Fast AI adopters breach at 43%, four times the 11% rate of slower peers, despite outperforming them on every security fundamental Netwrix measured.

Key Takeaways

• Companies that have broadly deployed AI breach at 43%, four times the 11% rate for companies that have not
• Fast AI adopters are ahead on security fundamentals, yet they breach more; AI deployments are creating new automated accounts and AI agents faster than security teams can track and control them
• 76% of organizations do not fully track or control the AI agents and automated systems running inside their networks
• 41% already have AI agents running in production, with those agents accessing company data on behalf of employees
• 74% have no clear picture of which AI agents and accounts can access their sensitive data
• Only 11% have AI governance that is fully enforced with consistent controls over who and what can access company data, applied in real time
• Mid-size companies (500-999 employees) report the highest breach rate of any company size at 40%

Netwrix, a data security company, released its 2026 Data & Identity Security Report, finding that organizations in which AI has significantly increased the number of digital identities in their environments reported a 43% breach rate over the past 12 months. In security terms, an identity is any account with access to company systems: a human employee, an AI agent, a bot, or an automated service. Organizations where AI has not meaningfully expanded that number reported 11%. Netwrix surveyed 2,317 security and IT professionals across more than 60 industries worldwide.

Fast AI adopters are ahead on security fundamentals, yet they breach more

The gap is not explained by weaker security practices among faster AI adopters. Organizations leaning hardest into AI are measurably ahead on identity security fundamentals:

• 46% lack a current picture of what data they hold and where it is stored, versus 60% among slower peers
• 75% have strong controls over AI agents and automated systems with access to company data, versus 56% among slower peers
• Only 13% cannot see which AI tools employees are using without company approval, versus 25% among slower peers

“They invested in the playbook. They got breached anyway,” wrote Grady Summers, Netwrix chief executive officer and a former Fortune 500 chief information security officer (CISO), in the report’s executive summary.

AI creates identities faster than governance tools can keep up

Summers says the problem is structural. Identity governance tools were built for environments where identities grew at the pace of hiring. AI agents, copilots, and automated services add new identities at the pace of software deployment. Every new agent is a new identity requesting access to sensitive data. Static or periodically reviewed permission models were not designed for that cadence.

The supporting data reflects that gap. 76% of respondents say they do not fully govern or monitor non-human identities in their environments. 41% say they already run AI agents in production, with those agents accessing company data on behalf of employees. 74% lack a single, unified view of sensitive data and which identities can reach it.

Mid-market breach risk is highest; only 11% have reached full governance maturity

The breach risk is highest in the mid-market. Organizations with 500 to 999 employees reported a 40% breach rate, the highest among company size ranges in the survey. Large enterprises with 10,000 or more employees reported 27.3%. Organizations with fewer than 500 employees reported 17.8%.

The report maps organizations across five AI governance maturity tiers. Just 11% have reached the level the report calls fully operational, meaning enforced, continuous, and proactive governance over every identity and the data it can reach.

With 41% of organizations already running AI agents in production and just 11% at full governance maturity, most are still building the controls that AI is already outpacing.