ProductBeacon — State of Cyber Security Markets 2026, Front 8: The Identity Front

Disclosure: This is ProductBeacon's independent, impartial market research, based solely on publicly verifiable signals, published on the open web. No vendor sponsors, no paywalled data, no analyst-firm reuse. It reflects ProductBeacon's independent view and is not investment advice. Full independence and sourcing methodology: Methodology →.

By Yohay Etsion · Head of Product (Fractional), AXIA · Creator of Product Org OS · Author of Leading the Charge (2023) and Vision to Value (coming 2026)

AXIA is an AI-powered data-security (Insider Risk Management / DLP) company.

8.1 The Playing Ground

Identity is the layer underneath every alert in this report — strip any incident down and what remains is "an identity did a thing it should not have." This report's taxonomy treats it that way, as the layer beneath the SOC, the Edge, and the data-security fronts.1 But a foundation is not a market, and the buyer who owns identity is rarely the same buyer who owns data security. The IAM/PAM/IGA org sits on its own chart, with its own budget line, its own vendors, and its own procurement rhythm. So this front does something the underlying-layer framing alone would not: it treats identity as a distinct buying center and grades the vendors who sell into it. That distinction is the first thing a reader has to hold, because the marketing language collapses it constantly.

Where Identity Sits — Four Disciplines, One Converging Control Plane PRODUCTBEACON — STATE OF CYBER SECURITY MARKETS 2026, FRONT 8 Demand driver: AGENTIC AI (the non-human-identity explosion) Access Management SSO · MFA · CIAM Proves WHO The front door — identity proven once, carried across apps Buyer: CISO / identity architect e.g. Okta Identity Governance IGA · certification · audit Governs WHAT they should have Joiner-mover-leaver · SoD · access certification · audit evidence Buyer: IGA / audit · risk & compliance e.g. SailPoint · Saviynt Privileged Access PAM · vaults · secrets Guards the DANGEROUS accounts Admin credentials · root access · secrets vaults — tightest control Buyer: security / PAM team e.g. CyberArk · BeyondTrust · Delinea Non-Human Identity NHI · workload · agents Extends to the MACHINES & AGENTS Service accounts · API keys · tokens · autonomous AI agents Already outnumber human identities Buyer: platform / security engineering e.g. Astrix · Aembit Identity is the layer underneath every alert — but a distinct BUYING CENTER, not the same buyer as data security. Its own org chart, its own budget line, its own procurement rhythm. The marketing language collapses the four disciplines constantly — the buyer must not. Structural finding: the identity control plane is converging with the SOC Observed, dated fact — the vector is non-human identity, not legacy SSO Palo Alto → CyberArk — ~$25B, completed Feb 11, 2026 CrowdStrike → SGNL — ~$740M, Jan 8, 2026 Cisco → Astrix — ~$400M, May 2026 Microsoft — built, not bought: Entra Agent ID (GA April 2026) Each deal justified in the acquirer's own words by the AGENT-identity problem — not by the front door. Boundary 1 — Identity vs the SOC Front 5 owns the SOC/platform incumbents. Overlap = ITDR. Here they appear only as identity MOVES — not graded as contenders. Boundary 2 — Identity vs AI Security Front 7 owns the AI runtime & agent governance. This front owns the identity primitive that authenticates the agent. In one line: Access proves WHO · IGA governs WHAT they should have · PAM guards the DANGEROUS accounts · NHI extends it all to the machines. The defining structural fact: the identity control plane is converging with the SOC, and the vector of convergence is non-human identity.

The four identity disciplines (Access Management, IGA, PAM, Non-Human Identity), identity as a distinct buying center, and the dated consolidation vector tying this front to the SOC (Front 5) and to AI Security (Front 7).

The battleground has four disciplines, and they are sold as four products to overlapping-but-distinct buyers. Access Management is the front door — single sign-on, multi-factor authentication, and, on the consumer side, customer identity (CIAM). This is Okta's home turf: who you are, proven once, then carried across applications.2 Identity Governance & Administration (IGA) answers a different question — not "are you who you say" but "should you have this access at all, and can we prove we reviewed it." Joiner-mover-leaver lifecycle, access certification, segregation-of-duties, audit evidence. SailPoint and Saviynt live here.3 Privileged Access Management (PAM) guards the crown-jewel accounts — the admin credentials, the root access, the secrets vaults — on the principle that the accounts that can do the most damage need the tightest control. CyberArk built the category; BeyondTrust and Delinea contest it.4 And Non-Human / Workload Identity (NHI) is the newest discipline: securing the service accounts, API keys, machine tokens, and now autonomous AI agents that already outnumber human identities in most enterprises. Astrix and Aembit are the pure-plays.5 In one line: Access Management proves who, IGA governs what they should have, PAM guards the dangerous accounts, and NHI extends all of it to the machines and agents that are not people.

The central structural finding of this front is that the identity control plane is converging with the SOC, and the vector of convergence is non-human identity. This is not a forecast — it is observed, dated fact. In roughly thirteen months, each of the three platform giants that anchor the detection segment acquired an identity capability. Palo Alto Networks completed its ~$25 billion acquisition of CyberArk on February 11, 2026, naming Identity Security a core platform pillar and stating the deal lets it "secure every identity across the enterprise — human, machine, and agentic."6 CrowdStrike agreed to acquire SGNL for ~$740 million on January 8, 2026, explicitly to grant and revoke access for "human, non-human (NHI), and AI identities" in real time.7 Cisco announced its acquisition of Astrix Security (~$400 million) in May 2026 to secure "the agentic workforce" of autonomous AI agents.8 Around these sit Microsoft's Entra Agent ID (GA April 2026), Okta's ~$100 million purchase of Axiom Security (August 2025), and Delinea's StrongDM acquisition (completed March 2026).

My read: the striking thing is not that consolidation is happening. It is that every one of these deals is justified, in the acquirer's own words, by the agent-identity problem, not by legacy workforce SSO. The falsifiable test is public and dated. The thesis holds if the next two notable identity acquisitions are again framed around machine/agent identity and folded into a SOC or network platform. It weakens if a workforce-IAM pure-play is acquired on a classic SSO rationale, or if a standalone identity vendor reaches genuine scale on workforce identity alone.

