ProductBeacon — State of Cyber Security Markets 2026, Front 8: The Identity Front
Disclosure: This is ProductBeacon's independent, impartial market research, based solely on publicly verifiable signals, published on the open web. No vendor sponsors, no paywalled data, no analyst-firm reuse. It reflects ProductBeacon's independent view and is not investment advice. Full independence and sourcing methodology: Methodology →.
By Yohay Etsion · Head of Product (Fractional), AXIA · Creator of Product Org OS · Author of Leading the Charge (2023) and Vision to Value (coming 2026)
AXIA is an AI-powered data-security (Insider Risk Management / DLP) company.
ProductBeacon
8.1 The Playing Ground
8.1 The Playing Ground
Identity is the layer underneath every alert in this report — strip any incident down and what remains is "an identity did a thing it should not have." This report's taxonomy treats it that way, as the layer beneath the SOC, the Edge, and the data-security fronts.1 But a foundation is not a market, and the buyer who owns identity is rarely the same buyer who owns data security. The IAM/PAM/IGA org sits on its own chart, with its own budget line, its own vendors, and its own procurement rhythm. So this front does something the underlying-layer framing alone would not: it treats identity as a distinct buying center and grades the vendors who sell into it. That distinction is the first thing a reader has to hold, because the marketing language collapses it constantly.
The four identity disciplines (Access Management, IGA, PAM, Non-Human Identity), identity as a distinct buying center, and the dated consolidation vector tying this front to the SOC (Front 5) and to AI Security (Front 7).
The battleground has four disciplines, and they are sold as four products to overlapping-but-distinct buyers. Access Management is the front door — single sign-on, multi-factor authentication, and, on the consumer side, customer identity (CIAM). This is Okta's home turf: who you are, proven once, then carried across applications.2Identity Governance & Administration (IGA) answers a different question — not "are you who you say" but "should you have this access at all, and can we prove we reviewed it." Joiner-mover-leaver lifecycle, access certification, segregation-of-duties, audit evidence. SailPoint and Saviynt live here.3Privileged Access Management (PAM) guards the crown-jewel accounts — the admin credentials, the root access, the secrets vaults — on the principle that the accounts that can do the most damage need the tightest control. CyberArk built the category; BeyondTrust and Delinea contest it.4 And Non-Human / Workload Identity (NHI) is the newest discipline: securing the service accounts, API keys, machine tokens, and now autonomous AI agents that already outnumber human identities in most enterprises. Astrix and Aembit are the pure-plays.5 In one line: Access Management proves who, IGA governs what they should have, PAM guards the dangerous accounts, and NHI extends all of it to the machines and agents that are not people.
The central structural finding of this front is that the identity control plane is converging with the SOC, and the vector of convergence is non-human identity. This is not a forecast — it is observed, dated fact. In roughly thirteen months, each of the three platform giants that anchor the detection segment acquired an identity capability. Palo Alto Networks completed its ~$25 billion acquisition of CyberArk on February 11, 2026, naming Identity Security a core platform pillar and stating the deal lets it "secure every identity across the enterprise — human, machine, and agentic."6CrowdStrike agreed to acquire SGNL for ~$740 million on January 8, 2026, explicitly to grant and revoke access for "human, non-human (NHI), and AI identities" in real time.7Cisco announced its acquisition of Astrix Security (~$400 million) in May 2026 to secure "the agentic workforce" of autonomous AI agents.8 Around these sit Microsoft's Entra Agent ID (GA April 2026), Okta's ~$100 million purchase of Axiom Security (August 2025), and Delinea's StrongDM acquisition (completed March 2026).
My read: the striking thing is not that consolidation is happening. It is that every one of these deals is justified, in the acquirer's own words, by the agent-identity problem, not by legacy workforce SSO. The falsifiable test is public and dated. The thesis holds if the next two notable identity acquisitions are again framed around machine/agent identity and folded into a SOC or network platform. It weakens if a workforce-IAM pure-play is acquired on a classic SSO rationale, or if a standalone identity vendor reaches genuine scale on workforce identity alone.
Two cross-front boundaries must be drawn cleanly, and both are decisive. First, identity versus the SOC (Front 5). Identity telemetry feeds the SOC, and the overlap zone is identity threat detection and response (ITDR) — detecting privilege escalation, anomalous authentication, token theft. But the SOC and platform incumbents — Microsoft Defender and Sentinel, Palo Alto Cortex, CrowdStrike Falcon, Cisco — are characterized primarily in Front 5. In this front they appear only as identity moves: named by the identity product or acquisition (CyberArk inside Palo Alto, SGNL inside CrowdStrike, Astrix inside Cisco), not graded as identity contenders.9 Second, identity versus AI security (Front 7). Non-human and agent identity is the shared frontier — the agentic-governance problem of Front 7 is fundamentally an identity problem. Front 7 owns the AI runtime and agent governance; this front owns the identity primitive that authenticates and authorizes the agent. The seam between them is exactly where the consolidation triad above is buying.
Three buyer misconceptions are worth retiring. One, that identity is a single purchase — it is four disciplines sold to a buying center whose internals (the IAM team, the IGA/audit team, the PAM team) often do not even share a budget. Two, that PAM and IGA are the same thing — they are not; PAM controls the dangerous accounts at the moment of use, IGA governs who is entitled to access at all and produces the audit evidence. A buyer who deploys one still has the other gap open. Three, that non-human identity is a niche — the machine and agent population already dwarfs the human one, and the entire consolidation wave above is a bet that NHI is the center of identity's next decade, not its edge. This front inherits its underlying-layer map and cross-Part vendor rules from the shared taxonomy.9
ProductBeacon
8.2 The Terrain
8.2 The Terrain
Market sizing — four lenses, deliberately not averaged. Because identity is four disciplines, there is no single number, and the analyst lenses below measure genuinely different things. Read them side by side, not blended. Take the broad Identity & Access Management lens first — the whole front, dominated by access management. Grand View Research sizes the 2026 market at USD 29.68 billion (from USD 26.77 billion in 2025), reaching USD 62.90 billion by 2033 at an 11.3% CAGR. MarketsandMarkets, on its own definition, puts the market at USD 25.96 billion in 2025 growing to USD 42.61 billion by 2030 at a 10.4% CAGR.10 On the narrower IGA lens — governance and audit, not the front door — Fortune Business Insights sizes 2026 at USD 10.7 billion reaching USD 33.1 billion by 2034 at a 15.16% CAGR. GII Research puts 2026 at roughly USD 11.04 billion at a 13.89% CAGR.11 On the PAM lens — the crown-jewel accounts — Mordor Intelligence sizes 2026 at USD 5.17 billion (from USD 4.25 billion in 2025) reaching USD 13.83 billion by 2031 at a 21.72% CAGR. That is the steepest growth of the three established disciplines.12
And on the newest non-human / machine identity lens, Grand View Research sizes NHI access management at USD 12.44 billion in 2026 reaching USD 27.33 billion by 2033 at an 11.9% CAGR. MarketsandMarkets, on a more narrowly-scoped definition, sizes the NHI market at USD 9.45 billion in 2024 reaching USD 18.71 billion by 2030, also at 11.9%.13 The honest summary across all four: PAM is the fastest-growing of the established disciplines, its 21.72% CAGR reflecting the privileged-access-everywhere problem; the broad IAM aggregate grows slowest off the largest base; and the NHI figures diverge most by definition. Grand View's broad "NHI access management" runs ten-plus billion while narrower machine-identity cuts and the agent-specific slice sit lower, because no two firms yet agree on where the machine-identity boundary falls. Averaging any of these would destroy information.
Buyer and user trends. The buyer for this front is not one person — it is a buying center with internal seams. The IAM team owns the front door (SSO, MFA, CIAM) and sells to the CISO and the identity architect. The IGA/audit team owns access certification and segregation-of-duties and answers to risk, compliance, and the auditors — a procurement rhythm driven by the audit calendar, not the threat calendar. The PAM team owns the privileged accounts and the secrets vaults. The dominant cross-cutting trend reshaping all three is identity-security convergence: the recognition, now backed by the consolidation triad in §8.1, that identity is no longer a directory-and-provisioning utility but a security control plane in its own right. The user-side signal worth watching is the rise of the identity-security practitioner — a role that did not exist on most org charts five years ago — and the analyst-category creation that follows it. The clearest public signal of where budget is migrating is the deal flow. Palo Alto, CrowdStrike, and Cisco each spend on identity inside one year, Saviynt raises USD 700 million at roughly a USD 3 billion valuation from KKR (December 2025), and SailPoint returns to the public markets. The capital is voting that identity security is a growth center, not a maintenance line.14
Technology trend anchor — agentic AI driving the non-human-identity explosion. The single demand driver pulling this front forward is the same one pulling Front 6 and Front 7: agentic AI, and specifically the population explosion of non-human identities it creates. Every autonomous agent needs a credential to act — a service account, an API key, an OAuth token, a workload identity — and those credentials must be issued, scoped, monitored, and revoked. The grounding here is shipped product and analyst category creation, not a regulatory date. The clearest production signals are the consolidation deals themselves, each justified in the acquirer's own words by the agent problem. CrowdStrike's SGNL purchase grants and revokes access for "human, non-human (NHI), and AI identities" in real time. Cisco's Astrix acquisition secures "the agentic workforce." Microsoft's Entra Agent ID reached general availability in April 2026 to give agents first-class identities in the directory.15 On the pure-play side, Astrix's acquisition by Cisco and Aembit's positioning as a workload-identity platform — with CrowdStrike among its investors — mark NHI's graduation from feature to funded category.16 I read agent identity as the contested center of this front for the next several quarters. The falsifiable test is whether the platform incumbents report named agent-identity or NHI SKUs as disclosed growth drivers in upcoming earnings, rather than burying them as undifferentiated identity line-items.
Regulatory backdrop (context only). Zero-trust mandates, audit and segregation-of-duties requirements (SOX, and the access-certification obligations that drive IGA buying), and emerging AI-governance frameworks form the regulatory weather around this front. They are real, and the IGA buyer in particular buys partly to produce audit evidence. But per this report's discipline, they are context, not a market-timing mechanism: no forward claim in this front grounds on a regulatory effective date. The forward-looking reads above ground only on observable proxies — the dated consolidation triad, Saviynt's KKR round and SailPoint's re-IPO, Microsoft Entra Agent ID's shipped GA, and the PAM lens's 21.72% CAGR off a real revenue base. If the agent-identity convergence keeps showing up in dated acquisitions and earnings disclosures, the thesis holds; if a workforce-IAM pure-play scales on classic SSO alone, it weakens. The regulation is the weather, not the trade.
ProductBeacon
8.3 The Contenders
8.3 The Contenders
The eight vendors below are grouped by the four disciplines §8.1 laid out — Access Management, then IGA, then PAM, then non-human identity — because in identity the discipline is where the structure lives, not the tier. Within each group I note the tier each vendor carries on the report's standard scale: Gravity for the public-company and scaled-private anchors, Attention for the established and well-funded contenders, Wildcard for the earliest-stage non-human-identity pure-plays. But the reader should carry one structural fact through every card, because it is the through-line of this front: two of these eight are no longer independent companies. CyberArk, the PAM category originator and a Gravity-tier anchor, is now the Identity Security pillar of Palo Alto Networks following a roughly twenty-five-billion-dollar acquisition completed in February 2026. Astrix Security, the lead non-human-identity Wildcard, is now inside Cisco following a roughly four-hundred-million-dollar acquisition announced in May 2026. I treat both as acquired-unit cards — the vendor is the card, the acquisition is the descriptive fact, and the acquirer's strategic move belongs to the next author's §8.4 Plays.
