The nonprofit sector is a vital part of the global economy, managing high-stakes data like donor records, refugee data, and sensitive government grants. This growing digital footprint, and a lack of funding for cybersecurity, has made these organizations increasingly vulnerable to security threats.
Okta’s Nonprofits at Work 2026 report reveals a difficult reality: While AI offers ways for nonprofits to serve their communities as budgets shrink, it puts this already heavily targeted and under-funded sector in an even more precarious position. The data suggests that for many mission-driven organizations, the path to a high-tech future is currently blocked by a significant security gap.
The 78% attack velocity
The most sobering finding in this year’s report is an astonishing surge in malicious activity. Two years ago, the ratio of threats to authentications in the nonprofit sector was just 2.6%. Last year, it rose to 18%. This year, that figure skyrocketed to 78%.
Nearly four out of five login attempts at nonprofits are now fraudulent, making it the most-attacked industry in our dataset and surpassing historically "hard" targets such as finance and energy. This exponential rise in threat activity suggests that attackers see the nonprofit sector as a target-rich and less-defended environment. Because these organizations manage sensitive data for donors and vulnerable populations, identity security has become a mission-critical imperative.
The governance vacuum and shadow AI
Used as a "financial force multiplier," AI could help nonprofits handle growing workloads with shrinking resources. The report found that 80% of larger nonprofits (more than 200 employees) are already deploying or piloting autonomous AI agents.
However, adoption is outstripping oversight. Three out of four (76%) nonprofits lack a formal AI strategy, and 58% have no restrictions in place for the use of AI tools. This creates a "shadow AI" nightmare. Staff are using free tools like ChatGPT to automate individual workflows, but these apps often sit outside the protection of Single Sign-On (SSO) and Multi-Factor Authentication (MFA), leaving sensitive data exposed.
The automation gap
Perhaps the most critical barrier to nonprofit security is the lack of foundational automation. Nonprofits currently rank last among all 16 industries for automated lifecycle management (LCM) — the process of automatically onboarding, offboarding, and managing user access.
In an era where attackers move at machine speed, many nonprofits are still fighting back with manual, human-speed processes. Without automated governance, the impending proliferation of non-human identities (NHIs) and AI agents will inevitably create an unmanageable attack surface. There is good news: While the gap is significant, some nonprofits are making steady progress. The sector’s LCM-using customer base is growing at 5% per year, ranking it No. 9 for year-over-year growth across all industries.
Measure your AI readiness in 2 minutes
See where identity, access, and agent control break down in production
The path forward: Identity as a bedrock
Despite these challenges, there is a clear path toward resilience. Nonprofits are rapidly adopting phishing-resistant authentication, with Okta FastPass passwordless logins growing by 98% year-over-year.
To safely navigate the agentic age, nonprofit leaders must move beyond manual security. Scaling impact in 2026 requires a bedrock of strong identity security: continuous authentication, automated lifecycle management, and robust governance for both human and machine identities.
Is your organization ready for the speed of AI?
Download the full Okta Nonprofits at Work 2026 report to explore the data, and take our AI Readiness Assessment to uncover your blind spots and understand your AI identity readiness in minutes.
