The State of Identity and Data Security 2026 report is based on findings from 10 Identity & Data Risk Assessments conducted by Lepide between 2025 and 2026. Each assessment analyzed live production environments to identify common risks relating to identity security, privileged access, permissions management, sensitive data governance, user activity, and operational visibility.
Unlike surveys that rely on self-reported information, every finding in this report is based on technical analysis of real customer environments using the Lepide Data Security Platform. All organizations have been anonymized where appropriate, and no customer-specific information has been included without permission.
The research includes organizations operating across a range of regulated and operationally complex industries, including:
The organizations assessed ranged from approximately 2,000 Active Directory users to large hybrid enterprise environments managing more than 100 TB of unstructured data, thousands of privileged identities, and extensive Microsoft 365 deployments.
Assessments included one or more of the following platforms:
Each environment was assessed according to the customer's objectives, although all assessments included analysis of identity, permissions and security visibility.
Across all environments we collected and analyzed data relating to:
Identity Hygiene
Access & Permissions
Authentication
Data Security
User Activity
Operational Visibility
Because every organization differs in size, industry and operational maturity, we focused on identifying recurring security patterns rather than comparing organizations directly.
For each metric we evaluated:
This allowed us to identify the common weaknesses that consistently appeared across multiple independent assessments.
The findings presented in this report represent observations from organizations that requested an Identity & Data Risk Assessment from Lepide and should not be interpreted as representative of every organization worldwide.
Assessment scope varied depending on customer objectives, infrastructure, and technologies deployed. Some organizations focused primarily on Active Directory, while others included Microsoft 365, file servers, sensitive data discovery, or Microsoft Copilot readiness.
Where benchmark statistics are presented, they are derived solely from the environments assessed during this research period.
Most industry reports rely on surveys, interviews or self-reported questionnaires. This research is different. Every statistic in this report is derived from technical analysis of live production environments. Rather than asking organizations what they believe their security posture looks like, we analyzed identity configurations, permissions, authentication activity, sensitive data exposure and user behavior to understand the risks that actually exist.