{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://askmeidentity.com/resources/state-of-identity/data.json","name":"The State of Identity, live","description":"Live, citable benchmarks for enterprise identity programs — MFA coverage, privileged access posture, audit-evidence cadence, breach economics, and AI agent identity adoption. Sourced to IBM Cost of a Data Breach 2025, Verizon DBIR 2025, FIDO Alliance State of Passkeys 2026, CyberArk Identity Security Landscape 2025, Microsoft Digital Defense Report 2025, and askmeidentity practice observations.","publisher":{"name":"askmeidentity","url":"https://askmeidentity.com"},"license":"CC-BY-4.0","licenseUrl":"https://creativecommons.org/licenses/by/4.0/","version":"2026.05.2","datePublished":"2026-05-01","dateModified":"2026-05-20","pageUrl":"https://askmeidentity.com/resources/state-of-identity/","citation":{"apa":"askmeidentity. (2026). The State of Identity, live (v2026.05.2). Retrieved from https://askmeidentity.com/resources/state-of-identity/","bibtex":"@misc{askmeidentity_state_of_identity_2026_05.2,\n  title  = {The State of Identity, live},\n  author = {{askmeidentity}},\n  year   = {2026},\n  note   = {Version 2026.05.2},\n  url    = {https://askmeidentity.com/resources/state-of-identity/}\n}"},"categories":{"workforce-iam":"Workforce IAM & Access","privileged-access":"Privileged Access & PAM","customer-identity":"Customer Identity (CIAM)","audit-compliance":"Audit, Compliance & Evidence","breach-economics":"Breach Economics & Risk","market-signals":"AI Agent Identity & Market"},"stats":[{"id":"workforce-mfa-coverage","category":"workforce-iam","label":"Workforce MFA coverage (large enterprises)","value":"87%","context":"Share of organizations with 10,000+ employees that have rolled out workforce MFA. SMB adoption sits closer to 34%. Coverage gaps remain on legacy on-prem apps and admin accounts.","source":{"name":"JumpCloud MFA Trends + Microsoft Digital Defense Report","url":"https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-workforce-mfa-coverage"},{"id":"phishing-resistant-share","category":"workforce-iam","label":"Phishing-resistant MFA share","value":"14%","context":"Share of workforce passwordless authentication using phishing-resistant factors (FIDO2, passkeys). Up from 8.6% the prior year — a 63% YoY jump driven primarily by Okta FastPass and platform passkeys.","source":{"name":"Okta Secure Sign-in Trends Report 2025","url":"https://www.okta.com/newsroom/articles/secure-sign-in-trends-report-2025/","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-phishing-resistant-share"},{"id":"sso-app-catalog-coverage","category":"workforce-iam","label":"SSO catalog coverage","value":"67%","context":"Average share of an enterprise SaaS catalog behind SSO. The long tail of un-federated apps remains the single largest off-boarding risk.","methodology":"Aggregated across 84 IGA / Access engagements completed 2024-Q1 through 2026-Q1. Median across financial services, government, and healthcare clients.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-sso-app-catalog-coverage"},{"id":"jml-automation-share","category":"workforce-iam","label":"HRIS-triggered JML automation","value":"41%","context":"Share of regulated enterprises with fully HRIS-triggered joiner/mover/leaver workflows on Tier-1 systems. Manual ticketing still drives the majority of access provisioning.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-jml-automation-share"},{"id":"time-to-deprovision-median","category":"workforce-iam","label":"Median time to deprovision","value":"38 min","context":"Median elapsed time from HR offboarding event to access revocation on a Tier-1 system. Best-in-class organizations hit < 5 minutes via Lifecycle Workflows.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-time-to-deprovision-median"},{"id":"standing-privilege-prevalence","category":"privileged-access","label":"Privileged access that is always-on","value":"91%","context":"Share of organizations where at least half of privileged access is \"always-on\" — providing unrestricted, persistent access to sensitive systems. Just-in-time elevation remains the exception, not the default.","source":{"name":"CyberArk 2025 Identity Security Landscape","url":"https://www.cyberark.com/threat-landscape/","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-standing-privilege-prevalence"},{"id":"pam-vault-coverage","category":"privileged-access","label":"PAM vault coverage","value":"58%","context":"Average share of privileged credentials brought under vault management at enterprises with a deployed PAM platform. The remaining 42% sit in spreadsheets, password managers, or untracked admin tooling.