New Study: Only 1% of Organizations Have Fully Adopted Just-in-Time Privileged Access as AI-Driven Identities Rapidly Increase

Key Terms

privileged access management (PAM) technical

Privileged access management (PAM) is a set of tools and practices that control, monitor and secure special accounts or “master keys” that can change or access an organization’s most sensitive systems and data. For investors, PAM matters because it reduces the chance of costly security breaches, regulatory fines and operational downtime—similar to keeping high‑value keys in a vault with strict logs and guards, which helps protect a company’s assets and reputation.

just-in-time (jit) privileged access model technical

A just-in-time (JIT) privileged access model is a security approach that gives people or systems temporary, tightly limited permission to perform sensitive tasks only when those tasks are needed, then automatically removes the permission. For investors, this reduces the chance of costly data breaches or downtime by limiting who can access critical systems and when—think of it like issuing a single-use key that works only during a specific appointment rather than handing out permanent keys.

zero trust principles technical

Zero trust principles are a cybersecurity approach that treats every user, device, and network connection as potentially untrusted and requires verification before granting access, like checking ID at every door instead of assuming someone inside is safe. For investors, this matters because adopting these principles can reduce the risk of costly data breaches, regulatory fines, and downtime, while also indicating that a company is proactively protecting its digital assets and operations—factors that can influence valuation and long-term resilience.

ai agents technical

AI agents are computer programs designed to perform tasks or make decisions automatically, often by learning from data and adapting to new information. They act like virtual assistants or robots that can handle complex activities without human intervention, which can help businesses and individuals save time and improve efficiency. For investors, AI agents matter because they can enhance decision-making and automate processes that influence markets and financial outcomes.

• 91% report that at least half of their privileged access is always-on
• AI-driven identities emerge as a major new privileged access blind spot
• ‘Shadow privilege’ and fragmented tools accelerate risk for organizations

NEWTON, Mass. & PETACH TIKVA, Israel--(BUSINESS WIRE)-- CyberArk (NASDAQ: CYBR), the global leader in identity security, today announced findings from new research revealing a significant gap between organizations’ confidence in their privileged access programs and the reality of their day-to-day practices as AI rapidly expands the identity-centric attack surface.

Despite 76% of organizations stating their privileged access management (PAM) strategies are ready for AI, cloud and hybrid environments, many continue to rely heavily on always-on access assumptions that were designed for far less dynamic operating environments.

Organizations Overestimate Their Readiness for AI and Cloud

The study, which surveyed 500 U.S. practitioners in PAM, identity and infrastructure roles, shows that while modernization efforts are underway, very few organizations have adopted adaptive, time-bound access models aligned with Zero Trust principles. Key findings include:

• Only 1% have fully implemented a modern Just-in-Time (JIT) privileged access model.
• 91% report that at least half of their privileged access is always-on, providing unrestricted, persistent access to sensitive systems.
• 45% apply the same privileged access controls to AI agents as they do to human identities.
• 33% say they lack clear AI access policies.

Shadow Privilege and Tool Sprawl Accelerate Risk

The research highlights the widespread and growing issue of ‘shadow privilege’ — unmanaged, unknown or unnecessary privileged accounts and secrets that accumulate silently over time.

• 54% of organizations uncover unmanaged privileged accounts and secrets every week.
• 88% manage two or more identity security tools, creating fragmentation that introduces blind spots.
• 66% say traditional privileged access reviews delay projects.
• 63% admit employees bypass controls to move faster.

“Dynamic, evolving environments mean the nature of privileged access — and how to secure it — has fundamentally changed,” said Matt Cohen, CEO of CyberArk. “With only one percent of organizations having fully implemented a Just-in-Time access model, it’s clear that industry-wide modernization is overdue. As AI agents and non-human identities take on increasingly sensitive tasks, applying the right privilege controls to each identity — and governing every privileged action — is now essential.”

To reduce risk while supporting innovation at scale, organizations should focus on evolving how privileged access is applied without abandoning foundational controls:

• Minimize standing privileges by implementing dynamic, risk-based access.
• Adopt automated and orchestrated Just-in-Time access for high-risk or sensitive actions.
• Apply appropriate privilege controls across human, machine and AI identities, based on context and risk.
• Simplify and consolidate identity platforms to improve visibility and governance.

Further Information:

• Download the infographic: The Privilege Reality Gap: New Insights Shaping the Future of Identity Security.
• Whitepaper: CyberArk Solutions for Securing Modern Infrastructure.
• What is the future of privileged access? Learn more here.

About the Research:

The research was conducted by Censuswide, based on a sample of 500 U.S. workers. The data was collected between November 11, 2025 and November 21, 2025. Respondents included DevOps Engineers, IAM Architects, DevOps Security Managers, Database Administrators, Site Reliability Engineers, Cloud Security Architects/Engineers, IT Support Specialists, and Software Engineers. Participants represented foundational PAM and modern infrastructure roles across the buying center — including decision makers, champions, influencers, and end‑users — and were aged 27–64. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.

About CyberArk

CyberArk (NASDAQ: CYBR) is the global leader in identity security, trusted by organizations around the world to secure human and machine identities in the modern enterprise. CyberArk’s AI-powered Identity Security Platform applies intelligent privilege controls to every identity with continuous threat prevention, detection and response across the identity lifecycle. With CyberArk, organizations can reduce operational and security risks by enabling zero trust and least privilege with complete visibility, empowering all users and identities, including workforce, IT, developers and machines, to securely access any resource, located anywhere, from everywhere. Learn more at cyberark.com.

Copyright © 2026 CyberArk Software. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260108548493/en/

Investor Relations:

Kelsey Turcotte

CyberArk

617-558-2132

ir@cyberark.com

Media:

Rachel Gardner

CyberArk

603-531-7229

press@cyberark.com

Source: CyberArk