AI, Digital Identity and Cloud Misconfigurations Driving the Majority of Successful Cyberattacks According to RSM’s 2026 Attack Vectors Report

CHICAGO – (March 18, 2026) – RSM US LLP (“RSM”), the leading provider of assurance, tax and consulting services for the middle market, today released its 2026 RSM Attack Vectors Report, revealing that cybercriminals continue to exploit predictable weaknesses in digital identity, cloud and application environments – often amplified by human factors – to escalate initial access into enterprise-wide systems.

First launched in 2022, RSM’s Attack Vectors Report has become an annual cybersecurity research series grounded in insights from hundreds of offensive security engagements. Findings are based on approximately 650 offensive security engagements conducted across middle and upper‑ market organizations throughout 2025. By examining vulnerabilities’ ratings and attack vectors, RSM uncovered key trends shaping today’s threat environment.

The report provides organizations with insight into the cybersecurity challenges they face and a critical head start in developing a practical cybersecurity strategy to focus resources on areas that may be most at risk.

Key findings from the report:

• 82% of identity-related weaknesses provided reliable access, including environments that had invested in zero trust and multi-factor authentication (MFA).
  
  
• 73% of AI-integrated systems tested by RSM were susceptible to prompt manipulation, data exposure or credential leakage.
  
  
• 64% of application assessments identified flaws that enabled data theft or system compromise, commonly through basic exploitation of untrusted input and weak authorization checks.
  
  
• 78% of cloud-focused engagements revealed critical misconfigurations and accounted for 15% of all high-severity findings.
  
  
• 30% of identified vulnerabilities could enable attackers to gain privileged access to systems or steal sensitive data.

“The threat landscape in 2025 placed sustained pressure on organizations as AI adoption, cloud complexity and identity sprawl expanded attack paths across enterprise environments,” said Daniel Gabriel  , Head of Cyber Consulting at RSM.  “Even organizations with substantial security investment struggled to maintain consistent control effectiveness when governance, visibility and architecture failed to keep pace with technology adoption.”

Despite using recurring attack patterns, the digital threat landscape remains in constant flux, with adversaries continually adapting to outmaneuver security measures. 

“The report found that successful attacks rarely rely on a single critical vulnerability. Instead, threat actors chain together moderate-risk weaknesses across identity systems, applications, cloud environments and internal architecture to bypass layered defenses and gain privileged access,” noted Gabriel.   

AI accelerates time-to-compromise for attackers

The report also highlights a significant shift in attacker efficiency driven by widespread use of AI. AI-assisted scripting, exploitation chaining and tool development increased success rates by 40% and enabled testers to compress attack timelines from days to hours—or even minutes—outpacing many organizations’ detection and response capabilities. 

In addition, AI vishing (voice phishing) and voice-cloning impersonation increased over phone and conferencing platforms, where many organizations lacked the telemetry, processes and controls that exist for email. These channels often intersect directly with identity processes, particularly help-desk password resets and emergency access requests.

“Many security programs still assume they have hours or days to identify, investigate, contain and remove an active threat,” added Gabriel . “In practice, AI-enabled offensive techniques are rapidly shrinking that window toward hours or minutes, reducing the effectiveness of semi-manual response processes and exposing gaps in detection, escalation and containment that were designed for a slower threat tempo. In addition, without AI-assisted defensive capabilities, organizations will struggle to contain initial compromise before it escalates into broader impact.”

Staying vigilant

Organizations that adopt risk-based prioritization, invest in identity & access management, detection and response, embrace automation and continuously validate controls can materially reduce exposure and limit incident impact against evolving attack techniques. Perfect prevention is not achievable, however, by prioritizing resilience and rapid recovery, and embedding security into engineering and operations rather than treating it as a periodic compliance activity will improve the ability to remediate vulnerabilities before adversaries can exploit them.

About the report

The 2026 RSM Attack Vectors Report analyzed 2,047 vulnerabilities identified across approximately 650 offensive security engagements conducted between January and December 2025 across North America, Europe and Asia. The report provides practical insight into how modern attacks unfold and how organizations can better contain inevitable failures before they escalate into enterprise-wide incidents.  

In addition to the yearly Attack Vectors Report, which provides engagement-based insight into how cyberattacks unfold in practice, RSM publishes an annual Cybersecurity Report focused on enterprise risk, governance and resilience considerations for business leaders.