The state of enterprise identity, 2026

Every June I sit down and try to write honestly about where enterprise identity actually is, as opposed to where the conference keynotes say it is. This year the gap between those two things is smaller than usual, because the biggest story is impossible to overhype: for the first time, several of our largest customers now issue more credentials to software agents than to people.
Authr processed 5.2 billion authentications last month across 34 edge regions. Roughly 14 percent of those were initiated by non-human actors operating under delegated authority. In January that figure was 6 percent. I do not think the curve flattens this year.
The agent inflection
When we launched Authr for AI Agents in February, the most common question from CISOs was some version of: do I really need a separate identity model for this? Six months later, nobody asks that. They ask how fast they can get scoped, revocable, auditable credentials into the hands of agents that their business units have already deployed, with or without security's blessing. Copperline went from a pilot of 40 agent identities to just over 3,000 in one quarter, and their security team can tell you what every one of them did last Tuesday. That is the bar now.
I used to worry about 84,000 employees. Now I worry about 84,000 employees and an unknowable number of things acting on their behalf. Unknowable was the part I refused to accept.
Passkeys finally crossed the chasm
Three years ago we published pilot data from 40 enterprise passkey deployments and the honest summary was: promising, messy, not yet default. In 2026, passkeys are the default primary factor for 61 percent of new workforce rollouts on our platform. The last blockers were never the cryptography. They were shared workstations, regulated device policies, and recovery flows, and the ecosystem has ground those down one by one.
Phishing-resistant authentication is quietly becoming a procurement checkbox rather than a differentiator. That is what success looks like: the technology gets boring.
What still worries me
- Session hijacking has replaced credential theft as the dominant attack pattern; if you invest in login and ignore the session, you have secured the front door of a house with no walls.
- Authorization sprawl is real. Companies that centralized authentication a decade ago still have entitlement logic scattered across hundreds of services.
- Agent identity standards are immature. We participate in the working groups, but interoperability today is a promise, not a fact.
None of these are reasons for pessimism. They are the agenda. We have 1,400 enterprise customers, 450 people across San Francisco, Dublin, Singapore, and Sydney, and a very clear list of problems worth the next decade. If your organization is wrestling with any of the above, our team would genuinely like to compare notes. Book a demo and bring your hardest questions.
Writing from inside the identity layer since 2026. For the conversation this post starts, bring it to your next architecture review — or to ours.
