Key Takeaways

• Identity security was identified as the top cybersecurity priority in ETR's 2026 State of Security Study, scoring 68, up from 64 in 2025.

• AI-focused security was the fastest-rising category, climbing nine points from 49 to 58 and narrowing the gap with data security to just two points.

• Data security (50%) and identity and access management (48%) rank as the most critical layers of enterprise AI and LLM security strategy.

• The top identity risks of agentic AI are agents acting outside their intended policy (57%) and agents being over-privileged (56%).

• 70% of the technology leaders surveyed are now actively evaluating tools to manage non-human identities, including AI agents.

Every year, the security budget gets a little more crowded. New categories appear, old ones get rebranded, and the perennial fight for attention plays out across endpoints, networks, data, and the cloud. So when one category pulls clearly ahead of the pack, it is worth asking what the market is actually responding to.

In the 2026 State of Security Study of over 500 technology leaders, identity security did exactly that. Each category in the survey carries a priority score, where a higher number means more of the surveyed technology leaders are treating that area as a leading focus. Identity security scored 68, up from 64 in 2025, and claimed the top spot by a meaningful margin over every other category. At the same time, AI-focused security posted the largest year-over-year gain of any category. Together, these findings point to a clear shift. As enterprises expand their use of AI and large language models, the question is no longer only who has access. It is also what has access, what that access can do, and whether anyone can prove what happened after the fact.

Why Is Identity Security the Top Priority in 2026?

For years, identity security has been treated as a critical part of enterprise defense. In 2026, it looks more like the control plane, the central layer that decides what every other system is allowed to do.

Its score of 68 places it ahead of every other tracked category by a meaningful margin, and that lead matters because security teams are not short on priorities. They are balancing data security, AI-focused security, endpoint protection, observability, exposure management, and DevSecOps all at once. Identity still rose to the top.

The rest of the stack stayed remarkably stable, which makes the gap stand out even more. Endpoint security was the only top-five category to slip, edging down from 56 to 55, and observability and security information and event management (SIEM) ticked down from 52 to 51. The biggest change came at the bottom, and it is partly a relabeling: ETR retired the vulnerability management category, which scored 67 in 2025, and replaced it in 2026 with a broader category called risk-based exposure management, which debuted at just 41. The lower score reflects how the new, wider category was prioritized, not a sudden collapse in the work itself. DevSecOps remained in last place at 37, up slightly from 32 but still well behind every other tracked category.



The reason identity leads is practical. Every major security outcome depends on whether organizations can verify identity, govern access, and reduce unnecessary privilege. When that breaks, everything else gets harder.

How Is AI Making Identity Security More Urgent?

The single largest gain in the survey did not belong to identity. It belonged to AI-focused security, which climbed nine points year over year, rising from 49 to 58 and moving into third place overall. That jump narrowed the gap between AI and second-place data security from eight points to just two. No other category moved as fast.

These two trends are not running on separate tracks. They are part of the same story. As enterprises adopt generative AI, large language models, and agentic AI, they are introducing new forms of access into business workflows. These systems can retrieve data, trigger actions, call tools, interact with APIs, and make decisions across connected environments. That creates value, but it also creates a new identity problem. Every agent is an identity that has to be authenticated, authorized, and held accountable.

The supporting data confirms where attention is going. Respondents were asked to name their first, second, and third most critical layers for AI and LLM security, and the percentages below combine all three selections for each layer. Data security led at 50% combined, with 20% naming it their single most critical component, the highest of any area. Identity and access management followed closely at 48%, earning the highest second-place ranking of any layer. AI platform security, covering the tools used to run and monitor models such as model gateways and prompt monitoring, ranked third at 42%. After that, the numbers drop off sharply, with secure access service edge (SASE), a category of network-and-access security, ranking last among named categories at just 8%. The message is direct: technology leaders see AI security as a data and identity issue first.

What Are Non-Human Identities, and Why Do They Matter Now?

The rise of agentic AI is forcing enterprises to confront a challenge many were already struggling to manage: non-human identities.