Two cross-front boundaries must be drawn cleanly, and both are decisive. First, identity versus the SOC (Front 5). Identity telemetry feeds the SOC, and the overlap zone is identity threat detection and response (ITDR) — detecting privilege escalation, anomalous authentication, token theft. But the SOC and platform incumbents — Microsoft Defender and Sentinel, Palo Alto Cortex, CrowdStrike Falcon, Cisco — are characterized primarily in Front 5. In this front they appear only as identity moves: named by the identity product or acquisition (CyberArk inside Palo Alto, SGNL inside CrowdStrike, Astrix inside Cisco), not graded as identity contenders.9 Second, identity versus AI security (Front 7). Non-human and agent identity is the shared frontier — the agentic-governance problem of Front 7 is fundamentally an identity problem. Front 7 owns the AI runtime and agent governance; this front owns the identity primitive that authenticates and authorizes the agent. The seam between them is exactly where the consolidation triad above is buying.

Three buyer misconceptions are worth retiring. One, that identity is a single purchase — it is four disciplines sold to a buying center whose internals (the IAM team, the IGA/audit team, the PAM team) often do not even share a budget. Two, that PAM and IGA are the same thing — they are not; PAM controls the dangerous accounts at the moment of use, IGA governs who is entitled to access at all and produces the audit evidence. A buyer who deploys one still has the other gap open. Three, that non-human identity is a niche — the machine and agent population already dwarfs the human one, and the entire consolidation wave above is a bet that NHI is the center of identity's next decade, not its edge. This front inherits its underlying-layer map and cross-Part vendor rules from the shared taxonomy.9

8.2 The Terrain

Market sizing — four lenses, deliberately not averaged. Because identity is four disciplines, there is no single number, and the analyst lenses below measure genuinely different things. Read them side by side, not blended. Take the broad Identity & Access Management lens first — the whole front, dominated by access management. Grand View Research sizes the 2026 market at USD 29.68 billion (from USD 26.77 billion in 2025), reaching USD 62.90 billion by 2033 at an 11.3% CAGR. MarketsandMarkets, on its own definition, puts the market at USD 25.96 billion in 2025 growing to USD 42.61 billion by 2030 at a 10.4% CAGR.10 On the narrower IGA lens — governance and audit, not the front door — Fortune Business Insights sizes 2026 at USD 10.7 billion reaching USD 33.1 billion by 2034 at a 15.16% CAGR. GII Research puts 2026 at roughly USD 11.04 billion at a 13.89% CAGR.11 On the PAM lens — the crown-jewel accounts — Mordor Intelligence sizes 2026 at USD 5.17 billion (from USD 4.25 billion in 2025) reaching USD 13.83 billion by 2031 at a 21.72% CAGR. That is the steepest growth of the three established disciplines.12

And on the newest non-human / machine identity lens, Grand View Research sizes NHI access management at USD 12.44 billion in 2026 reaching USD 27.33 billion by 2033 at an 11.9% CAGR. MarketsandMarkets, on a more narrowly-scoped definition, sizes the NHI market at USD 9.45 billion in 2024 reaching USD 18.71 billion by 2030, also at 11.9%.13 The honest summary across all four: PAM is the fastest-growing of the established disciplines, its 21.72% CAGR reflecting the privileged-access-everywhere problem; the broad IAM aggregate grows slowest off the largest base; and the NHI figures diverge most by definition. Grand View's broad "NHI access management" runs ten-plus billion while narrower machine-identity cuts and the agent-specific slice sit lower, because no two firms yet agree on where the machine-identity boundary falls. Averaging any of these would destroy information.

Buyer and user trends. The buyer for this front is not one person — it is a buying center with internal seams. The IAM team owns the front door (SSO, MFA, CIAM) and sells to the CISO and the identity architect. The IGA/audit team owns access certification and segregation-of-duties and answers to risk, compliance, and the auditors — a procurement rhythm driven by the audit calendar, not the threat calendar. The PAM team owns the privileged accounts and the secrets vaults. The dominant cross-cutting trend reshaping all three is identity-security convergence: the recognition, now backed by the consolidation triad in §8.1, that identity is no longer a directory-and-provisioning utility but a security control plane in its own right. The user-side signal worth watching is the rise of the identity-security practitioner — a role that did not exist on most org charts five years ago — and the analyst-category creation that follows it. The clearest public signal of where budget is migrating is the deal flow. Palo Alto, CrowdStrike, and Cisco each spend on identity inside one year, Saviynt raises USD 700 million at roughly a USD 3 billion valuation from KKR (December 2025), and SailPoint returns to the public markets. The capital is voting that identity security is a growth center, not a maintenance line.14

Technology trend anchor — agentic AI driving the non-human-identity explosion. The single demand driver pulling this front forward is the same one pulling Front 6 and Front 7: agentic AI, and specifically the population explosion of non-human identities it creates. Every autonomous agent needs a credential to act — a service account, an API key, an OAuth token, a workload identity — and those credentials must be issued, scoped, monitored, and revoked. The grounding here is shipped product and analyst category creation, not a regulatory date. The clearest production signals are the consolidation deals themselves, each justified in the acquirer's own words by the agent problem. CrowdStrike's SGNL purchase grants and revokes access for "human, non-human (NHI), and AI identities" in real time. Cisco's Astrix acquisition secures "the agentic workforce." Microsoft's Entra Agent ID reached general availability in April 2026 to give agents first-class identities in the directory.15 On the pure-play side, Astrix's acquisition by Cisco and Aembit's positioning as a workload-identity platform — with CrowdStrike among its investors — mark NHI's graduation from feature to funded category.16 I read agent identity as the contested center of this front for the next several quarters. The falsifiable test is whether the platform incumbents report named agent-identity or NHI SKUs as disclosed growth drivers in upcoming earnings, rather than burying them as undifferentiated identity line-items.

