New global research presented by Zoho and conducted by Tigon Advisory Corp. finds that spend doesn't translate into outcomes, as the U.S. faces attack rates and identity visibility gaps above the global average

AUSTIN, Texas: #AI--Zoho Corporation, a global technology company, today released the State of Workforce Password Security 2026, a global research study of 3,322 verified respondents across nine regions, six industries, and twelve roles. Conducted by Tigon Advisory Corp. on behalf of Zoho Vault, Zoho's password management platform, the report documents a widening disconnect between how organizations assess credential risk and how they have invested to address it. Findings from U.S. respondents indicate that American businesses lead the world in security spending intent yet remain among the most exposed to credential-driven attack, a gap the report attributes to architectural fragmentation rather than budget constraint.

The report, released ahead of World Password Day, arrives at what the authors describe as a critical inflection point. Across the global sample, one in three businesses reported a confirmed cyberattack in the past year, and a further 7% were unable to confirm whether they had been attacked at all. In the U.S., the attack rate climbed to 34%, two points above the global average and the second-highest of any region surveyed.

"World Password Day was created to remind people that credentials are still the entry point to the modern business. What this research shows is that the entry points have multiplied: the average U.S. employee now logs into more than fifteen business applications, and most organizations cannot fully account for who has access to what across them," says Chandramouli Dorai, Chief Evangelist of Cyber Solutions at Zoho. "The issue is not under-investment, but investment without architectural coherence, leaving the U.S. with a significant gap between intent for security and actual results."

The State of Security in the United States

There is a consistent theme across the U.S. data: high awareness, high spending intent, and persistent visibility gaps. Among U.S. respondents:

• 34% experienced a confirmed cyberattack in the past year, compared with 32% globally.
• 76% lack complete identity visibility across their workforce, including orphaned accounts and undocumented access, two points higher than the global average.
• 75% plan to increase security spending in 2026 - three points above the global average.
• 63% of employees use 15 or more business applications, four points above the global average and the highest application-sprawl rate of any developed-market region.
• 62% have not deployed a Zero Trust strategy, with most non-adopters expecting to implement within one to three years, three points lower than the global average.

The AI Belief-to-Deployment Gap

The starkest finding for the U.S. concerns artificial intelligence in workforce security. 91% of U.S. respondents believe AI will strengthen their security posture - the highest belief rate of any region surveyed - yet only 9% report being ready to deploy AI-powered security today. That 82-point gap between belief and deployment readiness is the widest of any market in the study.

The report identifies legacy infrastructure (cited by 52% of global respondents) and migration complexity (48%) as the primary blockers. Cost ranks third at 41%, reinforcing a recurring theme across the data: the constraint on security maturity is not budget but architecture.

"U.S. organizations lead the world in security investment intent, but they also face the largest AI belief-to-deployment gap globally," says Helen Yu, Founder and CEO of Tigon Advisory Corp. "Legacy infrastructure is the culprit and the data makes the sequence undeniable. Organizations that fix foundational identity visibility first will accelerate when AI adoption becomes table stakes within the next one to three years. Those that try to bolt AI onto fragmented stacks will fall further behind."

The Application Sprawl Problem

The report frames credential risk as a function of attack-surface growth. The average U.S. employee now accesses more than fifteen business applications daily across on-site, hybrid, and fully remote work modes, complicating the assumption that credential management is primarily a remote-work problem. Each application represents a credential that must be created, secured, and governed, yet fewer than one in four organizations globally have deployed a dedicated password manager.

The exposure is most acute in the small and mid-sized business segment. More than half of respondents in organizations under 250 employees report having no dedicated security team, relying instead on manual password hygiene, shared spreadsheets, and informal policies - a profile the report describes as "the SMB credential blind spot."

What the Data Recommends

The report concludes with six imperatives for 2026, prioritized by deployment urgency: deploy a centralized password manager, close the identity visibility gap, pair password management with multi-factor authentication, build a Zero Trust roadmap, treat integration as a security requirement, and pilot AI-powered credential security within the next twelve months.

"Legacy infrastructure remains the primary blocker between any effective use of AI, including deploying AI for security," says Mani Vembu, CEO of Zoho. "Our future-ready stack is built around the premise that placing identity, access, and applications on the same architectural foundation provides fewer opportunities for vulnerabilities, higher identity visibility, and conveniently, an easier method of adding AI to assist in threat detection. As AI's sophistication in exploiting security weaknesses rapidly improves, migrating to a secure, AI-ready platform is only becoming more urgent."

Methodology

The State of Workforce Password Security 2026 was conducted by Tigon Advisory Corp. and sponsored by Zoho Corporation. The study is based on 3,322 verified responses across nine regions (United States, Canada, United Kingdom, European Union, India, Middle East and Africa, Australia and New Zealand, Japan, and China), six industries, and twelve workforce roles. Data was collected in early 2026. The full report, including all regional snapshots and methodology notes, is available at https://www.zoho.com/vault/state-of-workforce-password-security-report.html.

Zoho Privacy Pledge

Zoho respects user privacy and does not have an ad-revenue model in any part of its business, including its free products. The company owns and operates its data centers, ensuring complete oversight of customer data, privacy, and security. More than 150 million users around the world, across hundreds of thousands of companies, rely on Zoho every day to run their businesses, including Zoho itself. For more information, click here.

About Zoho Vault

Zoho Vault is Zoho's password management application for individuals, teams, and enterprises, providing centralized credential vaulting, secure sharing, role-based access, multi-factor authentication, and integration with Zoho's broader productivity, HR, and IT-management portfolio. Zoho Vault is included in Zoho One and is also available as a standalone subscription. More information is available at zoho.com/vault.

About Zoho Corporation

With 55+ apps in nearly every major business category, Zoho Corporation is one of the world's most prolific technology companies. Headquartered in Austin, Texas, with international headquarters in Chennai, India, Zoho is privately held and profitable with 90+ offices worldwide. For more information, please visit: www.zoho.com.

Fonte: Business Wire