Research insights: 4 trends reshaping identity security in 2025
At Duo, we know that managing who accesses what, from where, and on which device is not just a daily challenge—it’s a strategic imperative.
The security industry is facing an identity crisis. As AI-driven threats surge, security leaders are confronting alarming confidence gaps, fragmented visibility, and additional hurdles to adopt essential identity security measures.
To explore how companies are navigating this complex environment, we surveyed 650 IT and security leaders across North America and Europe. Our latest report, the 2025 State of Identity Security, reveals the urgent identity challenges cybersecurity professionals face today.
The findings expose a stark reality: While leaders acknowledge the vital role of identity security, glaring gaps in confidence and execution leave many organizations dangerously vulnerable.
Facing complexity and a confidence crisis
Leaders face significant challenges as identity threats escalate and security gaps widen. Only a third (33%) of leaders are confident that their current identity provider (IdP) can prevent identity-based attacks. This lack of confidence is heightened by complex identity systems and concerns about limited visibility into potential weaknesses. A significant 94% of leaders believe that complexity in identity infrastructure decreases their overall security. Additionally, 75% of leaders admit they lack full insight into identity vulnerabilities across their organizations. Identity and tool sprawl also hinder unified security and visibility. On average, IT and security teams use five tools to resolve a single identity issue.
The consequences can be costly: Over half (51%) of organizations have suffered financial losses due to identity-related breaches. Recognizing the high stakes, companies are proactively responding to these risks. In fact, 82% of financial decision-makers have increased investments in identity security for 2025. This signals a clear commitment to strengthening defenses and closing critical gaps.
“94% of leaders believe that complexity in identity infrastructure decreases their overall security.”
AI's double-edged sword: Threat and catalyst for modernization
The rise of artificial intelligence (AI) presents both new threats and a powerful impetus for change in identity security. AI-driven phishing is one of the top identity threats for 2025 according to 44% of leaders, alongside insider threats and supply chain attacks. Traditional defenses are no match for the sophistication of AI-powered attacks, especially when combined with complex supply chain networks and identity ecosystems.
“44% of leaders consider AI-driven phishing one of the top identity threats for 2025.”
However, AI is also modernizing identity systems. 85% of companies are adopting security-first identity practices to counter AI-driven threats. AI is a powerful catalyst, driving organizations to address long-standing gaps in their identity security strategies and to leverage data processing through AI as a tool.
Persistent phishing threats and MFA gaps
Phishing remains a perennial issue, driving the need for stronger authentication and complete deployment of multi-factor authentication (MFA). While 87% of leaders believe phishing-resistant MFA is critical to their security strategies, only 30% are highly confident in their phishing controls.
Even foundational MFA defenses are not universally applied. The top causes of identity breaches include: weak or missing MFA (36%), coverage gaps (34%), and one-time passcode failures (29%). Cisco Talos’ recent Year in Review also listed missing, incomplete, or weak coverage of MFA as top vectors for identity-based attacks.
Further, only 19% of companies have deployed FIDO2 tokens, the gold standard in phishing-resistant MFA. Often, these hardware tokens are reserved for privileged users. The rest are held back by token management (57%), training needs (53%) and hardware cost (47%).
Upgrading to more secure authentication methods is top-of-mind. Sixty-one percent of leaders want to adopt passwordless access but expect deployment challenges.
“61% of leaders want their organizations to go passwordless”
A need for security-first IAM
Amid identity sprawl, shadow IT, and irregular identity lifecycles, today’s unpredictable security landscape presents significant challenges—but companies also have valuable opportunities to strengthen their defenses and take proactive steps to address these issues.
Many IT leaders acknowledge that identity security is added after a compliance issue or breach, rather than built-in from the start. A significant 74% of IT leaders admit identity security is often an afterthought in infrastructure planning.
Treating security as an add-on can result in additional costs, complexity, and misalignment that decreases overall visibility. In response to tool sprawl and complexity, 79% of teams are actively exploring vendor consolidation to improve identity security visibility.
Only 52% of organizations believe they have fully integrated identity and device telemetry. Without real-time visibility into identity behaviors, security and IT teams can’t make consistent, informed decisions.
Further, a significant 86% of leaders expressed concern about inadequate controls for contractors and third-party access. This extended perimeter often lacks the robust oversight applied to internal users, with the added challenges of unmanaged devices and timely deprovisioning.
As organizations shift to a security-first IAM strategy, unified visibility is critical for bridging gaps across complex environments. 87% of leaders believe that having identity threat detection and response (ITDR) is crucial. Meanwhile, only 32% of IT teams have Identity Security Posture Management (ISPM) solutions deployed.
Get the full report
Organizations need identity solutions that prioritize security without compromising usability. Security-first IAM makes strong identity defenses the default.
Duo and Cisco Identity Intelligence help global teams make sense of the complex identity landscape by offering simplified security-first identity management, frictionless phishing-resistant MFA, and unified identity telemetry.
Get in front of identity security challenges and leap ahead in resilience and readiness. Download Cisco Duo’s report the 2025 State of Identity Security: Challenges and Strategies from IT and Security Leaders to dive deeper into the findings and actionable insights.