The State of Identity 2026
Where identity security actually stands, in the numbers, and what to do about it
- Credentials remain the dominant attack path: 22% of breaches start with stolen credentials and 88% of web-app attacks use them.
- Phishing-resistant MFA blocks over 99% of identity attacks, yet 97% of identity attacks are still password attacks.
- Passkeys reached a tipping point: 15B+ accounts can use them, with a 93% sign-in success rate versus ~63% for passwords.
- Machine identities outnumber humans roughly 80 to 1, and 68% of organizations lack identity security controls for AI.
- Stolen sessions now beat MFA: ~31% of credentials stolen by infostealers carry live session cookies.
- Verizon Data Breach Investigations Report 2025
- Microsoft Digital Defense Report 2025
- FIDO Alliance Passkey Index 2025
- CyberArk 2025 Identity Security Landscape
- GitGuardian State of Secrets Sprawl 2025
- IBM Cost of a Data Breach 2025
- Recorded Future 2025 Identity Threat Landscape
Identity is now the primary battleground in security. Not a feature of it, the battleground itself. The data from 2025 makes the case plainly, and the trajectory into 2026 is clear: attackers go after credentials, sessions, and the fast-growing population of machine and AI identities, because that is where the access is. This report reads the year in numbers, every figure sourced, and lays out what to prioritize. It is independent and vendor-neutral. The underlying data lives in our research hub.
The headline: credentials are still the front door
The single most durable fact in identity security is that attackers prefer to log in rather than break in. Stolen credentials were the most common initial access vector in the year's breach data, starting 22% of breaches, and within web-application breaches the picture is starker: 88% of web-app attacks used stolen credentials rather than an exploit (Verizon DBIR 2025). Microsoft frames it from the attack side: 97% of identity attacks are password attacks (Microsoft Digital Defense Report 2025).
Behind those numbers is the human element, present in 60% of breaches, through phishing, error, and social engineering. The lesson is not that people are the problem; it is that any control resting on a human typing a shared secret will be defeated at scale. The breach teardowns on this site are almost all variations on the same theme: a credential or a session, not a zero-day.
Phishing-resistant MFA works. Adoption is the gap.
If credentials are the disease, phishing-resistant authentication is the closest thing to a cure. Microsoft reports that phishing-resistant MFA blocks over 99% of identity attacks. That is among the highest-leverage controls in all of security.
The gap is adoption and quality. Plenty of organizations have "MFA" that is push-based or SMS-based, and both are routinely defeated: push approvals by MFA fatigue, SMS codes by SIM swapping. The 2026 priority is not "turn on MFA," it is "move to phishing-resistant factors," meaning WebAuthn/FIDO2 and hardware-backed credentials, and close the exception list where legacy systems and service accounts still skip it. See the MFA rollout playbook.
Passkeys hit their tipping point
2025 was the year passkeys stopped being a demo. More than 15 billion online accounts can now use passkeys, consumer awareness reached 75%, and the experience data is decisive: a 93% sign-in success rate for passkeys versus roughly 63% for passwords (FIDO Alliance 2025). Passkeys are now both more secure and easier than the thing they replace, which is rare.
For 2026, the enterprise question has shifted from whether to deploy passkeys to how to do it without breaking recovery. The hard parts are enrollment and account recovery, exactly where social-engineering crews like Scattered Spider strike. Our passkey rollout checklist and Passkeys 101 cover the sequence.
Machine and AI identity outran governance
The biggest structural shift in identity is that most identities are no longer human. Machine identities outnumber people roughly 80 to 1 (CyberArk 2025), and the arrival of AI agents is accelerating that curve. These identities (service accounts, workloads, API clients, and now autonomous agents) authenticate constantly, hold real privilege, and are governed far more loosely than human accounts.
The governance gap is quantified and alarming: 68% of organizations lack identity security controls for AI (CyberArk 2025). AI agents are a genuinely new identity type, neither a human nor a static service account. They act on a person's behalf, chain tools together, and need credentials that are scoped, carry the delegation chain, are auditable, and can be revoked instantly. This was the dominant theme at Identiverse 2026. The starting point is inventory and short-lived scoped credentials over standing privilege, covered in "What is non-human identity".
Secrets sprawl is the machine-identity crisis in miniature
If you want to see the machine-identity problem in concrete form, look at secrets. GitGuardian detected 23.8 million secrets leaked on public GitHub in 2024, and, more damning, 70% of leaked secrets were still valid two years later (GitGuardian 2025). A secret that never expires is a credential that never stops being exploitable. Rotation, short-lived credentials, and a real secrets management program are the response, and the same discipline extends to the broader machine identity category.
The post-MFA attack: stolen sessions
The most important emerging threat is that attackers increasingly do not need your password or your MFA at all. Infostealer malware harvests live session cookies, and roughly 31% of credentials stolen by infostealers carry a live session cookie (Recorded Future 2025), with 1.8 billion credentials stolen in the first half of 2025 alone. A stolen session token lets an attacker resume an already-authenticated session, sailing past the login and the MFA prompt entirely.
This reframes the 2026 defensive agenda: authenticating the login is necessary but no longer sufficient. The session itself has to be protected through continuous evaluation, sender-constrained tokens, and identity threat detection. The infostealer and session hijacking teardown walks through how these attacks actually unfold.
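An added illustration (not from the report or any of its sources) of the sender-constrained session idea above: the session cookie is bound to a key held on the device, so the cookie alone, as exfiltrated by an infostealer, cannot resume the session. It uses an HMAC proof of possession with a per-session shared key as a simplified stand-in for DPoP or mTLS binding; all names, lifetimes and values are constructed.

```python
import hashlib
import hmac
import secrets

SESSION_TTL = 900     # short absolute lifetime bounds how long a stolen cookie stays usable
PROOF_WINDOW = 60     # seconds a proof-of-possession remains acceptable; limits replay


def make_proof(client_key: bytes, method: str, path: str, ts: int) -> str:
    """Client side: prove possession of the device-bound key for one request."""
    msg = f"{method}\n{path}\n{ts}".encode()
    return hmac.new(client_key, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side sessions, each bound to the key the client proved at login."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def issue(self, user: str, client_key: bytes, now: int) -> str:
        sid = secrets.token_urlsafe(32)           # this is the cookie value
        self._sessions[sid] = {"user": user, "key": client_key, "expires": now + SESSION_TTL}
        return sid

    def revoke(self, sid: str) -> None:
        """Continuous-evaluation hook: any risk signal can kill the session at once."""
        self._sessions.pop(sid, None)

    def verify(self, sid: str, method: str, path: str, ts: int, proof: str, now: int):
        """Return the user only if the cookie AND the proof-of-possession check out."""
        s = self._sessions.get(sid)
        if s is None or now > s["expires"]:
            return None                            # unknown, revoked, or expired
        if abs(now - ts) > PROOF_WINDOW:
            return None                            # stale proof: replay of an old request
        expected = make_proof(s["key"], method, path, ts)
        return s["user"] if hmac.compare_digest(expected, proof) else None


def demo() -> tuple:
    store = SessionStore()
    now = 1_700_000_000
    device_key = secrets.token_bytes(32)   # constructed: kept in device-bound storage, never in the cookie jar
    sid = store.issue("alice", device_key, now)
    legit = store.verify(sid, "GET", "/mail", now, make_proof(device_key, "GET", "/mail", now), now)
    # Infostealer scenario from the report: the attacker holds the cookie (sid) but not device_key.
    stolen = store.verify(sid, "GET", "/mail", now, make_proof(b"not-the-key", "GET", "/mail", now), now)
    # Captured cookie plus captured proof, replayed five minutes later: outside PROOF_WINDOW.
    replayed = store.verify(sid, "GET", "/mail", now, make_proof(device_key, "GET", "/mail", now), now + 300)
    return legit, stolen, replayed
```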
The cost, and the third-party dimension
The financial stakes stayed high: the global average cost of a data breach was $4.44 million, with a mean time to identify and contain of 241 days (IBM 2025). And the blast radius is increasingly somebody else's: 30% of breaches involved a third party (Verizon DBIR 2025), while 44% of breaches involved ransomware, which overwhelmingly enters through identity. Third-party and supply-chain access is now a first-class identity governance problem, not a procurement footnote, a point the vertical guides return to across regulated industries.
What to prioritize in 2026
The data points to a short, high-leverage list:
- Move to phishing-resistant authentication and eliminate the exception list. This is the highest-return control available. Start with privileged users and externally-facing apps.
- Protect the session, not just the login. Adopt continuous evaluation and ITDR (identity threat detection and response); treat a valid session as a credential that can be stolen.
- Bring machine and AI identity under governance. Inventory non-human identities, kill standing privilege, and put scoped, short-lived, auditable credentials on agents and workloads.
- Fix secrets hygiene. Rotate, expire, and centralize secrets; a two-year-old valid secret is an open door.
- Govern third-party and privileged access with just-in-time elevation and evidenced access reviews.
The throughline for 2026: identity is the security control plane, and the center of gravity has shifted from authenticating humans to governing machines and agents continuously. The organizations that do well treat identity as continuous and risk-based rather than a one-time gate.
Methodology and sources
This report synthesizes publicly available, primary-source data published in 2025 by the organizations listed in the sidebar. Every figure is attributed and carries a source and year in our research hub, which is the canonical, updated record. We take no vendor sponsorship and sell nothing. Figures are reproduced as reported by their sources; where definitions differ between reports (for example, what counts as a "breach"), we note the source so readers can compare like with like. Corrections are welcome at [email protected].