Regulatory backdrop (context only). Zero-trust mandates, audit and segregation-of-duties requirements (SOX, and the access-certification obligations that drive IGA buying), and emerging AI-governance frameworks form the regulatory weather around this front. They are real, and the IGA buyer in particular buys partly to produce audit evidence. But per this report's discipline, they are context, not a market-timing mechanism: no forward claim in this front grounds on a regulatory effective date. The forward-looking reads above ground only on observable proxies — the dated consolidation triad, Saviynt's KKR round and SailPoint's re-IPO, Microsoft Entra Agent ID's shipped GA, and the PAM lens's 21.72% CAGR off a real revenue base. If the agent-identity convergence keeps showing up in dated acquisitions and earnings disclosures, the thesis holds; if a workforce-IAM pure-play scales on classic SSO alone, it weakens. The regulation is the weather, not the trade.

8.3 The Contenders

The eight vendors below are grouped by the four disciplines §8.1 laid out — Access Management, then IGA, then PAM, then non-human identity — because in identity the discipline is where the structure lives, not the tier. Within each group I note the tier each vendor carries on the report's standard scale: Gravity for the public-company and scaled-private anchors, Attention for the established and well-funded contenders, Wildcard for the earliest-stage non-human-identity pure-plays. But the reader should carry one structural fact through every card, because it is the through-line of this front: two of these eight are no longer independent companies. CyberArk, the PAM category originator and a Gravity-tier anchor, is now the Identity Security pillar of Palo Alto Networks following a roughly twenty-five-billion-dollar acquisition completed in February 2026. Astrix Security, the lead non-human-identity Wildcard, is now inside Cisco following a roughly four-hundred-million-dollar acquisition announced in May 2026. I treat both as acquired-unit cards — the vendor is the card, the acquisition is the descriptive fact, and the acquirer's strategic move belongs to the next author's §8.4 Plays.

Neither is a casualty. A twenty-five-billion-dollar premium and a four-hundred-million-dollar exit are the strongest signals a vendor can send; they are the anchor examples of the consolidation thread §8.1 named, not evidence of distress. Each card is anchored to a dated, vendor-controlled surface with at least one verbatim messaging pillar lifted live on 2026-06-17, and no card here renders a winner-or-loser verdict — these are positioning extractions.

One currency note belongs up front, because it is the most striking thing the live scan surfaced. Read the eight homepage pillars below in sequence and the convergence finding from §8.1 stops being an analyst's claim and becomes the vendors' own words. Okta leads with "Okta secures AI." SailPoint leads with "identity-first security for humans, machines, and AI." Saviynt leads with securing "every identity — human, non-human, and AI." Delinea leads with protecting "your human and agentic workforce." CyberArk leads with "secure every identity — human, machine and AI," and Aembit simply with "IAM for Agentic AI." Six of eight identity-native vendors now lead their homepage with the human-machine-AI identity triad. That is not a coincidence of timing. It is the entire front repositioning around the same demand driver in the same window — exactly what a control plane converging with the SOC looks like from the vendors' side of the glass.

The Identity Vendor Landscape — 2026 PRODUCTBEACON — STATE OF CYBER SECURITY MARKETS 2026, FRONT 8 ACCESS MANAGEMENT SSO / MFA / CIAM IDENTITY GOVERNANCE IGA PRIVILEGED ACCESS PAM NON-HUMAN IDENTITY NHI / Workload Identity Discipline → ↑ Consolidation Status Independent pure-play Absorbed into a platform incumbent TIER COLOR Gravity — public / scaled anchor Attention — established, funded Wildcard — earliest-stage NHI Okta front-door incumbent · ~$2.9B rev SailPoint NASDAQ: SAIL · re-IPO Saviynt $700M KKR · ~$3B BeyondTrust FP-owned · sale explored Delinea TPG · bought StrongDM CyberArk → Palo Alto (~$25B, Feb 2026) Aembit independent · CrowdStrike-backed Astrix → Cisco (~$400M, May 2026) 2 disciplines, 2 platforms — absorption spans the front Author's read of public material, June 2026. Vendor positions are conceptual, not data-derived. The Y-axis surfaces the identity-consolidation thread.

Author's read of public material, June 2026. Vendor positions are conceptual, not data-derived.

Access Management

Okta (Gravity)

"Okta secures AI. And every other identity, from machine to human. To get AI agent security right, you have to get identity right." — [okta.com, accessed 2026-06-17]17

Okta is the Gravity anchor of this front and the clearest articulation of the access-management discipline §8.1 defined — the front door that proves who you are once and carries it across every application. The live homepage no longer leads with single sign-on. It leads with "Okta secures AI," framing the company as the identity layer underneath the agent problem and reaching the workforce-and-customer identity story through the machine-to-human spectrum.17 Its stated USP is breadth across both sides of the identity divide: Workforce Identity for employees and Customer Identity (the Auth0 line) for end users, now extended toward machine and AI identities. The target buyer is the CISO and identity architect at organizations standardizing on a single identity platform rather than stitching point tools — exactly the platform-or-best-of-breed tension that defines Okta's strategic position. Architecturally Okta classifies as a cloud-native access-management platform with a CIAM arm, vendor-controlled and public.

The capital picture is the largest disclosed in this front. Okta reported FY2026 revenue of roughly USD 2.9 billion, up about 12% year over year, and guided FY2027 to roughly USD 3.185–3.205 billion. In August 2025 it acquired Axiom Security, a privileged-access and non-human-identity vendor, for a figure reported around USD 100 million, extending toward the PAM and NHI disciplines it did not natively own.18 Published-material tier is the highest available — public-company financial disclosure plus vendor-controlled surfaces plus named-outlet acquisition coverage. My read: Okta is the front-door incumbent consciously repositioning as the identity control plane for the AI era, and the Axiom acquisition is the tell. The access-management leader buying into PAM and non-human identity is the same convergence pattern §8.1 traced through the platform giants, just running inside an identity-native vendor rather than a SOC platform. The open question Okta embodies for the whole front is whether the buyer wants one identity platform or the best tool per discipline.

Identity Governance & Administration

SailPoint (Attention)

"The new era of adaptive identity. Identity-first security for humans, machines, and AI. One platform to secure every identity." — [sailpoint.com, accessed 2026-06-17]19

SailPoint is the IGA leader and the budget-anchor of identity programs — the governance discipline that answers not "are you who you say" but "should you have this access at all, and can we prove we reviewed it." Its live homepage frames "the new era of adaptive identity" and "identity-first security for humans, machines, and AI," which casts the governance platform as a single control point. That control point spans the joiner-mover-leaver lifecycle, access certification, segregation-of-duties, and the audit evidence that IGA exists to produce.19 The stated USP is governance depth delivered as a unified platform with AI-driven access decisioning — "adaptive identity security, powered in real time." The target buyer skews toward the IGA and audit team answering to risk and compliance, with a procurement rhythm set by the audit calendar rather than the threat calendar. Architecturally SailPoint classifies as a cloud IGA platform, vendor-controlled and public.

