Workforce IAM coverage, privileged-access posture, audit-evidence cadence, breach economics, and AI-agent identity adoption — drawn from public studies (IBM, Verizon, FIDO Alliance, vendor research) and direct askmeidentity practice observations across 240+ engagements. Free to cite under CC BY 4.0.
Version 2026.05.2
Last reviewed May 20, 2026 · 26 stats tracked
87%
Workforce MFA coverage (large enterprises)
Share of organizations with 10,000+ employees that have rolled out workforce MFA. SMB adoption sits closer to 34%. Coverage gaps remain on legacy on-prem apps and admin accounts.
14%
Phishing-resistant MFA share
Share of workforce passwordless authentication using phishing-resistant factors (FIDO2, passkeys). Up from 8.6% the prior year — a 63% YoY jump driven primarily by Okta FastPass and platform passkeys.
67%
SSO catalog coverage
Average share of an enterprise SaaS catalog behind SSO. The long tail of un-federated apps remains the single largest off-boarding risk.
41%
HRIS-triggered JML automation
Share of regulated enterprises with fully HRIS-triggered joiner/mover/leaver workflows on Tier-1 systems. Manual ticketing still drives the majority of access provisioning.
38 min
Median time to deprovision
Median elapsed time from HR offboarding event to access revocation on a Tier-1 system. Best-in-class organizations hit < 5 minutes via Lifecycle Workflows.
91%
Privileged access that is always-on
Share of organizations where at least half of privileged access is "always-on" — providing unrestricted, persistent access to sensitive systems. Just-in-time elevation remains the exception, not the default.
58%
PAM vault coverage
Average share of privileged credentials brought under vault management at enterprises with a deployed PAM platform. The remaining 42% sit in spreadsheets, password managers, or untracked admin tooling.
1%
Full JIT elevation adoption
Share of organizations that have fully implemented just-in-time privileged access. CyberArk attributes the gap to legacy systems built for time-bound access, tool sprawl (88% of orgs manage 2+ identity tools), and weekly discovery of unmanaged privileged accounts.
80:1
Machine-to-human identity ratio
Median ratio of machine (non-human) identities to human identities in mid-large enterprises. 68% of orgs lack identity security controls for AI agents specifically.
34%
Privileged session recording
Share of privileged sessions on PHI- or PCI-adjacent systems that are recorded by default. Required by HIPAA Security Rule administrative safeguards but inconsistently enforced.
75%
Consumers with at least one passkey
Share of consumers who have enabled a passkey on at least one of their accounts. 49% use passkeys regularly when offered. 5 billion passkeys are now in use worldwide.
87%
Enterprise passkey deployment
Share of organizations that have either deployed or are currently deploying passkeys for workforce sign-ins — 47% deployed, 40% in active rollout. Up from a small minority two years ago.
63%
B2B SaaS using Organizations
Share of B2B SaaS products with an Auth0/Okta CIC tenant that have adopted the Organizations multi-tenancy pattern. The remaining sites carry custom tenancy that creates upgrade debt.
29%
US adults hit by ATO (annual)
Share of US adults who experienced an account takeover in 2024 — roughly 77 million people. ATO fraud losses hit $2.9B, the fastest-growing identity-fraud category. Akamai recorded 193+ billion credential-stuffing attempts in one year.
~78%
IAM first-pass audit rate (regulated)
Share of regulated US enterprises that pass their annual IAM-related audit on the first cycle without remediation. Findings concentrate on access-cert sampling, JML latency, and stale privileged accounts. Practitioner aggregate, not a single source.
61%
Audit evidence still manual
Share of IAM audit evidence produced by manual screenshot collection at quarter-end. Evidence-as-code remains the exception in financial services and healthcare.
32%
ConMon-aligned IAM programs
Share of regulated programs that produce IAM evidence continuously rather than at quarter-end. The shift is fastest in FedRAMP-authorized programs.
$4.44M
Average breach cost (global)
Global average total cost of a data breach in 2025 — down 9% from $4.88M in 2024. IBM attributes the decline to faster containment powered by AI-driven detection. US ($10.22M) and healthcare ($7.42M) remain well above average.
16%
Phishing as #1 attack vector
Phishing overtook stolen credentials as the top initial attack vector in 2025 — 16% of breaches. Stolen credentials dropped to #2 but still drive the longest dwell time at 292 days.
60%
Breaches involving a human element
Share of breaches involving a human element — phishing, social engineering, lost credentials, or misuse. Down from 68% in the 2024 DBIR — but Verizon notes click rates were unaffected by security awareness training.
22%
Breaches starting with credential abuse
22% of breaches began with credential abuse and a further 16% began with phishing — together accounting for 38% of all breaches. 88% of Basic Web Application attacks involved stolen credentials.
292 days
Stolen-credentials MTTR
Mean time to identify and contain a breach involving stolen credentials. The slowest-to-contain attack type, attributed to attackers "logging in rather than hacking in."
68%
Orgs lacking AI agent identity controls
Share of organizations that lack identity security controls for AI agents specifically. Only 45% apply the same privileged access controls to AI agents as they do to human identities; 33% have no clear AI access policies at all.
3.4x
Untracked service accounts
Median ratio of discovered service accounts to documented service accounts on first PAM discovery scan. The undocumented majority is the single biggest privileged-identity gap.
$25.3B
Global IAM market (2026)
Global identity & access management software market size in 2026 — projected to reach $77.9B by 2034 at a 15.1% CAGR. Multiple firms converge on a $24-28B range for 2026; we use the Fortune Business Insights midpoint.
>99%
Identity attacks blocked by phishing-resistant MFA
Microsoft data on the effectiveness of phishing-resistant MFA at blocking unauthorized access attempts. Identity-based attacks rose 32% in H1 2025; 97% are simple password-spray attempts that MFA would have stopped outright.
Cite this page
These benchmarks are licensed under CC BY 4.0 — free to cite, quote, and link to with attribution. Pick a format below.
askmeidentity. (2026). The State of Identity, live (v2026.05.2). Retrieved 2026-06-04 from https://askmeidentity.com/resources/state-of-identity/
"The State of Identity, live." askmeidentity, v2026.05.2, https://askmeidentity.com/resources/state-of-identity/. Accessed 2026-06-04.
@misc{askmeidentity_state_of_identity_2026_05.2,
  title = {The State of Identity, live},
  author = {{askmeidentity}},
  year = {2026},
  note = {Version 2026.05.2, retrieved 2026-06-04},
  url = {https://askmeidentity.com/resources/state-of-identity/}
}
Two source classes only
Either a published study from a named source (IBM, Verizon DBIR, FIDO Alliance, vendor research) — or a direct practitioner observation from our delivery work, clearly labeled and accompanied by a methodology note. Nothing else makes it onto the page.
Monthly review cycle
On the first business day of each month, every stat is re-verified against its source and the lastReviewed date is bumped. Stats that no longer hold are either updated, replaced, or retired with a redirect note in the change log.
Stable URL, evolving data
The page URL never changes. Year-specific reports live at separate URLs (see the State of Identity 2026 annual report). This page is the perpetual reference, designed to be cited and re-cited.