Identity risks are on the rise: How vulnerable is your organization?

Proactively identify your identity security vulnerabilities and risks

June 04, 2026

Key takeaways

Effective identity security strategies are essential as risks become more complex.

Organizations should periodically evaluate their identity approach to understand risks and gaps.

A trusted advisor can help you understand identity risks and address any potential concerns.

As artificial intelligence use continues to surge, new applications and strategies are demonstrating their value across a variety of scenarios. While AI can provide significant gains in efficiency, productivity and insight, it can also introduce considerable deployment risks and make sophisticated cyberattacks much easier for threat actors to orchestrate. These challenges are increasing the emphasis on effective identity security strategies that strengthen controls and permissions in an increasingly difficult risk environment.

Recent data shows that the threat is very real. In RSM’s 2026 Attack Vectors Report, identity-related weaknesses provided successful access in more than 80% of the firm’s more than 650 offensive security engagements conducted throughout 2025. However, despite this elevated level of identity risk, only 23% of respondents to the RSM US Middle Market Business Index Special Report: Cybersecurity 2026 listed digital identity as a top-three cybersecurity and data privacy initiative for the fiscal year.

While the concept of digital identity and the implementation of related controls aren’t new, identity must be a focal point of cybersecurity risk strategies as the number of nonhuman identities companies encounter continues to grow. Together, identity program elements, including privileged access, multifactor authentication, identity governance and secure authentication, form a robust and integrated framework that can help your organization manage risk while also driving operational efficiency.

“Identity is a continuous conversation,” says RSM US Principal Autumn Hurley. “Many organizations are early in their journey to building out a mature identity program. It takes a lot of thoughtful strategic planning to lay the foundation for a successful program.”

Having a clear perspective on digital identity has never been more important as threats continue to develop. Therefore, periodically reviewing your digital identity approach is a critical exercise in understanding your specific risks and identifying potential gaps. 

Is your identity strategy keeping pace with risks?

Use the following diagnostic questions to assess your identity security posture. If you answer "no" or "don't know" to more than three questions, your organization may face elevated risk.

Active Directory and identity infrastructure

  • Have you conducted an Active Directory Certificate Services (ADCS) security audit within the past 12 months, specifically checking for ESC1, ESC4, ESC8 and ESC11 misconfigurations?
  • Do you maintain an accurate, current inventory of all service accounts, including records of when passwords were last changed?
  • Are all privileged service accounts configured to use gMSA or equivalent credential rotation mechanisms?

Multifactor authentication

  • Have you deployed phishing-resistant MFA (FIDO2, certificate-based or passwordless authentication) for all privileged accounts and administrators?
  • Does your MFA implementation prevent legacy protocol authentication (IMAP, SMTP, POP3) that can bypass MFA requirements?
  • Do your help desk procedures require multistep, out-of-band verification before resetting MFA for any privileged user?

Nonhuman and AI identities

  • Can you identify all locations where service account credentials, API keys or access tokens are stored (scripts, repositories, environment variables, infrastructure-as-code (IaC) templates)?
  • Do your AI agents and automated systems operate with unique, auditable identities rather than shared service accounts?
  • Can you instantly revoke credentials for compromised service accounts or AI agents across all systems?

Detection and response

  • Do you have active detection rules for MFA fatigue attacks, suspicious certificate issuance and Kerberoasting activity?
  • Can your security team detect and respond to a credential-based attack within minutes rather than hours or days?
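
One way to express two of the checks above (legacy-protocol sign-ins that bypass MFA, and MFA fatigue detection) over sign-in events. This is an added example, not code from the original article or from RSM; the event field names, the sample events and the threshold of five rejected prompts in ten minutes are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LEGACY = {"IMAP", "SMTP", "POP3"}  # legacy protocols named in the checklist

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2026-06-01T09:00:00", "user": "alice", "type": "signin", "protocol": "IMAP", "result": "success"},
    {"ts": "2026-06-01T09:01:00", "user": "bob", "type": "signin", "protocol": "OIDC", "result": "success"},
    {"ts": "2026-06-01T08:00:00", "user": "dave", "type": "mfa_push", "result": "denied"},
    {"ts": "2026-06-01T08:30:00", "user": "dave", "type": "mfa_push", "result": "denied"},
    {"ts": "2026-06-01T08:31:00", "user": "dave", "type": "mfa_push", "result": "approved"},
    {"ts": "2026-06-01T02:16:00", "user": "carol", "type": "mfa_push", "result": "approved"},
]
EVENTS += [{"ts": f"2026-06-01T02:1{i}:00", "user": "carol", "type": "mfa_push",
            "result": "denied"} for i in range(5)]

def legacy_signins(events):
    """Successful sign-ins over protocols that cannot carry an MFA challenge."""
    return sorted({(e["user"], e["protocol"]) for e in events
                   if e["type"] == "signin" and e["result"] == "success"
                   and e["protocol"] in LEGACY})

def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Map user -> True if a burst of rejected prompts ended in an approval."""
    recent = defaultdict(deque)  # user -> timestamps of rejected prompts in window
    flagged = {}
    pushes = sorted((e for e in events if e["type"] == "mfa_push"), key=lambda e: e["ts"])
    for e in pushes:
        ts, q = datetime.fromisoformat(e["ts"]), recent[e["user"]]
        while q and ts - q[0] > window:
            q.popleft()  # drop rejections that fell out of the window
        if e["result"] in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                flagged.setdefault(e["user"], False)  # burst seen, no approval yet
        elif e["result"] == "approved" and len(q) >= threshold:
            flagged[e["user"]] = True  # approval during a burst: escalate
    return flagged

if __name__ == "__main__":
    print("legacy protocol sign-ins:", legacy_signins(EVENTS))
    print("MFA fatigue candidates:", mfa_fatigue(EVENTS))
```
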

Scoring

  • 9-11 “yes” answers: Strong foundation, but continuous validation is essential
  • 6-8 “yes” answers: Moderate risk, prioritize quick wins in weak areas
  • 0-5 “yes” answers: Elevated risk, consider a comprehensive identity security assessment

The takeaway

Identity risk is expanding as organizations add more cloud, automation and AI-driven capabilities. If your answers to the questions above indicate that areas of your identity strategy may be at risk, quick action is likely needed. As identity challenges persist and evolve, a trusted security and privacy advisor can help you understand your risks, evaluate your existing identity practices, and modernize and optimize your program.

If this checklist surfaced gaps or uncertainty, it may be time to reassess whether your current identity strategy is keeping pace. Connect with our digital identity advisors to identify priority risks and strengthen your identity security strategy.

RSM contributors

  • Autumn Hurley, Principal
  • Jeff Steadman, Director
