Organizations overestimate their preparedness in the area of privileged access while AI identities take over sensitive tasks. That’s the conclusion of CyberArk based on its own research.
One percent of organizations have implemented a Just-in-Time access model for sensitive systems. That’s what CyberArk has determined based on its own research. At the same time, at 91% of organizations, at least half of privileged access remains continuously active. Such permanent access increases the risk of identity attacks, especially now that AI identities are performing more and more critical tasks.
Little progress in temporary access
Although 76 percent of the organizations surveyed indicate that they are ready for AI, cloud and hybrid environments, the figures show that this preparedness is limited in practice. Temporary, risk-based access, crucial within zero trust principles, is hardly applied. For example, 45 percent use the same access rules for AI agents as for human users, while 33 percent have no policy at all for AI-based access.
In addition, the phenomenon of shadow privilege remains a problem. Unknown or unused access rights accumulate within organizations. More than half of respondents discover uncontrolled accounts and sensitive data on a weekly basis. Fragmentation also plays a role: 88 percent use multiple identity security tools, which leads to blind spots and delayed checks.
Call for modernization of access management
CyberArk is calling for a broader implementation of dynamic access management. According to the company, organizations must modernize their approach by applying context- and risk-based access, not only for people but also for machines and AI systems. Simplifying identity platforms would also contribute to a better overview and governance.
The research was conducted by Censuswide among 500 professionals in DevOps, cloud security and IT support, among others. The survey ran in November 2025.