As AI use advances, digital identity risks require increased attention

Having a clear perspective on digital identity has never been more important for middle market companies amid growing risks from human and nonhuman identities. With AI solutions and related threats continuing to develop, identity must be a focal point of any cybersecurity risk program.

Middle market organizations are in various phases of their approach to identity, which can range from focusing on establishing initial foundational controls to reaching a mature state or tackling emerging risks.

“Identity is a continuous conversation,” RSM US LLP Principal Autumn Hurley says. “Many organizations are early in their journey to building out a mature identity program. It takes a lot of thoughtful strategic planning to lay the foundation for a successful program.”

Identity programs encompass both human and nonhuman identity management. Core concepts such as user lifecycle management within an organization, third-party identity governance, privileged access, secrets management, secure authentication, customer identity lifecycle management, and identity posture and visibility each require dedicated attention. Together, however, these elements form a robust and integrated capability that helps organizations manage risk while also driving operational efficiency.

The proliferation of AI has increased the difficulty of managing identity risks, specifically in the nonhuman identity space.

“Nonhuman identity is not a new concept,” says RSM Canada Partner Omer Arshed. “This is something we’ve been managing for clients for over a decade. But AI has changed and added further complexity to the equation.”

Before AI’s explosive growth, nonhuman identity referred to service accounts, application programming interface (API) keys, Secure Shell (SSH) keys, certificates, and right tokens used by cloud or DevOps processes or app-to-app communications. That definition still stands, but the nonhuman identity risk has now expanded to the world of agentic AI.

“Now, you have digital workers, digital bots and digital agents that are running processes that humans or applications previously performed,” says Arshed. “To do that, they not only need the level of authorization and privilege to get access to production resources to accomplish those tasks but also must be identified and mapped to business process owners, application owners, platform owners and other functions important to the organization. Agents that perform actions and interactions in the environment must be led by zero-trust principles, be auditable, produce required logs and be monitored.”

Growth can also elevate identity concerns. For example, when companies conduct mergers or acquisitions, combined entities often end up with conflicting, outdated or multiple sets of identity controls that need to be modernized and updated or merged to reduce potential risks.

In the Q1 2026 RSM US Middle Market Business Index survey, 49% of middle market respondents said their primary method for managing digital identity and securing systems access is a centralized identity and access management (IAM) system with support for MFA.

This finding was followed closely by biometric authentication (44%)—which can include fingerprint recognition, facial recognition, iris or retinal scans, voice recognition, or palm or vein pattern recognition—and password management (44%), which relies on strict policies such as regular updates and complexity requirements but with no IAM system in place.

Although middle market organizations are addressing key secure authentication and identity management risks, complexities are increasing, and additional controls are required to manage identity risk.

Traditionally, the middle market has lagged in many foundational areas related to identity. However, RSM US Principal Alden Hutchison sees some real opportunities for middle market companies to gain better control over identity risks.

“Modern identity controls have matured to the point where they’re more accessible for the middle market,” he says. “Companies can now deploy enterprise‑grade identity capabilities at a reasonable cost, whether through modern platforms or managed services that deliver outcomes without the overhead.”

Identity controls have rapidly evolved from password and multifactor strategies to more sophisticated facial, biometric and passwordless options.

“The shift to biometric and passwordless identity controls has changed adoption dynamics,” says Hutchison. “These options reduce user friction and make it easier for middle market companies to implement stronger identity strategies at scale.”