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-pam-vault-coverage"},{"id":"jit-elevation-adoption","category":"privileged-access","label":"Full JIT elevation adoption","value":"1%","context":"Share of organizations that have fully implemented just-in-time privileged access. CyberArk attributes the gap to legacy systems built for time-bound access, tool sprawl (88% of orgs manage 2+ identity tools), and weekly discovery of unmanaged privileged accounts.","source":{"name":"CyberArk 2025 Identity Security Landscape","url":"https://www.cyberark.com/press/new-study-only-1-of-organizations-have-fully-adopted-just-in-time-privileged-access-as-ai-driven-identities-rapidly-increase/","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-jit-elevation-adoption"},{"id":"machine-vs-human-identity-ratio","category":"privileged-access","label":"Machine-to-human identity ratio","value":"80:1","context":"Median ratio of machine (non-human) identities to human identities in mid-large enterprises. 68% of orgs lack identity security controls for AI agents specifically.","source":{"name":"CyberArk 2025 Identity Security Landscape","url":"https://www.cyberark.com/press/machine-identities-outnumber-humans-by-more-than-80-to-1-new-report-exposes-the-exponential-threats-of-fragmented-identity-security/","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-machine-vs-human-identity-ratio"},{"id":"session-recording-share","category":"privileged-access","label":"Privileged session recording","value":"34%","context":"Share of privileged sessions on PHI- or PCI-adjacent systems that are recorded by default. Required by HIPAA Security Rule administrative safeguards but inconsistently enforced.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-session-recording-share"},{"id":"passkey-consumer-enrollment","category":"customer-identity","label":"Consumers with at least one passkey","value":"75%","context":"Share of consumers who have enabled a passkey on at least one of their accounts. 49% use passkeys regularly when offered. 5 billion passkeys are now in use worldwide.","source":{"name":"FIDO Alliance — State of Passkeys 2026","url":"https://fidoalliance.org/wp-content/uploads/2026/05/The-State-of-Passkeys-Global-Consumer-and-Workforce-Report-1.pdf","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-passkey-consumer-enrollment"},{"id":"enterprise-passkey-deployment","category":"customer-identity","label":"Enterprise passkey deployment","value":"87%","context":"Share of organizations that have either deployed or are currently deploying passkeys for workforce sign-ins — 47% deployed, 40% in active rollout. Up from a small minority two years ago.","source":{"name":"FIDO Alliance — State of Passkeys 2026","url":"https://fidoalliance.org/wp-content/uploads/2026/05/The-State-of-Passkeys-Global-Consumer-and-Workforce-Report-1.pdf","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-enterprise-passkey-deployment"},{"id":"b2b-saas-using-orgs-pattern","category":"customer-identity","label":"B2B SaaS using Organizations","value":"63%","context":"Share of B2B SaaS products with an Auth0/Okta CIC tenant that have adopted the Organizations multi-tenancy pattern. The remaining sites carry custom tenancy that creates upgrade debt.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-b2b-saas-using-orgs-pattern"},{"id":"consumer-ato-prevalence","category":"customer-identity","label":"US adults hit by ATO (annual)","value":"29%","context":"Share of US adults who experienced an account takeover in 2024 — roughly 77 million people. ATO fraud losses hit $2.9B, the fastest-growing identity-fraud category. Akamai recorded 193+ billion credential-stuffing attempts in one year.","source":{"name":"Akamai State of the Internet — Security + AARP fraud data","url":"https://www.akamai.com/security-research/the-state-of-the-internet/security","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-consumer-ato-prevalence"},{"id":"first-pass-audit-rate","category":"audit-compliance","label":"IAM first-pass audit rate (regulated)","value":"~78%","context":"Share of regulated US enterprises that pass their annual IAM-related audit on the first cycle without remediation. Findings concentrate on access-cert sampling, JML latency, and stale privileged accounts. Practitioner aggregate, not a single source.","source":{"name":"askmeidentity practice observations across FFIEC / FedRAMP / HIPAA engagements","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-first-pass-audit-rate"},{"id":"audit-evidence-manual-share","category":"audit-compliance","label":"Audit evidence still manual","value":"61%","context":"Share of IAM audit evidence produced by manual screenshot collection at quarter-end. Evidence-as-code remains the exception in financial services and healthcare.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-audit-evidence-manual-share"},{"id":"continuous-monitoring-adoption","category":"audit-compliance","label":"ConMon-aligned IAM programs","value":"32%","context":"Share of regulated programs that produce IAM evidence continuously rather than at quarter-end. The shift is fastest in FedRAMP-authorized programs.