Insider Risk Management (IRM) is the discipline of detecting, investigating, and acting on risks created by people inside an organization who have legitimate access to data, systems, and decisions. The buyer noun is people — who, what, why, when — not data flows (DLP) or data at rest (DSPM). The architectural anchor is behavioral and contextual analysis of signals ingested from communication, file, identity, and endpoint surfaces, then scored against role-baselines and policy templates that produce alerts a human reviewer triages into cases.

Where the categories overlap. IRM overlaps with DLP on context-aware enforcement, with DSPM on access-pattern visibility, and with SOC platforms on case orchestration. The category test is which question a vendor's product actually answers: IRM answers who is doing what, and why; DLP answers what data is moving where; DSPM answers what data exists, and who can reach it. When a vendor's hero page claims all three, the practical test is which question their pricing, sales motion, and alert experience are actually built around.

The IRM category sits in the people / detect-and-review quadrant. DLP and DSPM share the data side; SOC platforms sit above as cross-domain case orchestrators. UEBA is a signal source to IRM, not a peer category.

What IRM IS. A behavioral and policy-driven workflow for risks where a known identity does a thing — exfil before resignation, sharing IP with a personal account, abnormal access to a sensitive folder, prompt-injecting sensitive content into a public LLM, escalating privilege without ticketed justification. It is policy-template driven (departing-user template, priority-user template, AI-usage template) and produces case files reviewers work in collaboration with HR and Legal.

What IRM IS NOT. Not a SIEM (correlates external threats too), not a DLP (here, enforcement is human-reviewer notification or HR escalation, not inline block), not a UEBA tool alone (those are an input signal, not the workflow), and not a SOAR (the playbooks here cross HR and Legal, not just SecOps).

Three common buyer misconceptions. First: "we already have DLP, we don't need IRM." DLP fires on data movement; IRM fires on a person's risk trajectory across many movements and signals, including ones DLP doesn't see. Second: "IRM is just employee monitoring with extra steps." The privacy-by-design posture of the modern category (Microsoft Purview pseudonymizes by default per its product docs ¹; DTEX cites a "privacy-first" architecture ²) is the difference between IRM and 2010s surveillance tooling. Third: "AI agents aren't insiders." Above Security's funding thesis (March 2026, $50M Series A ³) and Microsoft Purview's new "Risky Agents" policy template ⁴ both treat non-human identities as in-scope; this is becoming consensus.

Market sizing. Two estimates worth naming side-by-side, not averaged: Custom Market Insights projects $4.5B in 2026 with a 12.6% CAGR through 2035 ⁵; Future Market Insights projects $3.2B in 2025 growing to $10.3B by 2035 at 12.5% CAGR ⁶. Both sources are private firms and not endorsed by Gartner or IDC; the 2026 Gartner Market Guide for IRM Solutions (the most-cited primary analyst document in vendor marketing) does not publish a sizing number in the publicly accessible material ⁷. The takeaway is not a precise number — it is that two independent forecasters land within ~30% of each other in the same year, and both project a sustained low-teens CAGR. The market is mid-sized, growing steadily, and consolidating buyers who previously held DLP and IRM as separate line items.

Buyer trends. Three signals shape the 2026 buyer. First, the CISO consolidation push: the buyer increasingly evaluates IRM as a module of a broader data-security or human-risk platform, not as a standalone PO. Mimecast's acquisition of Code42 (July 2024 ⁸) and Proofpoint's positioning of ITM inside its email/data platform ⁹ both indicate this. Second, the AI-usage policy template has become table-stakes — Microsoft Purview has shipped both "Risky AI usage" and "Risky Agents (preview)" templates ⁴; Cyberhaven, DTEX, and Above all lead with AI-actor framing in their 2026 messaging ¹⁰²³. Third, privacy-by-design is no longer a differentiator — it is a deal-disqualifier if absent, particularly for EU buyers under GDPR and (increasingly) the EU AI Act.

User trends. The end-user experience IRM tools touch has bifurcated. Reviewers (SOC analysts plus HR partners plus Legal counsel) want a single case file with the narrative of risk — what happened, in what order, with what context — not a stream of disconnected alerts. The "Triage Agent" UX in Microsoft Purview ⁴ and the "Linea AI Analyst Agent" autonomous-investigation pattern in Cyberhaven ¹⁰ are both responses to alert-fatigue at the reviewer tier.

