The Cloud Security Alliance (CSA) released new survey findings in The State of Non-Human Identity and AI Security, highlighting significant gaps in agentic access management. Commissioned by Oasis Security, the report shows that insufficient AI governance and legacy IAM tools are leaving organizations increasingly exposed as AI adoption accelerates.
92% of respondents are not confident that their legacy IAM solutions can effectively manage the risks associated with AI and NHIs.
Key findings from The State of Non-Human Identity and AI Security Report include:
- Governance and ownership gaps leave AI identities exposed. 78% of organizations don’t have documented and formally adopted policies for creating or removing AI identities.
- Legacy IAM infrastructure constrains AI readiness. 92% of respondents are not confident that their legacy IAM solutions can effectively manage the risks associated with AI and NHIs.
- IT and security professionals can’t keep up. The majority (79%) of organizations rated their confidence in their ability to prevent attacks via NHIs as low or moderate.
“Organizations with limited visibility and unclear ownership are feeling the strain of AI-driven identities and securing identities in the AI era. Establishing strong identity foundations now is critical to reducing risk and confidently scaling AI use” said Hillary Baron, AVP of Research, Cloud Security Alliance.
As AI becomes embedded across the business, the scale of identity creation and access will grow exponentially, compounding existing visibility and control gaps.
Among the survey’s key findings:
- Governance and ownership challenges persist. 39% of respondents cited governance as their chief concerns around AI systems and identity. 51% of organizations reported no clear ownership or accountability and over-permissioned access (51%) as their most significant pain points.
- Manual, static processes create risk and stall innovation. Even where processes exist, automation is limited—14% said the creation and removal of AI-related identities are fully automated, 41% rely on semi-automated workflows, and 27% handle these processes entirely by hand. This lack of automation makes effective governance difficult, as manual processes limit visibility, consistency, and accountability.
- Token sprawl and slow remediation expand risk. More than 16% of organizations don’t track when new AI-related identities are created. Even when these identities are known, lifecycle management is slow. Nearly one-quarter (24%) of organizations take more than 24 hours to rotate or revoke a credential after a potential exposure, and 30% take over a day to triage a high-severity credential leak.
“AI turns identity into a high-velocity system,” said Danny Brickman, CEO and Co-Founder of Oasis Security. “Every new agent, workflow, or integration can mint credentials and permissions in minutes. Too many organizations still govern that with spreadsheets and unsophisticated processes. That’s not an AI strategy–that’s an incident backlog.”
“The fix is simple,” he continued. “Assign clear ownership, lock policy in writing, and automate the lifecycle before machine access scales beyond control.”
Oasis commissioned CSA to develop a survey and report to better understand the industry’s knowledge, attitudes, and opinions regarding NHI security and AI agents. Oasis financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in August and September 2025 and received 383 responses from IT and security professionals from organizations of various sizes and locations. CSA’s research analysts performed the data analysis and interpretation for this report.
Related News:
Oasis Security Debuts NHI Management Fundamentals Certification
Oasis Security and Sequoia Launch AAM Framework for AI Governance
