AI expansion lifts breach rate to 43%, Netwrix says
Mon, 15th Jun 2026
Netwrix has published its 2026 Data and Identity Security Report, which found a sharp breach gap between organisations where AI expanded access and those where it did not.
The report drew on responses from 2,317 IT and security professionals representing 1,889 organisations across more than 60 industries. Organisations where AI significantly expanded the number of identities requiring access recorded a 43% breach rate over the past year, compared with 11% at organisations where AI had not materially changed access patterns.
According to the findings, that disparity remained visible even among organisations that were more advanced in areas such as data visibility and non-human identity governance. Netwrix said the results pointed to an "AI readiness gap" driven by the speed at which AI creates new identities, access routes and governance demands.
Only 11% of organisations said they had fully operationalised AI governance through continuous enforcement and monitoring. At the other end of the scale, 17% said they remained entirely unprepared, while 45% were still developing governance programmes.
The study also highlighted broader weaknesses in identity and data oversight. Some 76% of organisations said they do not fully govern or monitor non-human identities, while 74% said they lack a unified view of sensitive data and the identities that can access it.
Another 70% said they have no unified strategy linking identity and data visibility, leaving many without a clear view of what AI systems are accessing or which users and machine identities can reach sensitive information.
Access control emerged as a recurring issue across the research. Netwrix said 75% of sensitive data exposures begin with compromised identities or misconfigured permissions, and 76% of organisations cannot immediately revoke standing access when it is no longer needed.
Response times also appeared slow in many cases. Only 23.5% of organisations said they could respond at the speed attackers move, while nearly 63% said they need between one and three days to remediate identified risks.
Sector patterns
The report also broke out differences by company size and industry. Organisations with 500 to 999 employees posted a 40.3% breach rate, the highest among the size segments measured.
By industry, technology, healthcare and construction recorded the highest breach rates. The summary figures released did not include detailed breach counts for each sector.
Regional loss figures also pointed to material financial consequences for affected businesses. In North America, 24% of breached organisations reported losses of at least USD $100,000 over the past year, while 12% reported losses above USD $250,000.
The underlying dataset was weighted towards the Americas, which accounted for 68% of respondents. EMEA made up 23% and APAC 9%.
Governance strain
The findings suggest AI adoption is compounding longstanding security problems rather than replacing them. As organisations add more automated tools, machine accounts and data connections, governance systems appear to be struggling to keep pace.
One area of concern is shadow AI. Only 20% of organisations said they fully monitor employee use of unsanctioned AI tools, suggesting many may not know which external services staff are using to process company information.
Non-human identities presented a similar challenge. Just 19% of organisations said they fully govern those identities, despite their growing role in application access, automation workflows and AI systems.
Grady Summers, Chief Executive Officer at Netwrix, linked the breach gap to the pace of change in AI-led access growth.
"Organisations where AI expanded access saw four times the breach rate of those where it didn't, 43% versus 11%," said Grady Summers, Chief Executive Officer at Netwrix.
"The root cause here is speed. AI adds identities and accesses data faster than human-paced reviews can track them, and attackers can create an impact in seconds. Governance has to run at that speed or it's just theater," Summers said.
Alongside the report, Netwrix launched a Data, Identity & AI Security Assessment. The benchmarking tool measures organisations across 12 security dimensions and five maturity tiers tied to AI readiness.
The company said the assessment is designed to give participants a view of their current security posture, areas of exposure and recommended next steps. Its release reflects a broader effort by security vendors to package benchmarking and readiness scoring around AI-related risks.
For businesses trying to manage AI deployment, the report's central finding is that access expansion is moving faster than control frameworks. Only 11% of organisations said they had reached full AI governance readiness.