Artificial intelligence is rapidly multiplying non-human identities across enterprise systems in Singapore, creating an identity attack surface that organisations are struggling to secure, according to a new global study by Semperis.
The State of Identity Security in the AI Era report, which surveyed 1,100 organisations across eight markets including Singapore, found that 66% of Singapore respondents believe AI will increase attacks on identity infrastructure. At the same time, 93% already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access — raising urgent questions about governance and recovery readiness.
AI Agents Creating Ungoverned Identities
The study found that organisations are deploying AI agents at speed while governance lags behind. Globally, only 65% of organisations say AI identities are fully registered, authenticated, and authorised in a formal system. Six per cent admit they do not track them at all.
More than a quarter of surveyed organisations (29%) already use AI agents to manage security-related helpdesk tickets, including password resets and VPN access, with another 65% intending to do so within the next year. In parallel, 92% of respondents say some portion of their workforce has AI installed on local machines where it can access SSH and encryption keys.
“Singapore organisations have been quick to explore AI across business and security operations, but every AI agent introduced into the enterprise also creates a new identity that must be governed, monitored and recovered if compromised. It’s encouraging that 90% of Singapore respondents see AI identity governance as a priority, but priority must translate into practical controls.” — Gerry Sillars, Vice President, Asia Pacific and Japan, Semperis
Overconfidence in Recovery Poses a Systemic Risk
A recurring concern in the study is the gap between perceived resilience and actual recovery capability. Organisations report having plans and backups in place, but Semperis warns that identity failures routinely escalate into prolonged business crises rather than contained technical incidents.
“The accelerated use of AI is introducing a bevy of new agents, each with its own non-human identity throughout global enterprises, and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach.” — Alex Weinert, Chief Product Officer, Semperis
Chris Inglis, the first US National Cyber Director and a Semperis Strategic Adviser, echoed the concern, noting that on paper organisations have plans and backups, but in practice identity failures turn technical incidents into prolonged business crises.
What Organisations Should Do
Semperis recommends that enterprises treat AI agents explicitly as non-human identities within their identity fabric, enforce least-privilege and just-in-time access as rigorously as for human users, and ensure they can rapidly recover identity systems to a trustworthy state after a breach. The firm also advises using behavioural analytics to detect anomalous or dormant agent activity.
The full report is available via the Semperis website. The study was conducted in partnership with Censuswide in early 2026.


