IT Brief US - Technology news for CIOs & IT decision-makers
United States
Security operations analyst network locks attack paths
#
Digital Transformation
#
PAM
#
Cloud Security

Identity attack path management gains ground, survey finds

Wed, 29th Apr 2026 (Today)
Author image
By Shannon Williams, News Editor

SpecterOps has published new research on identity security spending and adoption of identity attack path management, finding that more organisations have fully implemented the approach than a year earlier.

The survey, conducted by Omdia on behalf of SpecterOps, drew on responses from more than 500 cybersecurity decision-makers. It found that 35% of organisations had fully implemented an identity-based attack path management solution, up from 21% in 2025, while another 30% were researching or evaluating one.

Spending is also rising. Three-quarters of respondents said their organisations were increasing identity security budgets, while 46% said improving visibility into attack paths and privilege relationships was a top cybersecurity priority over the next 12 months.

The findings suggest a market shift from early testing to broader operational use. They also indicate that many companies now view identity risk as a central security issue as hybrid technology environments, machine identities and AI-related workflows add complexity.

Hybrid infrastructure remains a major challenge. Identities, credentials and trust relationships are spread across on-premise and cloud systems, making it harder for security teams to track how attackers might move through an organisation after initial access.

That challenge persists even where tools are in place. While 65% of organisations said they used risk-based prioritisation and 58% said they used automated remediation tools, many still reported difficulty turning visibility into action.

Some 41% said they struggled to prioritise attack paths for remediation. Another 37% cited bandwidth constraints and team overwhelm, while 32% pointed to tool complexity and the same share identified integration challenges.

AI pressure

The survey also linked identity security work to broader AI adoption. Two of the top three business priorities for 2026 were improving visibility into attack paths and privilege relationships, cited by 46% of respondents, and integrating generative and agentic AI into the business, cited by 43%.

Elsewhere, 40% named security for AI and generative AI as a top area for innovation, while 38% said identity security was a leading innovation need. The figures suggest companies are addressing identity weaknesses at the same time as they introduce new AI systems that may create additional accounts, permissions and trust relationships.

SpecterOps said this combination is increasing the urgency of making identity attack path management part of routine security operations rather than a stand-alone project. The research suggests adoption of the technology is advancing faster than the organisational processes needed to support it.

A key issue is what happens after a threat actor has authenticated or gained a foothold. The report found post-authentication attack paths remain difficult to identify and remediate, particularly in mixed on-premise and cloud environments where visibility is fragmented.

That has implications for how security teams organise their work. The data suggests organisations are not only buying tools but also trying to establish ownership, governance and workflows that allow them to reduce risk over time.

Jared Atkinson, chief technology officer at SpecterOps, said the focus was shifting beyond simple detection. "As identity becomes the control plane for more of the enterprise, the challenge is no longer just getting visibility," he said. "Organisations are now working to build cross-functional discipline to prioritize findings and drive remediation, reducing attack paths over time. This effort becomes even more important as AI adoption introduces more non-human identities and trust relationships, and therefore more legitimate paths for an attacker to take."

The results point to a market entering a more mature phase, where the operational demands of identity attack path management are becoming clearer. In that phase, the ability to connect findings with remediation appears to be as important as the ability to discover risky relationships in the first place.

Atkinson said visibility alone would not solve the problem. "Identity risk is not a point-in-time problem and visibility alone does not reduce risk," he said. "Organisations are moving to the next step: building a durable practice around Identity APM, one that connects technology, ownership, and remediation workflows in a way that can keep pace with modern environments."

Related stories
AI now powers most dangerous cyber threats, warns SANS
Ricoh launches A3 monochrome printers with cloud tools
Freshworks data shows after-hours IT support gap widens
Black Ore opens Tax Autopilot to thousands of CPA firms
Sonny's CTO warns against AI-generated code without review

Top stories

Sage buys Doyen AI to speed finance software rollout
Constructive launches agentic-db for AI agents
Simbian cyber defence benchmark finds all 11 AI models fail
Cornelis adds federal partners for AI & HPC networking
AI medical devices widen healthcare cyber risk gap