Enterprises Spend 11 Hours Investigating Identity-Related Security Alerts

A new Enterprise Strategy Group study highlights how fragmented identities, rising credential theft, and rapid AI adoption are straining enterprise security teams and slowing response times.
Aug. 22, 2025

Enterprises spend an average of 11 person-hours investigating and remediating a single critical identity-related security alert, according to a new study by Enterprise Strategy Group. The lengthy response time limits the ability of security teams to manage alert volume, a challenge amplified by the growth of artificial intelligence (AI).

The report notes that AI introduces new identity types while outpacing organizational oversight and creating additional attack vectors. Enhancing the ability of security teams to gain insights into suspicious activity is critical, especially as identities are fragmented across cloud services such as Azure and AWS, developer platforms like GitHub, identity providers including Okta, and infrastructure resources such as databases, servers and Kubernetes.

“When it only takes minutes for threat actors to move laterally across your infrastructure, 11 hours to investigate an identity-related incident simply isn’t good enough,” said Ev Kontsevoy, CEO of Teleport, which sponsored the research. “As we move deeper into the age of AI, we must remember that AI dramatically lowers the cost of identity attacks, and we must expect the frequency of them to increase.”

Credential theft compounds the challenge. Criminals continue to obtain valid static credentials such as passwords and API keys to impersonate identities. The study found credential theft accounts for one in five data breaches, with compromised credentials up 160% so far in 2025.

AI adoption is also fueling new risks. Nearly half of businesses surveyed (44%) have already deployed AI, which can create another silo of identities with over-privileged access to sensitive systems. More than half of respondents (52%) ranked data privacy issues as the top AI-related concern.

Fragmentation complicates identity management

Fragmentation is evident in how identities are managed. Workforce identity teams use an average of 11 tools to trace security issues, underscoring the need for a more cohesive approach.

“Most cybersecurity solutions only see part of the picture,” said Todd Thiemann, principal analyst at Enterprise Strategy Group. “Few organizations understand the scale of the threat, let alone how quickly malicious actors can move laterally and disrupt systems. Each application expands a company’s security and compliance surface area, often faster than they can govern it, and few are easily integrated with identity tools. This leaves blind spots, orphaned accounts, inconsistent access privileges and gaps in auditability.”

Kontsevoy added that blind spots hinder both security and productivity. “They need a way to quickly answer vital questions. Who accessed database X and with what permissions? Is this behavior unusual? What’s the full summary of what an identity did in a single session across platforms? To answer these questions, we need a different approach to cybersecurity, one that isn’t based on secrets and siloed identities.”

Teleport has launched Identity Security, described as the industry’s first full identity chain observability solution. The offering is designed to enable security teams to detect risky activity within minutes instead of hours.

The study surveyed 370 IT and cybersecurity decision makers from organizations with more than 100 employees, including enterprises and midmarket firms across financial, manufacturing and technology sectors.
