• 91% report that at least half of their privileged access is always-on
• AI-driven identities emerge as a major new privileged access blind spot
• ‘Shadow privilege’ and fragmented tools accelerate risk for organizations

CyberArk (NASDAQ: CYBR), the global leader in identity security, today announced findings from new research revealing a significant gap between organizations’ confidence in their privileged access programs and the reality of their day-to-day practices as AI rapidly expands the identity-centric attack surface.

Despite 76% of organizations stating their privileged access management (PAM) strategies are ready for AI, cloud and hybrid environments, many continue to rely heavily on always-on access assumptions that were designed for far less dynamic operating environments.

Organizations Overestimate Their Readiness for AI and Cloud

The study, which surveyed 500 U.S. practitioners in PAM, identity and infrastructure roles, shows that while modernization efforts are underway, very few organizations have adopted adaptive, time-bound access models aligned with Zero Trust principles. Key findings include:

• Only 1% have fully implemented a modern Just-in-Time (JIT) privileged access model.
• 91% report that at least half of their privileged access is always-on, providing unrestricted, persistent access to sensitive systems.
• 45% apply the same privileged access controls to AI agents as they do to human identities.
• 33% say they lack clear AI access policies.

Shadow Privilege and Tool Sprawl Accelerate Risk

The research highlights the widespread and growing issue of ‘shadow privilege’ — unmanaged, unknown or unnecessary privileged accounts and secrets that accumulate silently over time.

• 54% of organizations uncover unmanaged privileged accounts and secrets every week.
• 88% manage two or more identity security tools, creating fragmentation that introduces blind spots.
• 66% say traditional privileged access reviews delay projects.
• 63% admit employees bypass controls to move faster.

“Dynamic, evolving environments mean the nature of privileged access — and how to secure it — has fundamentally changed,” said Matt Cohen, CEO of CyberArk. “With only one percent of organizations having fully implemented a Just-in-Time access model, it’s clear that industry-wide modernization is overdue. As AI agents and non-human identities take on increasingly sensitive tasks, applying the right privilege controls to each identity — and governing every privileged action — is now essential.”

To reduce risk while supporting innovation at scale, organizations should focus on evolving how privileged access is applied without abandoning foundational controls:

• Minimize standing privileges by implementing dynamic, risk-based access.
• Adopt automated and orchestrated Just-in-Time access for high-risk or sensitive actions.
• Apply appropriate privilege controls across human, machine and AI identities, based on context and risk.
• Simplify and consolidate identity platforms to improve visibility and governance.

Further Information:

• Download the infographic: The Privilege Reality Gap: New Insights Shaping the Future of Identity Security.
• Whitepaper: CyberArk Solutions for Securing Modern Infrastructure.
• What is the future of privileged access? Learn more here.

About the Research:

The research was conducted by Censuswide, based on a sample of 500 U.S. workers. The data was collected between November 11, 2025 and November 21, 2025. Respondents included DevOps Engineers, IAM Architects, DevOps Security Managers, Database Administrators, Site Reliability Engineers, Cloud Security Architects/Engineers, IT Support Specialists, and Software Engineers. Participants represented foundational PAM and modern infrastructure roles across the buying center — including decision makers, champions, influencers, and end‑users — and were aged 27–64. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.

About CyberArk

CyberArk (NASDAQ: CYBR) is the global leader in identity security, trusted by organizations around the world to secure human and machine identities in the modern enterprise. CyberArk’s AI-powered Identity Security Platform applies intelligent privilege controls to every identity with continuous threat prevention, detection and response across the identity lifecycle. With CyberArk, organizations can reduce operational and security risks by enabling zero trust and least privilege with complete visibility, empowering all users and identities, including workforce, IT, developers and machines, to securely access any resource, located anywhere, from everywhere. Learn more at cyberark.com.

Copyright © 2026 CyberArk Software. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260108548493/en/