Neither is a casualty. A twenty-five-billion-dollar premium and a four-hundred-million-dollar exit are the strongest signals a vendor can send; they are the anchor examples of the consolidation thread §8.1 named, not evidence of distress. Each card is anchored to a dated, vendor-controlled surface with at least one verbatim messaging pillar lifted live on 2026-06-17, and no card here renders a winner-or-loser verdict — these are positioning extractions.
One currency note belongs up front, because it is the most striking thing the live scan surfaced. Read the eight homepage pillars below in sequence and the convergence finding from §8.1 stops being an analyst's claim and becomes the vendors' own words. Okta leads with "Okta secures AI." SailPoint leads with "identity-first security for humans, machines, and AI." Saviynt leads with securing "every identity — human, non-human, and AI." Delinea leads with protecting "your human and agentic workforce." CyberArk leads with "secure every identity — human, machine and AI," and Aembit simply with "IAM for Agentic AI." Six of eight identity-native vendors now lead their homepage with the human-machine-AI identity triad. That is not a coincidence of timing. It is the entire front repositioning around the same demand driver in the same window — exactly what a control plane converging with the SOC looks like from the vendors' side of the glass.
Author's read of public material, June 2026. Vendor positions are conceptual, not data-derived.
ProductBeacon
Access Management
Access Management
Okta (Gravity)
"Okta secures AI. And every other identity, from machine to human. To get AI agent security right, you have to get identity right." — [okta.com, accessed 2026-06-17]17
Okta is the Gravity anchor of this front and the clearest articulation of the access-management discipline §8.1 defined — the front door that proves who you are once and carries it across every application. The live homepage no longer leads with single sign-on. It leads with "Okta secures AI," framing the company as the identity layer underneath the agent problem and reaching the workforce-and-customer identity story through the machine-to-human spectrum.17 Its stated USP is breadth across both sides of the identity divide: Workforce Identity for employees and Customer Identity (the Auth0 line) for end users, now extended toward machine and AI identities. The target buyer is the CISO and identity architect at organizations standardizing on a single identity platform rather than stitching point tools — exactly the platform-or-best-of-breed tension that defines Okta's strategic position. Architecturally Okta classifies as a cloud-native access-management platform with a CIAM arm, vendor-controlled and public.
The capital picture is the largest disclosed in this front. Okta reported FY2026 revenue of roughly USD 2.9 billion, up about 12% year over year, and guided FY2027 to roughly USD 3.185–3.205 billion. In August 2025 it acquired Axiom Security, a privileged-access and non-human-identity vendor, for a figure reported around USD 100 million, extending toward the PAM and NHI disciplines it did not natively own.18 Published-material tier is the highest available — public-company financial disclosure plus vendor-controlled surfaces plus named-outlet acquisition coverage. My read: Okta is the front-door incumbent consciously repositioning as the identity control plane for the AI era, and the Axiom acquisition is the tell. The access-management leader buying into PAM and non-human identity is the same convergence pattern §8.1 traced through the platform giants, just running inside an identity-native vendor rather than a SOC platform. The open question Okta embodies for the whole front is whether the buyer wants one identity platform or the best tool per discipline.
ProductBeacon
Identity Governance & Administ...
Identity Governance & Administration
SailPoint (Attention)
"The new era of adaptive identity. Identity-first security for humans, machines, and AI. One platform to secure every identity." — [sailpoint.com, accessed 2026-06-17]19
SailPoint is the IGA leader and the budget-anchor of identity programs — the governance discipline that answers not "are you who you say" but "should you have this access at all, and can we prove we reviewed it." Its live homepage frames "the new era of adaptive identity" and "identity-first security for humans, machines, and AI," which casts the governance platform as a single control point. That control point spans the joiner-mover-leaver lifecycle, access certification, segregation-of-duties, and the audit evidence that IGA exists to produce.19 The stated USP is governance depth delivered as a unified platform with AI-driven access decisioning — "adaptive identity security, powered in real time." The target buyer skews toward the IGA and audit team answering to risk and compliance, with a procurement rhythm set by the audit calendar rather than the threat calendar. Architecturally SailPoint classifies as a cloud IGA platform, vendor-controlled and public.
The capital picture is unusually well-disclosed for a recently re-public company. SailPoint returned to the public markets and trades on NASDAQ under SAIL (around USD 14.80 on 2026-06-15). It reported first-quarter FY2027 revenue of USD 280 million, up 22% year over year, and annual recurring revenue of USD 1.163 billion, up 26%; the company is led by CEO Mark McClain and CPO Levent Besik.20 A June 2026 board change (a Thoma Bravo designee seat) is routine and explicitly not a disagreement — it is noted here only to retire it as a non-signal. Published-material tier is public-company financial disclosure plus vendor-controlled. My read: SailPoint is the governance budget-anchor whose re-IPO and ARR trajectory make it the best-evidenced growth story among the identity-native independents. Its "humans, machines, and AI" framing puts the governance discipline, not just access management, squarely inside the convergence story — which matters because governance is where the audit evidence for agent access will eventually have to live.
Saviynt (Attention)
"We Deliver Enterprise Control Over AI. Saviynt secures every identity — human, non-human, and AI. See. Enforce. Govern. Every AI agent, everywhere, for every action." — [saviynt.com, accessed 2026-06-17]21
Saviynt is the cloud-IGA challenger to SailPoint and the most explicitly AI-forward governance pitch in this set. Its live homepage leads not with governance language but with "we deliver enterprise control over AI." It frames the platform as the layer that secures "every identity — human, non-human, and AI." It casts the governance loop as "see, enforce, govern — every AI agent, everywhere, for every action." The page signs off with the tagline "identity security for AI. AI for identity security."21 The stated USP is converged cloud-native identity governance — a single platform spanning IGA, application access governance, and privileged-access management — differentiated from SailPoint on cloud-first architecture and an unusually direct agent-identity message. The target buyer is the enterprise IGA and compliance owner consolidating identity governance onto a cloud platform, with a clear lean toward organizations governing AI deployment. Architecturally Saviynt classifies as a cloud-native converged identity-governance platform, private.
The capital picture is a war-chest positive: Saviynt raised USD 700 million at a roughly USD 3 billion valuation in a round led by KKR that closed December 9, 2025, with Sixth Street, TenEleven, and Carrick participating.22 Published-material tier is vendor-controlled plus named-outlet funding coverage. My read: Saviynt is the strongly-capitalized cloud-IGA challenger making the most aggressive AI-identity claim of the governance pair. The KKR round is the single largest fresh private raise in this front, and it is explicitly a bet on the AI-identity thesis. That makes Saviynt the clearest test of whether governance, not just access, becomes a venture-scale growth center inside the convergence wave.
ProductBeacon
Privileged Access Management
Privileged Access Management
CyberArk / Palo Alto Networks (acquired unit, Gravity)
"Secure every identity — human, machine and AI — with the right level of privilege controls." — [cyberark.com Identity Security Platform, accessed 2026-06-17]23
CyberArk is no longer an independent contender, and that is the descriptive fact this card carries. Palo Alto Networks completed its acquisition of CyberArk on February 11, 2026, in a transaction valued at roughly USD 25 billion — USD 45.00 in cash plus 2.2005 PANW shares per ordinary share, approved by 99.8% of voting shareholders. It made CyberArk its Identity Security pillar, stating the deal "enables Palo Alto Networks to secure every identity across the enterprise — human, machine, and agentic."24 On the live CyberArk surface the PAM heritage now reads through the platform pillar "secure every identity — human, machine and AI — with the right level of privilege controls," carrying the category-defining privileged-access DNA up into a network-and-platform security company.23 Because the acquisition is the descriptive fact, this card extracts positioning from the now-owned surface. CyberArk's pre-acquisition identity is the PAM category originator — the vault, the privileged session, the secrets management — expanded into broader workforce identity after its 2024 Venafi acquisition (machine-identity / certificate management).
The target buyer is the security organization extending privileged-access control across the full identity estate, now inside Palo Alto's platform relationship. Architecturally CyberArk classifies as a privileged-access and identity-security platform embedded inside a larger security platform. Published-material tier is the highest available — public-company acquisition disclosure (Palo Alto Networks) plus named-outlet coverage plus vendor-controlled. My read: CyberArk is the anchor example of the consolidation thread. The PAM category leader was absorbed at a roughly twenty-five-billion-dollar premium and renamed a "pillar," with the acquirer's own justification being the human-machine-agentic identity problem, not legacy privileged access. That is strength expressed as exit, and it is the single largest data point behind §8.1's convergence finding. When the PAM originator becomes a network-platform pillar on an agent-identity rationale, the identity control plane and the SOC are converging in public, dated fact.
BeyondTrust (Attention)
"BeyondTrust discovers agentic identities across AWS, Azure, Google, OpenAI, Salesforce, and ServiceNow, then enforces the same privilege controls that secure your human administrators." — [beyondtrust.com, accessed 2026-06-17]25
BeyondTrust is the PAM challenger that contests the privileged-access category against the now-absorbed CyberArk, and its live messaging shows it making the same convergence move — extending privileged-access control from human administrators to the agentic-identity population. The homepage pillar describes discovering "agentic identities across AWS, Azure, Google, OpenAI, Salesforce, and ServiceNow" and enforcing "the same privilege controls that secure your human administrators." That frames BeyondTrust's USP as a single privilege-control plane spanning human and machine/agent identities — the "paths to privilege" thesis carried into the AI era.25 The target buyer is the security and PAM team consolidating privileged-access management across a hybrid estate. Architecturally BeyondTrust classifies as a privileged-access and identity-security platform, private.
The capital and ownership picture is the single flagged watch item of this front, sourced but not asserted. BeyondTrust has been majority-owned by Francisco Partners since 2018 (with Clearlake Capital a minority holder) and carries roughly USD 500 million in ARR by widely-cited reporting. Francisco Partners is reportedly exploring a multi-billion-dollar sale of the company — an early-stage, no-deal-announced process consistent with a hold now past the typical private-equity duration.26 I flag that as sourced exit-pressure to watch, not a casualty or distress signal; no transaction has been announced. Published-material tier is vendor-controlled plus named-outlet ownership-and-process reporting. My read: BeyondTrust is the credible PAM challenger whose live homepage proves the convergence thesis from the contender side, extending privilege controls to agentic identities in the same window CyberArk became a PANW pillar. The Francisco Partners exit-exploration is the open ownership question that makes BeyondTrust the most likely next moving piece in the identity-consolidation board — which is precisely why it is flagged as a watch item rather than scored.
