Three things have happened across the first three fronts of this report. Insider Risk Management's category brand absorbed into a "Human Risk" platform when Mimecast bought Code42. Data Loss Prevention's category brand absorbed into a "Data Security Platform" when Microsoft, Forcepoint, Cyberhaven, BigID, Palo Alto, and IBM Guardium all repositioned DLP as a module of a DSPM-anchored platform. Data Security Posture Management absorbed itself into the buyers it was supposed to replace — Veeam closed Securiti AI at $1.725B in December 2025, Google closed Wiz at $32B in early 2026, Palo Alto closed CyberArk at $25B in February 2026, and Cyera quadrupled its valuation in fourteen months to $9B by January 2026 ^{1 2 3 4}. Three category brands, three different absorption stories, one structural moment in the data-security market.

Not investment advice. See Disclosures.

Convergence in 2026 is not three parallel platform races. It is a single absorption wave that resolves all three fronts into the same shape. The question is which architectural layer the absorbed mass settles on — the data, the platform, or the actor — and which vendor archetypes survive the resolution. This chapter argues for the data-layer answer; the framing acknowledges that the platform-economics answer and the actor-collapse answer both have serious support in 2026 evidence.

The DSPM Absorption Substrate Thesis. The 2026 consolidation of IRM, DLP, and DSPM is not three parallel platform races — it is a single absorption wave in which the data layer becomes the anchor for the surrounding categories. Six DSPM-relevant M&A events in two years (IBM-Polar, PANW-Dig, CrowdStrike-Flow, Rubrik-Laminar, Proofpoint-Normalyze, Veeam-Securiti) plus Google's $32B Wiz close and PANW's $25B CyberArk close show platform-incumbents from four different starting positions — data-resilience, CNAPP, identity, and email-security — converging on a DSPM-anchored data-security stack. My read is that DSPM is winning the substrate role because the underlying problem (where sensitive data sits, who can reach it, and what classifier output downstream controls trust) is the only primitive all three categories ultimately need. IRM and DLP are absorbing into platforms whose load-bearing surface is the data layer that DSPM established. The lane for standalone IRM and DLP narrows; the lane for standalone DSPM narrows differently, surviving only at the AI-training-pipeline frontier where CNAPP-bundled DSPM has not caught up. The convergence is real, asymmetric, and DSPM-led.

Two serious counter-positions need to be on the table before the chapter argues from the DSPM-substrate read.

The Three-Front Bundle Thesis. The 2026 convergence is driven by platform economics and suite-attach mechanics, not by any architectural preference for the data layer. Microsoft Purview ships IRM, DLP, and DSPM as modules of the same M365 E5 / Purview Suite SKU. Proofpoint ships Insider Threat Management, Enterprise DLP, and (post-Normalyze) DSPM as three product lines under one platform. Varonis sells a Data Security Platform with IRM, DLP-adjacent, and DSPM use cases against one ARR line. Cyberhaven's February 2026 unified launch bundles DSPM + DLP + IRM + AI Security on a data-lineage substrate. Under this thesis the absorption is symmetric across the data layer (DSPM is not specially privileged), the survivors are platform vendors with cross-module distribution leverage, and the standalone specialists in all three categories face the same renewal-cycle pricing pressure for the same economic reason.

The Identity-Data-Behavior Collapse Thesis. The 2026 convergence is being driven by agentic AI, and the three fronts collapse because the subject of analysis — the entity whose behavior, data access, and content movement is being governed — is no longer cleanly human or non-human. Above Security's $50M Series A frames AI agents as "insiders in everything but name." Microsoft Purview ships "Risky AI usage" and "Risky Agents (preview)" templates. Strac's MCP-DLP framing covers machine-to-machine traffic the legacy controls never saw. Veeam's DataAI Command Platform thesis explicitly states control must shift to the data source "so known and unknown agents cannot access sensitive data if that data is governed at the source." Under this thesis the convergence is being driven by an architectural force (the failure of agent-runtime governance to scale) rather than by M&A capital flows, and the survivors are vendors whose product accommodates the data-actor-collapse natively — regardless of category lineage.