The capital picture is unusually well-disclosed for a recently re-public company. SailPoint returned to the public markets and trades on NASDAQ under SAIL (around USD 14.80 on 2026-06-15). It reported first-quarter FY2027 revenue of USD 280 million, up 22% year over year, and annual recurring revenue of USD 1.163 billion, up 26%; the company is led by CEO Mark McClain and CPO Levent Besik.20 A June 2026 board change (a Thoma Bravo designee seat) is routine and explicitly not a disagreement — it is noted here only to retire it as a non-signal. Published-material tier is public-company financial disclosure plus vendor-controlled. My read: SailPoint is the governance budget-anchor whose re-IPO and ARR trajectory make it the best-evidenced growth story among the identity-native independents. Its "humans, machines, and AI" framing puts the governance discipline, not just access management, squarely inside the convergence story — which matters because governance is where the audit evidence for agent access will eventually have to live.

Saviynt (Attention)

"We Deliver Enterprise Control Over AI. Saviynt secures every identity — human, non-human, and AI. See. Enforce. Govern. Every AI agent, everywhere, for every action." — [saviynt.com, accessed 2026-06-17]21

Saviynt is the cloud-IGA challenger to SailPoint and the most explicitly AI-forward governance pitch in this set. Its live homepage leads not with governance language but with "we deliver enterprise control over AI." It frames the platform as the layer that secures "every identity — human, non-human, and AI." It casts the governance loop as "see, enforce, govern — every AI agent, everywhere, for every action." The page signs off with the tagline "identity security for AI. AI for identity security."21 The stated USP is converged cloud-native identity governance — a single platform spanning IGA, application access governance, and privileged-access management — differentiated from SailPoint on cloud-first architecture and an unusually direct agent-identity message. The target buyer is the enterprise IGA and compliance owner consolidating identity governance onto a cloud platform, with a clear lean toward organizations governing AI deployment. Architecturally Saviynt classifies as a cloud-native converged identity-governance platform, private.

The capital picture is a war-chest positive: Saviynt raised USD 700 million at a roughly USD 3 billion valuation in a round led by KKR that closed December 9, 2025, with Sixth Street, TenEleven, and Carrick participating.22 Published-material tier is vendor-controlled plus named-outlet funding coverage. My read: Saviynt is the strongly-capitalized cloud-IGA challenger making the most aggressive AI-identity claim of the governance pair. The KKR round is the single largest fresh private raise in this front, and it is explicitly a bet on the AI-identity thesis. That makes Saviynt the clearest test of whether governance, not just access, becomes a venture-scale growth center inside the convergence wave.

Privileged Access Management

CyberArk / Palo Alto Networks (acquired unit, Gravity)

"Secure every identity — human, machine and AI — with the right level of privilege controls." — [cyberark.com Identity Security Platform, accessed 2026-06-17]23

CyberArk is no longer an independent contender, and that is the descriptive fact this card carries. Palo Alto Networks completed its acquisition of CyberArk on February 11, 2026, in a transaction valued at roughly USD 25 billion — USD 45.00 in cash plus 2.2005 PANW shares per ordinary share, approved by 99.8% of voting shareholders. It made CyberArk its Identity Security pillar, stating the deal "enables Palo Alto Networks to secure every identity across the enterprise — human, machine, and agentic."24 On the live CyberArk surface the PAM heritage now reads through the platform pillar "secure every identity — human, machine and AI — with the right level of privilege controls," carrying the category-defining privileged-access DNA up into a network-and-platform security company.23 Because the acquisition is the descriptive fact, this card extracts positioning from the now-owned surface. CyberArk's pre-acquisition identity is the PAM category originator — the vault, the privileged session, the secrets management — expanded into broader workforce identity after its 2024 Venafi acquisition (machine-identity / certificate management).

The target buyer is the security organization extending privileged-access control across the full identity estate, now inside Palo Alto's platform relationship. Architecturally CyberArk classifies as a privileged-access and identity-security platform embedded inside a larger security platform. Published-material tier is the highest available — public-company acquisition disclosure (Palo Alto Networks) plus named-outlet coverage plus vendor-controlled. My read: CyberArk is the anchor example of the consolidation thread. The PAM category leader was absorbed at a roughly twenty-five-billion-dollar premium and renamed a "pillar," with the acquirer's own justification being the human-machine-agentic identity problem, not legacy privileged access. That is strength expressed as exit, and it is the single largest data point behind §8.1's convergence finding. When the PAM originator becomes a network-platform pillar on an agent-identity rationale, the identity control plane and the SOC are converging in public, dated fact.

BeyondTrust (Attention)

"BeyondTrust discovers agentic identities across AWS, Azure, Google, OpenAI, Salesforce, and ServiceNow, then enforces the same privilege controls that secure your human administrators." — [beyondtrust.com, accessed 2026-06-17]25

BeyondTrust is the PAM challenger that contests the privileged-access category against the now-absorbed CyberArk, and its live messaging shows it making the same convergence move — extending privileged-access control from human administrators to the agentic-identity population. The homepage pillar describes discovering "agentic identities across AWS, Azure, Google, OpenAI, Salesforce, and ServiceNow" and enforcing "the same privilege controls that secure your human administrators." That frames BeyondTrust's USP as a single privilege-control plane spanning human and machine/agent identities — the "paths to privilege" thesis carried into the AI era.25 The target buyer is the security and PAM team consolidating privileged-access management across a hybrid estate. Architecturally BeyondTrust classifies as a privileged-access and identity-security platform, private.