Delinea (Attention)
"The future of identity security is continuous. Access granted isn't access secured. Delinea continuously authorizes every identity, session, and action — protecting your human and agentic workforce with control that goes far beyond login." — [delinea.com, accessed 2026-06-17]27
Delinea is the PAM consolidator of this set — the Thycotic-plus-Centrify merger, TPG-backed — and its live homepage reframes privileged access as continuous authorization rather than a one-time login gate. The pillar reads "the future of identity security is continuous," and the supporting line reads "access granted isn't access secured… continuously authorizes every identity, session, and action — protecting your human and agentic workforce." That casts Delinea's USP as runtime, just-in-time authorization across human and agent identities. The company brands the engine "Iris AI."27 The strategic move behind that messaging is the descriptive fact worth naming. Delinea acquired StrongDM (announced January 15, completed March 5, 2026, terms undisclosed), unifying its PAM heritage with StrongDM's just-in-time runtime-authorization layer for non-human and AI-agent access.
The target buyer is the mid-market-to-enterprise PAM team modernizing privileged access toward continuous, identity-aware authorization. Architecturally Delinea classifies as a privileged-access and runtime-authorization platform, private. The capital picture is TPG ownership with the StrongDM acquisition as the recent capital event; deal terms were not disclosed.28 Published-material tier is vendor-controlled plus named-outlet acquisition coverage. My read: Delinea is consolidating, not consolidated. Where CyberArk and Astrix became units of larger platforms, Delinea is the identity-native vendor doing its own acquiring. It bought StrongDM to fold just-in-time runtime authorization for agents into PAM. Its "continuous authorization for the human and agentic workforce" framing is the same convergence bet as everyone else's on this page. The difference is that Delinea expresses it as a buy-side rather than sell-side move. That makes Delinea a useful counterweight to the absorbed-into-a-platform pattern: the consolidation wave has acquirers inside the identity-native field too, not only at the SOC-platform tier.
ProductBeacon
Non-Human / Workload Identity
Non-Human / Workload Identity
Astrix Security / Cisco (acquired unit, Wildcard)
"Discover, secure, and deploy AI agents responsibly across the enterprise. AI Agents + NHIs > Humans. Secure the Identities that Matter." — [astrix.security, accessed 2026-06-17]29
Astrix Security is the lead non-human-identity Wildcard, and like CyberArk it is no longer independent. The descriptive fact this card carries is that Cisco completed its acquisition of Astrix, at a figure reported around USD 400 million, announced in May 2026, folding NHI discovery, lifecycle, and threat detection into Cisco Identity Intelligence alongside Duo, Secure Access, and Splunk.30 On the live Astrix surface the NHI pure-play story still reads in its own voice: "discover, secure, and deploy AI agents responsibly across the enterprise." It is anchored on the population claim "AI Agents + NHIs > Humans" and the framing that the vast majority of non-human identities are ungoverned and overprivileged — the discovery-to-governance loop for service accounts, API keys, OAuth tokens, and now autonomous agents.29 Because the acquisition is the descriptive fact, this card extracts positioning from the still-live Astrix surface and states the Cisco deal as context. Astrix's pre-acquisition capital picture was a Wildcard's: roughly USD 85 million raised in total, anchored by a USD 45 million Series B in December 2024 with Menlo Ventures among the investors.30
The target buyer is the security team confronting a machine and agent population that already dwarfs the human one. Architecturally Astrix classifies as a non-human-identity discovery-and-governance platform, now embedded inside Cisco's identity platform. Published-material tier is named-outlet acquisition coverage plus vendor-controlled. This is a Wildcard-tier card under the report's descriptive-only discipline for the earliest-stage names — positioning extraction only, no winner-or-loser verdict, and the acquisition is treated as an exit, not a death. My read: Astrix is the resolved-Wildcard case study of §8.1's central thesis made literal. It is a non-human-identity pure-play graduating directly into a platform, justified in the acquirer's own words by the "agentic workforce" — the exact pattern of NHI being bought into existence by the platform players before any independent reaches escape velocity. The four-hundred-million-dollar exit is the validation of the category, and the demonstration that, in identity right now, the NHI Wildcard's most likely next step is to become a platform module.
Aembit (Wildcard)
"IAM for Agentic AI. Aembit enforces access to sensitive data and accelerates AI use with confidence through policy, context, and audit based on unique agent identities." — [aembit.io, accessed 2026-06-17]31
Aembit is the surviving independent non-human-identity Wildcard. Where Astrix exited into Cisco, Aembit remains standalone — the cleanest live read of what an independent NHI company sounds like in its own voice. Its homepage leads with "IAM for Agentic AI," framing the product as access enforcement "based on unique agent identities" through "policy, context, and audit." It organizes around secretless authentication ("short-lived access without stored credentials"), secure autonomy for AI agents, and a policy-driven rather than script-driven model — the workload-identity-and-access-management discipline applied to agents, MCP servers, and CI/CD workloads.31 The stated USP is access without stored secrets or certificates, granted to workload and agent identities in real time per task. The target buyer is the platform and security engineering team securing machine-to-machine and agent-to-resource access across distributed cloud and on-premise environments. Architecturally Aembit classifies as a non-human / workload identity-and-access platform, cloud-native, SOC 2 and ISO 27001 certified, private.
The capital picture is a Wildcard's, with a notable strategic-investor signal. Aembit has raised approximately USD 45 million in total. The USD 25 million Series A closed in September 2024 led by Acrew Capital, with CrowdStrike among its investors alongside Ballistic Ventures and Ten Eleven Ventures, and it positions its "IAM for Agentic AI" offering as generally available in 2026.32 Published-material tier is vendor-controlled plus named-outlet funding coverage. This is a Wildcard-tier card under the report's descriptive-only discipline for the earliest-stage names — positioning extraction only, no verdict. My read: Aembit is the independent counterpart to the now-absorbed Astrix, and the most strategically interesting thing about it is the investor list. CrowdStrike, which separately agreed to acquire SGNL for a sum reported around USD 740 million in January 2026, is on Aembit's cap table. That places the surviving NHI Wildcard one degree of separation from the same SOC-platform consolidation wave that already claimed Astrix. Aembit is the live test of whether a non-human-identity pure-play can stay independent through the convergence, or whether the NHI Wildcard's gravitational endpoint really is a platform.
ProductBeacon
8.4 Their Plays
8.4 Their Plays
The plays of the identity front do not read like the plays of the older theaters in this report. There is no installed base being slowly displaced, no decade-old standoff being renegotiated. Instead there is a single dominant motion — consolidation into platforms — and three sub-motions resolving underneath it. The four plays below are stated as public observations, named participants, and conditional outcomes that resolve against a signal an outsider can watch and date. The first is the spine. It is the most heavily evidenced move in this entire front, and the cross-front exhibit for the report's "identity converges with the SOC" thesis. The other three are the disciplines underneath — privileged access becoming a platform, governance modernizing into the cloud, and the non-human-identity category resolving by acquisition. Throughout, the SOC and network incumbents (Palo Alto, CrowdStrike, Cisco, Microsoft) are characterized primarily in Front 5; here they appear only as identity moves, named by the identity asset they bought or built, not graded as identity contenders.
ProductBeacon
Play 1: The Platform-Absorbs-I...
Play 1: The Platform-Absorbs-Identity Consolidation Play
Observation. In roughly thirteen months, each of the three platform giants that anchor the detection segment bought an identity capability, and Microsoft built one. Every one of those moves is justified, in the acquirer's own words, by the AI-agent and non-human-identity problem, not by legacy workforce single sign-on. Palo Alto Networks completed its ~$25 billion acquisition of CyberArk on February 11, 2026, naming Identity Security a core platform pillar and stating the addition lets it "secure every identity across the enterprise — human, machine, and agentic."33 CrowdStrike announced its ~$740 million acquisition of SGNL on January 8, 2026, explicitly to grant and revoke access for "human, non-human (NHI), and AI identities" in real time, and shipped "Continuous Identity for AI Agents" at Identiverse on June 15, 2026.34 Cisco announced its ~$400 million acquisition of Astrix Security in May 2026 to secure "the agentic workforce" of autonomous AI agents, folding it into Cisco Identity Intelligence.35 Microsoft, rather than buy, built: Entra Agent ID reached general availability in April 2026, making agent identities a first-class construct inside Agent 365.36 The vector is unmistakable and dated. The three SOC/platform giants each now own an identity control plane, and the rationale each gave is the machine-and-agent identity explosion, not the front door.
Participants. Palo Alto Networks (CyberArk → Identity Security pillar), CrowdStrike (SGNL → Next-Gen Identity / Continuous Identity for AI Agents), and Cisco (Astrix → Identity Intelligence) are the absorbing SOC/platform giants, each holding its primary contender slot in Front 5. Microsoft (Entra Agent ID) is the build-not-buy incumbent, also characterized primarily in Front 5. CyberArk and Astrix are the absorbed identity assets, now platform pillars rather than independents.
Conditional outcome.We expect the platform-absorbs-identity pattern to validate as the default resolution for the identity control plane if the next one or two notable identity acquisitions are again framed around machine, agent, or non-human identity and folded into a SOC or network platform. That is observable in the acquirers' own dated press and analyst coverage over the next two-to-four quarters, and the independent identity layer would keep thinning at its NHI edge. The thesis weakens instead if a workforce-IAM pure-play is acquired on a classic SSO rationale, or if a standalone identity vendor reaches genuine scale on workforce identity alone with no platform absorption. In that case identity holds as a distinct, defensible buying center.
Evidence. Palo Alto Networks, "Palo Alto Networks Completes Acquisition of CyberArk to Secure the AI Era," February 11, 2026 (paloaltonetworks.com, accessed 2026-06-17).33 CrowdStrike, "CrowdStrike to Acquire SGNL to Transform Identity Security for the AI Era," January 8, 2026, and Identiverse product coverage June 15, 2026 (crowdstrike.com, accessed 2026-06-17).34 SecurityWeek, "Cisco Moves to Acquire Astrix Security," May 6, 2026 (securityweek.com, accessed 2026-06-17).35 Microsoft Entra Agent ID GA documentation, April 2026 (learn.microsoft.com, accessed 2026-06-17).36
ProductBeacon
Play 2: The PAM-Becomes-a-Plat...
Play 2: The PAM-Becomes-a-Platform Play
Observation. Privileged Access Management — the discipline that guards the crown-jewel admin accounts and secrets vaults — is no longer being sold as a standalone vault. It is becoming a platform, and the expansion vector is runtime authorization for non-human and AI-agent access. CyberArk, the category originator, is the clearest case. It did not stay a standalone PAM vendor; it became the Identity Security pillar inside Palo Alto Networks via the ~$25 billion deal completed February 11, 2026 — privileged access absorbed into a platform rather than defended as a category.33 Delinea, the TPG-backed PAM incumbent, is consolidating rather than being consolidated. It completed its acquisition of StrongDM on March 5, 2026 (announced January 15), unifying PAM with just-in-time runtime authorization for NHI and AI-agent access under the "Delinea Iris AI" banner.37 BeyondTrust, the third established PAM contender (Francisco Partners majority since 2018), sits at the other end of the same motion. It is reportedly the subject of a multi-billion-dollar sale exploration by its private-equity owner — sourced but unconsummated, and a sign that even the standalone PAM contenders are being pulled toward a platform outcome.38 The common thread is that PAM's defensible perimeter is moving from "vault the password" to "broker every privileged action, human or machine, at the moment of use."
Participants. CyberArk (now Palo Alto Networks' Identity Security pillar) is the category originator absorbed into a platform. Delinea (StrongDM acquisition, JIT runtime authorization for NHI/AI agents) is the actively-consolidating PAM incumbent. BeyondTrust (Francisco Partners majority; reportedly exploring a sale) is the standalone contender under exit pressure. Palo Alto Networks appears here only as the acquirer of CyberArk, its primary characterization being in Front 5.
