https://www.asmag.com/showpost/35814.aspx?name=news
Semperis study finds AI expanding Singapore organizations’ identity attack surface
Global study finds 90% of Singapore respondents prioritizing AI identity governance as AI agents gain access to sensitive systems and security workflows

Date: 2026/05/13
Source: Semperis
Semperis, the identity-driven cyber resilience and crisis response company, today published findings from a global study examining how artificial intelligence is reshaping the attack surface of enterprise identity systems, including Active Directory, Entra ID and Okta. The study shows that AI is quietly redrawing the boundaries of global identity attack surfaces and organizations are giving AI agents the keys to critical systems faster than they are putting guardrails around those new identities.
 
The State of Identity Security in the AI Era study surveyed 1,100 organizations across the US, UK, France, Germany, Italy, Spain, Australia and Singapore. It found that 66% of organizations in Singapore believe AI will increase attacks on identity infrastructure. At the same time, as many as 93% of the organizations either already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access.
 
“Singapore organizations have been quick to explore AI across business and security operations, but every AI agent introduced into the enterprise also creates a new identity that must be governed, monitored and recovered if compromised,” said Gerry Sillars, Semperis Vice President of Asia Pacific and Japan. “It’s encouraging that 90% of Singapore respondents see AI identity governance as a priority, but priority must translate into practical controls. As AI moves closer to privileged systems, identity resilience needs to be built into AI adoption from the start.”
 
Singapore trends reflect a broader global concern: as organizations deploy AI agents across more sensitive workflows, they are dramatically increasing the number of non-human identities connected to critical systems.
 
“The accelerated use of AI is introducing a bevy of new agents, each with its own non-human identity (NHI) throughout global enterprises and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs,” said Alex Weinert, Semperis Chief Product Officer.
Globally, only 65% of organizations say AI identities are fully registered, authenticated, and authorized in a formal system, while 6% admit they do not track them at all. In organizations that do track AI identities, 57% use the same system as for human identities, while 43% authenticate and authorize them using a separate system.
 
This adds a new layer of complexity for security teams in Singapore. AI agents may not behave like human users, but they can still hold access, interact with sensitive systems and become part of an organization’s identity fabric. Without clear registration, authentication, authorization and recovery processes, these non-human identities can widen the attack surface and complicate incident response.
 

Are organizations ready for AI-fueled identity breaches?

The study found that AI is already being placed close to sensitive identity infrastructure. More than a quarter of surveyed organizations (29%) already use AI agents to manage security‑related help desk tickets, including password resets and VPN access. Another 65% intend to do so within the next year. In parallel, 92% of respondents say that some percentage of their workforce has AI installed on local machines where it can access SSH and encryption keys.
 
For Singapore organizations, where AI adoption is increasingly being explored across business operations, security and productivity use cases, this reinforces the need to treat AI agents as part of the enterprise identity environment rather than as standalone tools.
 
“The pattern of global organizations overestimating how quickly they can recover from a cyberattack is real, especially when identity is within the blast radius. On paper, organizations have plans and backups; in practice, identity failures turn technical incidents into prolonged business crises, exposing a dangerous gap between perceived resilience and reality,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.
 
On the plus side, 90% of respondents in Singapore indicated that AI identity governance is a priority for them in the coming months. So, how can organizations govern these hard-to-control identities? For now, best practices include:
 
  • Treat AI agents explicitly as non-human identities in the identity fabric
  • Enforce least‑privilege, just‑enough and just‑in‑time access for agents as rigorously as for humans
  • Segregate agent and human trust boundaries where appropriate
  • Use UEBA‑style analytics to detect “zombie” or anomalous agent behaviour
  • Ensure that your organization can quickly recover identity systems to a trustworthy state if they are breached
The full AI Study can be obtained here: The State of Identity Security in the AI Era.
 

Methodology

To conduct this study, Semperis partnered with Censuswide, an international market research consultancy. In early 2026, Censuswide surveyed 1,100 organizations across the US, UK, France, Germany, Italy, Spain, Australia and Singapore.
 
