds 96,000 entitlements, fueling least-privilege and oversight failures.
  • 13% of users lack MFA, and thousands rely on weak SMS or email factors that are vulnerable to attack.
  • 824,000 orphaned accounts (8% of all accounts) have no human owner in the HR systems, but still retain live entitlements.

As identity ecosystems expand, so does the attack surface area for credential misuse, privilege escalation, and lateral movement inside enterprise environments.

“We are on a collision course,” says Nicole Perlroth, Cybersecurity Author & Former New York Times Journalist. “Identity is not only the most vulnerable—and actively targeted—entry point in the enterprise, we must now also reckon with an explosion of ‘non-human identities’, including AI agents to sprawling cloud apps. The volume of permissions security teams are expected to manage has jumped from millions to billions almost overnight. Veza’s 2026 SOIA report lays bare the identity and access insights you simply can’t afford to ignore. The trends in this data are clear and accelerating: as organizations scale and attack surfaces diversify, securing identities and non-human identities isn’t just a ‘best practice’ anymore—it’s table stakes for survival.”

Non-Human Identities Are Reshaping the Enterprise Attack Surface

NHIs—workloads, service accounts, API keys, bots, tokens, automation tools, and certificates—now dominate modern identity ecosystems. The continuous growth of NHIs fuels massive identity debt and expands the attack surface beyond what traditional IAM and IGA systems can monitor and secure.

Veza’s research report highlights the scale of the problem:

  • Just 0.01% of NHIs control 80% of all cloud permissions, making privileged machine accounts disproportionately powerful.
  • Machine identities now outnumber human users 17:1.
  • NHIs typically persist indefinitely unless explicitly decommissioned, unlike human users who go through HR-managed offboarding.

“The findings underscore a stark reality: identity sprawl is an immediate business risk, and adversaries are exploiting it at unprecedented scale,” said Tarun Thakur, CEO and Co-Founder of Veza. “Organizations have surface-level understanding about their identity environment, but they don’t have the tools to reveal the true reality of permissions and effective access. The attack surface is far bigger than anyone realizes. Without precise, real-time access visibility into ‘who can do what,’ organizations are driving blind.”

The result: NHIs have become the dominant identities and the dominant risks inside modern enterprises.

The Path Forward: Identity Over-Permissioning as a Board-Level Metric

The report outlines five priority actions for CISOs, CIOs, and CEOs to regain control of their identity attack surface:

  1. Make identity risk a board-level reporting metric
  2. Establish continuous access visibility across all accounts
  3. Establish programs to progressively reduce the number of dormant and orphaned accounts
  4. Operationalize governance for AI agents and machine identities
  5. Extend identity governance beyond the bare minimum for compliance towards a program that actually reduces true security risk

“Identity access and authorization is the control plane of the modern enterprise,” Thakur added. “Organizations that can quantify and manage identity debt will be the ones that actually shrink their attack surface and stay resilient.”

To read the full report, visit https://veza.com/resources/the-state-of-identity-access-2026/

Methodology

The 2026 State of Identity & Access Report is based on Veza’s proprietary analysis of millions of identities and billions of entitlements across large global enterprises in sectors including financial services, healthcare, technology, retail, and the public sector. Findings were normalized across tenants and validated against sources including Verizon DBIR 2025, CrowdStrike 2025 Global Threat Report, Expel IR data, and advisories from the NSA, CISA, and FBI.

About Veza

Veza is the leader in identity security, helping organizations secure access across the enterprise. Veza’s Access Platform goes beyond identity governance and administration (IGA) tools to visualize, monitor, and control entitlements so that organizations can stay compliant and achieve least privilege. Global enterprises like Wynn Resorts, Expedia, and Blackstone trust Veza to manage identity security use cases, including privileged access monitoring, non-human identity (NHI) security, access entitlement management, data system access, SaaS access security, identity security posture management (ISPM), next-generation IGA, and Agentic AI identity security. Veza has earned recognition from GigaOm’s ISPM Radar. Founded in 2020, Veza is headquartered in Los Gatos, California, and is funded by Accel, Bain Capital, Ballistic Ventures, Google Ventures (GV), New Enterprise Associates (NEA), Norwest Venture Partners, and True Ventures. Visit us at www.veza.com and follow us on LinkedIn, X, and YouTube.

Contacts

Media Contact
Alex Daigle
