Palo Alto Networks Report Finds AI Is Accelerating Breaches as Identity and Enterprise Complexity Drive Risk

Artificial intelligence is not only reshaping enterprise operations; it is also compressing the timeline of cyberattacks in ways that many organisations are not structurally prepared to handle. According to the Unit 42 2026 Global Incident Response Report released by Palo Alto Networks, attackers are now able to move from initial access to data exfiltration in as little as 72 minutes in the fastest cases examined, representing a fourfold acceleration compared with the previous year.

The findings are drawn from more than 750 high-stakes incident response engagements conducted globally by Unit 42, Palo Alto Networks’ threat intelligence and consulting arm. The data suggests that the combination of AI-assisted attack techniques, fragmented enterprise environments and identity weaknesses is reshaping how breaches unfold, reducing the window for detection and response to a fraction of what it once was.

Sam Rubin, Senior Vice President of Unit 42 Consulting & Threat Intelligence at Palo Alto Networks, argued that complexity itself has become a structural vulnerability. “Enterprise complexity has become the adversary’s greatest advantage,” he said, noting that attackers are increasingly targeting credentials and deploying autonomous AI agents capable of bridging human and machine identities to operate with minimal oversight once inside an environment.

What emerges from the report is not simply a story of faster malware, but of systemic exposure embedded within modern digital infrastructure.

Identity Has Replaced the Perimeter as the Primary Battleground

The report underscores a decisive shift away from traditional perimeter-based intrusion models toward identity-driven compromise. Identity weaknesses were exploited in 89% of the investigations analysed, while 65% of initial access techniques relied on identity-based methods such as social engineering and credential misuse. In comparison, software vulnerabilities accounted for 22% of initial access points.

This rebalancing reflects how enterprise environments have evolved. As organisations expand into hybrid cloud, SaaS ecosystems and remote work infrastructures, authentication systems increasingly serve as the connective framework between applications, users and services. Credentials, tokens and session cookies now provide attackers with access pathways that can bypass traditional network defences. Once inside, lateral movement often appears indistinguishable from legitimate activity, particularly in environments where implicit trust between systems remains intact.

The browser, long considered a routine productivity tool, has become a primary theatre of conflict. Nearly 48% of the attacks reviewed involved browser-based techniques, weaponising everyday web sessions to harvest credentials, hijack authentication tokens or evade endpoint controls. The line between user behaviour and attack vector has, in effect, blurred.

Multi-Surface Attacks Reflect Structural Fragmentation

The report also highlights how breaches increasingly span multiple layers of enterprise architecture. In 87% of incidents examined, attackers operated across two or more attack surfaces, blending activity between endpoints, cloud environments, SaaS applications and identity systems. In some cases, Unit 42 observed coordinated activity unfolding across as many as ten distinct vectors simultaneously.

Such complexity is compounded by the rise of SaaS supply chain exposure. Attacks involving third-party SaaS platforms have increased 3.8 times since 2022 and now account for 23% of all incidents analysed. OAuth tokens and API keys, designed to enable seamless integration between systems, are increasingly being exploited to pivot laterally across environments once initial access is secured.

Unit 42 attributes 90% of data breaches to misconfigurations or security gaps, often rooted in fragmented visibility and excessive trust relationships embedded in enterprise architecture. As organisations layer cloud-native services, AI-powered tools and distributed workforce infrastructure onto legacy systems, they create environments optimised for agility but often fragile from a defensive standpoint.

Defensive Models Struggle to Match Machine Speed

The collapse of the attack lifecycle presents a fundamental operational challenge. Security operations centres that rely on human review cycles measured in hours are increasingly misaligned with attack chains that unfold in minutes. The report argues that defensive strategy must therefore shift toward automation, unified security platforms and identity-centric governance.

Among its recommendations are the deployment of AI-driven detection and response systems capable of operating at machine speed, embedding security controls directly into software and AI development pipelines, centralising management of human and machine identities, and adopting zero trust architectures that continuously verify access rather than relying on assumed trust within networks.

The broader implication is less about any single vulnerability and more about tempo. AI is accelerating both innovation and risk. Enterprises are embedding automation into workflows, expanding digital surfaces and integrating systems at unprecedented scale. The same forces that enable productivity gains also compress the margin for defensive error.

In this environment, cybersecurity is no longer defined primarily by whether an organisation can prevent intrusion, but by whether it can detect and contain compromise before irreversible damage occurs. The report suggests that in a world of AI-enabled adversaries, resilience will depend less on isolated tools and more on structural simplification — reducing implicit trust, consolidating visibility and aligning defensive capability with the speed of the threat itself.