Conditional outcome.Two signals over the next two-to-four quarters would validate PAM-becomes-a-platform as the discipline's resolution. One is a PAM contender shipping or acquiring a named non-human or agent runtime-authorization capability and disclosing it as a growth driver. The other is BeyondTrust's sale exploration converting into a dated transaction. Privileged access would then survive only as a function inside a broader identity-and-runtime platform. PAM holds as a defensible standalone discipline instead if PAM contenders keep selling standalone vaulting with no NHI or agent runtime expansion, and BeyondTrust's exploration lapses with the company independent and unchanged.
Evidence. Palo Alto Networks, "Completes Acquisition of CyberArk," February 11, 2026 (paloaltonetworks.com, accessed 2026-06-17).33 Delinea / GlobeNewswire, StrongDM acquisition completed March 5, 2026 (delinea.com, accessed 2026-06-17).37 Private Equity Wire / CyberExperts, Francisco Partners BeyondTrust sale-exploration first reported August 2025 (Bloomberg, 2025-08-13), coverage accessed 2026-06-17.38
ProductBeacon
Play 3: The IGA Cloud-Moderniz...
Play 3: The IGA Cloud-Modernization Contest
Observation. Identity Governance & Administration — the discipline that answers "should you have this access at all, and can we prove we reviewed it" — is being contested as a cloud-modernization race between a re-scaled incumbent and a heavily-capitalized cloud-first challenger. SailPoint, the governance category leader, returned to the public markets after its Thoma Bravo ownership period and trades as NASDAQ: SAIL. It reported Q1 FY2027 revenue of $280 million (up 22% year over year) and ARR of $1.163 billion, up 26% — the scale incumbent re-establishing itself in public view.39 Against it, Saviynt, the cloud-first IGA challenger, raised $700 million at roughly a $3 billion valuation in a KKR-led round that closed December 9, 2025 (Sixth Street, TenEleven, and Carrick also participating), with the AI-identity governance thesis as its explicit pitch.40 The contest is not whether governance matters — the audit calendar guarantees it does. It is whether the modern, AI-driven, cloud-native governance buyer goes to the re-scaled public incumbent or to the freshly-capitalized challenger that built cloud-first. Both are arming for the same enterprise governance budget at the same moment.
Participants. SailPoint (NASDAQ: SAIL; re-IPO'd from Thoma Bravo; ARR $1.163B, +26%) as the scale incumbent; Saviynt ($700M raise at ~$3B, KKR-led, December 2025; cloud-first, AI-identity-governance pitch) as the capitalized cloud challenger contesting the same IGA buying center.
Conditional outcome.If Saviynt converts its $700 million war chest into disclosed ARR growth, named enterprise displacements, or analyst-category share gains while SailPoint's growth rate compresses, we expect a clear read. The cloud-modernization challenger would validate as a genuine contender for the governance buyer, not a well-funded follower. That window is the next two-to-four quarters. The re-scaled incumbent holds the governance center instead if SailPoint sustains its mid-twenties ARR growth and Saviynt's capital does not surface as disclosed traction beyond the round itself. In that case the challenger's raise reads as runway, not displacement.
Evidence. SailPoint, Q1 FY2027 results and NASDAQ: SAIL trading data, June 2026 (stockanalysis.com / company IR, accessed 2026-06-17);39 Saviynt / SecurityWeek, "$700M raise at ~$3B led by KKR," December 9, 2025 (saviynt.com, securityweek.com, accessed 2026-06-17).40
ProductBeacon
Play 4: The Non-Human-Identity...
Play 4: The Non-Human-Identity Wave
Observation. Non-Human Identity — securing the service accounts, API keys, machine tokens, and autonomous AI agents that already outnumber human identities — is the newest discipline of this front. It is resolving not by an independent vendor reaching scale but by acqui-graduation into platform incumbents. Astrix Security, one of the two NHI pure-plays, graduated into Cisco via the ~$400 million acquisition announced May 2026. It had raised a $45 million Series B in December 2024 (Menlo Ventures; ~$85 million total) — the canonical "NHI startup graduates into a platform" data point, resolved in real time.35 Aembit, the other pure-play, remains independent on roughly $45 million raised (Series A $25 million, September 2024). But it carries a telling tie: CrowdStrike is among its investors, and CrowdStrike has just bought SGNL in the same identity space. That makes Aembit a forward M&A watch item — the cleanest live test of whether an NHI pure-play stays independent through the consolidation wave.41 The pattern the §8.2 terrain anticipated — one or two NHI pure-plays graduate into platforms while the rest get absorbed — is tracking, but faster and at higher prices than a "Series B by late 2026" framing would have implied. The category is resolving by acquisition, not by an independent reaching escape velocity.
Participants. Astrix Security (acquired by Cisco, ~$400 million, May 2026; Menlo Ventures backers) is the graduated NHI pure-play. Aembit (independent; ~$45M raised; CrowdStrike a strategic investor) is the surviving independent under forward-acquisition watch. Cisco and CrowdStrike are the platform acquirers, both characterized primarily in Front 5. (Astrix appears as a Wildcard card in §8.3 as the vendor and here as the Cisco/Astrix Play as the acquirer's move — the same May 2026 ~$400M event read from two angles, not two events.)
Conditional outcome.We expect the NHI wave to validate as a category that resolves by acqui-graduation rather than by independent scaling if a second NHI pure-play is acquired by a platform incumbent in dated coverage over the next two-to-four quarters. Aembit by CrowdStrike is the most-telegraphed candidate, given the existing investor tie. The NHI category holds a path to standalone survival instead if Aembit closes a disclosed independent up-round and no further NHI pure-play absorption surfaces, rather than becoming a feeder for platform identity portfolios.
Evidence. SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," May 6, 2026 (securityweek.com, accessed 2026-06-17).35 Aembit Series A coverage and CrowdStrike investor disclosure, September 2024 (aembit.io, accessed 2026-06-17).41 CrowdStrike, SGNL acquisition, January 8, 2026 (crowdstrike.com, accessed 2026-06-17).34
ProductBeacon
8.5 War Chests & Casualties
8.5 War Chests & Casualties
The capital picture of the identity front tells the same story the plays do, and it tells it with money. The defining motion here is not distress — there is no entity-level distress event among the eight identity-native vendors that clears this report's two-source bar for a casualty claim. The defining motion is consolidation into platforms, and the two largest "exits" are premium acquisitions, not collapses. Read the two acquired names below as graduation events — positive-or-neutral platform exits — not as distress.
Vendor
Most Recent Round / Status
Valuation
Strategic Investor
Distress Signal
Okta (NASDAQ: OKTA)
Independent public co.; FY2026 revenue ~$2.919B (+12% YoY); acquired Axiom Security (PAM/NHI, ~$100M, Aug 2025)42
Public (market-cap, not disclosed here)
Public-market investors
(empty — no public distress event)
CyberArk → Palo Alto Networks (exit)
Acquired ~$25B, completed Feb 11, 2026; now PANW Identity Security pillar43
Acrew Capital (lead), CrowdStrike, TenEleven, Ballistic Ventures
(empty — no public distress event; forward M&A watch)
The capital is voting that identity security is a growth center, not a maintenance line. The single highest war-chest mark in the front is Saviynt's $700 million KKR-led round at roughly a $3 billion valuation (December 2025) — a heavily-capitalized challenger arming for the governance contest, the exact opposite of a distress story. Around it, the established public names are scaling, not contracting: Okta at ~$2.9 billion FY2026 revenue and SailPoint back in public view with $1.163 billion ARR growing 26%. Delinea is an active acquirer, not a target, having pulled StrongDM in to extend PAM into NHI runtime authorization.
The two largest exits — CyberArk into Palo Alto Networks at ~$25 billion (February 11, 2026) and Astrix into Cisco at ~$400 million (May 2026) — are precisely that: premium events that graduate the asset into a platform. CyberArk was acquired at a ~$25 billion price; that is a strength signal, not a distress signal, and it anchors the consolidation thread of §8.4 Play 1. The only entry carrying any exit-pressure caveat is BeyondTrust, and it carries it carefully. Its owner Francisco Partners is reportedly exploring a multi-billion-dollar sale. But that is a sourced, unconsummated report past a typical private-equity hold — a flagged watch item, framed as exit pressure, not asserted as distress. None of the eight identity-native vendors is a casualty. The defining motion of this front is platform absorption, and the war chests confirm it: capital is flowing toward identity, the strongest assets are being bought at premiums, and the challengers are being funded, not buried.
ProductBeacon
8.6 Winning & Losing
8.6 Winning & Losing
This front is not won or lost vendor-versus-vendor, and the cards in §8.3 make plain why. Two of the eight contenders are already inside platforms, the two largest "exits" are premium acquisitions rather than collapses, and there is no entity-level casualty I am willing to name. So I am not going to manufacture a winners-and-losers scoreboard at the company level. That would be the exact directional verdict on individual vendors' fates this report's discipline forbids, and in a front whose defining motion is consolidation it would also be wrong. This front is won or lost one altitude up, at the level of platform consolidation. The contest that decides it is whether the identity control plane stays a distinct, defensible buying center, or gets absorbed into the SOC and network platforms the enterprise already owns. Every claim below is therefore stated about the market's motion — how the disciplines are consolidating, where the capital is voting, which structural pattern the dated public record supports — never as a survival call on any one company. The two acquisitions of the period (CyberArk into Palo Alto, Astrix into Cisco) are read here as positive-to-neutral consolidation exits, because a ~$25 billion premium and a ~$400 million graduation are the strongest signals a vendor can send, not casualties.
Three category-level patterns explain the motion. The first is the spine of the entire front, and the single most important claim of this chapter: the identity control plane is converging with the SOC. It is the evidence the report's later cross-front syntheses lean on. The second is the discipline doing the converging fastest: non-human identity, resolving by acqui-graduation into platforms rather than by independent scaling. The third is the compression pressure shaping who survives as an independent: Microsoft's bundled Entra economics, now extending to agent identity. Each is stated as a dated public observation, a labeled read, and a falsifiable conditional. Each resolves against a market signal an outsider can watch and date — an M&A event, a funding round, an earnings-disclosed metric, or an analyst category. None of them grounds on a regulatory effective date. This front's analytic trap is to mistake a policy deadline for a market event, and I am holding every threshold to a public market signal instead.
ProductBeacon
Pattern Claim 1 — The Identity...
Pattern Claim 1 — The Identity-Converges-with-the-SOC Thesis
Observation.
In roughly thirteen months, each of the three platform giants that anchor the detection segment acquired an identity capability, and a fourth built one. Every one of those moves is justified, in the acquirer's own words, by the AI-agent and non-human-identity problem, not by legacy workforce single sign-on.
