New global research from Zoho Corporation reveals a 47% gap between AI belief and deployment as organisations race ahead with AI ambitions without the security foundations to support

London: UK businesses are sold on the promise of AI to strengthen their security, the highest of their global counterparts, but yet only 40% of organisations are ready to deploy AI-powered security tools according to new research from Tigon Advisory Corp, on behalf of Zoho Vault, Zoho's password management platform.

The State of Workforce Password Security 2026 report, published ahead of World Password Day reports a widening disconnect between how organisations assess risk and how they have invested to address it.

Across 3,322 respondents from nine regions, one in three businesses reported a confirmed cyberattack in the past year, and a further 7% were unable to confirm whether they had been attacked at all. In the U.K., the attack rate climbed to 25%, seven points below the global average.

"World Password Day was created to remind people that credentials are still the entry point to the modern business. What this research shows is that the entry points have multiplied: the average UK employee now logs into between 2-10 business applications, and most organisations cannot fully account for who has access to what across them," says Sachin Agrawal, Managing Director of Zoho UK. "The issue is not under-investment, but investment without architectural coherence, leaving the UK with a significant gap between intent for security and actual results."

The report identifies legacy infrastructure (cited by 52% of global respondents) and migration complexity (48%) as the primary blockers. Cost ranks third at 41%, reinforcing a recurring theme across the data: the constraint on security maturity is not budget but architecture.

"The organisations that will navigate the next five years most effectively are those investing in architectural simplicity, building governance models that scale with identity growth, and adopting AI-enabled orchestration to reduce friction,", says Helen Yu, Founder and CEO of Tigon Advisory Corp. "Budget is not the primary constraint on security maturity; architecture, talent, and visibility infrastructure are. The data in this report is a call to sequence correctly: fix foundations before chasing advanced capabilities."

The average UK employee now accesses between 2-10 business applications daily across on-site, hybrid, and fully remote work modes, complicating the assumption that credential management is primarily a remote-work problem. Each application represents a credential that must be created, secured, and governed, yet fewer than one in four organisations globally have deployed a dedicated password manager.

The exposure is most acute in the small and mid-sized business segment. More than half of respondents in organisations under 250 employees report having no dedicated security team, relying instead on manual password hygiene, shared spreadsheets, and informal policies - a profile the report describes as "the SMB credential blind spot."

Industry leaders are calling for six imperatives for 2026, prioritised by deployment urgency: deploy a centralised password manager, close the identity visibility gap, pair password management with multi-factor authentication, build a Zero Trust roadmap, treat integration as a security requirement, and pilot AI-powered credential security within the next twelve months.

"Legacy infrastructure remains the primary blocker between any effective use of AI, including deploying AI for security," says Sachin Agrawal, Managing Director of Zoho UK. "Our future-ready stack is built around the premise that placing identity, access, and applications on the same architectural foundation provides fewer opportunities for vulnerabilities, higher identity visibility, and conveniently, an easier method of adding AI to assist in threat detection. As AI's sophistication in exploiting security weaknesses rapidly improves, migrating to a secure, AI-ready platform is only becoming more urgent."