These identities include service accounts, machine identities, bots, automation tools, API keys, tokens, and now AI agents. They do not behave like human users, but they often hold access to highly sensitive systems and data, and in many organizations they are harder to inventory, monitor, and control. ETR's data shows that 70% of respondents are now actively evaluating tools to manage non-human identities, placing the category among the fastest-growing in the entire survey. That level of evaluation suggests buyers are no longer treating it as optional plumbing. They are actively looking for solutions to bring order to a growing access problem.

What Are the Biggest Identity Risks of AI Agents?

Ask technology leaders what specifically worries them about agentic AI, and the answers cluster tightly around two themes: agents that can do too much, and agents no one can hold accountable.

The top two concerns are effectively tied. 57% of respondents flag agents acting outside their intended context or policy, and 56% flag agents being over-privileged. That finding deserves attention, because the leading concerns are not about external attacks. They are about internal control. A close second tier follows: privilege escalation through chained tool calls at 37%, and a lack of non-repudiation, meaning the inability to prove what an agent did and under whose authority, at 36%. Token theft or replay attacks that could enable silent, high-scale abuse round out the list at 25%.

Read together, these concerns describe a single anxiety. An autonomous agent with broad permissions and no clear audit trail can take consequential action, and afterward, no one can fully reconstruct what it did or why it was allowed to. This is where identity security becomes more than authentication. It becomes governance, traceability, and accountability.

Deployment Challenges Show the Same Gap

What makes the 2026 data credible is that the deployment challenges technology leaders report map almost exactly onto the risks they fear. This is not a survey full of hypotheticals. The same gaps show up in practice.

A lack of visibility into what AI agents accessed tops the challenge list at 57%, followed by the difficulty of controlling non-human identities and their privileges at 56%. Nearly half of respondents, 49%, cite the difficulty of enforcing least privilege across multiple tools and APIs. Combine these three, and the leading challenges are all upstream access-control problems. Before enterprises can detect misuse, they need to know which identities exist. Before they can limit damage, they need to enforce least privilege. Before they can trust agents at scale, they need to know what those agents are doing, and as whom.

The lower-ranked items are telling in their own way. Securing credentials and tokens sat at 33%, and approval workflows for high-impact actions ranked last at just 25%. That final result is the one worth pausing on. Approval workflows are the single control most capable of stopping an unauthorized action before it happens, yet they rank lowest among deployment priorities. The market is intensely focused on seeing and constraining what agents can reach, and comparatively less focused on the gate that would catch a bad action in the moment.

What the Data Means for Vendors and Technology Leaders

For security vendors, the opportunity is significant, but the bar is rising. Identity security vendors need to show they can support a world where access is no longer limited to employees, contractors, and partners. Buyers will expect stronger answers around non-human identities, AI agents, least privilege, policy enforcement, and auditability.

AI security vendors should take note as well. The market may be excited about model gateways, prompt monitoring, and LLMOps controls, but the data shows buyers view data security and identity and access management as the most critical layers of AI security strategy. A compelling AI security story has to connect to those priorities.

For enterprise technology leaders, the takeaway is more direct. AI adoption will move faster than governance unless identity controls are built into the strategy early. Waiting until agents are already embedded across workflows will make visibility, access control, and accountability much harder to regain.

Trust at Machine Speed

Identity security leads the 2026 cybersecurity agenda because identity is where enterprise risk now concentrates. Human users still matter, but non-human identities and AI agents are expanding the attack surface and reshaping the control model. The data is consistent across every cut of the survey: the layers that matter are data and identity, the fears are over-privileged and unaccountable agents, and the day-to-day challenges are visibility and access control.

The organizations that get ahead will not simply ask whether an AI agent can complete a task. They will ask what it can access, what authority it carries, how that authority is limited, and whether its actions can be traced. In 2026, identity security is not just about access. It is about trust at machine speed.


Access the full ETR State of Security research to see how technology leaders are prioritizing identity security, AI-focused security, and non-human identity management across the enterprise security landscape.