Palo Alto Networks completed its ~$25 billion acquisition of CyberArk on February 11, 2026, naming Identity Security a core platform pillar. It stated the addition lets it "secure every identity across the enterprise — human, machine, and agentic."50
CrowdStrike announced its ~$740 million acquisition of SGNL on January 8, 2026, explicitly to grant and revoke access for "human, non-human (NHI), and AI identities" in real time. It then shipped "Continuous Identity for AI Agents" at Identiverse on June 15, 2026.51
Cisco announced its ~$400 million acquisition of Astrix Security in May 2026 to secure "the agentic workforce" of autonomous AI agents, folding it into Cisco Identity Intelligence.52
Microsoft, rather than buy, built: Entra Agent ID reached general availability in April 2026, making agent identities a first-class construct in the directory.53
Around these sit Okta's ~$100 million purchase of Axiom Security (August 2025) and Delinea's StrongDM acquisition (completed March 5, 2026) — the same vector running inside the identity-native field.54
The vendors' own homepages now say it out loud: six of the eight identity-native vendors graded in §8.3 lead with the human-machine-AI identity triad as of June 17, 2026.55
My read.
I read this as the central structural finding of the entire front, and I want to be precise about what makes it strong. It is not a forecast. It is dated fact already on the public record.
The striking thing is not that consolidation is happening — that is the expected end state of any maturing security discipline. The striking thing is the vector. Every one of these deals is justified by the acquirer in its own words by the agent-identity problem, not by legacy SSO.
That tells me the platforms are not buying identity to own the front door. They are buying it because the SOC's job — detect, authorize, respond — now runs on identity, and the agent population is the part of identity growing fastest.
When the PAM category originator becomes a network-platform "pillar" on a human-machine-agentic rationale, the identity control plane and the SOC are not adjacent markets converging slowly. They are merging in public, on dated press releases.
I am stating this at the category level: the claim is about the control plane's motion toward the SOC, not a bet on any single platform winning. And per the cross-front rule, Palo Alto, CrowdStrike, Cisco, and Microsoft are characterized as contenders in Front 5. Here they appear only as the platform side of the convergence, named by their identity move.
Conditional prediction.
The thesis validates if the next one or two notable identity acquisitions are again framed around machine, agent, or non-human identity and folded into a SOC or network platform. That is observable in the acquirers' own dated press and named-outlet M&A coverage over the next two-to-four quarters.
The inverse signal that would weaken it is equally concrete and watchable. One such signal is a workforce-IAM pure-play acquired on a classic SSO rationale. The other is a standalone identity vendor that, on workforce identity alone and with no platform absorption, reaches genuine disclosed scale.
A second confirming proxy is whether the SOC-platform acquirers begin reporting named agent-identity or NHI SKUs as disclosed growth drivers in earnings, rather than burying them as undifferentiated identity line-items.
I am grounding this on the M&A and earnings-disclosure record, not on any regulation's timing.
Pattern Claim 2 — The Non-Human-Identity Wave Thesis
Observation.
Non-human identity is the hottest sub-category of this front. It secures the service accounts, API keys, machine tokens, and autonomous AI agents that already outnumber human identities. The public record shows it resolving by acqui-graduation into platforms faster than by independent graduation.
Astrix Security, one of the two NHI pure-plays graded in §8.3, graduated into Cisco via the ~$400 million acquisition announced May 2026. It had taken a $45 million Series B in December 2024 (Menlo Ventures; ~$85 million total) — a Wildcard exiting into a platform before reaching scale.52
SGNL, the continuous-identity vendor CrowdStrike bought for ~$740 million in January 2026, sits in the same machine-and-agent identity space.51
Aembit, the surviving independent NHI pure-play, remains standalone on roughly $45 million raised (Series A $25 million, September 2024). But it carries a telling tie: CrowdStrike is among its investors, and CrowdStrike has separately just bought SGNL in the same space.56
The capital framing the wave is unambiguous. Saviynt raised $700 million at roughly a $3 billion valuation (KKR-led, December 9, 2025) on an explicit AI-identity-governance pitch.
And the analyst lenses size NHI access management in the ten-billion-plus range by 2026, with the figures diverging most by definition — proof no two firms yet agree where the machine-identity boundary falls.57
My read.
I read NHI as the discipline where the convergence of Pattern Claim 1 is happening first and fastest. It is resolving by absorption rather than by an independent reaching escape velocity.
My view is that the economics favor the platform. A SOC or network incumbent can fold NHI discovery-and-governance into a platform the enterprise already runs and cross-sell it instantly. A venture-funded NHI specialist, by contrast, has to build distribution from zero against exactly that bundling pressure.
Astrix is the resolved case study — a pure-play graduating directly into a platform, justified in the acquirer's own words by the "agentic workforce."
That makes Aembit the watch item that defines the category's open question. It is the cleanest live test of whether an NHI pure-play can stay independent through the wave, and the CrowdStrike-on-the-cap-table tie places it one degree of separation from the same absorption that already claimed Astrix.
I am stating this at the category level. The claim is about how the NHI category resolves, not a directional bet that any one Wildcard lives or dies. The two acquisitions are graduation exits, never casualties.
Conditional prediction.
The NHI wave validates as a category that resolves by acqui-graduation rather than by independent scaling if a second NHI pure-play is acquired by a platform incumbent in dated, named-outlet coverage over the next two-to-four quarters. Aembit by CrowdStrike is the most-telegraphed candidate, given the existing investor tie.
The inverse, weakening signal is equally watchable: Aembit closing a disclosed independent up-round and no further NHI pure-play absorption surfacing, which would mean the category holds a path to standalone survival.
A confirming secondary proxy is whether an analyst firm formalizes a named "non-human identity" or "machine identity" market segment with its own Magic Quadrant or Market Guide. That would signal the category has cohered enough to be tracked as more than a sub-feature of legacy IAM.
I am grounding this on the M&A record, disclosed funding rounds, and analyst category creation — not on any regulatory date.
Microsoft Entra ID is the access-management layer most enterprises already pay for inside their Microsoft 365 and E5 licensing. Microsoft is now extending that bundled position to agent identity rather than buying its way in.
Entra Agent ID reached general availability in April 2026, making AI-agent identities a first-class directory construct inside Agent 365 — the build-not-buy move alongside the three platform acquisitions of Pattern Claim 1.53
The standalone identity-native vendors selling into the same buying center carry the structural counterweight in their disclosures. Okta, the access-management Gravity anchor, reported FY2026 revenue of roughly $2.9 billion, up about 12% year over year, and bought Axiom Security (~$100 million, August 2025) to extend toward the PAM and NHI disciplines it did not natively own.54
On the PAM side, the privilege-specific vendors retain their own moat. CyberArk became a ~$25 billion platform pillar, and Delinea is an active consolidator (StrongDM, completed March 5, 2026). BeyondTrust carries roughly $500 million in ARR with its owner reportedly exploring a sale — a privileged-access perimeter that the front-door bundle does not natively reach.5058
Analyst lenses corroborate the structural split. PAM grows fastest of the established disciplines at a 21.72% CAGR off a real revenue base, while the broad IAM aggregate — the access-management home turf — grows slowest off the largest base.59
My read.
I read Entra's bundled economics as a standing compression force on standalone identity deal sizes, concentrated on the access-management discipline and now extending to agent identity. My view is structural, not a knock on any vendor.
When the directory-and-SSO layer is already paid for inside an enterprise agreement, the marginal cost of "good enough" access management trends toward zero. A standalone access-management vendor then has to clear a higher bar to justify a separate line item — and that bar gets higher, not lower, once Entra gives agents first-class directory identities too.
That pressure lands hardest on the front door (access management, Okta's home turf) and lightest on the privilege-specific moat. PAM controls the dangerous accounts at the moment of use and produces a distinct control surface the bundle does not natively cover.
The public record bears this out: PAM is the fastest-growing established discipline, its category originator commanded a ~$25 billion premium, and its contenders are consolidating rather than commoditizing.
The category-level claim I will stand behind is that compression sorts the front by defensibility of the discipline. Access management is the most exposed to the bundle, governance sits in the middle (the audit calendar gives it independent budget authority), and privileged access is the most structurally defensible.
I am grounding this on vendor and analyst proxies, explicitly not on any regulation's timing.
Conditional prediction.
The compression-sorts-by-defensibility thesis validates if, over the next two-to-four quarters, the standalone access-management discipline shows compression in disclosed signals while the PAM contenders sustain premium valuations and disclosed growth.
The compression signals to watch are Okta's revenue growth rate decelerating in earnings, a workforce-IAM pure-play acquired below prior-round marks, or analyst coverage noting Entra Agent ID displacing standalone agent-identity spend.
The corroborating PAM-strength signals are CyberArk-in-Palo Alto, Delinea, and a BeyondTrust sale clearing at a multi-billion mark.
The inverse, weakening signal is a standalone access-management vendor posting accelerating disclosed growth against the Entra bundle, or a PAM contender commoditizing into a flat or down round. Either would say the bundle's compression is weaker or more uniform than the discipline-by-discipline read implies.
I am grounding every threshold on earnings-disclosed metrics, dated M&A marks, and analyst category coverage — observable public proxies, not a regulatory effective date.
The decisive signals in this front are unusually easy to watch, because the front's defining motion is M&A and capital allocation — and those move in public, dated press releases, SEC filings, funding announcements, earnings disclosures, and analyst category reports. None of the seven signals below requires privileged access, and not one of them is a regulatory date. This front's analytic trap is to mistake a zero-trust mandate or an AI-governance deadline for a market event, and I am holding every threshold to a public market signal an outsider can monitor through H2 2026.
