Organizations Adopt AI Agents for Sensitive Security Tasks

According to a Semperis study distributed via PR Newswire on May 13, 2026, a global survey of 1,100 organisations across the US, UK, France, Germany, Spain, Italy, Singapore and Australia found 74% believe AI will increase attacks on identity infrastructure. The study reports 93% of respondents already use or plan to use AI agents for sensitive security tasks including password resets and VPN access, and 92% say AI is installed on at least some local machines with access to SSH and encryption keys. The release states only 32% of organisations globally are very confident they could regain control if AI exposes admin credentials; the release cites 53% confidence in the US and 12% in France. The study also reports 65% say AI identities are fully registered, 6% do not track them, and among organisations that track AI identities 57% use the same system as human identities while 43% use a separate system. Alex Weinert, Semperis Chief Product Officer, is quoted saying "The accelerated use of AI is introducing a bevy of new agents- each with its own non-human identity (NHI)- throughout global enterprises and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs."

Industry-pattern observations: organisations embedding AI agents into ops workflows commonly expand machine-access footprints for identity systems such as Active Directory, Entra ID and Okta. When agents run on endpoints with SSH or key material, the attack surface enlarges because non-human credentials and automation tokens can be harvested or misused in ways that differ from human account compromise. Survey-reported gaps in registration and tracking of AI identities increase the chance that ephemeral or shadow identities are not subject to standard rotation, least-privilege, or monitoring controls.

Editorial analysis: The Semperis findings align with wider reporting that enterprises adopt generative AI and automation rapidly while governance lags. Comparable surveys and vendor reporting in 2024-2026 highlighted frequent sharing of sensitive data with generative tools and uneven controls for machine identities. For security teams, this pattern raises forensic, incident-response, and key-management challenges that differ from traditional user-centric identity incidents.

Editorial analysis: Observers should track three indicators: whether organisations formalise registration and lifecycle management for AI or non-human identities; adoption of tooling that detects and isolates compromised agent credentials; and changes in incident-response playbooks to handle automation-driven lateral movement. Publicly reported confidence metrics by region, like the 53% US and 12% France figures from the Semperis release, provide a baseline for benchmarking readiness across markets.