The capital and ownership picture is the single flagged watch item of this front, sourced but not asserted. BeyondTrust has been majority-owned by Francisco Partners since 2018 (with Clearlake Capital a minority holder) and carries roughly USD 500 million in ARR by widely-cited reporting. Francisco Partners is reportedly exploring a multi-billion-dollar sale of the company — an early-stage, no-deal-announced process consistent with a hold now past the typical private-equity duration.26 I flag that as sourced exit-pressure to watch, not a casualty or distress signal; no transaction has been announced. Published-material tier is vendor-controlled plus named-outlet ownership-and-process reporting. My read: BeyondTrust is the credible PAM challenger whose live homepage proves the convergence thesis from the contender side, extending privilege controls to agentic identities in the same window CyberArk became a PANW pillar. The Francisco Partners exit-exploration is the open ownership question that makes BeyondTrust the most likely next moving piece in the identity-consolidation board — which is precisely why it is flagged as a watch item rather than scored.

Delinea (Attention)

"The future of identity security is continuous. Access granted isn't access secured. Delinea continuously authorizes every identity, session, and action — protecting your human and agentic workforce with control that goes far beyond login." — [delinea.com, accessed 2026-06-17]27

Delinea is the PAM consolidator of this set — the Thycotic-plus-Centrify merger, TPG-backed — and its live homepage reframes privileged access as continuous authorization rather than a one-time login gate. The pillar reads "the future of identity security is continuous," and the supporting line reads "access granted isn't access secured… continuously authorizes every identity, session, and action — protecting your human and agentic workforce." That casts Delinea's USP as runtime, just-in-time authorization across human and agent identities. The company brands the engine "Iris AI."27 The strategic move behind that messaging is the descriptive fact worth naming. Delinea acquired StrongDM (announced January 15, completed March 5, 2026, terms undisclosed), unifying its PAM heritage with StrongDM's just-in-time runtime-authorization layer for non-human and AI-agent access.

The target buyer is the mid-market-to-enterprise PAM team modernizing privileged access toward continuous, identity-aware authorization. Architecturally Delinea classifies as a privileged-access and runtime-authorization platform, private. The capital picture is TPG ownership with the StrongDM acquisition as the recent capital event; deal terms were not disclosed.28 Published-material tier is vendor-controlled plus named-outlet acquisition coverage. My read: Delinea is consolidating, not consolidated. Where CyberArk and Astrix became units of larger platforms, Delinea is the identity-native vendor doing its own acquiring. It bought StrongDM to fold just-in-time runtime authorization for agents into PAM. Its "continuous authorization for the human and agentic workforce" framing is the same convergence bet as everyone else's on this page. The difference is that Delinea expresses it as a buy-side rather than sell-side move. That makes Delinea a useful counterweight to the absorbed-into-a-platform pattern: the consolidation wave has acquirers inside the identity-native field too, not only at the SOC-platform tier.

Non-Human / Workload Identity

Astrix Security / Cisco (acquired unit, Wildcard)

"Discover, secure, and deploy AI agents responsibly across the enterprise. AI Agents + NHIs > Humans. Secure the Identities that Matter." — [astrix.security, accessed 2026-06-17]29

Astrix Security is the lead non-human-identity Wildcard, and like CyberArk it is no longer independent. The descriptive fact this card carries is that Cisco completed its acquisition of Astrix, at a figure reported around USD 400 million, announced in May 2026, folding NHI discovery, lifecycle, and threat detection into Cisco Identity Intelligence alongside Duo, Secure Access, and Splunk.30 On the live Astrix surface the NHI pure-play story still reads in its own voice: "discover, secure, and deploy AI agents responsibly across the enterprise." It is anchored on the population claim "AI Agents + NHIs > Humans" and the framing that the vast majority of non-human identities are ungoverned and overprivileged — the discovery-to-governance loop for service accounts, API keys, OAuth tokens, and now autonomous agents.29 Because the acquisition is the descriptive fact, this card extracts positioning from the still-live Astrix surface and states the Cisco deal as context. Astrix's pre-acquisition capital picture was a Wildcard's: roughly USD 85 million raised in total, anchored by a USD 45 million Series B in December 2024 with Menlo Ventures among the investors.30

The target buyer is the security team confronting a machine and agent population that already dwarfs the human one. Architecturally Astrix classifies as a non-human-identity discovery-and-governance platform, now embedded inside Cisco's identity platform. Published-material tier is named-outlet acquisition coverage plus vendor-controlled. This is a Wildcard-tier card under the report's descriptive-only discipline for the earliest-stage names — positioning extraction only, no winner-or-loser verdict, and the acquisition is treated as an exit, not a death. My read: Astrix is the resolved-Wildcard case study of §8.1's central thesis made literal. It is a non-human-identity pure-play graduating directly into a platform, justified in the acquirer's own words by the "agentic workforce" — the exact pattern of NHI being bought into existence by the platform players before any independent reaches escape velocity. The four-hundred-million-dollar exit is the validation of the category, and the demonstration that, in identity right now, the NHI Wildcard's most likely next step is to become a platform module.

Aembit (Wildcard)

"IAM for Agentic AI. Aembit enforces access to sensitive data and accelerates AI use with confidence through policy, context, and audit based on unique agent identities." — [aembit.io, accessed 2026-06-17]31

Aembit is the surviving independent non-human-identity Wildcard. Where Astrix exited into Cisco, Aembit remains standalone — the cleanest live read of what an independent NHI company sounds like in its own voice. Its homepage leads with "IAM for Agentic AI," framing the product as access enforcement "based on unique agent identities" through "policy, context, and audit." It organizes around secretless authentication ("short-lived access without stored credentials"), secure autonomy for AI agents, and a policy-driven rather than script-driven model — the workload-identity-and-access-management discipline applied to agents, MCP servers, and CI/CD workloads.31 The stated USP is access without stored secrets or certificates, granted to workload and agent identities in real time per task. The target buyer is the platform and security engineering team securing machine-to-machine and agent-to-resource access across distributed cloud and on-premise environments. Architecturally Aembit classifies as a non-human / workload identity-and-access platform, cloud-native, SOC 2 and ISO 27001 certified, private.