Tech trends. Behavioral analysis engines have shifted from rule-and-anomaly architectures to LLM-driven semantic understanding of content (Cyberhaven Large Lineage Models ¹⁰; DTEX behavioral intelligence engine ²; Above's "thousands of AI agents" model ³). The shared technical claim is that LLMs reduce false positives by understanding what the content is and why the user touched it, not just that a file moved. Whether this delivers the 90%-FP-reduction numbers some vendors quote in practice is a separate question; the architecture shift is real.

Regulatory trends. Three items shape 2026: EU AI Act enforcement on high-risk automated decision systems (in scope where IRM scores influence HR action); HIPAA / HITECH templates for healthcare insider risk (Microsoft Purview's "Patient data misuse (preview)" template ⁴); and the maturation of insider-threat reporting expectations for US federal contractors via NITTF / E.O. 13587 lineage, which is where Everfox's heritage sits.

Eight vendors selected for this chapter, distributed across three tiers: 3 Gravity (public or post-$100M private), 4 Attention (analyst-mentioned, growing), and 1 Wildcard (seed or early Series A).

Author's read of public material, May 2026. Vendor positions are conceptual, not data-derived. Color-coding by tier: amber for Gravity (incumbents), green for AI-native challengers, grey for specialists and Wildcards. Not investment advice.

"Microsoft Purview Insider Risk Management is a compliance solution that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization." — Microsoft Learn product docs, accessed 2026-05-11 ¹¹

Purview IRM is the volume leader by distribution reach. Distribution is bundled inside Microsoft 365 E5 and Purview SKUs; the buyer rarely makes a standalone IRM purchase decision — IRM activates as part of a broader Purview rollout. Stated USP is the breadth of Microsoft 365 + Graph signal coverage and a library of pre-built policy templates (twelve listed in current docs including "Data theft by departing users," "Risky AI usage," and "Risky Agents (preview)" ¹¹). Target buyer is the CISO at a Microsoft-standard enterprise, with the actual purchasing motion routed through the M365 contract. Pricing signal: bundled inside E5 + per-user Purview add-on; not separately listed. Architectural classification: cloud-native, signal-rich, Microsoft-tenant-bounded. Published-material tier: heavy — product docs, Mechanics videos, Gartner Peer Insights presence, PwC co-published rollout playbook ¹¹.

Varonis

"Confidently adopt AI, reduce data exposure, and stop AI-powered threats, automatically." — Varonis homepage, accessed 2026-05-11 ¹²

Varonis is the publicly-traded data-security veteran (NASDAQ: VRNS) whose insider-risk capability ships inside its Data Security Platform and its Managed Data Detection and Response (MDDR) service. Q4 2025 results: total ARR $745.4M up 16% YoY; SaaS ARR $638.5M (86% of total ARR), 32% YoY growth excluding conversions ¹³. The IRM message lives under the wider "data security" umbrella; the company's hero positioning is data and AI security, not insider risk per se. Stated USP is depth of permissions and access-graph telemetry on Microsoft 365, Salesforce, and adjacent SaaS — the "who can access what, and who actually did" data. Target buyer is the enterprise data-security buyer in regulated industries. Pricing signal: subscription per data store, list pricing not public. Architectural classification: SaaS-platform-first as of FY2025 transition; hybrid deployment with Azure-hosted analytics plane and customer-side Collectors for on-prem data sources. Published-material tier: heavy — earnings transcripts, S-1 / 10-K disclosure, analyst coverage.

