10% of organizations reported an identity breach that impacted their business in the last year.

When identity breaches impact business, the primary consequences are data theft (49%), ransomware (48%), and financial theft (47%).

Only 24% of organizations continually monitor for unusual login attempts.

14% of breached organizations cannot detect and stop their most significant identity attack before damage is done.

Energy, oil/gas, and utilities reported an 80% breach rate and federal/central government report a 78% breach rate, the highest across industries surveyed.

Organizations that find compliance requirements very challenging have a breach rate of 82.4%, which is 14 percentage points higher than organizations with lower compliance difficulty (68.3%).

Human error (employees tricked into providing credentials) was cited in nearly 43% of identity incidents.

Weak non-human identity (NHI) management was cited in 41% of identity incidents.

One-third of organizations regularly rotate or audit service accounts and non-human identities, while just 11% do so continuously.

In the 12 months from March 2025, industrial organisations accounted for 29.6% of all ransomware activity on average.

Within capital goods, machinery experienced 442 ransomware attacks and construction and engineering experienced 394 ransomware attacks in the 12 months from March 2025.

Industrial organisations experienced 2,073 ransomware attacks in the 12 months from March 2025.

Total annual revenue in the UK cyber security sector reaches £14.7 billion, a nominal increase of about 11% since the previous year.

Total gross value added (GVA) for the UK cyber security sector reaches approximately £9.1 billion, an increase of 17% since the previous year.

99% of respondents say their organization already uses AI agents.

On average, 40% of AI agents and 40% of machine identities already have access to organizational data.

90% of respondents agree that AI agents should operate under least privilege principles, with bounded access and tighter controls.

91% believe they can rapidly contain compromised AI agents.

On average, only 39% of privileged access is managed through a just-in-time (JIT) or zero standing privilege (ZSP) model.

Among C-suite respondents, 54% believe their organization is completely effective at continuously enforcing least privilege, while 61% of the practitioners doing the work disagree.