The capital picture is a Wildcard's, with a notable strategic-investor signal. Aembit has raised approximately USD 45 million in total. The USD 25 million Series A closed in September 2024 led by Acrew Capital, with CrowdStrike among its investors alongside Ballistic Ventures and Ten Eleven Ventures, and it positions its "IAM for Agentic AI" offering as generally available in 2026.32 Published-material tier is vendor-controlled plus named-outlet funding coverage. This is a Wildcard-tier card under the report's descriptive-only discipline for the earliest-stage names — positioning extraction only, no verdict. My read: Aembit is the independent counterpart to the now-absorbed Astrix, and the most strategically interesting thing about it is the investor list. CrowdStrike, which separately agreed to acquire SGNL for a sum reported around USD 740 million in January 2026, is on Aembit's cap table. That places the surviving NHI Wildcard one degree of separation from the same SOC-platform consolidation wave that already claimed Astrix. Aembit is the live test of whether a non-human-identity pure-play can stay independent through the convergence, or whether the NHI Wildcard's gravitational endpoint really is a platform.

8.4 Their Plays

The plays of the identity front do not read like the plays of the older theaters in this report. There is no installed base being slowly displaced, no decade-old standoff being renegotiated. Instead there is a single dominant motion — consolidation into platforms — and three sub-motions resolving underneath it. The four plays below are stated as public observations, named participants, and conditional outcomes that resolve against a signal an outsider can watch and date. The first is the spine. It is the most heavily evidenced move in this entire front, and the cross-front exhibit for the report's "identity converges with the SOC" thesis. The other three are the disciplines underneath — privileged access becoming a platform, governance modernizing into the cloud, and the non-human-identity category resolving by acquisition. Throughout, the SOC and network incumbents (Palo Alto, CrowdStrike, Cisco, Microsoft) are characterized primarily in Front 5; here they appear only as identity moves, named by the identity asset they bought or built, not graded as identity contenders.

Play 1: The Platform-Absorbs-Identity Consolidation Play

Play 2: The PAM-Becomes-a-Platform Play

Play 3: The IGA Cloud-Modernization Contest

Play 4: The Non-Human-Identity Wave

8.5 War Chests & Casualties

The capital picture of the identity front tells the same story the plays do, and it tells it with money. The defining motion here is not distress — there is no entity-level distress event among the eight identity-native vendors that clears this report's two-source bar for a casualty claim. The defining motion is consolidation into platforms, and the two largest "exits" are premium acquisitions, not collapses. Read the two acquired names below as graduation events — positive-or-neutral platform exits — not as distress.

VendorMost Recent Round / StatusValuationStrategic InvestorDistress Signal
Okta (NASDAQ: OKTA)Independent public co.; FY2026 revenue ~$2.919B (+12% YoY); acquired Axiom Security (PAM/NHI, ~$100M, Aug 2025)42Public (market-cap, not disclosed here)Public-market investors(empty — no public distress event)
CyberArk → Palo Alto Networks (exit)Acquired ~$25B, completed Feb 11, 2026; now PANW Identity Security pillar43Premium exit (~$25B)Palo Alto Networks(empty — premium platform exit, not distress)
SailPoint (NASDAQ: SAIL)Re-IPO'd from Thoma Bravo; Q1 FY2027 revenue $280M (+22% YoY), ARR $1.163B (+26%)44PublicPublic-market investors (Thoma Bravo designee on board)(empty — no public distress event)
BeyondTrust (private)Francisco Partners majority since 2018; ~$500M ARR; FP reportedly exploring a multi-billion sale (sourced, unconsummated)45Not disclosedFrancisco Partners (majority), Clearlake (minority)Flagged watch: owner reportedly exploring a sale — sourced exit-pressure, NOT a distress assertion
Saviynt (private)$700M raised at ~$3B valuation, KKR-led; closed Dec 9, 202546~$3B (private)KKR (lead), Sixth Street, TenEleven, Carrick(empty — war-chest high mark, opposite of distress)
Delinea (private)TPG-backed; acquired StrongDM (JIT runtime auth for NHI/AI), completed Mar 5, 202647Not disclosedTPG(empty — active acquirer, not distress)
Astrix Security → Cisco (exit)Acquired ~$400M, announced May 2026; had raised $45M Series B (Dec 2024), ~$85M total48Premium exit (~$400M)Cisco (acquirer); Menlo Ventures (prior)(empty — graduation / platform exit, not distress)
Aembit (private)~$45M raised; Series A $25M (Sep 2024)49Not disclosedAcrew Capital (lead), CrowdStrike, TenEleven, Ballistic Ventures(empty — no public distress event; forward M&A watch)

The capital is voting that identity security is a growth center, not a maintenance line. The single highest war-chest mark in the front is Saviynt's $700 million KKR-led round at roughly a $3 billion valuation (December 2025) — a heavily-capitalized challenger arming for the governance contest, the exact opposite of a distress story. Around it, the established public names are scaling, not contracting: Okta at ~$2.9 billion FY2026 revenue and SailPoint back in public view with $1.163 billion ARR growing 26%. Delinea is an active acquirer, not a target, having pulled StrongDM in to extend PAM into NHI runtime authorization.

The two largest exits — CyberArk into Palo Alto Networks at ~$25 billion (February 11, 2026) and Astrix into Cisco at ~$400 million (May 2026) — are precisely that: premium events that graduate the asset into a platform. CyberArk was acquired at a ~$25 billion price; that is a strength signal, not a distress signal, and it anchors the consolidation thread of §8.4 Play 1. The only entry carrying any exit-pressure caveat is BeyondTrust, and it carries it carefully. Its owner Francisco Partners is reportedly exploring a multi-billion-dollar sale. But that is a sourced, unconsummated report past a typical private-equity hold — a flagged watch item, framed as exit pressure, not asserted as distress. None of the eight identity-native vendors is a casualty. The defining motion of this front is platform absorption, and the war chests confirm it: capital is flowing toward identity, the strongest assets are being bought at premiums, and the challengers are being funded, not buried.