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-continuous-monitoring-adoption"},{"id":"breach-cost-global-avg","category":"breach-economics","label":"Average breach cost (global)","value":"$4.44M","context":"Global average total cost of a data breach in 2025 — down 9% from $4.88M in 2024. IBM attributes the decline to faster containment powered by AI-driven detection. US ($10.22M) and healthcare ($7.42M) remain well above average.","source":{"name":"IBM Cost of a Data Breach Report 2025","url":"https://www.ibm.com/reports/data-breach","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-breach-cost-global-avg"},{"id":"phishing-top-attack-vector","category":"breach-economics","label":"Phishing as #1 attack vector","value":"16%","context":"Phishing overtook stolen credentials as the top initial attack vector in 2025 — 16% of breaches. Stolen credentials dropped to #2 but still drive the longest dwell time at 292 days.","source":{"name":"IBM Cost of a Data Breach Report 2025","url":"https://www.ibm.com/reports/data-breach","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-phishing-top-attack-vector"},{"id":"human-element-breaches","category":"breach-economics","label":"Breaches involving a human element","value":"60%","context":"Share of breaches involving a human element — phishing, social engineering, lost credentials, or misuse. Down from 68% in the 2024 DBIR — but Verizon notes click rates were unaffected by security awareness training.","source":{"name":"Verizon Data Breach Investigations Report 2025","url":"https://www.verizon.com/business/resources/reports/dbir/","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-human-element-breaches"},{"id":"credential-abuse-share","category":"breach-economics","label":"Breaches starting with credential abuse","value":"22%","context":"22% of breaches began with credential abuse and a further 16% began with phishing — together accounting for 38% of all breaches. 88% of Basic Web Application attacks involved stolen credentials.","source":{"name":"Verizon Data Breach Investigations Report 2025","url":"https://www.verizon.com/business/resources/reports/dbir/","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-credential-abuse-share"},{"id":"mttr-credential-incidents","category":"breach-economics","label":"Stolen-credentials MTTR","value":"292 days","context":"Mean time to identify and contain a breach involving stolen credentials. The slowest-to-contain attack type, attributed to attackers \"logging in rather than hacking in.\"","source":{"name":"IBM Cost of a Data Breach Report 2025","url":"https://www.ibm.com/reports/data-breach","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-mttr-credential-incidents"},{"id":"ai-agent-identity-programs","category":"market-signals","label":"Orgs lacking AI agent identity controls","value":"68%","context":"Share of organizations that lack identity security controls for AI agents specifically. Only 45% apply the same privileged access controls to AI agents as they do to human identities; 33% have no clear AI access policies at all.","source":{"name":"CyberArk 2025 Identity Security Landscape","url":"https://www.cyberark.com/press/machine-identities-outnumber-humans-by-more-than-80-to-1-new-report-exposes-the-exponential-threats-of-fragmented-identity-security/","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-ai-agent-identity-programs"},{"id":"service-account-untracked","category":"market-signals","label":"Untracked service accounts","value":"3.4x","context":"Median ratio of discovered service accounts to documented service accounts on first PAM discovery scan. The undocumented majority is the single biggest privileged-identity gap.","source":{"name":"askmeidentity practice observations","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":true,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-service-account-untracked"},{"id":"iam-market-size","category":"market-signals","label":"Global IAM market (2026)","value":"$25.3B","context":"Global identity & access management software market size in 2026 — projected to reach $77.9B by 2034 at a 15.1% CAGR. Multiple firms converge on a $24-28B range for 2026; we use the Fortune Business Insights midpoint.","source":{"name":"Fortune Business Insights — IAM Market Report","url":"https://www.fortunebusinessinsights.com/industry-reports/identity-and-access-management-market-100373","year":2026},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-iam-market-size"},{"id":"mfa-blocks-unauthorized","category":"market-signals","label":"Identity attacks blocked by phishing-resistant MFA","value":">99%","context":"Microsoft data on the effectiveness of phishing-resistant MFA at blocking unauthorized access attempts. Identity-based attacks rose 32% in H1 2025; 97% are simple password-spray attempts that MFA would have stopped outright.","source":{"name":"Microsoft Digital Defense Report 2025","url":"https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025","year":2025},"lastReviewed":"2026-05-20","practitionerObservation":false,"anchor":"https://askmeidentity.com/resources/state-of-identity/#stat-mfa-blocks-unauthorized"}],"counts":{"total":26,"practitionerObservations":10,"publicStudies":16}}