Proofpoint (Insider Threat Management, formerly ObserveIT)

"Contain Insider Threats. Proofpoint insider threat management (ITM) provides visibility into risky behavior that leads to business disruption and revenue loss by careless, malicious and compromised users." — Proofpoint ITM product page, accessed 2026-05-11 ¹⁴

Proofpoint acquired ObserveIT in 2019 for $225M, taking ITM private inside the Proofpoint email-security platform; Thoma Bravo subsequently took Proofpoint private in 2021 at $12.3B ¹⁵. As of mid-2026, Proofpoint is publicly signaling IPO intent and has announced a $1B+ acquisition of Hornetsecurity to fuel European scale ¹⁶. ITM positioning inside the Proofpoint platform leads with endpoint visibility and screen-record forensic evidence — the heritage UX from ObserveIT. Stated USP is unified email + endpoint + cloud visibility for user-centric risk. Target buyer is the email-security-led CISO who has standardized on Proofpoint. Pricing signal: per-user, bundled into Proofpoint platform pricing, not public. Architectural classification: hybrid endpoint + cloud, with the heaviest forensic-evidence experience among the Gravity tier. Published-material tier: heavy — press releases, layoff disclosures via named outlets, Thoma Bravo portfolio commentary.

"Secure Data. Secure AI. Cyberhaven's AI & data security platform unifies DSPM, DLP, Insider Risk, and AI Security to protect data wherever it lives and goes across endpoints, cloud, on-prem, SaaS, and AI tools." — Cyberhaven homepage, accessed 2026-05-11 ¹⁷

Cyberhaven's $100M Series D in April 2025 at $1B valuation ¹⁸ crossed the post-$100M-private threshold but the company's positioning and analyst footprint still sit in the Attention tier rather than Gravity — it has not been public-vendor-grade in earnings visibility. The product story is a unified DSPM + DLP + IRM + AI-Security platform, which deliberately blurs the front boundaries this report enforces; for IRM purposes, the IRM module is positioned as the "user behavior signal" layer of the wider data-lineage engine. Stated USP is data lineage — the "where did this data come from, who touched it, where is it going" graph — fed into IRM as the why behind a user's actions. Target buyer is the AI-era CISO consolidating multiple data-security line items into one platform. Pricing signal: enterprise subscription, not public. Architectural classification: cloud-analytics, multi-source-collection (endpoints + browser extensions + cloud apps); unified data-lineage engine. Published-material tier: medium — PR Newswire funding announcements, product launch pressers, Latka revenue disclosures ($52.4M FY 2026 ¹⁹).

DTEX Systems

"The Unified Platform for Human + Data + AI Risk. Prevent incidents using the industry's most advanced behavioral intelligence engine." — DTEX homepage, accessed 2026-05-11 ²⁰

DTEX is the AI-era behavioral-intelligence-led IRM contender, anchored by a $50M Series E in March 2024 led by Alphabet's CapitalG at a valuation north of $400M ²¹. The InTERCEPT platform claim is that DLP, UBA, and user-activity-monitoring capabilities are consolidated into a single light-weight endpoint footprint. Stated USP is behavioral intelligence sensitivity at the endpoint without traditional UAM's privacy cost. Target buyer is the enterprise CISO with a stated "insider risk" line item and a preference for behavioral telemetry over content-aware DLP. Pricing signal: per-endpoint, not public. Architectural classification: endpoint-led, behavioral-metadata collection (~500 metadata elements per the vendor); cloud-hosted analytics. Published-material tier: medium — BusinessWire funding announcements, Axios coverage, Gartner Market Guide entries.

Mimecast Incydr (formerly Code42 Incydr)

"Adaptive data protection for a changing world. Get unmatched protection against shadow AI and the changing world of work. Incydr delivers adaptive data protection for and by AI." — Mimecast Incydr product page, accessed 2026-05-11 ²²

Mimecast acquired Code42 in July 2024 (deal value undisclosed ²³). The code42.com domain now 301-redirects to mimecast.com/products/incydr ²⁴, a structural signal worth flagging on its own (see the Mimecast Absorption Thesis below). The Incydr product itself was historically positioned as the mid-market "Insider Risk Cloud" pure-play; under Mimecast it now sits inside a broader Human Risk Management positioning that bundles security awareness training, email, and Incydr behavioral signal. Stated USP under the new positioning is "shadow AI" coverage on endpoint and SaaS. Target buyer is the Mimecast-standard mid-enterprise. Pricing signal: bundled inside Mimecast HRM tiers, not public. Architectural classification: endpoint-agent + cloud-SaaS-API; cloud-analytics plane. Published-material tier: medium — Mimecast press releases, named-outlet acquisition coverage (Dark Reading, StarTribune, The Deal).

