Identity APM Has Gone Mainstream. The Hard Work Is Just Starting.
Today SpecterOps published the “Trends in Identity Attack Path Management 2026” report. The survey, conducted by Omdia on our behalf, covers more than 500 cybersecurity decision-makers at enterprises across the U.S., U.K., Canada, France, Germany, and Australia.
The numbers show meaningful growth in adoption, budget, and strategic priority. But what I want to talk about is why and how to apply timely pressure to rally cross-functional and executive support to achieve operational maturity.
Adoption is not the story
Seventy-five percent of respondents increased identity security spending this year, up from 57% in 2025, outpacing every other security category in the survey. Thirty-five percent have fully implemented an identity-based APM solution, up from 21% a year ago. Another 30% are actively researching or evaluating one.
Budget movement is a stronger signal than stated interest. Organizations aren’t just saying identity matters; they’re allocating resources to it. So what’s behind this shift?
Adoption figures measure what organizations have acquired, but they do not measure what those organizations can actually do with what they’ve acquired. That distinction is where this year’s data gets more interesting.
The prioritization problem is structural
Organizations have deployed the tools. They have the findings. They are still unable to decide what to fix first.
That is not a technology failure. Prioritization requires a judgment the technology does not make for you: which exposure, if remediated, produces the greatest reduction in attacker freedom of movement, at the lowest organizational cost? That judgment requires understanding exposure, impact, and remediation efficiency simultaneously; and asking a question that risk scores don’t answer: which remediation collapses the most attack paths at once?
Why AI is not a separate problem
According to Omdia’s Cybersecurity Decision-Maker Survey, 88% of identity security respondents are either already using or planning to deploy AI agents within the next 12 to 18 months. Whether they plan to or not, the organization’s employees are almost certainly doing this already.
On the surface, this is an identity problem. Every AI agent is an identity that must be managed and permissioned.
But it’s also more than that. Every agentic workflow creates new credentials, new trust relationships, and new paths through the environment. Adversaries do not care about explicit privilege; they care about effective privilege: what a non-human identity can actually reach through chained permissions, delegated access, and role assumption paths. An AI agent with a modest direct grant, sitting adjacent to a role that can assume administrative credentials, is a path to administrative control.
Let’s talk about a real-world example. Today, BloodHound Enterprise monitors approximately 110 million identities across our global customers. Those 110 million identities collectively have over 5 billion relationships between them. Those 5 billion relationships form over 650 billion attack paths.
Identities alone are not the problem. It’s the trust relationships forged between them, and the attack paths formed through those trust relationships. It’s exponential, and as the number of AI agents explodes, so too do the attack paths they create.
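As an added illustration of the two points above, effective privilege through chained relationships and prioritization by how many paths a single fix collapses, here is a small graph model (constructed example, not SpecterOps or BloodHound code; the identities, relationship labels and Tier 0 target are assumptions):

```python
from collections import defaultdict
# Constructed sample environment as (source, relationship, target) triples.
EDGES = [
    ("ai-agent", "MemberOf", "data-readers"),
    ("contractor", "MemberOf", "data-readers"),
    ("svc-etl", "CanAssume", "etl-role"),
    ("data-readers", "CanAssume", "etl-role"),
    ("etl-role", "CanAssume", "ops-admin"),
    ("ops-admin", "AdminTo", "domain-controller"),
    ("helpdesk", "ResetPassword", "ops-admin"),
    ("helpdesk", "MemberOf", "backup-admins"),
    ("backup-admins", "AdminTo", "domain-controller"),
]
SOURCES = ["ai-agent", "contractor", "svc-etl", "helpdesk"]  # principals to assess
TARGET = "domain-controller"  # the Tier 0 asset we care about reaching
def build_graph(edges):
    graph = defaultdict(set)  # who can step to whom; the relationship label is ignored
    for src, _rel, dst in edges:
        graph[src].add(dst)
    return graph

def effective_reach(graph, start):
    # Transitive closure from one principal: its effective, not explicit, privilege.
    seen, stack = set(), [start]
    while stack:
        new = graph[stack.pop()] - seen
        seen |= new
        stack.extend(new)
    return seen

def attack_paths(graph, sources, target):
    # Every simple (cycle-free) path from any source principal to the target.
    paths = []
    def walk(node, path):
        if node == target:
            paths.append(tuple(path))
            return
        for nxt in graph[node] - set(path):  # never revisit a node on this path
            walk(nxt, path + [nxt])
    for src in sources:
        walk(src, [src])
    return paths

def prioritize_edges(edges, sources, target):
    # Score each relationship by how many attack paths vanish if it alone is removed.
    def count(edge_list):
        return len(attack_paths(build_graph(edge_list), sources, target))
    baseline = count(edges)
    scored = [(edge, baseline - count([e for e in edges if e != edge])) for edge in edges]
    return sorted(scored, key=lambda item: -item[1])
```

In this sample the AI agent's only direct grant is a group membership, yet its effective reach includes the domain controller; removing the single AdminTo edge from ops-admin collapses four of the five paths, which is the choke-point view a risk score per finding does not give you.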
The constraint technology cannot solve
The solution is not to restrict AI adoption. It is to treat AI agents the way mature organizations treat human privileged accounts: clear inventory, explicit ownership, short-lived credentials, and continuous validation of effective access.
On top of identity hygiene, the security team monitors attack paths and plans for timely remediation, resolving attack paths that the relationships between human and machine identities create.
This is not a challenge solely addressed through technology, and here is where the opportunity lies.
Among respondents to our survey who have implemented an identity-based APM solution, the two most cited gaps are better prioritization of risks and remediation actions, and automated remediation capabilities, both at 56%. Prioritization is also the most frequently cited implementation challenge overall at 41%.
The organizations furthest ahead are already building a practice around identity attack path management, working with system owners, setting priorities, and driving remediation to completion.
Closing the gap between technology and operational maturity
The market has moved from interest in Identity APM to the harder work of building it into practice. Organizations are not asking whether to invest in this. They are asking how to operationalize what they’ve built.
The survey shows 39% of organizations now evaluate attack paths continuously. It shows 65% use risk-based prioritization. It also shows 41% still struggle to effectively act on their findings.
That gap between what the tools can surface and what the organization can do about it is the gap that needs closing, and that requires a durable practice around the visibility they already have.
The organizations that gain the most from Identity APM will not be the ones with the most comprehensive deployments. They will be the ones that built a function around those deployments: clear ownership, cross-functional coordination, and a remediation workflow that can keep pace.
That is what operational maturity means in this context. Not the tools, but the function.
Read the full “Trends in Identity Attack Path Management 2026” report.