Does a fourth platform giant buy identity? Signal: whether a SOC, network, or hyperscale platform beyond Palo Alto, CrowdStrike, Cisco, and Microsoft acquires an identity capability in dated, named-outlet M&A coverage. Threshold: a fourth platform acquisition framed around machine/agent identity confirms the convergence of Pattern Claim 1 as an industry-wide default, not a three-deal coincidence. A period passing with no further platform identity acquisition leaves the convergence as a striking-but-bounded triad. Primary source: acquirer press releases, SEC Form 8-K filings, and named-outlet M&A coverage.60
NHI graduation versus absorption — Aembit's path. Signal: whether Aembit, the surviving independent NHI pure-play, is acquired by a platform incumbent (CrowdStrike being the most-telegraphed candidate given its existing investor tie) or instead closes a disclosed independent up-round. Threshold: an Aembit acquisition in dated coverage confirms the NHI wave resolves by acqui-graduation (Pattern Claim 2); a disclosed independent up-round with no further NHI absorption says the category retains a standalone-survival path. Primary source: dated funding announcements and named-outlet M&A coverage.56
The Entra agent-identity compression signal. Signal: whether Entra Agent ID's general availability shows up as compression on standalone access-management economics — Okta's disclosed revenue-growth rate decelerating, a workforce-IAM pure-play acquired below prior marks, or analyst coverage citing Entra displacing standalone agent-identity spend. Threshold: any of those disclosed signals confirms the Entra Compression thesis (Pattern Claim 3) landing on the access-management discipline; accelerating standalone-AM growth against the bundle weakens it. Primary source: Okta and Microsoft earnings disclosures, dated M&A marks, and analyst commentary.5453
The SailPoint-versus-Saviynt IGA cloud contest. Signal: whether Saviynt converts its $700 million KKR war chest into disclosed ARR growth, named enterprise displacements, or analyst-category share gains, while SailPoint sustains or compresses its mid-twenties ARR growth (ARR $1.163 billion, +26%). Threshold: disclosed Saviynt traction beyond the round itself validates the cloud-first challenger as a genuine contender for the governance buyer; SailPoint sustaining growth with Saviynt's capital not surfacing as disclosed traction reads the raise as runway, not displacement. Primary source: SailPoint quarterly results (NASDAQ: SAIL) and Saviynt disclosed metrics in named outlets.57
The BeyondTrust sale resolution. Signal: whether Francisco Partners' reportedly-explored multi-billion-dollar sale of BeyondTrust (sourced, unconsummated as of June 2026) converts into a dated transaction, and at what mark. Threshold: a closed BeyondTrust sale into a platform confirms PAM consolidation pulling in even the standalone contenders; a clearing at a premium mark reinforces PAM's defensibility (Pattern Claim 3); the exploration lapsing with the company independent and unchanged says PAM holds as a standalone discipline. Primary source: named-outlet M&A coverage and any acquirer filing.58
Does identity ITDR surface as a disclosed SOC-platform attach metric? Signal: whether the platform acquirers begin reporting named agent-identity, NHI, or identity-threat-detection-and-response (ITDR) SKUs as disclosed growth drivers in earnings, rather than burying them as undifferentiated identity line-items. Threshold: a named identity/ITDR attach metric disclosed in a platform's earnings confirms the control plane is converging with the SOC at the revenue level, not just the deal level (Pattern Claim 1). Continued non-disclosure leaves the convergence visible in M&A but not yet in the P&L. Primary source: Palo Alto, CrowdStrike, Cisco, and Microsoft earnings disclosures and investor materials.61
Does an analyst firm formalize a non-human / agent identity market category? Signal: whether Gartner, Forrester, or a peer publishes a named Magic Quadrant or Market Guide for non-human / machine / agent identity, where today the market lenses diverge most by definition. Threshold: a named, consolidated NHI/agent-identity analyst category confirms the discipline has cohered enough to be tracked as a market in its own right (Pattern Claim 2); continued fragmentation across broad-IAM and machine-identity lenses says the boundary is still being drawn. Primary source: published analyst category reports and vendor announcements citing placement.59
ProductBeacon
References & Footnotes
References & Footnotes
References
1. Identity as the layer underneath every alert ("every alert is an identity did a thing") and the rule that Front 8 treats identity as a distinct buying center (the IAM/PAM org chart is often separate from the data-security org chart) rather than a horizontal layer. State of Cyber Security Markets 2026, the report's taxonomy §2.7 and §7 (Part-2 Delta, Layer 1 — Identity). ↩
2. Access Management (SSO/MFA/CIAM) defined as the front-door identity discipline — proving identity once and carrying it across applications — with Okta as the category anchor (Okta Workforce Identity and Customer Identity / Auth0). Okta, "What is Identity and Access Management (IAM)?", accessed 2026-06-17. https://www.okta.com/identity-101/ ↩
3. IGA (Identity Governance & Administration) defined as joiner-mover-leaver lifecycle, access certification, segregation-of-duties, and audit evidence — distinct from the access-management front door. Grand View Research, "Identity Governance And Administration Market Report, 2033," accessed 2026-06-17. https://www.grandviewresearch.com/industry-analysis/identity-governance-administration-market-report ↩
4. PAM (Privileged Access Management) defined as control of crown-jewel/admin accounts, root access, and secrets vaults on a least-privilege-for-the-most-dangerous-accounts principle, with CyberArk as category originator and BeyondTrust/Delinea as contenders. Mordor Intelligence, "Privileged Access Management (PAM) Market," accessed 2026-06-17. https://www.mordorintelligence.com/industry-reports/privileged-access-management-pam-market ↩
5. Non-Human / Workload Identity (NHI) defined as securing service accounts, API keys, machine tokens, and autonomous AI agents — which already outnumber human identities in most enterprises — with Astrix and Aembit as pure-plays. Grand View Research, "Non-Human Identity Access Management Market," accessed 2026-06-17. https://www.grandviewresearch.com/industry-analysis/non-human-identity-access-management-market-report ↩
6. Palo Alto Networks completed its ~USD 25 billion acquisition of CyberArk on 2026-02-11, naming Identity Security a core platform pillar. Verbatim: the addition of the CyberArk Identity Security Platform "enables Palo Alto Networks to secure every identity across the enterprise — human, machine, and agentic"; CyberArk shareholders received USD 45.00 in cash plus 2.2005 PANW shares per ordinary share; the transaction closed following U.S., EU, UK and Israel regulatory clearances. Palo Alto Networks, "Palo Alto Networks Completes Acquisition of CyberArk to Secure the AI Era," 2026-02-11, accessed 2026-06-17. https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-cyberark-to-secure-the-ai-era ↩
7. CrowdStrike agreed to acquire SGNL (a "Continuous Identity" vendor) for ~USD 740 million, announced 2026-01-08, predominantly cash. Verbatim rationale: the deal accelerates "Next-Gen Identity Security, enabling access for human, non-human (NHI), and AI identities to be continuously granted and revoked based on real-time risk." CrowdStrike, "CrowdStrike to Acquire SGNL to Transform Identity Security for the AI Era," 2026-01-08, accessed 2026-06-17. https://www.crowdstrike.com/en-us/press-releases/crowdstrike-to-acquire-sgnl-to-transform-identity-security-for-ai-era/ ; CNBC, "CrowdStrike buys identity security startup SGNL for $740 million," 2026-01-08, accessed 2026-06-17, https://www.cnbc.com/2026/01/08/crowdstrike-ai-cybersecurity-sgnl-acquisition.html ↩
8. Cisco announced its acquisition of Astrix Security (~USD 400 million), a non-human-identity pure-play, in May 2026, to secure the "agentic workforce" of autonomous AI agents and fold NHI discovery, lifecycle, and threat detection into the Cisco Identity Intelligence platform. SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," 2026-05-06, accessed 2026-06-17. https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ ↩
9. Cross-front boundary policy — SOC/platform incumbents (Microsoft Defender/Sentinel, Palo Alto Cortex, CrowdStrike Falcon, Cisco) are characterized primarily in Front 5 and appear in Front 8 only as identity "moves" named by their identity product/acquisition, not graded as identity contenders; the consolidation throughline (Palo Alto→CyberArk, CrowdStrike→SGNL, Cisco→Astrix) is a cross-front coherence fact. State of Cyber Security Markets 2026, the report's taxonomy §2.7, §7.2 (Boundary Policy §3.5) and §7.3 (Consolidation Throughline). ↩
10. Broad IAM lens — Grand View Research sizes the 2026 market at USD 29.68B (from USD 26.77B in 2025) reaching USD 62.90B by 2033 at 11.3% CAGR; MarketsandMarkets puts it at USD 25.96B (2025) → USD 42.61B (2030) at 10.4% CAGR. Grand View Research, "Identity And Access Management Market Size Report, 2033," accessed 2026-06-17, https://www.grandviewresearch.com/industry-analysis/identity-and-access-management-iam ; MarketsandMarkets, "Identity and Access Management (IAM) Market worth $42.61 billion by 2030," accessed 2026-06-17, https://www.marketsandmarkets.com/PressReleases/identity-access-management-iam.asp ↩
11. IGA lens (governance/audit, not the front door) — Fortune Business Insights sizes 2026 at USD 10.7B reaching USD 33.1B by 2034 at 15.16% CAGR; GII Research puts 2026 at ~USD 11.04B at 13.89% CAGR. Fortune Business Insights, "Identity Governance and Administration Market," accessed 2026-06-17, https://www.fortunebusinessinsights.com/identity-governance-and-administration-market-110229 ; GII Research, "Identity Governance & Administration Market — Global Forecast 2026-2032," accessed 2026-06-17, https://www.giiresearch.com/report/ires1978803-identity-governance-administration-market-by.html ↩
12. PAM lens (crown-jewel accounts) — Mordor Intelligence sizes 2026 at USD 5.17B (from USD 4.25B in 2025) reaching USD 13.83B by 2031 at 21.72% CAGR; North America led with 38.10% share in 2025. Mordor Intelligence, "Privileged Access Management (PAM) Market," accessed 2026-06-17. https://www.mordorintelligence.com/industry-reports/privileged-access-management-pam-market ↩
13. Non-human / machine identity lens — Grand View Research sizes NHI access management at USD 12.44B (2026, from USD 11.14B in 2025) reaching USD 27.33B by 2033 at 11.9% CAGR; MarketsandMarkets, on a narrower scope, sizes NHI access management at USD 9.45B (2024) → USD 18.71B (2030) at 11.9% CAGR. The figures diverge most by definition (no firm-level agreement on the machine-identity boundary). Grand View Research, "Non-Human Identity Access Management Market," accessed 2026-06-17, https://www.grandviewresearch.com/industry-analysis/non-human-identity-access-management-market-report ; MarketsandMarkets, "Non-Human Identity (NHI) Access Management Market worth USD 18.71 billion by 2030," accessed 2026-06-17, https://www.marketsandmarkets.com/PressReleases/non-human-identity-nhi-access-management.asp ↩
14. Capital-allocation signal that identity security is a growth center — the §8.1 consolidation triad (Palo Alto→CyberArk ~$25B, CrowdStrike→SGNL ~$740M, Cisco→Astrix ~$400M, all within ~13 months), plus Saviynt's ~USD 700M raise at ~USD 3B valuation led by KKR (December 2025) and SailPoint's return to the public markets (NASDAQ: SAIL). SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," 2026-05-06, accessed 2026-06-17, https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ ; CNBC, "CrowdStrike buys identity security startup SGNL for $740 million," 2026-01-08, accessed 2026-06-17, https://www.cnbc.com/2026/01/08/crowdstrike-ai-cybersecurity-sgnl-acquisition.html ↩
