We Surveyed More Than 300 Security Leaders on AI Identity. The Findings Are Counterintuitive

/ Blog

Light<br>Dark<br>System

Log In

Get a demo

Open main menu

Education<br>We Surveyed More Than 300 Security Leaders on AI Identity. The Findings Are Counterintuitive<br>FusionAuth surveyed more than 300 technology and security leaders on AI identity security and found a striking pattern—the most confident organizations had the highest breach rates, and deployment architecture predicts outcomes better than governance maturity.

Authors

Andrew Hatfield

Published: June 9, 2026

Two-thirds of the organizations we surveyed experienced a confirmed AI identity breach in the past year. That number alone should be alarming. But it's not the finding that changed how I think about AI security.

I've spent close to 30 years in tech: infrastructure and developer tooling startups, Fortune 500s, public sector organizations. Security has been central to that work throughout. It shapes how I read security data, and it shaped what I expected going into this research. I expected larger, more mature organizations to show higher breach rates: better tooling, more mature SOC functions, and stronger forensic capabilities mean finding more incidents. In security, detection maturity and confirmed incident rates move together. Finding more incidents is what a well-instrumented security program looks like.

So when FusionAuth surveyed more than 300 technology and security leaders on AI identity security, I expected the most confident, most invested, most governance-mature organizations to show more incidents for exactly that reason.

That's not what we found.

The Data#

We asked respondents how confident they were in their organization's AI security. Then we looked at how many had experienced a confirmed security incident in the past 12 months.

Confidence LevelConfirmed Breach RateExtremely confident84%Very confident64%Somewhat confident14%Not so confident17%<br>Eight out of ten of the most confident organizations had a confirmed AI identity-related incident in the past year. Breach rates decline from there, with only slight variance at the two lowest tiers.

The obvious counter-argument: the most confident organizations are also the largest and most mature. Better detection programs mean more incidents found. Their higher breach rate could just be a higher detection rate. But that argument collapses against the size-based data. If detection maturity explained the gap, it would be worst in the largest organizations. It's not.

Revenue BandConfident + Breached RateUnder $10M95%$10M–$49M88%$50M–$199M59%$200M–$500M71%$500M–$1B76%$1B+*0%<br>Only 7 respondents — not statistically significant.

There is no correlation between organizational size and the confidence gap. The smallest organizations have the worst gap, not the largest. Something structural is happening, and understanding it matters, because the organizations most at risk are the ones least likely to believe they are.

What it's telling you is this: the most confident organizations aren't just detecting more. They're also genuinely more exposed. The reason they're more exposed is the same reason they're most confident: they're moving the fastest.

Confidence Tracks Velocity. Velocity Builds Attack Surface#

Understanding the data requires one piece of context. Every organization in this survey operates under real pressure to move fast on AI. The board wants to know why competitors are shipping AI features and you're not. Investors are watching. Your own teams see peers using AI in ways that look like competitive advantage. That pressure drives faster hiring, faster deployment, and governance documentation designed to satisfy auditors, even when the underlying infrastructure isn't ready for what it's being asked to do.

It also explains the 80% shadow AI rate we found. Employees aren't connecting unauthorized AI tools to internal systems because they're careless. Their career survival demands demonstrating AI fluency. The organizational pressure has become a personal one. When that happens, the perimeter is much harder to protect.

The hiring data reinforces the relationship. Organizations hiring externally for AI talent had an 85% confirmed breach rate. Organizations training their existing teams had 33%. That's 2.6 times lower, and it held even when controlling for investment levels and policy maturity. Hiring velocity drives deployment velocity. The attack surface follows.

The organizations at the top of the confidence scale share a profile. Ninety-two percent in the highest-maturity cohort have comprehensive AI governance policies. Eighty-eight percent are investing significantly in AI security. On paper, they're doing everything right. They're also the organizations that have moved AI into production fastest, with more approved AI tools across more departments, more AI-powered product features serving real users, more agents making API calls to internal systems. The governance...