This new SANS report is built on findings from a large independent 2026 identity threat detection and response survey, and the biggest takeaway is pretty simple: most organizations have identity security tools in place, but that has not translated into real resilience.
SANS calls out a clear gap between deployment and outcomes. While 68% of organizations detect identity attacks within 24 hours, only 55% contain them in that same window.
The report gets more useful from there. It shows that identity attacks are no longer mostly about stealing credentials and getting through the login screen. A lot of the damage now happens after authentication, through compromised sessions, token abuse, OAuth paths and overprivileged service accounts. In other words, the problem is not just who gets in. It is what a valid identity can do once it is inside.
It also puts a spotlight on two areas teams still do not have under control: non-human identities and AI agents. SANS found that NHIs are the fastest-growing identity category, yet 92% of organizations fail to rotate most NHI credentials on a 90-day cycle. It also found that 74% are already using AI agents or automations that require credentials, even though governance is still immature and inconsistent.
If you want a survey-backed look at where identity security is actually breaking down and what needs to change, this report is worth your time.