Cisco: Firms Struggle with Identity Security as AI Rises

Technology departments across North America and Europe face mounting pressure to control who can access company systems and data. A new study shows many organisations understand the importance of managing employee access but struggle to implement effective controls.
Cisco's 2025 State of Identity Security report, surveying 650 IT and security leaders, reveals a disconnect between awareness and execution in managing digital identities. The research shows that whilst leaders recognise the need for better access controls, implementation gaps leave many companies vulnerable to data breaches and cyber attacks.
- Only 33% of IT leaders trust their current identity provider to prevent attacks
- 51% of organisations have suffered financial losses from identity-related breaches
- 19% of companies have deployed FIDO2 phishing-resistant authentication tokens
The study found that only 33% of technology leaders feel confident their current systems can prevent identity-based attacks. This uncertainty stems from increasingly complex IT environments where employees use multiple systems and devices to access company resources.
Matt Caulfield, Cisco's VP of Product Management, points to the organisational impact of system complexity.
"94% of leaders believe that complexity in identity infrastructure decreases their overall security," he says.
This complexity shows in daily operations, with IT teams using an average of five different tools to resolve a single access-related issue. The administrative burden creates inefficiencies and potential security gaps across organisations.
The financial impact is substantial. Over half of surveyed companies have experienced monetary losses due to identity-related security breaches, prompting 82% of financial decision-makers to increase their access control investments for 2025.
Cisco research shows AI creates new business risks and solutions
AI presents both challenges and opportunities for companies managing employee access to systems. The research identifies AI-powered phishing attacks as a growing concern, with technology leaders ranking it alongside insider threats and supply chain vulnerabilities.
Matt explains the prominence of this threat in today's business environment.
"44% of leaders consider AI-driven phishing one of the top identity threats for 2025," he says.
Traditional security measures prove insufficient against sophisticated AI-powered attacks, particularly in complex business networks with multiple suppliers and partners. Cybercriminals use AI to create more convincing phishing emails and social engineering attacks that bypass conventional defences.
However, AI also drives modernisation efforts. The research shows 85% of companies are adopting security-focused access management practices specifically to counter AI-driven threats. Organisations use AI's data processing capabilities as a defensive tool whilst protecting against its misuse by attackers.
The emergence of AI-powered threats has accelerated technology upgrade timelines. Companies that previously delayed access management improvements now face pressure to implement systems capable of detecting and responding to automated attack patterns.
Cisco Duo finds multi-factor authentication adoption lags behind business needs
Multi-factor authentication deployment continues to lag despite widespread recognition of phishing risks. Whilst 87% of technology leaders consider advanced authentication methods important for their business operations, only 30% express confidence in their current protections against phishing attacks.
The research identifies gaps in authentication implementation across organisations. Weak or missing multi-factor authentication accounts for 36% of access-related breaches, followed by coverage gaps at 34% and authentication system failures at 29%. These statistics align with findings from Cisco Talos' cybersecurity research, which identified incomplete authentication coverage as a primary attack vector.
As AI-driven threats surge, security leaders are confronting alarming confidence gaps, fragmented visibility, and additional hurdles to adopt essential identity security measures.
Hardware authentication devices remain uncommon, with only 19% of companies using FIDO2 tokens. These devices provide strong protection against phishing but are typically reserved for senior staff and system administrators. Broader deployment faces obstacles including device management complexity (57%), staff training requirements (53%), and hardware costs (47%).
Interest in password-free access methods exists among business leaders, though implementation challenges persist.
Matt highlights the disconnect between business objectives and technical execution.
"61% of leaders want their organisations to go passwordless," he notes.
However, deployment hurdles prevent many companies from achieving this goal, leaving them dependent on traditional password-based systems that create user friction and security vulnerabilities.
Cisco Study Shows Companies Rethink Access Management Strategy
Business approaches to access control are evolving as organisations recognise the limitations of adding security measures after system deployment. The research reveals that 74% of IT leaders acknowledge access security is often considered late in technology planning, typically implemented following compliance issues or security incidents.
This reactive approach creates additional costs, complexity, and operational challenges that reduce system visibility and control. In response, 79% of technology teams are exploring vendor consolidation to improve access management oversight and reduce tool complexity.
Integration challenges persist across identity and device monitoring systems. Only 52% of organisations report full integration between access controls and device management. Without real-time visibility into user behaviour, technology teams cannot make informed decisions about access permissions and threat responses.
Third-party access control presents particular business concerns, with 86% of leaders expressing worry about insufficient controls for contractors and external partners. This extended business perimeter often lacks the oversight applied to employees, complicated by personal devices and delayed account closure processes.
Advanced threat detection capabilities are increasingly viewed as business necessities, with 87% of leaders considering identity threat detection and response systems important for operations. However, deployment of comprehensive access monitoring solutions remains limited, with only 32% of IT teams having implemented such tools.
Matt frames the challenge in terms of business operations and strategic planning.
"At Duo, we know that managing who accesses what, from where, and on which device is not just a daily challenge - it's a strategic imperative," he says.