The chosen thesis is asymmetric where the bundle thesis is symmetric, and architectural-but-data-side where the collapse thesis is architectural-but-actor-side. The remainder of the chapter argues from the chosen thesis while citing the competing reads where evidence pulls in their direction.

Caption: the three Part 1 categories overlap structurally; the shaded core is where the data-classification primitive does the load-bearing work for all three.

The three fronts split cleanly along two questions: what you protect — the data, or the human acting on it — and what you do — watch posture, or stop the event. DLP and DSPM protect data; IRM watches the human. DLP and the emerging insider-event-prevention corner act to stop the event; DSPM and IRM mostly report posture and visibility.

The vertical split is the load-bearing one: DSPM and IRM largely report posture and visibility, while DLP acts to stop the event on the data side. The human-side, event-stopping corner — stopping a risky human (or, increasingly, agent) action by judgment rather than blunt blocking — is the market's thinnest quadrant, and the one the agentic-AI shift is now pulling demand toward.

Three forces account for the 2026 wave, and each pulls in a slightly different direction.

Force 1 — Agentic AI risk has collapsed the subject of analysis. Machine identities now outnumber human identities 80-to-1, per the Palo Alto Networks closing release on its $25B CyberArk acquisition ⁵. AI agents authenticate via shared service accounts that legacy IAM treats as trusted infrastructure — "no session, no MFA, no individual identity to inspect," per Symmetry Systems' product page ⁶. The three Part 1 questions — who is doing what (IRM), what data is moving where (DLP), what data exists and who can reach it (DSPM) — all become unanswerable independently when the actor is an autonomous agent. Microsoft Purview's "Risky Agents (preview)" template (IRM) and Strac's MCP-DLP four-surface architecture (DLP) and Veeam's data-source-enforcement framing (DSPM) are three category-specific responses to the same underlying force ^{7 8 9}. The force is real, but it pulls toward the data layer because that is the only enforcement point that scales when the agent population is too large and too fast for runtime controls.

Force 2 — Platform economics has reorganized procurement. The data-security buying motion in 2026 is moving from line-item ("buy DLP," "buy IRM," "buy DSPM") to platform ("buy a data-security platform whose modules replace my legacy line items"). Six platform vendors ship multi-module data-security suites in 2026: Microsoft Purview (IRM + DLP + DSPM as M365 E5 / E5 Compliance modules) ¹⁰, Cyberhaven (unified DSPM + DLP + IRM + AI Security on a single data-lineage substrate, February 2026) ¹¹, Cyera (DSPM-primary with DLP overlay and AI Guardian extensions at $9B post-money) ⁴, BigID (seven-pillar platform with DSPM as the lead surface) ¹², Proofpoint (IRM via ITM + DLP via Enterprise DLP + DSPM via the absorbed Normalyze line) ¹³, and Varonis (Data Security Platform with IRM, DLP-adjacent permissions intelligence, and DSPM use cases all under one ARR line) ¹⁴. The buyer test is no longer category breadth — it is platform integration depth, and the convergence narrative is the marketing artifact of that procurement shift.

Not investment advice. See Disclosures.

Force 3 — Buyer fatigue has narrowed the budget for parallel specialists. The 2026 CISO running a $500M-$5B enterprise has three pressures pulling against multi-vendor data security: budget compression after AI infrastructure spend, reviewer fatigue at the security-operations tier (alert overload across IRM, DLP, and DSPM tools that don't share context), and procurement consolidation pressure from the CFO. Forcepoint's 2026 Top 8 DSPM Trends piece frames the shift directly: "DSPM becomes an active security layer, not a reporting tool" ¹⁵ — translated, the buyer no longer wants three discovery surfaces feeding three different operator teams. The same pattern surfaces in DLP (Strac's framing that compliance-evidence-generation is now a discrete RFP line item that any single platform must serve) ¹⁶ and in IRM (the Triage Agent and Linea AI Analyst Agent UX patterns that fold reviewer workflows into one case file) ⁷. Three categories, three reviewer-fatigue patterns, one buyer who wants fewer consoles.

