
The security industry is facing an identity crisis. As AI-driven threats surge, security leaders are confronting alarming confidence gaps, fragmented visibility, and additional hurdles to adopting essential identity security measures.
To explore how companies are navigating this complex environment, Cisco Duo surveyed 650 IT and security leaders across North America and Europe. This latest report, the 2025 State of Identity Security, reveals the urgent identity challenges cyber security professionals face today.
According to Matt Caulfield of Cisco Duo, the findings expose a stark reality: While leaders acknowledge the vital role of identity security, glaring gaps in confidence and execution leave many organisations dangerously vulnerable. Below is a summary of the findings and some insights into the solutions needed to navigate this challenging landscape.
Leaders face significant challenges as identity threats escalate and security gaps widen. Only a third (33%) of leaders are confident that their current identity provider can prevent identity-based attacks. This lack of confidence is heightened by complex identity systems and concerns about limited visibility into potential weaknesses. A significant 94% of leaders believe that complexity in identity infrastructure decreases their overall security.
Additionally, 75% of leaders admit they lack full insight into identity vulnerabilities across their organisations. Identity and tool sprawl also hinder unified security and visibility. On average, IT and security teams use five tools to resolve a single identity issue.
The consequences can be costly: Over half (51%) of organisations have suffered financial losses due to identity-related breaches. Recognising the high stakes, companies are proactively responding to these risks. In fact, 82% of financial decision-makers have increased investments in identity security for 2025. This signals a clear commitment to strengthening defences and closing critical gaps.
The rise of artificial intelligence (AI) presents both new threats and a powerful impetus for change in identity security. AI-driven phishing is one of the top identity threats for 2025 according to 44% of leaders, alongside insider threats and supply chain attacks. Traditional defences are no match for the sophistication of AI-powered attacks, especially when combined with complex supply chain networks and identity ecosystems.
However, AI is also modernising identity systems. 85% of companies are adopting security-first identity practices to counter AI-driven threats. AI is a powerful catalyst, driving organisations to address long-standing gaps in their identity security strategies and to use AI-driven data processing as a tool.
Phishing remains a perennial issue, driving the need for stronger authentication and complete deployment of multi-factor authentication (MFA). While 87% of leaders believe phishing-resistant MFA is critical to their security strategies, only 30% are highly confident in their phishing controls.
Even foundational MFA defences are not universally applied. The top causes of identity breaches include: weak or missing MFA (36%), coverage gaps (34%), and one-time passcode failures (29%). Cisco Talos’ recent Year in Review also listed missing, incomplete, or weak coverage of MFA as top vectors for identity-based attacks.
Further, only 19% of companies have deployed FIDO2 tokens, the gold standard in phishing-resistant MFA. Often, these hardware tokens are reserved for privileged users. The rest are held back by token management (57%), training needs (53%) and hardware cost (47%).
Upgrading to more secure authentication methods is top-of-mind. Sixty-one percent of leaders want to adopt passwordless access but expect deployment challenges.
Amid identity sprawl, shadow IT, and irregular identity lifecycles, today’s unpredictable security landscape presents significant challenges, but companies also have valuable opportunities to strengthen their defences and take proactive steps to address these issues.
Many IT leaders acknowledge that identity security is added after a compliance issue or breach, rather than built in from the start. A significant 74% of IT leaders admit identity security is often an afterthought in infrastructure planning.
Treating security as an add-on can result in additional costs, complexity, and misalignment that decreases overall visibility. In response to tool sprawl and complexity, 79% of teams are actively exploring vendor consolidation to improve identity security visibility.
Only 52% of organisations believe they have fully integrated identity and device telemetry. Without real-time visibility into identity behaviours, security and IT teams can’t make consistent, informed decisions.
Further, a significant 86% of leaders expressed concern about inadequate controls for contractors and third-party access. This extended perimeter often lacks the robust oversight applied to internal users, with the added challenges of unmanaged devices and timely deprovisioning.
As organisations shift to a security-first IAM strategy, unified visibility is critical for bridging gaps across complex environments. 87% of leaders believe that having identity threat detection and response (ITDR) is crucial. Meanwhile, only 32% of IT teams have Identity Security Posture Management (ISPM) solutions deployed.