The State of Identity and Data Security 2026

Methodology

The State of Identity and Data Security 2026 report is based on findings from 10 Identity & Data Risk Assessments conducted by Lepide between 2025 and 2026. Each assessment analyzed live production environments to identify common risks relating to identity security, privileged access, permissions management, sensitive data governance, user activity, and operational visibility.

Unlike surveys that rely on self-reported information, every finding in this report is based on technical analysis of real customer environments using the Lepide Data Security Platform. All organizations have been anonymized where appropriate, and no customer-specific information has been included without permission.

Organizations Assessed

The research includes organizations operating across a range of regulated and operationally complex industries, including:

  • Local Government
  • Education
  • Manufacturing
  • Construction & Engineering
  • Utilities
  • Commercial Services
  • Non-profit / Charity

The organizations assessed ranged from approximately 2,000 Active Directory users to large hybrid enterprise environments managing more than 100 TB of unstructured data, thousands of privileged identities, and extensive Microsoft 365 deployments.

Technologies Analyzed

Assessments included one or more of the following platforms:

  • Active Directory
  • Microsoft Entra ID
  • Windows File Servers
  • Microsoft 365
  • SharePoint Online
  • OneDrive
  • Microsoft Teams
  • Exchange Online

Each environment was assessed according to the customer's objectives, although all assessments included analysis of identity, permissions and security visibility.

What We Measured

Across all environments we collected and analyzed data relating to:

Identity Hygiene

  • Inactive user accounts
  • Password hygiene
  • Privileged accounts
  • Service accounts
  • Identity lifecycle

Access & Permissions

  • Administrative privileges
  • Permission inheritance
  • Group membership
  • Permission changes
  • Effective access

Authentication

  • Failed logons
  • Password resets
  • Account lockouts
  • Authentication anomalies

Data Security

  • Sensitive data discovery
  • Personally identifiable information
  • External sharing
  • Microsoft 365 permissions
  • Data access

User Activity

  • File copies
  • File movement
  • File renames
  • SharePoint activity
  • After-hours access

Operational Visibility

  • Audit capability
  • Investigation effort
  • Manual processes
  • Compliance readiness

How We Analyzed the Results

Because every organization differs in size, industry and operational maturity, we focused on identifying recurring security patterns rather than comparing organizations directly.

For each metric we evaluated:

  • Frequency across organizations
  • Relative scale
  • Operational impact
  • Business risk
  • Compliance implications

This allowed us to identify the common weaknesses that consistently appeared across multiple independent assessments.

Limitations

The findings presented in this report represent observations from organizations that requested an Identity & Data Risk Assessment from Lepide and should not be interpreted as representative of every organization worldwide.

Assessment scope varied depending on customer objectives, infrastructure, and technologies deployed. Some organizations focused primarily on Active Directory, while others included Microsoft 365, file servers, sensitive data discovery, or Microsoft Copilot readiness.

Where benchmark statistics are presented, they are derived solely from the environments assessed during this research period.

Why this Research is Different

Most industry reports rely on surveys, interviews or self-reported questionnaires. This research is different. Every statistic in this report is derived from technical analysis of live production environments. Rather than asking organizations what they believe their security posture looks like, we analyzed identity configurations, permissions, authentication activity, sensitive data exposure and user behavior to understand the risks that actually exist.