A global research study published by Zoho Corporation, a privately held technology company headquartered in Austin, Texas, that operates more than 55 business applications including the password management platform Zoho Vault, has found that US businesses face the largest gap in the world between confidence in AI-powered security and readiness to actually deploy it. The study, titled State of Workforce Password Security 2026 and conducted by Tigon Advisory Corp., surveyed 3,322 verified respondents across nine regions, six industries and twelve workforce roles in early 2026.
The central finding for the US market is a contradiction. Among US respondents, 91% believe AI will strengthen their security posture, the highest belief rate of any region surveyed. But only 9% report being ready to deploy AI-powered security today. That 82-point gap between conviction and operational readiness is the widest of any market in the study. The report attributes the disconnect not to budget constraints but to architectural problems. Legacy infrastructure was cited by 52% of global respondents as the primary blocker, followed by migration complexity at 48%. Cost ranked third at 41%.
The pattern extends beyond AI. US respondents reported a confirmed cyberattack rate of 34% over the past year, two points above the global average and the second-highest of any region surveyed. At the same time, 75% of US respondents plan to increase security spending in 2026, three points above the global average. The report frames this as evidence that spending intent alone does not translate into improved outcomes when the underlying infrastructure remains fragmented.
One factor driving that fragmentation is what the study calls application sprawl. The average US employee now logs into more than fifteen business applications daily, four points above the global average and the highest rate among developed markets. Each application represents a separate credential that must be created, secured and governed. Yet fewer than one in four organisations globally have deployed a dedicated password manager, and 76% of US respondents lack complete identity visibility across their workforce, including orphaned accounts and undocumented access.
The exposure is particularly acute among smaller organisations. More than half of respondents in companies with fewer than 250 employees reported having no dedicated security team, relying instead on manual password practices, shared spreadsheets and informal policies.
On the Zero Trust front, 62% of US respondents have not deployed a Zero Trust strategy, three points below the global average, though most non-adopters indicated they expect to implement one within one to three years.
"World Password Day was created to remind people that credentials are still the entry point to the modern business. What this research shows is that the entry points have multiplied: the average U.S. employee now logs into more than fifteen business applications, and most organizations cannot fully account for who has access to what across them," says Chandramouli Dorai, Chief Evangelist of Cyber Solutions at Zoho. "The issue is not under-investment, but investment without architectural coherence, leaving the U.S. with a significant gap between intent for security and actual results."
"U.S. organizations lead the world in security investment intent, but they also face the largest AI belief-to-deployment gap globally," says Helen Yu, Founder and CEO of Tigon Advisory Corp. "Legacy infrastructure is the primary blocker, and the data is unambiguous on the sequence: organizations that fix foundational identity visibility first will accelerate when AI adoption becomes table stakes within the next one-to-three years, while those that try to bolt AI onto fragmented stacks will fall further behind."
"Legacy infrastructure remains the primary blocker between any effective use of AI, including deploying AI for security," says Mani Vembu, CEO of Zoho. "Our future-ready stack is built around the premise that placing identity, access, and applications on the same architectural foundation provides fewer opportunities for vulnerabilities, higher identity visibility, and conveniently, an easier method of adding AI to assist in threat detection. As AI's sophistication in exploiting security weaknesses rapidly improves, migrating to a secure, AI-ready platform is only becoming more urgent."