The three forces do not all pull in the same direction. Force 1 is architectural and pulls toward the data layer. Force 2 is economic and pulls toward whichever platform has cross-module distribution. Force 3 is operational and pulls toward whichever vendor has the cleanest reviewer experience across modules. The chosen thesis (§4.1) is the argument that Force 1 dominates and the data layer wins; the competing theses are the arguments that Force 2 or Force 3 dominate and the platform layer wins regardless of architectural preference.

Three vendors are positioned to win, each in a distinct lane. The lanes do not overlap, so the three Winners labels reflect different prizes rather than the same prize contested three ways. Each vendor's pillars are drawn verbatim from the per-front Contenders lists; nothing new is introduced here.

Microsoft Purview — the distribution leader across all three fronts. From the IRM front: "Microsoft Purview Insider Risk Management is a compliance solution that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization" [cross-front: see IRM §1.3 Gravity]. From the DLP front: "In Microsoft Purview, you implement data loss prevention by defining and applying DLP policies" [cross-front: see DLP §2.3 Gravity]. From the DSPM front: "Microsoft Purview Data Security Posture Management (DSPM) enables you to quickly and easily monitor cross-cloud data and user risk through dynamic reports and trend analysis" [cross-front: see DSPM §3.3 Gravity]. Purview is the only single vendor with Gravity-tier placement in all three Part 1 fronts and the only one with cross-cloud partner connectors (Varonis, Cyera, BigID, OneTrust) wired into a unified DSPM observability layer including dedicated Agent 365 tracking ¹⁰. I read Purview as winning the cross-front-platform lane — the default-choice slot in Microsoft-standard enterprises regardless of which Force resolves the convergence. Distribution moats compound across all three theses.

Cyera — the standalone DSPM leader with the strongest capital depth. From the DSPM front: "Modern DSPM. Complete data clarity. Actionable intelligence. Built for the AI era" [cross-front: see DSPM §3.3 Attention]. From the DLP front: "One AI brain. Zero noise. DLP, finally working. Every alert pre-analyzed and ready to act on" [cross-front: see DLP §2.3 Wildcard]. Cyera has zero IRM-front presence in this report; the Winners label is lane-specific and does not extend to the cross-front-platform lane Purview occupies. Cyera's January 8, 2026 Series F at $9B post-money — anchored across Fortune, BusinessWire, Calcalist, and TechCrunch — is the single largest data-security-private mark on the table and the strongest standalone-DSPM signal in the report ⁴. The trajectory from $1.4B in April 2024 through $3B (November 2024) and $6B (June 2025) to $9B (January 2026) — four rounds in twenty-one months — is the strongest concentration of data-security capital in the 2024-2026 cohort. I read Cyera as winning the standalone-DSPM lane on funding depth and AI-data-positioned product extensions; whether that lane stays wide depends on the absorption gravity Pattern Claim 1 documents.

Cyberhaven — the unified-platform challenger with compounded fundraising, revenue, and product cadence. Cyberhaven is a §3.3 Attention-tier vendor in IRM Front 1 and DLP Front 2; DSPM coverage arrives via the February 2026 unified-platform launch documented in DSPM §3.4 Plays rather than as a §3.3 placement. The three-front product framing rests on that February 2026 launch, not on three independent §N.3 placements — flagged for next-refresh re-assessment. From the IRM front: "Secure Data. Secure AI. Cyberhaven's AI & data security platform unifies DSPM, DLP, Insider Risk, and AI Security to protect data wherever it lives and goes across endpoints, cloud, on-prem, SaaS, and AI tools" [cross-front: see IRM §1.3 Attention]. From the DLP front: "DLP Reimagined. We questioned every assumption and built a DLP solution from the ground up to protect data in a better way" [cross-front: see DLP §2.3 Attention]. Cyberhaven crossed $1B post-money in the April 2025 Series D and shipped a unified DSPM + DLP + IRM + AI Security platform in February 2026 on a single Large Lineage Model data-lineage substrate ¹¹. The vendor compounded fundraising, revenue ($52.4M FY 2026 per Latka), and platform-position simultaneously across a fourteen-month window — the cleanest "platform-led specialist still gaining ground" story in the cohort. I read Cyberhaven as winning the unified-platform challenger lane at the Attention tier; the question Pattern Claim 1 forces is whether that lane survives the absorption wave or itself becomes an acquisition target.

