Skip to content

Where AI Expands Access, Breaches Run Four Times the Rate

Johannes Keienburg Johannes Keienburg , CEO & Founder
Published July 14, 2026
Copied

1Access Is Outrunning the Ability to Govern It

Two 2026 surveys, one from a security vendor and one from an independent professional body, measured how companies are handing access to AI. In June, the identity-security firm Netwrix reported on 2,317 security professionals across 1,889 organizations. In May, the IT governance association ISACA polled more than 3,400 practitioners worldwide. Read together, they describe one gap: companies are giving AI and agents access to their systems faster than they can govern or take it back.

Among organizations where AI significantly expanded the number of identities requiring access, breach rates reached 43% over the past twelve months, compared with 11% where AI had not materially changed access patterns.

Netwrix 2026 Data and Identity Security Report

Netwrix, which sells non-human-identity governance and access products, frames that as a correlation, not proof that AI caused the breaches. The rest of its data points at why the gap exists. Only 19% of organizations say they fully govern their non-human identities, the service accounts and agent credentials that now act inside company systems. And 76% cannot immediately revoke standing access once it is no longer needed. Access goes in fast and stays.

2Most Teams Can't Say How They Would Stop It

The ISACA poll measured the other half of the problem, which is control after AI is deployed. More than half of the professionals surveyed, 56%, did not know how long it would take to halt an AI system during a security incident.

39% say they do not know whether they have a documented process for shutting down or overriding AI systems if things go wrong.

ISACA 2026 AI Pulse Poll

Adoption is not what lags. In the same poll, 38% of organizations reported having a formal, comprehensive AI policy, up from 28% a year earlier. Companies are writing the policies. What is missing is the ability to stop or scope what the AI does once it is already running.

Both reports land in the same place. Companies are granting AI access at the speed of adoption and governing it at the speed of paperwork. The access is standing, broad and hard to pull back. In Netwrix's data, that tracks with a higher breach rate.

Source: Netwrix, "2026 Data and Identity Security Report", June 2026. ISACA, "2026 AI Pulse Poll", May 2026.