8.6 Winning & Losing

This front is not won or lost vendor-versus-vendor, and the cards in §8.3 make plain why. Two of the eight contenders are already inside platforms, the two largest "exits" are premium acquisitions rather than collapses, and there is no entity-level casualty I am willing to name. So I am not going to manufacture a winners-and-losers scoreboard at the company level. That would be the exact directional verdict on individual vendors' fates this report's discipline forbids, and in a front whose defining motion is consolidation it would also be wrong. This front is won or lost one altitude up, at the level of platform consolidation. The contest that decides it is whether the identity control plane stays a distinct, defensible buying center, or gets absorbed into the SOC and network platforms the enterprise already owns. Every claim below is therefore stated about the market's motion — how the disciplines are consolidating, where the capital is voting, which structural pattern the dated public record supports — never as a survival call on any one company. The two acquisitions of the period (CyberArk into Palo Alto, Astrix into Cisco) are read here as positive-to-neutral consolidation exits, because a ~$25 billion premium and a ~$400 million graduation are the strongest signals a vendor can send, not casualties.

Three category-level patterns explain the motion. The first is the spine of the entire front, and the single most important claim of this chapter: the identity control plane is converging with the SOC. It is the evidence the report's later cross-front syntheses lean on. The second is the discipline doing the converging fastest: non-human identity, resolving by acqui-graduation into platforms rather than by independent scaling. The third is the compression pressure shaping who survives as an independent: Microsoft's bundled Entra economics, now extending to agent identity. Each is stated as a dated public observation, a labeled read, and a falsifiable conditional. Each resolves against a market signal an outsider can watch and date — an M&A event, a funding round, an earnings-disclosed metric, or an analyst category. None of them grounds on a regulatory effective date. This front's analytic trap is to mistake a policy deadline for a market event, and I am holding every threshold to a public market signal instead.

Pattern Claim 1 — The Identity-Converges-with-the-SOC Thesis

Observation.

My read.

Conditional prediction.

Sources. 50 51 52 53 54 55

The Identity-Converges-with-the-SOC Thesis PATTERN CLAIM 1 — STATE OF CYBER 2026, FRONT 8 · THE CENTRAL CLAIM In ~13 months, each of the three SOC/platform giants bought identity — and a fourth built it — every move justified by the AGENT-identity problem Palo Alto BOUGHT → CyberArk ~$25B · Feb 11, 2026 "secure every identity — human, machine, and agentic" Identity Security pillar CrowdStrike BOUGHT → SGNL ~$740M · Jan 8, 2026 grant/revoke access for "human, non-human (NHI), and AI identities" Continuous Identity for AI Agents Cisco BOUGHT → Astrix ~$400M · May 2026 to secure "the agentic workforce" of autonomous agents Cisco Identity Intelligence Microsoft BUILT, not bought Entra Agent ID GA · April 2026 agent identities as a first-class directory construct inside Agent 365 The identity control plane and the SOC are merging — in public, on dated press releases Six of eight identity-native vendors now lead their homepage with the human-machine-AI triad (2026-06-17) Category-level claim about the control plane's MOTION toward the SOC — not a bet on any single platform winning. PANW/CRWD/CSCO/MSFT graded in Front 5. FALSIFIABLE TEST — next two-to-four quarters CONVERGENCE VALIDATES if the next one or two notable identity acquisitions are again framed around machine / agent / non-human identity and folded into a SOC or network platform, in the acquirers' own dated press and named-outlet M&A coverage. Confirming proxy: SOC-platform acquirers reporting named agent-identity / NHI SKUs as disclosed earnings growth drivers. THESIS WEAKENS if a workforce-IAM pure-play is acquired on a classic SSO rationale, OR a standalone identity vendor reaches genuine disclosed scale on workforce identity alone with no platform absorption. The strength of the claim is that it is not a forecast — it is dated fact already on the public record. Grounded on the M&A and earnings-disclosure record — NOT on any regulatory date.

Pattern Claim 2 — The Non-Human-Identity Wave Thesis

Observation.

My read.

Conditional prediction.

Sources. 51 52 56 57

The Non-Human-Identity Wave Thesis PATTERN CLAIM 2 — STATE OF CYBER 2026, FRONT 8 NHI is resolving by acqui-graduation into platforms — faster than any independent reaches escape velocity Graduated into a platform the resolved case study — exit, not casualty Astrix → Cisco ~$400M acquisition, announced May 2026 into Cisco Identity Intelligence Prior: $45M Series B (Dec 2024) Menlo Ventures ~$85M total — a Wildcard exiting before scale Plus SGNL → CrowdStrike (~$740M, Jan 2026) — same machine-and-agent identity space Economics favor the platform: fold NHI into a platform the enterprise already runs + cross-sell instantly vs a specialist building distribution from zero Surviving independent the watch item that defines the open question Aembit (standalone) ~$45M raised · Series A $25M (Sep 2024) "IAM for Agentic AI" — GA in 2026 The telling tie: CrowdStrike is among Aembit's investors — and CrowdStrike just bought SGNL in the same NHI space One degree of separation from the same absorption that already claimed Astrix The cleanest live test: can an NHI pure-play stay independent through the wave? absorption pull FALSIFIABLE TEST — next two-to-four quarters NHI WAVE VALIDATES (resolves by acqui-graduation) if a second NHI pure-play is acquired by a platform incumbent in dated, named-outlet coverage — Aembit by CrowdStrike the most-telegraphed candidate given the existing investor tie. Confirming proxy: an analyst firm formalizes a named NHI / machine-identity segment (Magic Quadrant / Market Guide). CATEGORY HOLDS A STANDALONE-SURVIVAL PATH if Aembit instead closes a disclosed independent up-round and no further NHI pure-play absorption surfaces. Category-level claim about how the NHI category resolves — never a directional bet on any one Wildcard. Both acquisitions are graduation exits, not casualties. Grounded on the M&A record, disclosed funding rounds, and analyst category creation — NOT on any regulatory date.

Pattern Claim 3 — The Entra Compression Thesis

Observation.

My read.

Conditional prediction.

