Relying on static credentials for AI systems correlates with a 20-percentage-point increase in incident rates.

67% of organizations rely on static credentials for AI systems.

Detected sensitive-data events are led by secrets and credentials (47.9%), followed by financial information (36.3%) and health-related data (15.8%).

44% of organizations use or plan to use static API keys and 43% use or plan to use username/password combinations for agents.

45% of Canadian IT & security professionals reported that employees using weak or compromised credentials is a top security concern

48% of organizations adopted AI-enhanced phishing detection.

33% of ransomware incidents involved compromised credentials

36% of insider incidents involved user credentials.

88% of open-source Model Context Protocol (MCP) server implementations require credentials.

28% of Gen Z parents admit to sharing passwords verbally or through text or email.

46% of developers worry about AI systems sharing or leaking API credentials.

16% of organizations identify AI agents operating with user credentials as a Shadow AI concern.

In 16% of large ransomware claims, attackers leveraged compromised or weak credentials to gain entry.

The theft of credentials via information-stealing malware has skyrocketed by 800% since the start of 2025.

Over 1.8 billion credentials were stolen in the first half of 2025 alone. The 1.8 billion stolen credentials represent an 800% increase.

Of organisations that experienced attacks, 38% of breaches stemmed from compromised employee credentials.

Among non-PAM users, 8% still store credentials in spreadsheets.

68% of users admitted to reusing passwords across multiple accounts.

36% of enterprises said data breaches due to weak and stolen credentials was one of the most common ways to lose data.

One in nine (11%) password reset attempts in 2024 was a fraud attack. This rate rose to over one in four (27%) reset attempts initiated on a desktop computer.