CyberArk released research showing a major disconnect between organizations’ confidence in their privileged access programs and the actual effectiveness of their daily practices, as AI increasingly broadens the identity-focused attack surface.
Despite 76% of organizations stating their privileged access management (PAM) strategies are ready for AI, cloud and hybrid environments, many continue to rely heavily on always-on access assumptions that were designed for far less dynamic operating environments.
Organizations Overestimate Their Readiness for AI and Cloud
The study, which surveyed 500 U.S. practitioners in PAM, identity and infrastructure roles, shows that while modernization efforts are underway, very few organizations have adopted adaptive, time-bound access models aligned with Zero Trust principles. Key findings include:
- Only 1% have fully implemented a modern Just-in-Time (JIT) privileged access model.
- 91% report that at least half of their privileged access is always-on, providing unrestricted, persistent access to sensitive systems.
- 45% apply the same privileged access controls to AI agents as they do to human identities.
- 33% say they lack clear AI access policies.
Shadow Privilege and Tool Sprawl Accelerate Risk
The research highlights the widespread and growing issue of ‘shadow privilege’ — unmanaged, unknown or unnecessary privileged accounts and secrets that accumulate silently over time.
- 54% of organizations uncover unmanaged privileged accounts and secrets every week.
- 88% manage two or more identity security tools, creating fragmentation that introduces blind spots.
- 66% say traditional privileged access reviews delay projects.
- 63% admit employees bypass controls to move faster.
“Dynamic, evolving environments mean the nature of privileged access — and how to secure it — has fundamentally changed,” said Matt Cohen, CEO of CyberArk. “With only one percent of organizations having fully implemented a Just-in-Time access model, it’s clear that industry-wide modernization is overdue. As AI agents and non-human identities take on increasingly sensitive tasks, applying the right privilege controls to each identity — and governing every privileged action — is now essential.”
To reduce risk while supporting innovation at scale, organizations should focus on evolving how privileged access is applied without abandoning foundational controls:
- Minimize standing privileges by implementing dynamic, risk-based access.
- Adopt automated and orchestrated Just-in-Time access for high-risk or sensitive actions.
- Apply appropriate privilege controls across human, machine and AI identities, based on context and risk.
- Simplify and consolidate identity platforms to improve visibility and governance.
Learn what the future of privileged access is here at the website.
Related News:
CyberArk Introduces TLS Certificate Scan to Tackle Rising IT Costs and Outages
CyberArk Unveils AI Identity Security with Advanced Privilege Controls
About the Research:
The research was conducted by Censuswide, based on a sample of 500 U.S. workers. The data was collected between November 11, 2025 and November 21, 2025. Respondents included DevOps Engineers, IAM Architects, DevOps Security Managers, Database Administrators, Site Reliability Engineers, Cloud Security Architects/Engineers, IT Support Specialists, and Software Engineers. Participants represented foundational PAM and modern infrastructure roles across the buying center — including decision makers, champions, influencers, and end‑users — and were aged 27–64. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.