Sources. 50 53 54 58 59

The Entra Compression Thesis PATTERN CLAIM 3 — STATE OF CYBER 2026, FRONT 8 Entra's bundled M365/E5 economics — now extending to agent identity — compress standalone deal sizes by discipline-defensibility Microsoft Entra ID — already paid for inside M365 / E5 Entra Agent ID (GA April 2026) extends the bundle to agent identity — build-not-buy COMPRESSION — heaviest on the left, lightest on the right Access Management MOST EXPOSED to the bundle Okta's home turf — the front door When the directory + SSO is already paid for, "good enough" AM trends to $0 Okta: ~$2.9B FY26 rev, +12% YoY; bought Axiom (~$100M) reaching for PAM / NHI ground it didn't natively own Broad IAM aggregate grows SLOWEST, off the largest base Identity Governance MIDDLE — sits in between SailPoint · Saviynt The audit calendar gives IGA independent budget authority — audit evidence the bundle doesn't produce Where agent-access audit evidence will eventually have to live Buying driven by the audit calendar, not the threat calendar Privileged Access MOST DEFENSIBLE CyberArk · Delinea · BeyondTrust Controls the dangerous accounts at the moment of use — a distinct control surface the front-door bundle does not reach ~$25B CyberArk premium; Delinea an active consolidator; PAM consolidating, not commoditizing PAM grows FASTEST — 21.72% CAGR Category-level claim: compression sorts the front by defensibility of the DISCIPLINE — not a knock on any vendor. Structural, not a survival call. FALSIFIABLE TEST — next two-to-four quarters COMPRESSION-SORTS-BY-DEFENSIBILITY VALIDATES if standalone AM shows compression in disclosed signals — Okta's growth decelerating, a workforce-IAM pure-play acquired below prior marks, or analyst coverage noting Entra Agent ID displacing standalone agent-identity spend — WHILE PAM contenders sustain premium valuations and disclosed growth. THESIS WEAKENS if a standalone AM vendor posts accelerating disclosed growth against the bundle, OR a PAM contender commoditizes into a flat/down round. Grounded on earnings-disclosed metrics, dated M&A marks, and analyst category coverage — NOT on any regulatory effective date.

8.7 The Campaign Ahead

The decisive signals in this front are unusually easy to watch, because the front's defining motion is M&A and capital allocation — and those move in public, dated press releases, SEC filings, funding announcements, earnings disclosures, and analyst category reports. None of the seven signals below requires privileged access, and not one of them is a regulatory date. This front's analytic trap is to mistake a zero-trust mandate or an AI-governance deadline for a market event, and I am holding every threshold to a public market signal an outsider can monitor through H2 2026.

  1. Does a fourth platform giant buy identity? Signal: whether a SOC, network, or hyperscale platform beyond Palo Alto, CrowdStrike, Cisco, and Microsoft acquires an identity capability in dated, named-outlet M&A coverage. Threshold: a fourth platform acquisition framed around machine/agent identity confirms the convergence of Pattern Claim 1 as an industry-wide default, not a three-deal coincidence. A period passing with no further platform identity acquisition leaves the convergence as a striking-but-bounded triad. Primary source: acquirer press releases, SEC Form 8-K filings, and named-outlet M&A coverage.60
  1. NHI graduation versus absorption — Aembit's path. Signal: whether Aembit, the surviving independent NHI pure-play, is acquired by a platform incumbent (CrowdStrike being the most-telegraphed candidate given its existing investor tie) or instead closes a disclosed independent up-round. Threshold: an Aembit acquisition in dated coverage confirms the NHI wave resolves by acqui-graduation (Pattern Claim 2); a disclosed independent up-round with no further NHI absorption says the category retains a standalone-survival path. Primary source: dated funding announcements and named-outlet M&A coverage.56
  1. The Entra agent-identity compression signal. Signal: whether Entra Agent ID's general availability shows up as compression on standalone access-management economics — Okta's disclosed revenue-growth rate decelerating, a workforce-IAM pure-play acquired below prior marks, or analyst coverage citing Entra displacing standalone agent-identity spend. Threshold: any of those disclosed signals confirms the Entra Compression thesis (Pattern Claim 3) landing on the access-management discipline; accelerating standalone-AM growth against the bundle weakens it. Primary source: Okta and Microsoft earnings disclosures, dated M&A marks, and analyst commentary.5453
  1. The SailPoint-versus-Saviynt IGA cloud contest. Signal: whether Saviynt converts its $700 million KKR war chest into disclosed ARR growth, named enterprise displacements, or analyst-category share gains, while SailPoint sustains or compresses its mid-twenties ARR growth (ARR $1.163 billion, +26%). Threshold: disclosed Saviynt traction beyond the round itself validates the cloud-first challenger as a genuine contender for the governance buyer; SailPoint sustaining growth with Saviynt's capital not surfacing as disclosed traction reads the raise as runway, not displacement. Primary source: SailPoint quarterly results (NASDAQ: SAIL) and Saviynt disclosed metrics in named outlets.57
  1. The BeyondTrust sale resolution. Signal: whether Francisco Partners' reportedly-explored multi-billion-dollar sale of BeyondTrust (sourced, unconsummated as of June 2026) converts into a dated transaction, and at what mark. Threshold: a closed BeyondTrust sale into a platform confirms PAM consolidation pulling in even the standalone contenders; a clearing at a premium mark reinforces PAM's defensibility (Pattern Claim 3); the exploration lapsing with the company independent and unchanged says PAM holds as a standalone discipline. Primary source: named-outlet M&A coverage and any acquirer filing.58
  1. Does identity ITDR surface as a disclosed SOC-platform attach metric? Signal: whether the platform acquirers begin reporting named agent-identity, NHI, or identity-threat-detection-and-response (ITDR) SKUs as disclosed growth drivers in earnings, rather than burying them as undifferentiated identity line-items. Threshold: a named identity/ITDR attach metric disclosed in a platform's earnings confirms the control plane is converging with the SOC at the revenue level, not just the deal level (Pattern Claim 1). Continued non-disclosure leaves the convergence visible in M&A but not yet in the P&L. Primary source: Palo Alto, CrowdStrike, Cisco, and Microsoft earnings disclosures and investor materials.61
  1. Does an analyst firm formalize a non-human / agent identity market category? Signal: whether Gartner, Forrester, or a peer publishes a named Magic Quadrant or Market Guide for non-human / machine / agent identity, where today the market lenses diverge most by definition. Threshold: a named, consolidated NHI/agent-identity analyst category confirms the discipline has cohered enough to be tracked as a market in its own right (Pattern Claim 2); continued fragmentation across broad-IAM and machine-identity lenses says the boundary is still being drawn. Primary source: published analyst category reports and vendor announcements citing placement.59

References & Footnotes

References

Section