The named winners are three because the chapter's discipline is to honor the per-front evidence rather than synthesize a fourth winner. Other strong candidates — BigID's seven-pillar Gravity-tier DSPM platform with data-governance heritage, Sentra's Copilot-readiness positioning, Symmetry Systems' Identity × Data Graph architectural primitive — surface in §4.5 Buyer's Decision and §4.6 Cross-Front Pattern Claims as architectural articulators rather than as Winners-tier picks. The Winners label here reflects funding depth, named-outlet sourcing density, and structural positioning across the three Forces; it does not call a long-term outcome against the absorption gravity.

Not investment advice. See Disclosures.

A Convergence-level Losers section operates under a stricter evidentiary bar than the per-front equivalents: at least three corroborating sources plus at least one financial-distress signal specific to the vendor's data-security business, not a parent-company-wide action. No single named vendor across IRM Front 1, DLP Front 2, and DSPM Front 3 meets that bar at access time. The per-front chapters reached the same finding under their lower per-front ≥2-source rule; Convergence's higher rule does not lower it.

What the convergence does produce, instead, is a structural loser class — specialist pure-plays that cannot bundle. The loser shape is not a specific vendor but a market position: a single-category vendor with no platform attach, no cross-module distribution, and no AI-training-pipeline differentiator. The absorption wave documented in Pattern Claim 1 (§4.6) is what eliminates this position over the next renewal cycle, not because the specialist vendors are failing technically but because the buying motion has reorganized around platforms whose load-bearing primitive is data. In each front the Watch list already names the most exposed specialists. From IRM Front 1: Mimecast Incydr (under absorption pressure per the Mimecast Absorption Thesis) and Teramind (UAM-positioning-narrower-than-peers, IRM §1.6 framing). From DLP Front 2: Fortra Digital Guardian (portfolio-rebrand absorption pattern parallel to Mimecast Incydr) and Nightfall AI (funding-staleness watch). From DSPM Front 3: Symmetry Systems (funding-staleness watch) and Concentric AI (positioning-staleness window edge). None of these vendors carries a cited distress event that survives Convergence's evidentiary bar; all are watch-tier observations that would convert to losers only if H2 2026 produces a vendor-specific distress disclosure.

The Convergence-level Loser observation is therefore architectural rather than personal: any IRM, DLP, or DSPM specialist that does not ship cross-module integration or an AI-training-pipeline differentiator by H2 2026 faces structural renewal-cycle pressure, regardless of product quality. Whether the pressure converts to vendor-specific distress is the watch question H2 2026 and 2027 will answer.

One public-vendor cross-front context note deserves carrying forward. Varonis (NASDAQ: VRNS) carried a cited-public-event cluster in IRM Front 1 [cross-front: see IRM §1.5 for the full sourced event record]. The DSPM front handles the same vendor as a Play 4 reference (AI-Native repositioning) without duplicating the underlying material. Convergence preserves the IRM anchoring — the cluster is platform-event-level, not data-security-segment-specific — and does not promote Varonis to a Convergence-level Loser label under the chapter's stricter bar. Q1 2026 results document a public-vendor recovery trajectory that further argues against a Loser label at this snapshot.

Not investment advice. See Disclosures.

The CISO at a $500M-$5B revenue enterprise enters the 2026 data-security renewal cycle with three real choices, and each has a defensible logic.

