Two-thirds of the organizations we surveyed experienced a confirmed AI identity breach in the past year. That number alone should be alarming. But it's not the finding that changed how I think about AI security.
I've spent close to 30 years in tech: infrastructure and developer tooling startups, Fortune 500s, public sector organizations. Security has been central to that work throughout. It shapes how I read security data, and it shaped what I expected going into this research. I expected larger, more mature organizations to show higher breach rates: better tooling, more mature SOC functions, and stronger forensic capabilities mean finding more incidents. In security, detection maturity and confirmed incident rates move together. Finding more incidents is what a well-instrumented security program looks like.
So when FusionAuth surveyed more than 300 technology and security leaders on AI identity security, I expected the most confident, most invested, most governance-mature organizations to show more incidents for exactly that reason.
That's not what we found.
The Data
We asked respondents how confident they were in their organization's AI security. Then we looked at how many had experienced a confirmed security incident in the past 12 months.
| Confidence Level | Confirmed Breach Rate |
|---|---|
| Extremely confident | 84% |
| Very confident | 64% |
| Somewhat confident | 14% |
| Not so confident | 17% |
Eight out of ten of the most confident organizations had a confirmed AI identity-related incident in the past year. Breach rates decline from there, with only slight variance at the two lowest tiers.
The obvious counter-argument: the most confident organizations are also the largest and most mature. Better detection programs mean more incidents found. Their higher breach rate could just be a higher detection rate. But that argument collapses against the size-based data. If detection maturity explained the gap, it would be worst in the largest organizations. It's not.
| Revenue Band | Confident + Breached Rate |
|---|---|
| Under $10M | 95% |
| $10M–$49M | 88% |
| $50M–$199M | 59% |
| $200M–$500M | 71% |
| $500M–$1B | 76% |
| $1B+* | 0% |
\*Only 7 respondents, not statistically significant.
There is no correlation between organizational size and the confidence gap. The smallest organizations have the worst gap, not the largest. Something structural is happening, and understanding it matters, because the organizations most at risk are the ones least likely to believe they are.
What the data is telling you is this: the most confident organizations aren't just detecting more. They're also genuinely more exposed. The reason they're more exposed is the same reason they're most confident: they're moving the fastest.
Confidence Tracks Velocity. Velocity Builds Attack Surface
Understanding the data requires one piece of context. Every organization in this survey operates under real pressure to move fast on AI. The board wants to know why competitors are shipping AI features and you're not. Investors are watching. Your own teams see peers using AI in ways that look like competitive advantage. That pressure drives faster hiring, faster deployment, and governance documentation designed to satisfy auditors, even when the underlying infrastructure isn't ready for what it's being asked to do.
It also explains the 80% shadow AI rate we found. Employees aren't connecting unauthorized AI tools to internal systems because they're careless. Their career survival demands demonstrating AI fluency. The organizational pressure has become a personal one. When that happens, the perimeter is much harder to protect.
The hiring data reinforces the relationship. Organizations hiring externally for AI talent had an 85% confirmed breach rate. Organizations training their existing teams had 33%. That's 2.6 times lower, and it held even when controlling for investment levels and policy maturity. Hiring velocity drives deployment velocity. The attack surface follows.
The organizations at the top of the confidence scale share a profile. Ninety-two percent in the highest-maturity cohort have comprehensive AI governance policies. Eighty-eight percent are investing significantly in AI security. On paper, they're doing everything right. They're also the organizations that have moved AI into production fastest, with more approved AI tools across more departments, more AI-powered product features serving real users, more agents making API calls to internal systems. The governance investment and the deployment velocity are happening at the same time, and the attack surface grows faster than the governance layer can cover it.
I've watched a lot of technology cycles from the front lines. Kubernetes and the cloud-native wave felt impossibly fast: new tools, new frameworks, new startups every week. Teams on the cutting edge were often replacing what they'd just deployed before they'd finished deploying it. But Kubernetes was a technology story that lived inside your infrastructure team. Your CFO didn't know what a pod was.
AI isn't contained that way. New models supersede each other within days, not quarters. It's reshaping how legal drafts contracts, how finance reviews proposals, how your sales team writes outreach, how support answers tickets. Every leader in every function has an opinion about it. Most are already using it and they didn't ask IT first. The hype from vendors and investors hasn't been this disconnected from operational reality since the late '90s.
Moving carefully and building capability deliberately produces measurably better security outcomes. The data is clear about this. But that's a hard recommendation to carry into a board meeting where your competitors shipped AI features last quarter and you haven't.
They Don't Know What They Don't Know
The highest-confidence cohort isn't just exposed; they genuinely believe they have a better handle on their AI security than the data shows. Ninety-nine percent of the most confident organizations describe themselves as "very or extremely confident." Ninety-six percent have comprehensive policies. They've formalized the lifecycle processes that govern how AI agents are provisioned, how permissions get scoped, how anomalous behavior is monitored, how credentials are rotated, how access is revoked, and how agent activity gets audited. In most cases, all six are formally documented. Their investment levels would satisfy any board-level security review.
And 84% of them had a confirmed breach in the past 12 months.
The gap between how prepared they feel and how their incident logs actually read is the most dangerous part of this finding. An organization that knows it's exposed can act. An organization that is confident it's protected has no such signal. The confidence itself becomes the blind spot. And the threat actors operating in this environment are accelerating at exactly the same rate: new tooling, new exploitation patterns, new ways to probe AI agent permissions. The blind spot is expanding as the threat surface grows.
This is the version of the problem that's hardest to fix with a policy or a process. You can mandate a governance framework. You can require formalized lifecycle procedures. You can add headcount and investment. None of that changes the underlying dynamic if the organization's confidence level is preventing it from asking the right questions.
The right questions are not:
- Do we have policies?
- Are we investing enough?
- Are our processes formalized?
They are:
- Can we scope exactly what each AI agent can access — at the individual agent level, in real time?
- Can we prove what a specific agent accessed, under what permissions, against which data?
- Can we see what each agent is doing before something escalates, not just after?
- Can we revoke access in time to matter?
Those are architecture questions. Most organizations right now are measuring governance inputs. The data measures security outputs. The gap between those two things is large, it's consistent, and it's showing up in incident logs.
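One way the four questions above translate into code, as an added example that is not FusionAuth's code or API. The class and method names (`AgentRegistry`, `issue`, `authorize`, `revoke`, `evidence`) and the in-memory storage are hypothetical; a real deployment would back them with the identity provider.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Grant:
    agent_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False

class AgentRegistry:
    """Hypothetical in-memory stand-in for an identity provider's agent API."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants = {}  # opaque token -> Grant, one credential per agent
        self.audit = []    # append-only record of every decision

    def issue(self, agent_id, scopes, ttl=300):
        # Short-lived, per-agent credential: no shared service account.
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(agent_id, frozenset(scopes), self._clock() + ttl)
        return token

    def authorize(self, token, scope, resource):
        grant = self._grants.get(token)
        if grant is None:
            decision = "deny:unknown"
        elif grant.revoked:
            decision = "deny:revoked"
        elif self._clock() >= grant.expires_at:
            decision = "deny:expired"
        elif scope not in grant.scopes:
            decision = "deny:out_of_scope"
        else:
            decision = "allow"
        # Denials are logged too, so out-of-scope attempts are visible early.
        self.audit.append({"ts": self._clock(), "agent": grant.agent_id if grant else None,
                           "scope": scope, "resource": resource, "decision": decision})
        return decision == "allow"

    def revoke(self, agent_id):
        # Takes effect on the next authorize() call, not at token expiry.
        hits = [g for g in self._grants.values() if g.agent_id == agent_id and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def evidence(self, agent_id, decision_prefix="allow"):
        # Answers "what did this agent access, under which scope?" from the log.
        return [(e["resource"], e["scope"], e["decision"]) for e in self.audit
                if e["agent"] == agent_id and e["decision"].startswith(decision_prefix)]
```

Because every decision passes through `authorize`, the same log answers both the after-the-fact question (`evidence(agent)`) and the early-warning one (`evidence(agent, "deny")`).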
The Architectural Variable Nobody Measured Until Now
We asked respondents about their identity deployment model: whether they run identity on a multi-tenant SaaS platform, cloud single-tenant, or self-hosted infrastructure. Then we looked at confirmed incidents.
| Deployment Model | Very/Extremely Confident | Confirmed Breach Rate |
|---|---|---|
| Multi-tenant SaaS identity | 95% | 83% |
| Self-hosted / on-premises | 80% | 38% |
Organizations on multi-tenant SaaS identity platforms were breached at more than twice the rate of self-hosted organizations: 83% versus 38%. Deployment model was more predictive of AI security outcomes than governance maturity, policy coverage, or investment volume.
This survey cannot prove that deployment architecture directly causes breaches. Other factors, including organizational maturity, industry, regulatory requirements, and security culture, may contribute to the relationship. What the data does show is that deployment architecture was more predictive of breach outcomes than governance maturity, policy coverage, or investment levels.
Multi-tenant SaaS identity is often the default choice, the most common, most available, lowest-friction path. You sign up, you integrate, you ship. Outsourcing identity infrastructure to a shared third-party platform is what many teams do because it mostly works, and getting to market quickly is a real priority.
The organizations running self-hosted or single-tenant identity made a deliberately different decision. It required more effort, more architecture thinking upfront, and a clear position that identity infrastructure was too critical to outsource. Identity is the control plane that determines what every AI agent, service, and user can access. These organizations chose greater control over that control plane rather than relying entirely on a shared platform.
The data doesn't say self-hosted eliminates risk. Deployment model is only part of the story. The real question is how identity is implemented inside the environment itself: how AI agents authenticate, how permissions are scoped, how authorization decisions are made, how machine identities are governed, and how access is monitored and revoked. Deployment architecture influences those controls, but it does not replace them.
A 38% confirmed breach rate is still meaningful. What it shows is that identity architecture matters. Deployment model influences who controls the infrastructure, but it also influences how organizations approach authentication, authorization, machine identities, visibility, and operational control. When AI systems begin acting autonomously across applications, data stores, and APIs, those architectural decisions become part of the security boundary itself.
The organizational culture difference shows up in the data too. Self-hosted organizations catch more threats before they escalate: 44% near-miss rate versus 10% for multi-tenant SaaS. They also face less shadow AI exposure: 56% versus 91%. Organizations that made the harder architectural choice also tend to run tighter security environments. Whether that reflects stronger security cultures, different operational priorities, or a greater desire for control is impossible to know from the survey alone. What is clear is that the architectural decisions organizations make around identity correlate strongly with how they experience AI-related security risk.
In a self-hosted or isolated deployment, you own the exposure boundaries. A failure in your environment reaches what your environment connects to. That's still a real risk, but it's scoped risk you control and can respond to.
The highest-risk profile in the entire dataset is not a low-maturity organization. It's the opposite: companies running AI in production, AI deployed widely across the workforce, operating on multi-tenant SaaS identity infrastructure. In this cohort, 90% had a confirmed incident. Ninety-six percent face shadow AI: employees connecting AI tools without IT or security review. Ninety-eight percent are very or extremely confident in their security posture.
Why the Scale Problem Makes This Worse
The deployment model choice carries higher stakes today because the volume and type of identities organizations must govern have changed fundamentally.
Non-human identities (AI agents, automated services, and machine actors) now outnumber human identities 144 to 1 in the average enterprise, according to Entro Labs' NHI & Secrets Risk Report H1 2025. A year ago that ratio was 92 to 1, a 57% increase in a single year. Every AI agent, every automated service, every machine identity is an identity that needs to be authenticated, scoped, monitored, and eventually revoked. Most of them aren't being managed that way.
Traditional identity infrastructure was designed for human users. Users log in. Sessions are managed. Credentials are issued and rotated on a human timescale. That model was adequate when the identity count was in the thousands and nearly all of them were people. That's how the majority of identity solutions have been built. Now they're bolting on AI support.
It was not designed for a world where agents act autonomously across multiple systems without a human in the loop, accumulate permissions over time, and operate at a scale where manual oversight is structurally impossible. The identity question has changed. "Can users log in?" is no longer enough. The question now is: "Can every human, machine, service, and AI agent in this environment be trusted, scoped, isolated, monitored, and revoked?"
Most organizations built their identity infrastructure to answer the first question.
The Commercial Consequence
There's a meaningful difference between risks that live in a quarterly executive risk register and ones that kill deals. This is the latter.
Eighty-five percent of the organizations we surveyed face demands from customers, partners, or regulators to prove tenant isolation. Fifty-six percent face those demands frequently, not in high-stakes moments, but as a routine part of enterprise sales and procurement.
When AI features access customer data for personalization, recommendations, or analysis, enterprise buyers start asking questions they never asked about a login screen. "Is my data isolated at the infrastructure level, or just contractually?" Enterprise security reviewers know the difference between a contractual commitment and an architectural guarantee. They're asking for proof.
For some organizations, this has already stopped being theoretical. Where both forces converge (AI is the primary driver of identity reevaluation, and enterprise customers are regularly demanding proof of isolation), the data becomes acute:
- 99% have had a confirmed breach
- 93% are running on multi-tenant SaaS identity infrastructure
- 95% are planning significant investment in the next 12–18 months
These organizations have already worked out what the data shows. They're not waiting for another incident. They're in active architecture reevaluation, because winning enterprise deals depends on how they answer the isolation question.
Identity architecture is no longer a backend conversation. It's a revenue conversation. The deployment model decision made years ago as an operational preference is now showing up in security questionnaires and determining whether deals advance.
What the Market Is Already Doing
The organizations under the most pressure are already moving. Ninety-one percent of organizations expect identity investment to increase over the next 12–18 months. Sixty-six percent are planning significant increases, not incremental adjustments. The top evaluation criteria have shifted: machine identity at scale (72%), deployment flexibility (57%), fine-grained authorization (54%). Cost of ownership ranks last, at 11%.
When cost is the lowest-ranked evaluation criterion and machine identity scale is the highest, the market is telling you something about what's actually broken. This is a market-wide recognition that the identity infrastructure built for human users at human scale needs to be rebuilt for AI agents at AI scale.
The organizations driving that investment fall into two modes. Some are reacting to active pain: confirmed incidents, customer pressure, platform decisions that no longer fit the risk they're carrying. Others are building ahead of that crisis by making deliberate architectural choices before external pressure forces the decision. The full report covers both profiles and includes a framework for diagnosing which one you're in.
Whether you're already feeling the pressure or not, the data points to the same conclusion. Brian Bell, our CEO, put it plainly:
"Confidence appears to be tracking deployment velocity and governance activity, not actual protection. The faster organizations move, the more confident they feel. The faster they move, the larger their attack surface. Written policies don't answer the questions that matter: Can you scope what each agent can access? Can you see what it's doing? Can you prove what it accessed after the fact? Can you revoke access before a near miss becomes something worse? Architecture answers those questions. Policy alone does not."
The most confident organizations in our survey have the governance. They have the investment. They have the processes.
What the data shows is that none of those things are the same as understanding your actual exposure.
For years, identity was treated as a backend implementation detail. AI may be turning it into one of the most important security decisions an organization makes.
The organizations that succeed with AI won't necessarily be the ones moving fastest. They may be the ones that can adapt their identity architecture fastest as the threat landscape changes.