
Identity Attack Path Management Moving Beyond Experimentation as AI Raises the Stakes


SpecterOps, creator of BloodHound, today announced the results of new survey research, commissioned by SpecterOps and conducted by Omdia, examining how security and identity leaders are adopting and operationalizing Identity Attack Path Management (APM) within broader identity security strategies.


Identity APM is moving beyond experimentation at a time when AI adoption and the growth of non-human identities are increasing the complexity of managing identity risk. Thirty-five percent of organizations say they have fully implemented an identity-based APM solution, up from 21% in 2025, while another 30% are actively researching or evaluating one, according to the survey of more than 500 cybersecurity decision-makers.

The findings also suggest that technology adoption alone is not enough. Identities, credentials, and trust relationships proliferate across hybrid environments, allowing threat actors to cross from on-prem to the cloud and back undetected. But many organizations are still working to build the people, processes, and governance needed to turn attack path visibility into measurable, repeatable risk reduction. Respondents ranked attack path visibility and privilege relationships ahead of integrating generative and agentic AI into the business, underscoring how urgently organizations are trying to get ahead of identity risk as AI expands the attack surface.

“As identity becomes the control plane for more of the enterprise, the challenge is no longer just getting visibility,” said Jared Atkinson, CTO at SpecterOps. “Organizations are now working to build cross-functional discipline to prioritize findings and drive remediation, reducing attack paths over time. This effort becomes even more important as AI adoption introduces more non-human identities and trust relationships, and therefore more legitimate paths for an attacker to take.”

Among the report’s findings:

  • Identity security investment is increasing. Seventy-five percent of respondents report increased identity security spending, and 46% say improving attack path visibility and privilege relationships is a top cybersecurity priority over the next 12 months.
  • AI-driven risk is increasing operational urgency. Respondents ranked attack path visibility (43%), privilege relationships (36%), and integrating generative and agentic AI into the business (40%) among their top three priorities.
  • Operational maturity is the next step. While 65% of organizations say they use risk-based prioritization and 58% use automated remediation tools, 41% still cite difficulty prioritizing attack paths, 37% cite bandwidth and team overwhelm, 32% cite tool complexity, and 32% cite integration challenges.

The findings suggest that the market is entering a new phase for Identity APM, one defined less by early awareness and more by the practical work of integrating attack path management into day-to-day security operations.

“Identity risk is not a point-in-time problem and visibility alone does not reduce risk,” Atkinson said. “Organizations are moving to the next step: building a durable practice around Identity APM, one that connects technology, ownership, and remediation workflows in a way that can keep pace with modern environments.”
