Experts warn passwords no longer sufficient in AI era
Thu, 7th May 2026
Cyber security experts warn that passwords are no longer a sufficient line of defence as Australian organisations expand their use of artificial intelligence and digital services. The comments come as the industry marks World Password Day and reassesses long-standing authentication practices.
Security vendors and specialists say attackers are increasingly targeting identities rather than network perimeters. In an environment shaped by agentic AI, credential theft and large-scale data leakage, they argue passwords have become a weak link.
Check Point Software Technologies says its internal research highlights growing concern over how staff use generative AI tools in corporate environments. Employees routinely paste sensitive information into public chatbots, often through personal accounts outside enterprise control.
"Despite years of warnings, users persistently reuse passwords, unaware that when one platform is breached, automated credential stuffing attacks can unlock profiles across hundreds of other services.
"However, the biggest human-element threat in 2026 is not just password reuse. It is the accidental insider threat created by generative AI. The world is currently witnessing an epidemic of employees inadvertently feeding corporate secrets directly into AI tools.
"According to Check Point Research, in March 2026, one in every 28 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage, affecting 91% of organisations that use GenAI tools regularly. An additional 17% of prompts contained potentially sensitive information. Even worse, 82% of these copy-and-paste actions happen through unmanaged personal accounts, according to the LayerX report, creating a massive blind spot.
"Here are some ways organisations can defend themselves in 2026:
Embrace passwordless and FIDO2: The only true defence against phishing and infostealers is removing the password entirely. Transitioning to FIDO2 passkeys ensures that even if an employee is tricked into visiting a fake login page, there is no reusable credential to steal.
Implement identity-centric Zero Trust: Security teams must treat every authentication attempt with scepticism and combine endpoint detection and response (EDR) with identity threat detection and response (ITDR) to correlate behavioural anomalies across both environments.
Control the AI browser vector: Traditional data loss prevention (DLP) tools that monitor file transfers are obsolete if an employee simply hits "Ctrl+V" into ChatGPT. Enterprises must adopt enterprise browsers or browser security extensions to monitor, govern and block sensitive data from being pasted into unauthorised GenAI chatbots.
Continuous dark web and Telegram monitoring: Waiting for a breach notification is too late. Organisations need continuous threat intelligence monitoring to catch traded credentials before initial access brokers can sell them to ransomware affiliates.
"Passwords were once the keys to the castle. Today, they are a liability heavily traded on the dark web. As we look ahead, the future of enterprise security relies on verifying behaviour, not just a string of characters," said Raymond Schippers, Lead Technologist for ANZ, Check Point Software Technologies.
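The claim above that a passkey leaves "no reusable credential to steal" on a fake login page rests on two mechanics of FIDO2/WebAuthn: the browser, not the page, writes the origin into the signed client data, and the authenticator scopes the key to the site's RP ID. The example below is added here to show the relying-party side of that check; it is not code from the article or from Check Point. It emulates the browser and authenticator in-process, uses a hypothetical relying party (`example.com`, origin `https://example.com`) and a hypothetical look-alike phishing domain (`example.com.login-verify.net`), and lets the phishing scenario sign with the genuine key as the attacker's best case, since a real authenticator would simply find no credential for the wrong RP ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party (example values, not from the article).
const (
	rpID          = "example.com"
	allowedOrigin = "https://example.com"
)

// clientData is the part of WebAuthn CollectedClientData the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the page.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authData builds minimal authenticator data: rpIdHash(32) || flags(1) || signCount(4, big-endian).
func authData(rp string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rp))
	out := append(append([]byte{}, h[:]...), flags)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], signCount)
	return append(out, c[:]...)
}

// signedMessage is the digest a P-256 authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(auth, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	return m[:]
}

// authenticatorSign emulates browser plus authenticator. The browser fills in the origin it is
// really showing, and a page may only name its own registrable domain as the RP ID.
func authenticatorSign(priv *ecdsa.PrivateKey, rp, origin, challenge string) (Assertion, error) {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	auth := authData(rp, 0x05, 1) // flags: user present (0x01) | user verified (0x04)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(auth, cdj))
	return Assertion{auth, cdj, sig}, err
}

// VerifyAssertion runs the relying-party checks of the WebAuthn assertion ceremony.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, expectedChallenge string, lastCount uint32) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(expectedChallenge)) != 1 {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != allowedOrigin {
		return fmt.Errorf("origin %q is not the relying party", cd.Origin)
	}
	if len(a.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if subtle.ConstantTimeCompare(a.AuthData[:32], want[:]) != 1 {
		return errors.New("credential is scoped to a different RP ID")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	if c := binary.BigEndian.Uint32(a.AuthData[33:37]); c != 0 && c <= lastCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not cover this client data")
	}
	return nil
}

// RunDemo registers one passkey and checks three logins: a genuine one, one captured on a
// look-alike phishing domain, and that same capture with origin and rpIdHash rewritten to look
// genuine. It returns the verifier's verdict for each.
func RunDemo() (legit, phished, tampered error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err, err, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	pub := &priv.PublicKey

	a1, _ := authenticatorSign(priv, rpID, allowedOrigin, challenge)
	// Hypothetical phishing domain. A real authenticator holds no credential for this RP ID, so
	// signing with the same key here is already the attacker's best case.
	a2, _ := authenticatorSign(priv, "example.com.login-verify.net", "https://example.com.login-verify.net", challenge)
	a3 := a2 // attacker rewrites the unsigned-looking fields to claim the real site
	a3.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: allowedOrigin})
	a3.AuthData = authData(rpID, 0x05, 1)

	return VerifyAssertion(pub, a1, challenge, 0), VerifyAssertion(pub, a2, challenge, 0), VerifyAssertion(pub, a3, challenge, 0)
}
```

The genuine assertion passes; the one captured on the phishing domain is rejected on origin (and would also fail the rpIdHash check); and the rewritten copy is rejected because the signature covers the original client data and authenticator data. Nothing the phishing page obtains can be replayed against the real site, which is the property the quote refers to. The signature-counter check is the usual defence against a cloned authenticator and is included because a production verifier needs it, even though this demo only exercises a first login.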
Rising risks
Identity security is also rising up the agenda for boards and executives. Saviynt argues that expanding digital ecosystems and rapid AI adoption are giving attackers more scope to scale credential-based attacks.
"World Password Day is a good reminder for Australian businesses and their workforces that passwords alone are no longer enough to protect an organisation. They are the low-hanging fruit that cybercriminals turn to first to commit identity theft and financial fraud.
"As businesses accelerate their AI agenda, attackers also gain an advantage in scaling credential-based attacks. Identity security is no longer a peripheral concern but a core business priority. As cyber threats evolve, organisations must adopt a holistic approach that combines technology, processes and people. They need robust visibility into who has access to what, and stronger controls to manage and adjust that access as risks change.
"With digital ecosystems expanding and enterprise boundaries becoming more fluid, identities have become the new perimeter, making visibility and governance the central test ahead. Ultimately, reducing reliance on passwords starts with a more proactive approach to identity and access management across the business. Fixing access governance makes reducing password reliance an automatic outcome, not a separate initiative. The north star is improved user experience and better security," said James Ross, Regional Vice President for ANZ, Saviynt.
Consultancy Adactin also sees the annual awareness day as a sign that simple password updates fall short in the current threat environment. It supports a shift to an identity-first model that combines technology with staff education.
"International Password Day is not just a reminder to update credentials. It is a timely signal that passwords, while still widely used, are no longer sufficient as a standalone control in today's threat landscape. At Adactin, we see this as a clear call for organisations to move beyond basic password hygiene and adopt a more holistic, identity-first security model. This includes combining multi-factor authentication, privileged access controls and zero-trust principles to ensure every access request is verified, not assumed. With the rapid enablement of AI, this shift becomes even more critical as cyber threats grow in sophistication and relying solely on passwords introduces unnecessary risk. Modern security demands a more resilient and adaptive approach to managing and protecting access.
"At the same time, technology alone cannot solve the challenge. The real differentiator is a strong security culture in which employees understand their role in safeguarding digital assets. At Adactin, we see International Password Day as an opportunity for organisations to reinforce accountability and embed continuous awareness and education across the workforce. Strengthening user behaviour and security habits plays a vital role in reducing exposure to cyber threats. Ultimately, this means moving from reactive compliance to proactive resilience by embedding secure practices, continuous monitoring and user education into everyday operations to build trust in an increasingly digital world," said Srinivas Gutta, Technical Practise Director, Adactin.
Physical impact
New research from Genetec suggests physical security environments also face growing credential-related risks as systems connect to corporate networks. Its Enterprise Physical Security in the Cloud Era study reports a rise in phishing and smishing attacks, along with higher incident volumes.
"AI is changing the speed and scale of cyber risk. Attackers can now move faster and use AI to impersonate people, tailor social engineering attacks, uncover vulnerabilities at scale and evade detection. To respond, organisations need to actively govern access and identity across their systems, not just set controls once and hope they hold.
"These risks are already affecting organisations that manage physical security systems. Genetec's recent Enterprise Physical Security in the Cloud Era research, based on insights from more than 7,300 physical security professionals worldwide, found that 58.7% of organisations had experienced an increase in phishing and smishing attacks, while 41% reported a rise in overall physical or cyber incidents. Social engineering was identified by 43.5% as a leading attack vector.
"Genetec encourages organisations to move beyond isolated credential controls and adopt a governance-first approach to identity management in physical security environments, including:
Strengthen identity and credential controls: Organisations should eliminate default and shared credentials, enforce strong authentication such as passkeys and adopt multi-factor authentication to reduce common attack entry points. This must also extend to devices by replacing static passwords with certificate-based authentication where possible, alongside centralised management and regular credential rotation.
Closer alignment between IT and physical security teams: Bringing IT and physical security teams together helps apply consistent security standards, improve visibility into access risks and coordinate incident response. As physical security systems become more connected to enterprise networks, cross-functional alignment can help organisations identify weak points and respond more effectively to credential-based attacks.
Governance-first management of physical security systems: Organisations should manage physical security infrastructure with the same rigour as other mission-critical systems. This includes regular access reviews, controlled updates and partnerships with trusted technology providers that support long-term security, transparency and operational resilience," said Mathieu Chevalier, Principal Security Architect, Genetec.
Beyond passwords
BeyondTrust frames the decline of passwords as part of a broader shift in identity and privilege management. It points to industrialised credential theft and says complex password rules cannot offset the risks created by leaked secrets.
"Each year, World Password Day arrives with a familiar message that is increasingly outdated. The password, once the foundation for authentication and digital trust, has become the weakest link in an era of agentic AI and identity compromise. The uncomfortable truth is that passwords alone are no longer an effective identity security control. They have become a liability.
"Threat actors typically do not hack in the traditional sense anymore through vulnerabilities and exploits. They simply log in using stolen credentials. Credential theft, password spraying and replay attacks have industrialised access for crime syndicates and nation-state threat actors. Billions of compromised credentials circulate across the dark web, and even the most complex password policy cannot defend against password reuse, human behaviour and a leaked secret. Complexity does not equal security, and relying on password obfuscation only increases friction for users and automation.
"Organisations must treat these changes in password management for humans and secrets management for machines as an inflection point. Identity has become the new perimeter, and passwords cannot carry that burden alone. Multi-factor authentication and single sign-on were the first evolution, but even these technologies are under pressure from phishing-resistant bypass techniques, social engineering, token theft and SIM jacking. The next phase demands a shift toward passwordless architectures, least-privilege principles, continuous authentication, just-in-time access and behavioural monitoring.
"This is not just a technology conversation. It is a governance and cultural transformation that must be led by executives who are willing to ask harder questions of the business. For example, why are we still trusting standing privileges in a dynamic threat environment that includes new AI deployments? The answer often lies in legacy systems, operational inertia and misplaced confidence in outdated frameworks and security controls.
"The path forward is clear: eliminate passwords where possible, enforce least privilege with just-in-time access, treat every identity, human or machine, as a potential attack vector, measure trust continuously rather than only at login, and monitor every sensitive session for appropriate behaviour.
"World Password Day should not celebrate passwords. It should mark their decline and the evolution of the technology, best practices and security controls needed to protect identities once secured solely by passwords. It should be a day of remembrance for passwords; they served us well for decades," said Morey J. Haber, Chief Security Advisor, BeyondTrust.
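Both Haber's reference to password spraying and the earlier Check Point point about automated credential stuffing, and ITDR correlating behavioural anomalies, describe the same observable: one source failing against many distinct accounts in a short window, as opposed to a legitimate user failing repeatedly against one account. The detection below is added here as an example and is not code from the article or from either vendor. The log lines are constructed sample data in an assumed `timestamp user source OK|FAIL` format, and the window and threshold values are assumptions to tune per environment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one parsed authentication record.
type AuthEvent struct {
	Time   time.Time
	User   string
	Source string
	OK     bool
}

// sampleLog is constructed sample data, not real logs: "RFC3339-timestamp user source OK|FAIL".
// 203.0.113.7 tries one guess against six accounts in six seconds (spray/stuffing pattern);
// 198.51.100.4 is a user who mistypes twice and then succeeds; 203.0.113.9 probes three
// accounts hours apart (a low-and-slow spray that a short window will miss).
const sampleLog = `
2026-05-07T09:00:01Z alice 203.0.113.7 FAIL
2026-05-07T09:00:02Z bob 203.0.113.7 FAIL
2026-05-07T09:00:03Z carol 203.0.113.7 FAIL
2026-05-07T09:00:04Z dave 203.0.113.7 FAIL
2026-05-07T09:00:05Z erin 203.0.113.7 FAIL
2026-05-07T09:00:06Z frank 203.0.113.7 FAIL
2026-05-07T09:01:10Z grace 198.51.100.4 FAIL
2026-05-07T09:01:25Z grace 198.51.100.4 FAIL
2026-05-07T09:01:40Z grace 198.51.100.4 OK
2026-05-07T08:00:00Z alice 203.0.113.9 FAIL
2026-05-07T09:30:00Z bob 203.0.113.9 FAIL
2026-05-07T11:00:00Z carol 203.0.113.9 FAIL
`

// ParseLog parses the whitespace-separated format above, skipping blank lines.
func ParseLog(log string) ([]AuthEvent, error) {
	var events []AuthEvent
	for n, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, AuthEvent{Time: ts, User: f[1], Source: f[2], OK: f[3] == "OK"})
	}
	return events, nil
}

// Finding is a source whose failed logins touched many distinct accounts inside one window.
type Finding struct {
	Source        string
	DistinctUsers int // most distinct accounts failed from this source within any one window
	Failures      int // total failures from this source
}

// DetectSpray reports sources with at least minUsers distinct failed usernames inside a sliding
// window of the given length. Events may arrive out of order; each source is sorted first.
func DetectSpray(events []AuthEvent, window time.Duration, minUsers int) []Finding {
	bySource := map[string][]AuthEvent{}
	for _, e := range events {
		if !e.OK {
			bySource[e.Source] = append(bySource[e.Source], e)
		}
	}
	var out []Finding
	for src, fails := range bySource {
		sort.Slice(fails, func(i, j int) bool { return fails[i].Time.Before(fails[j].Time) })
		inWindow := map[string]int{} // user -> failures inside the current window
		best, lo := 0, 0
		for hi := range fails {
			inWindow[fails[hi].User]++
			for fails[hi].Time.Sub(fails[lo].Time) > window { // slide the left edge forward
				u := fails[lo].User
				inWindow[u]--
				if inWindow[u] == 0 {
					delete(inWindow, u)
				}
				lo++
			}
			if len(inWindow) > best {
				best = len(inWindow)
			}
		}
		if best >= minUsers {
			out = append(out, Finding{Source: src, DistinctUsers: best, Failures: len(fails)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Source < out[j].Source })
	return out
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectSpray(events, 10*time.Minute, 5) {
		fmt.Printf("%s: %d distinct accounts failed (%d failures) within 10m\n", f.Source, f.DistinctUsers, f.Failures)
	}
}
```

With a ten-minute window and a threshold of five accounts, only 203.0.113.7 is flagged; the user who fumbled a password never counts because all of their failures are against one account. The slow probe from 203.0.113.9 is the caveat: it only surfaces with a window long enough to span its attempts, which is why this kind of rule is usually run at several window lengths and why a ratio of failures to distinct users near 1 (one guess per account) is a stronger signal than raw failure volume.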
The rapid growth of AI agents adds another dimension to the debate. Ping Identity says many organisations now run autonomous systems whose actions are not governed to the same standard as human accounts.
"As organisations rapidly adopt AI agents, large-scale data breaches are becoming less of an anomaly and more of an inevitability. These systems are doing more than responding to prompts. They are making decisions, taking actions and even spawning new agents with increasing autonomy and speed. That shift fundamentally changes the security landscape.
"The challenge is that many organisations are deploying AI agents faster than they can establish clear identity, accountability and governance for them. When you cannot definitively answer what an agent did, why it did it, or under whose authority it acted, you introduce significant risk. This is why identity for AI must become a foundational priority. Every agent needs a verifiable identity with clear permissions and continuous oversight, just like any human user or service account. Without that, the growing ecosystem of autonomous AI will continue to expand the attack surface in ways most organisations are not yet prepared to manage," said John Cannava, CIO, Ping Identity.