Choice 1 — Consolidate to a platform. Buy Microsoft Purview if the enterprise is Microsoft-standardized with Copilot and Agent 365 in scope; the IRM + DLP + DSPM modules ship under one E5 / E5 Compliance contract, the partner-integration depth into Varonis / Cyera / BigID / OneTrust gives third-party cloud and SaaS coverage, and the Agent 365 AI observability is the cleanest 2026 Microsoft articulation of the agentic-AI data-source enforcement pivot. Buy Cyberhaven if the enterprise is multi-vendor and wants a single data-lineage substrate across IRM + DLP + DSPM + AI Security; the February 2026 unified platform is the cleanest specialist-led platform pitch. Buy Proofpoint if the enterprise is email-security-anchored and wants ITM + Enterprise DLP + DSPM rationalized under the Thoma Bravo platform [cross-front: see DLP §2.3 Attention, IRM §1.3 Gravity, DSPM §3.3 Attention]. The argument for consolidating is reviewer-fatigue reduction, procurement simplification, and a single integration point for downstream identity and SOC tooling. The argument against is integration-depth risk — Pattern Claim 1 (§4.6) flags that the Proofpoint cross-front modules do not yet share a unified classifier substrate at flagship-mature integration depth, and similar integration-maturity questions apply to every platform-bundle pitch.

Choice 2 — Best-of-breed across the three fronts. Buy Cyera or BigID for DSPM (the standalone-DSPM lane has the strongest 2026 capital depth and product-positioning specificity), buy a behavioral-IRM specialist like Cyberhaven or DTEX or Above Security for the IRM module (where AI-actor framing is sharpest at the specialist tier), and buy Microsoft Purview DLP or Cyberhaven DLP for the DLP module (where the classification stack is deepest). The argument for best-of-breed is feature depth and absence of integration-depth assumptions; the argument against is operator burden (three consoles, three operating models, three renewal cycles) and the procurement gravity Force 2 documents.

Choice 3 — A hybrid: anchor on a DSPM-led platform with selective best-of-breed augmentation. Buy Cyera for DSPM at the architectural-substrate layer; layer Microsoft Purview IRM / DLP for Microsoft-tenant coverage where it is the default; selectively bring in Above Security or Cyberhaven for agentic-AI insider-risk coverage where Purview's "Risky Agents" template is not yet GA-deep enough for the buyer's risk profile. This is the argument that Pattern Claim 1's "DSPM Absorption Substrate" thesis is correct and the buyer should anchor on the absorption layer rather than fight it, while accepting selective specialist augmentation for the AI-actor and unified-platform gaps the platform incumbent does not yet close.

The chapter does not prescribe a choice; the buyer's decision depends on the enterprise's Microsoft-standardization position, AI-agent deployment maturity, and tolerance for integration-depth risk. The conditional recommendation: if the enterprise is Microsoft-standardized and Copilot / Agent 365 are in scope, Choice 1 with Purview as anchor carries the lowest integration-risk burden. If the enterprise has substantial multi-cloud data estate breadth and the DSPM scope materially exceeds what M365-anchored Purview covers, Choice 3 with Cyera as DSPM anchor is the more defensible path. If the enterprise has strong reasons to maintain category specialists — federal-heritage requirements (Everfox), MCP-DLP runtime coverage (Operant AI), or AI-agent-as-first-class-principal architectural specificity (Above Security, Symmetry Systems) — Choice 2 retains its lane, with the renewal-cycle pressure Pattern Claim 1 documents as the question the buyer revisits at every refresh.

Not investment advice. See Disclosures.

Two claims that span IRM, DLP, and DSPM and could not be made inside a single Phase 2 front. Each follows the Observation → My read → Conditional prediction → Sources structure with a co-located diagram and a falsifiable-test footer.

The two Pattern Claims address different cuts of the convergence. Pattern Claim 1 is vendor-specific and tests whether a multi-front portfolio is also a multi-front platform. Pattern Claim 2 is architectural and tests where the enforcement primitive settles for all vendors across all three fronts. Together they bracket the chapter's chosen DSPM Absorption Substrate Thesis from two sides — Pattern Claim 1 documents the absorption dynamic at the vendor level; Pattern Claim 2 documents the architectural reason the data layer is where the absorbed mass settles. Per the cross-front vendor ledger, the coherence flags for the multi-front vendors named here are coherent (Microsoft Purview, Varonis, Cyberhaven) or complementary (Cyera, Proofpoint, BigID); no contradictory flags surface at access time.

