New research from SailPoint reveals that more than three quarters (77%) of UK organisations fail to immediately deactivate logins when staff leave, exposing British businesses to huge cyber risk. This occurs amid high workforce turnover, with the findings showing that more than a fifth (21%) of UK employees have left their roles in the past year.
The study, which surveyed UK IT decision-makers on identity security, highlights a concerning lapse in security protocols. With compromised credentials surging by 160% in the space of a year, dormant accounts present a critical window of opportunity for cyber criminals, making it easier for them to infiltrate company systems.
When it comes to managing the existing workforce, UK organisations are putting themselves in further jeopardy. More than a third (34%) of surveyed businesses admit to knowingly granting broader access to users,creating another backdoor point of entry for hackers and heightening the risk of cyber-attacks.
This comes amid a huge number of user access points organisations must now manage. These not only come from employee turnover, but also from third parties in the supply chain, such as contractors, partners and suppliers, and an influx of non-human identities as automation and agentic AI reshape the workforce. On average, organisations are inundated with nearly 3,000 (2,754) new users in systems each month. While more than a quarter (26%) of businesses report onboarding up to 250 new employees monthly, over one in ten (12%) say they are adding as many as 10,000 AI agents and machine identities in the same period.
The challenge to manage this influx is compounded by outdated security processes, leaving UK organisations fighting an uphill battle. Nearly three in ten (28%) still rely on manual checks such as spreadsheets or paperwork to validate employee accounts after responsibilities end, increasing the likelihood of human error and oversight. This is significantly higher than European counterparts, including those in Germany (21%) and France (23%), underscoring how much the UK is falling behind with out-of-date systems.
Alarmingly, one fifth (21%) of AI agents are still managed manually, despite the rate at which they are proliferating.
Mark McClain, CEO and Founder at SailPoint, commented:
“Organisations are experiencing an ‘access amnesia’ – a pervasive forgetfulness or lack of clarity about who or what has access to their systems, when, and why. This oversight extends not only to departing employees but also to those with existing roles and responsibilities, leaving businesses dangerously exposed as hackers seek entry points into systems. Any window of opportunity carries great risk.
“As enterprises onboard identities at industrial scale – with machine identities and AI agents to manage, in addition to employees and third-party workers, they are quickly becoming overwhelmed. Existing governance models, designed for a slower and simpler world, are struggling to keep pace.
“When access is over-granted, poorly reviewed, or simply invisible, risk is no longer theoretical – it becomes embedded in everyday operations. For CISOs and CTOs, identity can no longer be treated as a background control; it is now foundational to security, resilience, and trust. Identity should be considered the new perimeter.”
 of UK organisations fail to deactivate logins){kind=link}