The State of Identity and Data Security 2026

Executive Summary

Identity and data security are becoming increasingly difficult to manage. As organizations adopt hybrid infrastructure, Microsoft 365, cloud collaboration, and AI-powered technologies, the number of identities, permissions, security events, and sensitive data repositories continues to grow. While many organizations have invested heavily in security tools, understanding who can access sensitive information—and whether that access remains appropriate—has become significantly more challenging.

To better understand these challenges, Lepide analyzed ten real-world Identity & Data Risk Assessments conducted across organizations in government, education, manufacturing, construction, utilities, commercial services, and the non-profit sector. Rather than relying on surveys or self-reported data, this report is based entirely on technical analysis of live production environments.

The findings revealed a remarkably consistent pattern. Identity lifecycle management remains one of the weakest areas of enterprise security, with dormant accounts and static credentials continuing to expand organizational attack surfaces. Privileged access frequently extends beyond intended administrators through inherited permissions and legacy group structures, while permission sprawl makes it increasingly difficult to understand who can access sensitive information. Organizations consistently underestimated the volume of regulated data they held and lacked confidence that access to this information remained aligned with business need. At the same time, security teams were overwhelmed by millions of authentication events, permission changes, and user activities that obscured the relatively small number of events requiring investigation.

Perhaps the most significant finding was that these challenges are not isolated. They are closely connected. Weak identity governance contributes to excessive permissions. Excessive permissions increase sensitive data exposure. Limited visibility into user activity slows up investigations. AI technologies such as Microsoft Copilot amplify existing governance weaknesses by making information easier to discover through permissions that already exist.

The organizations included in this research did not lack security controls. They were lacking context.

Throughout every assessment, the same operational challenge emerged: security teams struggled to connect identities, permissions, sensitive data, and user activity into a single, accurate understanding of organizational risk. We refer to this challenge as the Identity Data Disconnect.

Addressing this disconnect requires more than periodic audits or additional point solutions. Organizations need continuous visibility into identities, permissions, sensitive data, and user behavior to reduce risk, simplify compliance, accelerate investigations, and confidently adopt new technologies.

The findings presented in this report provide a benchmark for where organizations stand today—and a practical roadmap for strengthening identity and data security in the years ahead.