A new study from CyberArk has found that only a small fraction of organisations have fully implemented just-in-time privileged access, despite widespread confidence that existing access controls are ready for AI-driven and cloud-based environments.
The research, conducted among 500 US practitioners working in privileged access management, identity and infrastructure roles, highlights a growing disconnect between perceived readiness and operational reality as artificial intelligence expands the number and types of identities requiring elevated access.
While 76 per cent of respondents said their privileged access strategies are suitable for AI, cloud and hybrid environments, the study found that reliance on persistent, always-on privileged access remains widespread. Ninety-one per cent reported that at least half of their privileged access is permanently enabled, a model originally designed for more static IT environments.
Only one per cent of organisations surveyed said they have fully adopted a modern just-in-time privileged access model, where elevated permissions are granted temporarily and based on context and risk. Such models are commonly associated with Zero Trust approaches, but the research suggests adoption remains limited.
The study also points to increasing complexity as organisations introduce AI-driven identities into production environments. Forty-five per cent of respondents said AI agents are governed using the same privileged access controls as human users, while one-third reported having no clear policies for AI access. This indicates that non-human identities may be emerging faster than governance frameworks designed to manage them.
Another issue identified is the accumulation of “shadow privilege” — privileged accounts or secrets that are unmanaged, unnecessary or unknown. More than half of organisations said they uncover unmanaged privileged access on a weekly basis, suggesting limited visibility into how access evolves over time.
Fragmentation across identity security tools is contributing to the problem. Eighty-eight per cent of organisations said they manage multiple identity security platforms, which respondents linked to gaps in oversight and slower review processes. Two-thirds reported that traditional privileged access reviews delay projects, while nearly the same proportion said employees bypass controls to maintain speed.
The findings suggest that as environments become more dynamic and automated, privileged access models designed around static human users are struggling to adapt. The introduction of AI agents, combined with persistent access assumptions and fragmented tooling, is creating conditions where elevated access is both widespread and difficult to govern.
The research was carried out by Censuswide between 11 and 21 November 2025 and included respondents from roles such as DevOps engineering, identity architecture, cloud security and site reliability engineering. Participants ranged from decision-makers to operational users across modern infrastructure environments.
Overall, the study indicates that while organisations increasingly recognise the importance of securing privileged access, implementation of adaptive, time-bound access controls remains limited as AI-driven identities reshape the security landscape.
You can read the full report here.
