Stolen passwords have long been considered the biggest identity threat facing enterprises, but new research suggests the focus is now moving more toward AI driven attacks. According to a new report from HYPR, generative AI and automated agents have overtaken stolen credentials as the top identity security concern for organizations.
The findings come from HYPR’s sixth annual State of Passwordless Identity Assurance report. According to the study, 53 percent of security leaders now see generative AI as the biggest identity related risk, while 45 percent point to agentic AI. Both rank ahead of stolen credentials, which have historically been viewed as the leading enterprise security threat.
SEE ALSO: Think your password is safe? AI could break it before you blink
HYPR describes the development as an “AI crossover,” marking the first time automated and AI driven threats have overtaken traditional credential misuse as the primary identity concern. The report suggests that organizations are increasingly dealing with attacks that operate at a scale far beyond human driven threats.
The research suggests that automation is accelerating both the speed and volume of attacks. Around 65 percent of identity related attacks are now detected within hours, but AI tools allow attackers to steal data before human teams have a chance to respond. This situation is described as a “velocity paradox,” whereby detection is improving but automated attacks are moving even faster.
Identity threats and impersonation
One of the biggest emerging issues is the problem of impersonation. According to the report, 87 percent of organizations have encountered audio or video deepfakes during identity based attacks. Synthetic media, including prerecorded video deepfakes, is considered a major enterprise threat by 45 percent of respondents.
AI generated voice manipulation is also becoming far more common. Around 40 percent of organizations have reported incidents involving voice cloning, whereby attackers create manipulated audio clips to target call centers and the like.
The report also suggests that automated agents could soon become a bigger source of password leaks than people. Machine driven processes are on track to leak more credentials this year than human mistakes, taking the nature of identity risk away from individual errors toward large scale automated activity.
“Technical literacy is no longer the bottleneck; the challenge now lies in the mechanics of scaling across the enterprise,” said Bojan Simic, CEO and co founder of HYPR. “In 2026, automated agents will leak more passwords than people, shifting identity risk from human scale errors to industrial scale machine automation. We must move past point in time security and make identity verification a permanent part of how we manage every employee, from onboarding to offboarding.”
Organizations are increasingly turning to identity verification systems as a way to address these threats. The report says 65 percent of enterprises now use identity verification as part of their security strategy, although this remains limited to small segments of the workforce.
Passwordless authentication continues to grow, although adoption has slowed in some environments. While 64 percent of security leaders say they now understand passkeys, enterprise wide adoption is only at 43 percent.
The research also shows that many companies still rely on traditional passwords. Around 76 percent of organizations continue to use legacy credential systems, although in brighter news, 71 percent say they are moving toward passwordless authentication.
The State of Passwordless Identity Assurance report is based on a survey of more than 950 IT and security leaders across multiple industries.
What do you think about AI becoming the top identity security concern for enterprises? Let us know in the comments.
