Axiad has released Blind Spots, a research report based on a survey of 312 senior security and IT leaders at U.S. enterprises with 500 or more employees. The findings reveal a disconnect between confidence in identity security and the ability to respond effectively during an incident. While 38% of respondents reported experiencing an identity-related breach with measurable financial or operational consequences, 41% said they still lack a defensible estimate of their organization’s exposure.
Nearly two-thirds of respondents (64%) said they have a complete, real-time picture of identity risk across their environment. Yet fewer than half (43%) said they could assess the full blast radius of a compromised, high-privilege account within minutes. The majority require hours or days, and a small share could not do it reliably at all.
“Believing you can see your identity risk surface is not the same as being able to act on it,” said David Canellos, CEO at Axiad. “When an incident unfolds, organizations that need hours or days to understand the scope of exposure take the hardest hits. That gap between perceived visibility and operational readiness is exactly what this research quantifies.”
The cost is not theoretical. More than a third of respondents (38%) reported experiencing an identity-related security incident with a measurable financial or operational impact. An additional 39% reported narrowly avoiding an incident but said remediation required significant unplanned resources to contain.
Few can put a number on the risk. Effective security investment requires quantifying exposure in financial terms. Yet 41% of respondents said they have no defensible, methodology-backed dollar estimate of their identity risk exposure.
Even among those who claim a financial estimate, the data reveals a tension: “lack of financial context to justify remediation investment” ranks as the third-largest barrier to acting on identity risk gaps, suggesting many estimates aren’t as actionable as they appear. And 34% say their existing tools surface issues but lack the context to prioritize by business impact, leaving security teams generating findings they cannot act on decisively.
AI is widening the gap. 85% of respondents expressed concern that AI-accelerated vulnerability discovery is outpacing their organization’s ability to prioritize and respond, with more than half very or extremely concerned. The volume of findings is rising faster than human teams can manually triage them.
The market is ready to act. 94% of respondents said building a more complete, financially quantified view of their identity risk posture is a top or high priority in the next 12 months.
Related News:
Q&A: Identity Risk Prevention with Axiad CEO David Canellos
Netwrix Data and Identity Report Reveals Gaps in AI Security Readiness
Methodology
The survey was commissioned by Axiad and conducted through Centiment, a B2B panel provider, in May 2026. It reached 312 senior security and IT leaders, including CISOs, CIOs, and VPs/Directors of Security and Identity & Access Management, at U.S. enterprises with 500 or more employees. Technology respondents were capped at approximately 20% of the sample to prevent vertical skew. All respondents confirmed direct involvement in evaluating, selecting, or overseeing identity security solutions.
