Singaporean organizations are enthusiastically embracing Artificial Intelligence, but this rapid adoption comes with a critical, often overlooked, drawback: a dramatically expanded cybersecurity attack surface. A new global study from Semperis, a leader in identity-driven cyber resilience, reveals that while AI promises innovation, it is simultaneously creating a new frontier for cyber threats, particularly concerning enterprise identity systems like Active Directory, Entra ID, and Okta.
The comprehensive “State of Identity Security in the AI Era” study, which surveyed 1,100 organizations across eight countries including Singapore, paints a concerning picture. In the Lion City, a significant 66% of organizations anticipate an increase in attacks targeting their identity infrastructure due to AI. Yet, paradoxically, a staggering 93% either already deploy or plan to deploy AI agents for highly sensitive security tasks, such as managing password resets and VPN access.
“Singapore organizations have been quick to explore AI across business and security operations, but every AI agent introduced into the enterprise also creates a new identity that must be governed, monitored, and recovered if compromised,” cautions Gerry Sillars, Semperis Vice President of Asia Pacific and Japan. “It’s encouraging that 90% of Singapore respondents see AI identity governance as a priority, but priority must translate into practical controls. As AI moves closer to privileged systems, identity resilience needs to be built into AI adoption from the start.”
This trend in Singapore mirrors a broader global challenge: as AI agents proliferate across increasingly sensitive workflows, they are rapidly escalating the number of non-human identities (NHIs) connected to critical organizational systems. These digital entities, often operating with significant access, are not always adequately managed. Globally, a mere 65% of organizations confirm their AI identities are fully registered, authenticated, and authorized within a formal system, while a worrying 6% admit they don’t track them at all.
Alex Weinert, Semperis Chief Product Officer, warns, “The accelerated use of AI is introducing a bevy of new agents, each with its own non-human identity (NHI) throughout global enterprises, and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs.”
The complexity deepens for Singaporean security teams. While AI agents don’t behave like human users, they can possess extensive access, interact with sensitive systems, and fundamentally integrate into an organization’s identity fabric. Without robust processes for registration, authentication, authorization, and recovery, these non-human identities can dramatically widen the attack surface and complicate swift incident response.
Are organizations ready for AI-fueled identity breaches?
The study’s findings highlight that AI is already being granted proximity to highly sensitive identity infrastructure. Over a quarter of surveyed organizations (29%) currently utilize AI agents for managing security-related help desk tickets, including critical functions like password resets and VPN access. An additional 65% plan to implement this within the next year. Furthermore, a concerning 92% of respondents report that a portion of their workforce has AI installed on local machines, potentially granting access to SSH and encryption keys.
For Singaporean organizations, where the exploration of AI spans business operations, security, and productivity, these revelations underscore the urgent need to treat AI agents not as isolated tools, but as integral components of the enterprise identity environment.
Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor, cautions, “The pattern of global organizations overestimating how quickly they can recover from a cyberattack is real, especially when identity is within the blast radius. On paper, organizations have plans and backups; in practice, identity failures turn technical incidents into prolonged business crises, exposing a dangerous gap between perceived resilience and reality.”
On a more optimistic note, 90% of Singaporean respondents affirmed that AI identity governance will be a priority in the coming months. But how can organizations effectively manage these often elusive identities? Current best practices include:
- Treat AI agents explicitly as non-human identities in the identity fabric
- Enforce least‑privilege, just‑enough and just‑in‑time access for agents as rigorously as for humans
- Segregate agent and human trust boundaries where appropriate
- Use UEBA‑style analytics to detect “zombie” or anomalous agent behaviour
- Ensure that your organization can quickly recover identity systems to a trustworthy state if they are breached
The full AI Study can be obtained here: The State of Identity Security in the AI Era.
Methodology
To conduct this study, Semperis partnered with Censuswide, an international market research consultancy. In early 2026, Censuswide surveyed 1,100 organizations across the US, UK, France, Germany, Italy, Spain, Australia and Singapore.