By 2026, many enterprises report mature identity and access management (IAM) and Zero Trust security programs on paper, yet their real-world exposure to identity-related risk continues to increase. Recent research from Ponemon Institute indicates that the core problem is no longer a lack of IAM technology, but the scale of systems that remain outside centralized identity control.
The identity paradox: mature IAM, rising cyber risk
Most large organizations have invested heavily in single sign-on (SSO), multi-factor authentication (MFA), identity governance tools and Zero Trust architectures. Audit reports often show high levels of maturity and compliance against frameworks such as NIST or ISO 27001.
However, Ponemon Institute’s latest study of more than 600 IT and security leaders highlights a critical gap: organizations typically manage only a portion of their digital identities through centralized IAM. Credential-based attacks remain one of the dominant causes of breaches globally, a trend repeatedly confirmed by incident reports such as the Verizon Data Breach Investigations Report, where stolen or misused credentials are consistently among the top initial access vectors.
Dark applications: the hidden IAM blind spot
According to the Ponemon research, a typical enterprise still operates hundreds of applications that are not integrated with any centralized IAM platform. These are often referred to as “dark applications” and include legacy line-of-business systems, internally hosted tools, niche SaaS platforms and custom-built applications.
Such dark applications usually:
- do not support modern authentication standards or SSO;
- are not connected to an identity provider (IdP);
- fall outside routine access reviews and recertification cycles;
- are maintained by business units rather than central IT or security.
Access to these systems is frequently controlled through manual processes such as spreadsheets, local administrator accounts, static passwords and long-lived API tokens. Any compromise of these credentials can provide attackers with deep and often undetected access to critical business processes, bypassing the carefully managed “front door” of formal IAM systems.
Where Zero Trust fails: the “last mile” of identity
Zero Trust security models are built on continuous verification of users, devices and transactions. In practice, organizations often achieve strong coverage for cloud platforms, VPN access and major SaaS suites, while leaving the “last mile”—legacy applications, local accounts and isolated SaaS tools—largely unmanaged.
This creates what many experts describe as an identity confidence gap: dashboards and reports suggest high Zero Trust maturity, but a significant portion of real access paths is governed by ad hoc credentials and opaque entitlements. Attackers increasingly target this gap, because controls, monitoring and logging are weakest where IAM coverage is incomplete.
Autonomous AI agents as a force multiplier for credential risk
The rapid adoption of AI copilots, chatbots and autonomous AI agents is fundamentally reshaping the identity landscape. To perform useful work—automating workflows, integrating systems, querying business data—these agents must be granted access to the same applications and APIs that are often not protected by centralized IAM.
In this context, AI systems become a multiplier of existing weaknesses in identity security. Poorly governed AI agents may:
- reuse legacy passwords, keys or tokens originally created for human users;
- connect to dark applications via the “path of least resistance,” bypassing formal access policies;
- establish new integrations and data flows that security teams do not see or review;
- cache, log or store sensitive credentials in ways that are difficult to audit.
What was previously treated as a compliance nuisance—unmanaged accounts and shadow IT—has now become an operational security vulnerability. As AI-driven automation scales, the volume of identity-related operations explodes, increasing the probability and impact of credential misuse across unmanaged applications.
Ponemon Institute insights and a roadmap for CISOs
To address this emerging attack surface, The Hacker News is hosting a dedicated webinar with Mike Fitzpatrick (Ponemon Institute) and Matt Chiodi (CSO, Cerby). The session will unpack the study’s findings on how dark applications and AI agents undermine Zero Trust initiatives and offer a tactical roadmap for security leaders.
Key topics for identity and Zero Trust leaders
According to the organizers, the webinar will help CISOs and IAM professionals to:
- quantify the scale and typical use cases of dark applications in modern enterprises;
- understand how autonomous AI agents inadvertently increase the risk of credential compromise;
- identify process gaps in IAM that cause friction during audits and delay digital transformation initiatives;
- translate formal identity maturity into measurable operational control over all applications, not just those that are easy to integrate.
Particular emphasis will be placed on why simply “doing more of the same”—adding more password rules, more isolated policies or more point-in-time reviews—is no longer sufficient. Instead, organizations need architectures and processes designed specifically to bring unmanaged and legacy applications into the IAM perimeter, or to securely broker access when direct integration is not possible.
For organizations building long-term strategies around identity, security and compliance, systematically closing this gap offers dual benefits: reducing the likelihood of identity-driven breaches while accelerating digital initiatives by minimizing conflicts with regulatory requirements and internal audit findings.
As digital identity becomes both more fragmented and more heavily targeted, sustainable security depends on moving from declared Zero Trust maturity to genuine end-to-end control. This requires inventorying applications outside IAM, drastically reducing local accounts, centralizing access for AI agents, enforcing short-lived credentials and implementing continuous monitoring of privileges across all systems. The sooner this identity confidence gap is closed, the lower the chance that the next major incident will originate from an obscure but highly exposed dark application.
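The two sides of that roadmap, inventorying applications outside IAM and watching for credentials that violate a short-lived policy, can be expressed as a small gap-analysis check. The following is an added example, not code from the article, from Ponemon Institute or from Cerby; the inventory records, the IdP integration list, the principal naming scheme (`human:`/`agent:`) and the 90-day rotation threshold are all constructed assumptions, and the check is deliberately general enough to flag three distinct signals the text describes: applications with no IdP integration, stale static passwords, local admin accounts and API tokens, and AI agents reusing secrets that were issued to a human user.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data (not from the Ponemon study). Fields are assumptions
# about what a business-unit application inventory might record.
@dataclass
class Credential:
    kind: str          # "sso", "local_admin", "static_password" or "api_token"
    issued: date       # when the secret was created or last rotated
    used_by: str       # principal using it, e.g. "human:alice" or "agent:invoice-bot"
    created_for: str   # principal the secret was originally issued to

@dataclass
class Application:
    name: str
    owner: str         # owning business unit
    credentials: list[Credential] = field(default_factory=list)

TODAY = date(2026, 1, 15)  # fixed reference date so the example is deterministic

def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)

INVENTORY = [
    Application("payroll-legacy", "finance", [
        Credential("static_password", days_ago(800), "human:alice", "human:alice"),
        Credential("api_token", days_ago(400), "agent:invoice-bot", "human:alice"),
    ]),
    Application("crm-saas", "sales", [
        Credential("sso", days_ago(1), "human:bob", "human:bob"),
    ]),
    Application("lab-wiki", "research", [
        Credential("local_admin", days_ago(1200), "human:carol", "human:carol"),
    ]),
    Application("erp", "operations", [
        Credential("sso", days_ago(1), "human:dave", "human:dave"),
        Credential("api_token", days_ago(10), "agent:forecast-bot", "agent:forecast-bot"),
    ]),
]

# Applications the identity provider reports as integrated (constructed list).
IDP_INTEGRATED = {"crm-saas", "erp"}

# Assumed rotation policy: any non-SSO secret older than this is out of policy.
MAX_CREDENTIAL_AGE_DAYS = 90

def find_dark_applications(inventory, idp_integrated):
    """Inventoried applications with no IdP integration ("dark applications")."""
    return sorted(app.name for app in inventory if app.name not in idp_integrated)

def idp_coverage(inventory, idp_integrated):
    """Fraction of inventoried applications governed by the IdP."""
    if not inventory:
        return 0.0
    dark = len(find_dark_applications(inventory, idp_integrated))
    return 1 - dark / len(inventory)

def find_stale_credentials(inventory, max_age_days=MAX_CREDENTIAL_AGE_DAYS, today=TODAY):
    """Non-SSO credentials older than the rotation policy, with their age in days."""
    stale = []
    for app in inventory:
        for cred in app.credentials:
            age = (today - cred.issued).days
            if cred.kind != "sso" and age > max_age_days:
                stale.append((app.name, cred.kind, age))
    return stale

def find_agent_credential_reuse(inventory):
    """AI agents using a secret that was originally issued to a human user."""
    return [(app.name, cred.used_by, cred.created_for)
            for app in inventory for cred in app.credentials
            if cred.used_by.startswith("agent:")
            and not cred.created_for.startswith("agent:")]

def gap_report(inventory=INVENTORY, idp_integrated=IDP_INTEGRATED):
    """Bundle the three findings into one structure for a dashboard or ticket."""
    return {
        "idp_coverage": idp_coverage(inventory, idp_integrated),
        "dark_applications": find_dark_applications(inventory, idp_integrated),
        "stale_credentials": find_stale_credentials(inventory),
        "agent_credential_reuse": find_agent_credential_reuse(inventory),
    }

if __name__ == "__main__":
    for key, value in gap_report().items():
        print(f"{key}: {value}")
```

The point of computing `idp_coverage` alongside the other findings is that a headline percentage is what an audit dashboard shows, while the stale-credential and agent-reuse lists are what an attacker would actually exploit; the two can diverge sharply, which is exactly the identity confidence gap the article describes. In a real deployment the constructed `INVENTORY` and `IDP_INTEGRATED` would be replaced by exports from the asset inventory and the identity provider, and the report would be run on a schedule rather than once.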