Not investment advice. See Disclosures.

Seven watchlist items for H2 2026, spanning all three Part 1 fronts.

1. Proofpoint IPO S-1 segment disclosure. Signal: filing date and segment-reporting structure. Threshold: if ITM, Enterprise DLP, and DSPM appear as a single named Data Security segment with unified ARR disclosure, Pattern Claim 1's platform branch is realized; if separately segmented under "Information Protection" only, the portfolio branch is realized. Primary source: SEC EDGAR; CNBC Cybersecurity vertical.

1. Mid-tier DSPM-native acquisition event. Signal: any platform-vendor announcement of an acquisition of Sentra, BigID, Symmetry Systems, Concentric AI, or Bedrock Data, or any named-outlet rumor matching the Securiti AI / Normalyze cadence. Threshold: one mid-tier DSPM-native acquired by a CNAPP, data-resilience, identity-led, or email-security platform → the DSPM Absorption Substrate Thesis hardens. Primary source: BusinessWire, Bloomberg, Reuters, TechCrunch, Calcalist.

1. Data-source-enforcement RFP language. Signal: enterprise RFPs across IRM + DLP + DSPM naming vector-store inspection, agent-identity governance at the data-store boundary, or machine-identity-aware data access as discrete requirements rather than feature checkboxes. Threshold: two or more 2026 Q3-Q4 named-outlet RFP disclosures in this shape → Pattern Claim 2's first branch is realized. Primary source: vendor customer-win press cycles; Gartner Market Guide for DSPM next refresh; Forrester DSPM Wave.

1. Cyera valuation-and-platform-extension cadence. Signal: any Series G or larger announcement, ARR disclosure crossing $200M, named-outlet enterprise reference wins as platform-replace deals against legacy DSPM or CNAPP-bundled DSPM. Threshold: ARR $200M+ with sustained 80%+ growth AND fresh Series G mega-round AND platform-replace wins → standalone-DSPM lane stays wide and the Absorption Substrate Thesis hardens at the standalone-leader pole rather than the platform-absorber pole. Acquisition signal or flat-or-down round triggers a Pattern Claim 1 re-assessment. Primary source: Fortune, TechCrunch, Calcalist, BusinessWire.

1. Above Security customer references and AI-Agent template proliferation. Signal: Above Security named reference customers + Gartner Hype Cycle or Market Guide inclusion; parallel signal of Microsoft Purview, Varonis, and Cyberhaven all shipping GA AI-agent-monitoring templates by Q4 2026. Threshold: if both Microsoft and Varonis ship GA AI-actor templates with detection-model documentation, the AI-actor framing is table-stakes per IRM Pattern Claim 2's first branch; the Identity-Data-Behavior Collapse Thesis (§4.1) gains buyer-mindshare evidence. Primary source: vendor docs; analyst Magic Quadrant and Hype Cycle updates.

1. MCP-DLP named-vendor #2 emergence. Signal: any vendor beyond Operant AI shipping an MCP-protocol-level DLP product with dedicated launch press cycle. Threshold: second vendor entry plus analyst recognition (Gartner, IDC, Forrester) naming MCP-DLP as a distinct category → DLP Pattern Claim 2's first branch is realized and the convergence story gains a discrete machine-to-machine traffic primitive that the Pattern Claim 2 architectural pivot was predicting. Primary source: Help Net Security, GlobeNewswire, SecurityWeek, Gartner Market Guide updates.

1. Symmetry Systems funding event or platform-acquisition signal. Signal: any 2026-2027 named-outlet round at Symmetry Systems (last named-outlet round July 2023 inside round ~34 months stale at access time), or a platform-vendor acquisition signal. Threshold: fresh Series B or larger → Identity × Data Graph architectural primitive stays current and the standalone identity-led DSPM lane holds; named-outlet acquisition signal → Pattern Claim 1's second-front-vendor branch is realized. Primary source: Symmetry Systems press page, ForgePoint Capital portfolio updates, BusinessWire, TechCrunch.