Everfox (Insider Threat Solutions, formerly Forcepoint Insider Threat)

TPG acquired the Forcepoint Global Governments and Critical Infrastructure (G2CI) business — which contains the Insider Threat / Cross Domain heritage — from Francisco Partners for $2.45B in Q4 2023; the asset was rebranded Everfox in January 2024 ²⁵. Stated USP is government-grade insider-threat and cross-domain solutions — the NITTF / federal-contractor heritage is the moat, not a side note. Target buyer is the federal civilian, DoD, defense-industrial-base, or government-adjacent regulated enterprise. Pricing signal: enterprise contract, not public. Architectural classification: hybrid on-prem + cloud, government-deployment-hardened. Published-material tier: medium — Washington Technology, GovCon Wire, BusinessWire — federal-trade-press dense, commercial-trade-press thin.

"AI agents are becoming insiders in everything but name." — Aviv Nahum, Co-Founder, quoted in PR Newswire and Ynet News funding coverage, March 2026 ²⁶²⁷

Above Security emerged from stealth in March 2026 with $50M total funding ($7M Seed + ~$43M Series A) led by Ballistic Ventures, Merlin Ventures, and Norwest, with Jump Capital and QPV participating ²⁶. Founders are Aviv Nahum (Unit 81 alum) and Amir Boldo (Unit 49 alum), both Israeli intelligence-veteran lineage. The thesis is that AI agents — non-human identities operating at machine speed across enterprise systems — are insiders in everything but name, and that conventional IRM scoring built around human-baseline behavior misses them entirely. The product claim is rapid deployment "in minutes, without writing a single policy, rule, or configuration" using thousands of AI agents observing both human and machine behavior. Architectural classification: multi-source collection (endpoint + identity + SaaS + AI environments); cloud-hosted AI-investigator fleet. Published-material tier: Wildcard-level — named-outlet coverage (Calcalist, Ynet, PR Newswire, SecurityMEA, StartupHub.ai, Pulse2, Artiverse) but no analyst coverage, no public reference customers named in primary materials, no public pricing.

Four strategic moves in motion across 2026.

Play 1: The Unified Data Security Platform Bundle

• Observation. Cyberhaven launched a unified DSPM + DLP + IRM + AI-Security platform in February 2026 ²⁸. Varonis' SaaS ARR transition (86% of ARR by Q4 2025 ¹³) and its MDDR + Copilot positioning collapse data classification, access governance, and insider-risk telemetry into one subscribable platform. Microsoft Purview houses IRM inside the broader Purview suite by design.
• Participants. Cyberhaven, Varonis, Microsoft.
• Conditional outcome. If the unified-platform pitch displaces standalone IRM line items in 2026 enterprise renewals, the standalone IRM specialists (DTEX, Mimecast Incydr post-absorption, Teramind) face structural buyer-side pressure on renewal pricing. If the platform pitch under-delivers on IRM depth — and reviewer-level UX is the most likely failure mode — specialists retain their lane on the renewal cycle through 2027.
• Evidence. Cyberhaven Fall 2025 product launch page; Varonis Q4 2025 earnings transcript ¹³.

• Observation. Microsoft Purview shipped "Risky AI usage" and "Risky Agents (preview)" policy templates in 2025-2026 ¹¹. Above Security's funding thesis explicitly frames AI agents as insiders ²⁶. Cyberhaven's Linea AI Detection Agent and Linea AI Analyst Agent (announced 2025) reposition the product around AI-native detection and investigation ¹⁷²⁹. DTEX's "Human + Data + AI Risk" homepage tagline as of 2026-05-11 places AI on equal footing with the human-risk category ²⁰.
• Participants. Microsoft, Above, Cyberhaven, DTEX, and increasingly the entire field.
• Conditional outcome. If by Q4 2026 every Gravity-tier vendor has shipped both an AI-usage detection template and an autonomous-agent-investigation experience, AI-actor framing becomes table stakes — no longer a differentiator. If only a subset does (most likely Microsoft, Varonis, Cyberhaven), the AI-actor framing remains a wedge that the platform-incumbents extract more value from than the specialist tier.
• Evidence. Microsoft Learn policy template list ¹¹; Above PR Newswire ²⁶; Cyberhaven Linea product page ²⁹.

