Almost three-quarters of organisations suffered at least one identity-related breach in the past year, and on average businesses reported three separate incidents, according to a report from cybersecurity firm Sophos.
The research found that repeat victimisation reached a notable level, with 5% even reporting six or more breaches. These attacks are driven primarily by human error and weak management of non-human identities, a vulnerability that is growing rapidly as agentic AI accelerates attack processes.
Two-thirds of the ransomware victims (67%) responding to the survey confirmed that their ransomware incident stemmed from an identity attack, establishing identity compromise as a primary delivery mechanism for ransomware. Sophos said the financial consequences are steep, estimating a mean recovery cost of around US$1.64m, with 73% of those affected facing costs of US$250,000 or more.
Ross McKerchar, chief information security officer at Sophos, said: “Identity has become the primary attack surface in modern cybersecurity, and this data shows most organisations are losing ground. The non-human identity problem is particularly urgent. AI agents are being granted privileges faster than security teams can track them, and organisations that fail to get ahead of this will find it an increasingly costly gap to close.”
Among the other findings from the State of Identity Security 2026 report, 10% of organisations reported an identity breach that impacted their business in the last year, with the primary consequences being data theft (49%), ransomware (48%), and financial theft (47%).