techcoffeehouse.com

73% of APJ Firms Hit by Identity Breaches as AI Inflates NHI Risk

Sophos has found that 73% of organisations in Asia Pacific and Japan (APJ) suffered at least one identity-related security breach in the past 12 months, slightly above the global average of 71%, as the proliferation of non-human identities (NHIs) driven by agentic AI compounds existing gaps in credential management.

The findings come from the State of Identity Security 2026, a vendor-agnostic survey of 5,000 IT and cybersecurity leaders across 17 countries conducted in Q1 2026. On average, breached organisations reported three separate incidents in the year, with 5% globally experiencing six or more.

Ransomware’s Identity Problem

Two thirds of ransomware victims (67%) confirmed their incident originated from an identity attack, establishing credential compromise as the primary ransomware delivery vector. The financial toll is significant: mean recovery costs reached US$1.64 million, with a median of US$750,000. Nearly three quarters of affected organisations (73%) faced recovery costs of US$250,000 or more.

In APJ specifically, 15% of breached organisations failed to detect and stop their most significant identity attack before damage occurred, compared with a global failure rate of 14%.

Human Error and NHI Mismanagement Drive Breaches

Human error — primarily employees tricked into surrendering credentials — was cited in nearly 43% of incidents. Weak NHI management, including API keys stored in code, static credentials and orphaned service accounts, accounted for 41%. Organisations with weak NHI management are 22% more likely to experience financial theft and pay approximately US$150,000 more to recover than the average victim.

The NHI problem is accelerating. AI agents can autonomously spin up sub-agents, each generating credentials with broad, persistent access and limited human oversight. Yet only one in three organisations regularly rotates or audits service accounts and non-human identities, and just 11% do so continuously.

“Identity has become the primary attack surface in modern cybersecurity, and this data shows most organisations are losing ground. The non-human identity problem is particularly urgent. AI agents are being granted privileges faster than security teams can track them, and organisations that fail to get ahead of this will find it an increasingly costly gap to close.” — Ross McKerchar, Chief Information Security Officer, Sophos

Sectors and Visibility Gaps

Critical infrastructure sectors reported the highest breach rates globally: energy, oil/gas and utilities at 80%, and federal and central government at 78%. Visibility remains a systemic weakness — only 24% of organisations continuously monitor for unusual login attempts, while more than half check every three months or less.

Compliance difficulty also correlates with breach exposure. Organisations that found compliance requirements very challenging had a breach rate of 82.4%, a full 14 percentage points higher than those with lower compliance difficulty.

Recommended Controls

Sophos recommends a multi-layered approach addressing both human and non-human identities. Core steps include enforcing multi-factor authentication across all accounts, applying least-privilege access principles, and promptly disabling inactive identities. For NHIs, organisations should inventory and classify all non-human identities, replace long-lived credentials with short-lived alternatives, and deploy secrets management platforms. As agentic AI accelerates NHI proliferation, Sophos flags Identity Threat Detection and Response (ITDR) capabilities and Zero Trust architecture as increasingly critical layers of defence.