• Observation. Everfox's January 2024 rebrand from Forcepoint Federal explicitly anchors the asset in defense-grade insider-threat and cross-domain solutions ²⁵; Everfox subsequently acquired Garrison Technology in June 2024 ³⁰. The federal insider-threat program lineage (NITTF / E.O. 13587) is a different buying motion from commercial IRM.
• Participants. Everfox, with quieter federal exposure from Microsoft (FedRAMP-authorized Purview) and Proofpoint (FedRAMP-authorized email/ITM).
• Conditional outcome. If federal IRM spend continues to grow at the regulatory-driven rate signaled by 2024-2025 budget activity, Everfox's specialist position is structurally protected and the commercial-side IRM platforms cannot economically pursue the same buyer. If federal procurement reorients toward "approved commercial platform" preferences (Microsoft, Proofpoint), Everfox's moat narrows to cross-domain solutions specifically, with the broader insider-threat capability becoming a commercial-platform feature.
• Evidence. Washington Technology January 2024 ²⁵; BusinessWire June 2024 Garrison announcement ³⁰.

• Observation. Proofpoint announced a $1B+ acquisition of Hornetsecurity in May 2025 framed by CNBC as IPO-prep ¹⁶. Proofpoint's CEO publicly signaled return-to-public-markets intent in 2026 ¹⁶. ITM sits inside the Proofpoint platform that would re-IPO.
• Participants. Proofpoint, Thoma Bravo, potential 2026 IPO market window.
• Conditional outcome. If Proofpoint re-IPOs in 2026 with ITM as a named segment, the public-market disclosure cadence raises the analytic visibility of the entire IRM category — earnings transcripts and 10-K segment reporting become a new IRM benchmark alongside Varonis. If the IPO slips to 2027 or the platform is sold rather than IPO'd, ITM remains a sub-line in private-company press cycle.
• Evidence. CNBC May 2025 ¹⁶; Thoma Bravo portfolio commentary ³¹.

Snapshot of recent funding events, valuations, strategic investors, and any documented distress signals across the IRM front. All figures trace to vendor-controlled surfaces, SEC filings, or named-outlet journalism (TechCrunch, Reuters, Bloomberg, Calcalist, BusinessWire, SecurityWeek, PR Newswire, GlobeNewswire). Executive departures appear only when corroborated by two or more named outlets; LinkedIn-only signals are treated as positioning facts, not distress events.

A five-year compression of the IRM money story: Thoma Bravo's $12.3B take-private of Proofpoint in 2021; the late-stage round cluster across DTEX, Cyberhaven, and Mimecast/Code42 in 2024; Cyberhaven crossing $1B in April 2025; the Varonis re-rating in October 2025; and Above Security closing the most recent round, at $50M, in March 2026.

The IRM funding picture splits three ways. Platform-bundled positioning — Microsoft Purview included in M365 E5 — competes on attach, not on IRM ARR; revenue is not separately disclosed ³². The public pure-play — Varonis — re-rated sharply on Oct 28, 2025 after disclosing weaker renewals and ARR conversion in its SaaS transition; the 48.67% single-day drop, the ~5% workforce reduction, and the subsequent securities class action collectively anchor the distress label in row 2 — the only such call in this chapter — to specific cited public events ^{35 36 37}. The VC-funded specialists — Cyberhaven, DTEX, Above Security — raised at progressively richer terms through 2024 – 2026, with Cyberhaven crossing $1B in Apr 2025 ⁴¹ and Above closing the most recent round at $50M in Mar 2026 ²⁶. CapitalG (DTEX) and StepStone (Cyberhaven) both signal late-stage growth-investor conviction in pure-play IRM despite the Varonis re-rating.

Cross-reference. See the Venture Landscape chapter for deep cross-segment analysis. The Cyberhaven $1B Series D anchors Pattern Claim 2 below — on late-stage growth conviction in pure-play data-lineage IRM.

Not investment advice. See Disclosures.