15. Agentic-AI / NHI demand driver grounded on shipped product and stated acquisition rationale (not regulatory dates) — CrowdStrike's SGNL deal to grant/revoke access for "human, non-human (NHI), and AI identities" in real time, Cisco's Astrix deal for "the agentic workforce," and Microsoft Entra Agent ID reaching general availability in April 2026 to give AI agents first-class directory identities. CrowdStrike, "CrowdStrike to Acquire SGNL to Transform Identity Security for the AI Era," 2026-01-08, accessed 2026-06-17, https://www.crowdstrike.com/en-us/press-releases/crowdstrike-to-acquire-sgnl-to-transform-identity-security-for-ai-era/ ; Cisco / SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," 2026-05-06, accessed 2026-06-17, https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ ↩
16. NHI pure-plays graduating from feature to funded category — Astrix Security (acquired by Cisco, ~$400M, May 2026) and Aembit (workload-identity platform; CrowdStrike among its investors), illustrating that non-human / workload identity has become a standalone funded discipline rather than a sub-feature of legacy IAM. SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," 2026-05-06, accessed 2026-06-17. https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ ↩
17. Okta homepage, hero "Okta secures AI" with sub-headline "And every other identity, from machine to human." and pillar "To get AI agent security right, you have to get identity right." https://www.okta.com/ (accessed 2026-06-17). ↩
18. Okta reported FY2026 revenue of ~USD 2.9B (up ~12% YoY) and guided FY2027 to ~USD 3.185–3.205B; in August 2025 Okta acquired Axiom Security (privileged access / non-human identity) for a figure reported at ~USD 100M, extending toward the PAM and NHI disciplines. Okta Investor Relations / FY2026 results, https://investor.okta.com/overview/default.aspx ; TechCrunch / named-outlet coverage of the Axiom Security acquisition (August 2025) (accessed 2026-06-17). ↩
19. SailPoint homepage, hero "The new era of adaptive identity," sub-headline "Identity-first security for humans, machines, and AI," and section pillar "One platform to secure every identity"; body "Adaptive identity security, powered in real time." https://www.sailpoint.com/ (accessed 2026-06-17). ↩
20. SailPoint trades on NASDAQ under SAIL (~USD 14.80 on 2026-06-15) following its return to the public markets; Q1 FY2027 revenue USD 280M (up 22% YoY) and ARR USD 1.163B (up 26%); CEO Mark McClain, CPO Levent Besik; a June 8, 2026 board change (a Thoma Bravo designee seat) is routine and not a disagreement. SailPoint Investor Relations / Q1 FY2027 results, https://investors.sailpoint.com/ (accessed 2026-06-17). ↩
21. Saviynt homepage, hero "We Deliver Enterprise Control Over AI." with sub-headline "Build and deploy AI innovation with complete confidence. Saviynt secures every identity — human, non-human, and AI."; section pillar "See. Enforce. Govern. Every AI agent, everywhere, for every action."; tagline "Identity security for AI. AI for Identity Security." https://saviynt.com/ (accessed 2026-06-17). ↩
22. Saviynt raised USD 700M at a ~USD 3B valuation in a round led by KKR that closed 2025-12-09, with Sixth Street, TenEleven, and Carrick participating. Named-outlet funding coverage (December 2025); https://saviynt.com/ (accessed 2026-06-17). ↩
23. CyberArk Identity Security Platform, platform pillar "Secure every identity — human, machine and AI — with the right level of privilege controls."; supporting line "Seamlessly secure identities throughout the cycle of accessing any resource across any infrastructure, including hybrid, SaaS and multi-cloud." https://www.cyberark.com/ (accessed 2026-06-17). ↩
24. Palo Alto Networks completed its acquisition of CyberArk on 2026-02-11 in a transaction valued at ~USD 25B (USD 45.00 cash plus 2.2005 PANW shares per CyberArk ordinary share; 99.8% shareholder approval), naming CyberArk its Identity Security pillar; verbatim rationale: the addition "enables Palo Alto Networks to secure every identity across the enterprise — human, machine, and agentic." Palo Alto Networks, "Palo Alto Networks Completes Acquisition of CyberArk to Secure the AI Era," 2026-02-11. https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-cyberark-to-secure-the-ai-era (accessed 2026-06-17). ↩
25. BeyondTrust homepage, verbatim pillar "BeyondTrust discovers agentic identities across AWS, Azure, Google, OpenAI, Salesforce, and ServiceNow, then enforces the same privilege controls that secure your human administrators." https://www.beyondtrust.com/ (live homepage pillar retrieved via search index 2026-06-17; the vendor surface returns HTTP 403 to direct automated fetch) (accessed 2026-06-17). ↩
26. BeyondTrust has been majority-owned by Francisco Partners since 2018 (Clearlake Capital minority); ~USD 500M ARR by widely-cited reporting; Francisco Partners is reportedly exploring a multi-billion-dollar sale of the company — an early-stage process, no transaction announced, consistent with a hold past the typical PE duration. Flagged per §2.4b as sourced exit-pressure to watch, not a casualty or distress assertion. Named-outlet reporting (Reuters / Bloomberg-type coverage of the exploration); https://www.beyondtrust.com/ (accessed 2026-06-17). ↩
27. Delinea homepage, hero "The future of identity security is continuous" and tagline "Access granted isn't access secured. Delinea continuously authorizes every identity, session, and action — protecting your human and agentic workforce with control that goes far beyond login."; platform "powered by Iris AI." https://delinea.com/ (accessed 2026-06-17). ↩
28. Delinea (Thycotic + Centrify post-merger, TPG-backed) acquired StrongDM — announced 2026-01-15, completed 2026-03-05, terms undisclosed — unifying its PAM heritage with StrongDM's just-in-time runtime-authorization layer for non-human and AI-agent access ("Delinea Iris AI"). Named-outlet acquisition coverage (January–March 2026); https://delinea.com/ (accessed 2026-06-17). ↩
29. Astrix Security homepage, hero "Discover, secure, and deploy AI agents responsibly across the enterprise"; tagline "AI Agents + NHIs > Humans"; pillars "Discover. Secure. Deploy." and "Secure the Identities that Matter"; framing that the vast majority of non-human identities are ungoverned. https://astrix.security/ (accessed 2026-06-17). ↩
30. Cisco completed its acquisition of Astrix Security (a non-human-identity pure-play) at a figure reported at ~USD 400M, announced May 2026, folding NHI discovery, lifecycle, and threat detection into Cisco Identity Intelligence (alongside Duo, Secure Access, and Splunk); Astrix had raised ~USD 85M total, anchored by a USD 45M Series B (December 2024) with Menlo Ventures among investors. SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," 2026-05-06, https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ ; https://www.crunchbase.com/organization/astrix-security (accessed 2026-06-17). ↩
31. Aembit homepage, hero "IAM for Agentic AI" with line "Aembit enforces access to sensitive data and accelerates AI use with confidence through policy, context, and audit based on unique agent identities."; pillars "Secretless Authentication," "Secure Autonomy," "Access, Not Secrets or Certs," "Policy-Driven, Not Script-Driven," "Cloud-Native, Enterprise-Grade" (SOC 2 and ISO 27001 certified). https://aembit.io/ (accessed 2026-06-17). ↩
32. Aembit has raised approximately ~USD 45M in total, anchored by a USD 25M Series A (September 2024) led by Acrew Capital, with CrowdStrike among its investors alongside Ballistic Ventures and Ten Eleven Ventures; "IAM for Agentic AI" positioned as generally available in 2026. CrowdStrike separately agreed to acquire SGNL for a sum reported at ~USD 740M (announced 2026-01-08). Named-outlet funding coverage (September 2024); https://aembit.io/ ; https://www.crunchbase.com/organization/aembit (accessed 2026-06-17). ↩
33. Palo Alto Networks completed its ~USD 25 billion acquisition of CyberArk on 2026-02-11, naming Identity Security a core platform pillar. Verbatim: the addition of the CyberArk Identity Security Platform "enables Palo Alto Networks to secure every identity across the enterprise — human, machine, and agentic." CyberArk shareholders received USD 45.00 in cash plus 2.2005 PANW shares per ordinary share; closed following U.S., EU, UK, and Israel regulatory clearances. Palo Alto Networks is characterized primarily in Front 5; in Front 8 it appears only as the acquirer of CyberArk. Palo Alto Networks, "Palo Alto Networks Completes Acquisition of CyberArk to Secure the AI Era," 2026-02-11, https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-cyberark-to-secure-the-ai-era (accessed 2026-06-17). ↩
34. CrowdStrike announced its ~USD 740 million acquisition of SGNL on 2026-01-08 (predominantly cash) and shipped "Continuous Identity for AI Agents" at Identiverse on 2026-06-15. Verbatim rationale: the deal accelerates "Next-Gen Identity Security, enabling access for human, non-human (NHI), and AI identities to be continuously granted and revoked based on real-time risk." CrowdStrike is characterized primarily in Front 5; in Front 8 it appears only as the acquirer of SGNL. CrowdStrike, "CrowdStrike to Acquire SGNL to Transform Identity Security for the AI Era," 2026-01-08, https://www.crowdstrike.com/en-us/press-releases/crowdstrike-to-acquire-sgnl-to-transform-identity-security-for-ai-era/ (accessed 2026-06-17); CNBC, "CrowdStrike buys identity security startup SGNL for $740 million," 2026-01-08, https://www.cnbc.com/2026/01/08/crowdstrike-ai-cybersecurity-sgnl-acquisition.html (accessed 2026-06-17). ↩
35. Cisco announced its acquisition of Astrix Security (~USD 400 million), a non-human-identity pure-play, in May 2026 (announced 2026-05-04), to secure the "agentic workforce" of autonomous AI agents and fold NHI discovery, lifecycle, and threat detection into Cisco Identity Intelligence (with Duo, Secure Access, and Splunk). Astrix had raised a $45M Series B in December 2024 (Menlo Ventures; ~$85M total). Cisco is characterized primarily in Front 5; in Front 8 it appears only as the acquirer of Astrix. This same event is referenced as a §8.3 Wildcard card (Astrix the vendor) and here as a §8.4 Play (the Cisco/Astrix move) — one event, two angles. SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," 2026-05-06, https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ (accessed 2026-06-17). ↩
36. Microsoft Entra Agent ID reached general availability in April 2026, making AI-agent identities a first-class construct inside Agent 365 (governance-for-agents GA early May 2026; previewed at RSAC March 2026). Microsoft is characterized primarily in Front 5; in Front 8 it appears only as the build-not-buy identity move. Microsoft Learn / Tech Community, "Microsoft Entra Agent ID," 2026, https://learn.microsoft.com/en-us/entra/identity/ (accessed 2026-06-17). ↩
37. Delinea (private; Thycotic + Centrify; TPG-backed) completed its acquisition of StrongDM (announced 2026-01-15, completed 2026-03-05; terms undisclosed), unifying PAM with just-in-time runtime authorization for non-human and AI-agent access under the "Delinea Iris AI" banner. Delinea / GlobeNewswire, StrongDM acquisition, completed 2026-03-05, https://delinea.com/news (accessed 2026-06-17). ↩
38. BeyondTrust (private; Francisco Partners majority since 2018, Clearlake minority; ~$500M ARR): Francisco Partners is reportedly exploring a multi-billion-dollar sale of BeyondTrust (early-stage, no deal announced) — sourced but unconsummated, framed here as a §2.4b exit-pressure watch item, not a distress assertion. First reported by Bloomberg (2025-08-13); Private Equity Wire and CyberExperts coverage, https://www.privateequitywire.co.uk/ (accessed 2026-06-17). ↩
