Over-access and dormant accounts: A risk to UK firms?

April 22, 2026
New research from SailPoint reveals that more than three quarters (77%) of UK organisations fail to immediately deactivate logins when staff leave, exposing British businesses to huge cyber-risk.

The report has stated that this occurs amid high workforce turnover, with the findings showing that more than a fifth (21%) of UK employees have left their roles in the past year.  

Lapsing security protocols

The study, which surveyed UK IT decision-makers on identity security, is said to highlight a concerning lapse in security protocols.

With compromised credentials surging by 160% in the space of a year, dormant accounts present a critical window of opportunity for cyber-criminals, making it easier for them to infiltrate company systems, according to SailPoint.

When it comes to managing the existing workforce, UK organisations are reportedly putting themselves in further jeopardy.

More than a third (34%) of surveyed businesses are said to have admitted to knowingly granting broader access to users, creating another backdoor point of entry for hackers and heightening the risk of cyber-attacks.  

The report has stated that this comes amid a huge number of user access points organisations must now manage.

These are said to come not only from employee turnover but also from third parties in the supply chain, such as contractors, partners and suppliers, and from an influx of non-human identities as automation and agentic AI reshape the workforce.

According to the report, on average, organisations are inundated with nearly 3,000 (2,754) new users in systems each month.

While more than a quarter (26%) of businesses report onboarding up to 250 new employees monthly, over one in ten (12%) say they are adding as many as 10,000 AI agents and machine identities in the same period.

The UK’s outdated security processes

The challenge of managing this influx is said to be compounded by outdated security processes, leaving UK organisations fighting an uphill battle.

According to the report, nearly three in ten (28%) still rely on manual checks such as spreadsheets or paperwork to validate employee accounts after responsibilities end, increasing the likelihood of human error and oversight. 

SailPoint says this is significantly higher than among European counterparts, including those in Germany (21%) and France (23%), underscoring how much the UK is falling behind with out-of-date systems.

Alarmingly, one fifth (21%) of AI agents are still reportedly managed manually, despite the rate at which they are proliferating. 

“Security, resilience and trust”

Mark McClain, CEO and Founder at SailPoint, commented: “Organisations are experiencing an ‘access amnesia’ – a pervasive forgetfulness or lack of clarity about who or what has access to their systems, when and why.

“This oversight extends not only to departing employees but also to those with existing roles and responsibilities, leaving businesses dangerously exposed as hackers seek entry points into systems.

“Any window of opportunity carries great risk. 

“As enterprises onboard identities at industrial scale – with machine identities and AI agents to manage, in addition to employees and third-party workers, they are quickly becoming overwhelmed.

“Existing governance models, designed for a slower and simpler world, are struggling to keep pace.

“When access is over-granted, poorly reviewed or simply invisible, risk is no longer theoretical – it becomes embedded in everyday operations.

“For CISOs and CTOs, identity can no longer be treated as a background control; it is now foundational to security, resilience and trust.

“Identity should be considered the new perimeter.”
