Artificial intelligence is quietly redrawing the boundaries of global identity attack surfaces and organisations are giving AI agents the keys to critical systems faster than they are putting guardrails around those new identities.
This is from a report published by Semperies, based on a study conducted by Censuswide earlier this year. Respondents were from 1,100 organisations across the United States, United Kingdom, France, Germany, Italy, Spain, Australia and Singapore.
Findings show that 66% of organisations in Singapore believe AI will increase attacks on identity infrastructure. At the same time, as high as 93% of the organisations either already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access.
“Singapore organisations have been quick to explore AI across business and security operations, but every AI agent introduced into the enterprise also creates a new identity that must be governed, monitored and recovered if compromised,” said Gerry Sillars, Semperis VP of Asia Pacific and Japan.
“It’s encouraging that 90% of Singapore respondents see AI identity governance as a priority, but priority must translate into practical controls. As AI moves closer to privileged systems, identity resilience needs to be built into AI adoption from the start,” said Sillars.
Singapore trends reflect a broader global concern: as organisations deploy AI agents across more sensitive workflows, they are dramatically increasing the number of non-human identities connected to critical systems.
“The accelerated use of AI is introducing a bevy of new agents, each with its own non-human identity (NHI) throughout global enterprises and many companies are just way too optimistic about their ability to recover their identity infrastructure following a breach, even as they expand this landscape of NHIs,” said Alex Weinert, chief product officer at Semperis.
Globally, only 65% of organisations say AI identities are fully registered, authenticated, and authorized in a formal system, while 6% admit they do not track them at all.
In organisations that do track AI identities, 57% use the same system as for human identities, while 43% authenticate and authorise them using a separate system.
This adds a new layer of complexity for security teams in Singapore. AI agents may not behave like human users, but they can still hold access, interact with sensitive systems and become part of the organisation’s identity fabric.
Without clear registration, authentication, authorisation and recovery processes, these non-human identities can widen the attack surface and complicate incident response.
The study found that AI is already being placed close to sensitive identity infrastructure. More than a quarter of surveyed organisations (29%) already use AI agents to manage security‑related help desk tickets, including password resets and VPN access.
Another 65% intend to do so within the next year.In parallel, 92% of respondents say that some percentage of their workforce has AI installed on local machines where it can access SSH and encryption keys.
For Singapore organisations, where AI adoption is increasingly being explored across business operations, security and productivity use cases, this reinforces the need to treat AI agents as part of the enterprise identity environment rather than as standalone tools.
“The pattern of global organisations overestimating how quickly they can recover from a cyberattack is real, especially when identity is within the blast radius,” said Chris Inglis, strategic advisor at Semperis.
On paper, organisations have plans and backups; in practice, identity failures turn technical incidents into prolonged business crises, exposing a dangerous gap between perceived resilience and reality,” said Inglis.
Still, 90% of respondents in Singapore indicated that AI identity governance is a priority for them in the coming months.