39. SailPoint (NASDAQ: SAIL): returned to the public markets after its Thoma Bravo ownership period; Q1 FY2027 revenue $280M (+22% YoY), ARR $1.163B (+26% YoY); ~$14.80/share as of 2026-06-15 (52-week range $10.30–24.95). SailPoint investor relations and stockanalysis.com/stocks/sail, June 2026 (accessed 2026-06-17). ↩
40. Saviynt (private; cloud-first IGA): raised USD 700 million at roughly a USD 3 billion valuation in a KKR-led round that closed 2025-12-09 (Sixth Street, TenEleven, and Carrick also participating), with the AI-identity-governance thesis as its explicit pitch. Saviynt press release and SecurityWeek, "Saviynt Raises $700M," 2025-12-09, https://saviynt.com/press-release (accessed 2026-06-17). ↩
41. Aembit (private; "IAM for Agentic AI" / workload-identity platform): ~$45M raised (Series A $25M, September 2024); investors include CrowdStrike, TenEleven, and Ballistic Ventures. The CrowdStrike strategic-investor tie is noted as a forward-looking M&A watch item given CrowdStrike's own SGNL acquisition. Aembit, company and funding pages, September 2024, https://aembit.io/ (accessed 2026-06-17). ↩
42. Okta (NASDAQ: OKTA): independent public company; FY2026 revenue ~USD 2.919 billion (+12% YoY); FY2027 guide $3.185–3.205B. Acquired Axiom Security (PAM/NHI) for ~$100M in August 2025. Okta FY2026 8-K, sec.gov/Archives/edgar/data/0001660134 (accessed 2026-06-17); Okta newsroom, Axiom Security acquisition, August 2025, https://www.okta.com/newsroom/ (accessed 2026-06-17). ↩
43. CyberArk (was NASDAQ: CYBR): acquired by Palo Alto Networks for ~USD 25 billion, completed 2026-02-11 (99.8% shareholder approval); now PANW's Identity Security pillar. A consolidation exit at a premium price, not a distress event. Palo Alto Networks, "Completes Acquisition of CyberArk," 2026-02-11, https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-cyberark-to-secure-the-ai-era (accessed 2026-06-17). ↩
44. SailPoint (NASDAQ: SAIL): re-IPO'd from Thoma Bravo; Q1 FY2027 revenue $280M (+22% YoY), ARR $1.163B (+26% YoY). A June 8, 2026 board change (Thoma Bravo designee) is routine and explicitly not a disagreement. SailPoint IR and stockanalysis.com/stocks/sail, June 2026 (accessed 2026-06-17). ↩
45. BeyondTrust (private): Francisco Partners majority since 2018 (Clearlake minority); ~$500M ARR. Francisco Partners reportedly exploring a multi-billion-dollar sale — sourced, unconsummated, past a typical 3–7 year PE hold. Framed as a §2.4b exit-pressure flag, not a distress assertion. First reported by Bloomberg (2025-08-13); Private Equity Wire and CyberExperts coverage, https://www.privateequitywire.co.uk/ (accessed 2026-06-17). ↩
46. Saviynt (private): raised USD 700 million at ~USD 3 billion valuation, KKR-led, closed 2025-12-09 (Sixth Street, TenEleven, Carrick). The war-chest high mark of the front. Saviynt press release and SecurityWeek, 2025-12-09, https://saviynt.com/press-release (accessed 2026-06-17). ↩
47. Delinea (private; TPG-backed): acquired StrongDM (announced 2026-01-15, completed 2026-03-05; terms undisclosed) to unify PAM with JIT runtime authorization for NHI/AI-agent access. An active acquirer, not a target. Delinea / GlobeNewswire, completed 2026-03-05, https://delinea.com/news (accessed 2026-06-17). ↩
48. Astrix Security (was independent NHI pure-play): acquired by Cisco for ~USD 400 million, announced May 2026 (2026-05-04); had raised a $45M Series B in December 2024 (Menlo Ventures; ~$85M total). A consolidation exit / graduation into a platform, not a distress event. SecurityWeek, "Cisco Moves to Acquire Astrix Security," 2026-05-06, https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ (accessed 2026-06-17). ↩
49. Aembit (private): ~$45M raised; Series A $25M (September 2024); investors include CrowdStrike, TenEleven, and Ballistic Ventures. Still independent; the CrowdStrike tie is a forward M&A watch item. Aembit, company and funding pages, September 2024, https://aembit.io/ (accessed 2026-06-17). ↩
50. Palo Alto Networks completed its ~USD 25 billion acquisition of CyberArk on 2026-02-11, naming Identity Security a core platform pillar. Verbatim: the addition of the CyberArk Identity Security Platform "enables Palo Alto Networks to secure every identity across the enterprise — human, machine, and agentic." CyberArk shareholders received USD 45.00 in cash plus 2.2005 PANW shares per ordinary share; the transaction closed following U.S., EU, UK, and Israel regulatory clearances. Palo Alto Networks is characterized primarily in Front 5; in Front 8 it appears only as the acquirer of CyberArk. Palo Alto Networks, "Palo Alto Networks Completes Acquisition of CyberArk to Secure the AI Era," 2026-02-11, accessed 2026-06-17. https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-cyberark-to-secure-the-ai-era ↩
51. CrowdStrike announced its ~USD 740 million acquisition of SGNL (a "Continuous Identity" vendor) on 2026-01-08, predominantly cash, and shipped "Continuous Identity for AI Agents" at Identiverse on 2026-06-15. Verbatim rationale: the deal accelerates "Next-Gen Identity Security, enabling access for human, non-human (NHI), and AI identities to be continuously granted and revoked based on real-time risk." CrowdStrike is characterized primarily in Front 5; in Front 8 it appears only as the acquirer of SGNL. CrowdStrike, "CrowdStrike to Acquire SGNL to Transform Identity Security for the AI Era," 2026-01-08, accessed 2026-06-17. https://www.crowdstrike.com/en-us/press-releases/crowdstrike-to-acquire-sgnl-to-transform-identity-security-for-ai-era/ ; CNBC, "CrowdStrike buys identity security startup SGNL for $740 million," 2026-01-08, accessed 2026-06-17, https://www.cnbc.com/2026/01/08/crowdstrike-ai-cybersecurity-sgnl-acquisition.html ↩
52. Cisco announced its acquisition of Astrix Security (~USD 400 million), a non-human-identity pure-play, in May 2026 (announced 2026-05-04), to secure the "agentic workforce" of autonomous AI agents and fold NHI discovery, lifecycle, and threat detection into Cisco Identity Intelligence (alongside Duo, Secure Access, and Splunk). Astrix had raised a $45M Series B in December 2024 (Menlo Ventures; ~$85M total). Cisco is characterized primarily in Front 5; in Front 8 it appears only as the acquirer of Astrix. SecurityWeek, "Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks," 2026-05-06, accessed 2026-06-17. https://www.securityweek.com/cisco-moves-to-acquire-astrix-security-to-tackle-non-human-identity-risks/ ↩
53. Microsoft Entra Agent ID reached general availability in April 2026, making AI-agent identities a first-class construct inside Agent 365 (governance-for-agents GA early May 2026; previewed at RSAC March 2026). Microsoft is characterized primarily in Front 5; in Front 8 it appears only as the build-not-buy identity move. Microsoft Learn / Tech Community, "Microsoft Entra Agent ID," 2026, accessed 2026-06-17. https://learn.microsoft.com/en-us/entra/identity/ ↩
54. Okta reported FY2026 revenue of ~USD 2.9 billion (up ~12% YoY) and guided FY2027 to ~USD 3.185–3.205 billion; in August 2025 Okta acquired Axiom Security (privileged access / non-human identity) for a figure reported at ~USD 100 million, extending toward the PAM and NHI disciplines. Okta Investor Relations / FY2026 results, https://investor.okta.com/overview/default.aspx ; named-outlet coverage of the Axiom Security acquisition (August 2025), accessed 2026-06-17. ↩
55. As of 2026-06-17, six of the eight identity-native vendors graded in §8.3 lead their live homepages with the human-machine-AI identity triad — Okta ("Okta secures AI. And every other identity, from machine to human."), SailPoint ("identity-first security for humans, machines, and AI"), Saviynt (securing "every identity — human, non-human, and AI"), Delinea (protecting "your human and agentic workforce"), CyberArk ("secure every identity — human, machine and AI"), and Aembit ("IAM for Agentic AI"). Vendor homepages, accessed 2026-06-17. https://www.okta.com/ ; https://www.sailpoint.com/ ; https://saviynt.com/ ; https://delinea.com/ ; https://www.cyberark.com/ ; https://aembit.io/ ↩
56. Aembit (private; "IAM for Agentic AI" / workload-identity platform): ~USD 45 million raised, anchored by a USD 25 million Series A (September 2024); investors include CrowdStrike, Ten Eleven Ventures, and Ballistic Ventures; "IAM for Agentic AI" positioned as generally available in 2026. The CrowdStrike strategic-investor tie is noted as a forward-looking M&A watch item given CrowdStrike's own ~$740 million SGNL acquisition (announced 2026-01-08). Aembit Series A coverage, September 2024, https://aembit.io/ ; https://www.crunchbase.com/organization/aembit, accessed 2026-06-17. ↩
57. Saviynt raised USD 700 million at a ~USD 3 billion valuation in a KKR-led round that closed 2025-12-09 (Sixth Street, TenEleven, and Carrick participating), on an explicit AI-identity-governance pitch. SailPoint (NASDAQ: SAIL) returned to the public markets and reported Q1 FY2027 revenue of USD 280 million (+22% YoY) and ARR of USD 1.163 billion (+26% YoY). On the NHI lens, Grand View Research sizes non-human identity access management at USD 12.44 billion in 2026 reaching USD 27.33 billion by 2033 at 11.9% CAGR, while MarketsandMarkets sizes a narrower NHI scope at USD 9.45 billion (2024) → USD 18.71 billion (2030); the figures diverge most by definition. Named-outlet funding coverage (December 2025); SailPoint Investor Relations / Q1 FY2027 results, https://investors.sailpoint.com/ ; Grand View Research, "Non-Human Identity Access Management Market," https://www.grandviewresearch.com/industry-analysis/non-human-identity-access-management-market-report, accessed 2026-06-17. ↩
58. BeyondTrust (private): majority-owned by Francisco Partners since 2018 (Clearlake Capital a minority holder); ~USD 500 million in ARR by widely-cited reporting; Francisco Partners is reportedly exploring a multi-billion-dollar sale of the company — an early-stage process, no transaction announced, consistent with a hold past a typical 3–7 year private-equity duration. Flagged per §2.4b as sourced exit-pressure to watch, not a casualty or distress assertion. Delinea (TPG-backed) separately completed its acquisition of StrongDM (announced 2026-01-15, completed 2026-03-05; terms undisclosed), unifying PAM with just-in-time runtime authorization for non-human and AI-agent access. Named-outlet reporting (Private Equity Wire / Reuters-type coverage of the exploration), https://www.privateequitywire.co.uk/ ; Delinea / GlobeNewswire, StrongDM acquisition, https://delinea.com/news, accessed 2026-06-17. ↩
59. PAM grows fastest of the established disciplines — Mordor Intelligence sizes the PAM market at USD 5.17 billion in 2026 (from USD 4.25 billion in 2025) reaching USD 13.83 billion by 2031 at a 21.72% CAGR; the broad IAM aggregate (access-management-dominated) grows slowest off the largest base (Grand View Research: USD 29.68 billion in 2026 → USD 62.90 billion by 2033 at 11.3% CAGR). Mordor Intelligence, "Privileged Access Management (PAM) Market," https://www.mordorintelligence.com/industry-reports/privileged-access-management-pam-market ; Grand View Research, "Identity And Access Management Market Size Report, 2033," https://www.grandviewresearch.com/industry-analysis/identity-and-access-management-iam, accessed 2026-06-17. ↩
60. Acquirer press releases, SEC Form 8-K filings, and named-outlet M&A coverage are the public source class for any fourth-platform identity acquisition. SEC EDGAR full-text search, accessed 2026-06-17. https://www.sec.gov/edgar/search/ ↩
61. Quarterly earnings disclosures and investor materials from Palo Alto Networks, CrowdStrike, Cisco, and Microsoft are the public source class for any named agent-identity / NHI / ITDR attach metric reported as a disclosed growth driver. Company investor-relations pages and SEC filings, accessed 2026-06-17. https://investors.paloaltonetworks.com/ ; https://ir.crowdstrike.com/ ; https://investor.cisco.com/overview/default.aspx ; https://www.microsoft.com/en-us/investor/default ↩