CyberArk today announced findings from new research revealing a significant gap between organizations’ confidence in their privileged access programs and the reality of their day-to-day practices as AI rapidly expands the identity-centric attack surface.
Despite 76% of organizations stating their privileged access management (PAM) strategies are ready for AI, cloud and hybrid environments, many continue to rely heavily on always-on access assumptions that were designed for far less dynamic operating environments.
Organizations Overestimate Their Readiness for AI and Cloud
The study, which surveyed 500 U.S. practitioners in PAM, identity and infrastructure roles, shows that while modernization efforts are underway, very few organizations have adopted adaptive, time-bound access models aligned with Zero Trust principles. Key findings include:
- Only 1% have fully implemented a modern Just-in-Time (JIT) privileged access model.
- 91% report that at least half of their privileged access is always-on, providing unrestricted, persistent access to sensitive systems.
- 45% apply the same privileged access controls to AI agents as they do to human identities.
- 33% say they lack clear AI access policies.
Shadow Privilege and Tool Sprawl Accelerate Risk
The research highlights the widespread and growing issue of ‘shadow privilege’ — unmanaged, unknown or unnecessary privileged accounts and secrets that accumulate silently over time.
- 54% of organizations uncover unmanaged privileged accounts and secrets every week.
- 88% manage two or more identity security tools, creating fragmentation that introduces blind spots.
- 66% say traditional privileged access reviews delay projects.
- 63% admit employees bypass controls to move faster.
“Dynamic, evolving environments mean the nature of privileged access — and how to secure it — has fundamentally changed,” said Matt Cohen, CEO of CyberArk. “With only one percent of organizations having fully implemented a Just-in-Time access model, it’s clear that industry-wide modernization is overdue. As AI agents and non-human identities take on increasingly sensitive tasks, applying the right privilege controls to each identity — and governing every privileged action — is now essential.”
To reduce risk while supporting innovation at scale, organizations should focus on evolving how privileged access is applied without abandoning foundational controls:
- Minimize standing privileges by implementing dynamic, risk-based access.
- Adopt automated and orchestrated Just-in-Time access for high-risk or sensitive actions.
- Apply appropriate privilege controls across human, machine and AI identities, based on context and risk.
- Simplify and consolidate identity platforms to improve visibility and governance.