Three themes shape what's winning and losing in IRM today. Each is anchored to public evidence, framed explicitly as opinion, and stated as a falsifiable prediction that the next twelve months will either confirm or refute.

Winners.

• Microsoft Purview Insider Risk Management. Distribution moat via M365 E5 bundling is structural. Policy-template breadth (twelve templates including AI-specific templates ¹¹) is the broadest in the category by published-material count. The Winners label here is opinion-labeled: I read Microsoft's position as winning the default-choice slot in Microsoft-standard enterprises, not winning every IRM deal on technical depth.
• Varonis. Public-market discipline (NASDAQ:VRNS, 16% YoY total ARR growth in Q4 2025, 32% SaaS-ARR growth excluding conversions ¹³) and a successful SaaS-platform transition position Varonis as the most analyzable winner in the Gravity tier — the one whose performance can be tracked quarter-by-quarter rather than inferred from press cycle.
• Cyberhaven. Series D at $1B valuation April 2025 ¹⁸, $52.4M revenue ¹⁹, unified-platform launch February 2026 ²⁸: the company has compounded fundraising, revenue, and product-platform position simultaneously in a 14-month window. Winning the platform consolidation narrative among Attention-tier vendors.

• Proofpoint ITM. A layoff disclosure (280 employees Jan 2024 ⁵⁶) is a real signal but it is an enterprise-level Proofpoint cost action, not an ITM-specific casualty event. A casualty label requires the cited event to anchor a vendor-specific decline; what we have anchors enterprise-level cost discipline pre-IPO. Recategorized as Watch accordingly: track whether the H2 2026 IPO filing names ITM as a growth segment or as a maintenance segment.
• Mimecast Incydr. See Pattern Claim 1. The Watch signal is release-cadence and analyst-entry preservation through Q4 2026.

No IRM Contender earns a Losers label in this chapter. A vendor reaches this section only when a cited public event — layoff, missed quarter, down-round, named executive departure, or customer-churn disclosure — is specific to that vendor's IRM business, not a parent-company-wide action. As of May 2026, no IRM Contender meets that bar. Proofpoint's enterprise-level layoffs appear in Watch above. Code42's acquisition by Mimecast is restructuring, not a distress event. Quarterly refreshes will populate this section if IRM-specific signals emerge.

Five watchlist items for H2 2026.

1. Proofpoint IPO filing. Signal to monitor: S-1 filing date and segment reporting structure. Threshold for re-assessment: ITM named as a reportable segment with discrete revenue disclosure → revisit the Winners block above. Primary source: SEC EDGAR; CNBC Cybersecurity vertical.

1. Mimecast Incydr release cadence. Signal: Mimecast press-release stream and product-doc release notes through Q3-Q4 2026. Threshold: zero standalone "Incydr" branded press releases for two consecutive quarters → Pattern Claim 1's "absorbed" branch is realized. Primary source: Mimecast newsroom; Dark Reading insider-threat coverage.

1. Above Security customer references. Signal: public reference customers, analyst inclusion in Gartner Market Guide or Hype Cycle, and any expansion-round announcement past Q3 2026. Threshold: named Fortune-1000 reference + analyst inclusion → Above moves from Wildcard to Attention tier in the next refresh. Primary source: PR Newswire; Calcalist; Gartner Peer Insights.

1. AI-Agent template proliferation. Signal: which Gravity-tier vendors have shipped an "AI agent monitoring" or "non-human identity insider" capability with a documented detection model. Threshold: by end-2026 if Microsoft Purview and Varonis both have GA capabilities, the AI-actor framing is table-stakes per Pattern Claim 2's first branch. Primary source: vendor docs (Microsoft Learn, Varonis docs); analyst Magic Quadrant updates.

1. Cyberhaven public-market readiness. Signal: revenue trajectory disclosures, expansion fundraising rounds, M&A activity (per Cyberhaven's stated 2025 M&A intent ¹⁸). Threshold: ARR disclosure crossing $100M with sustained 80%+ growth → Gravity-tier reclassification in next refresh; alternatively, an acquisition by a Gravity-tier platform → Pattern Claim 1 generalizes to the Attention tier. Primary source: Cyberhaven press releases; PE/strategic-buyer M&A coverage in Reuters, Bloomberg.