Last week, Palo Alto Networks announced its intention to acquire CyberArk for $25B. This is Palo Alto Networks’ first move into the identity security market, and given the size of the reported transaction, it’s a bold and strategic one.
Here at Silverfort, we’ve seen firsthand that identity has become the new perimeter, and the only remaining line of defense for enterprises, both on-prem and in the cloud. This becomes even more true in the AI era. As such, securing identities requires taking a similar approach to what we’ve seen in other areas of cybersecurity like endpoint security or cloud security. It requires a comprehensive platform that enables unified visibility, intelligence, and active protection capabilities. It’s time to move beyond point solutions like PAM, MFA, NHI, CIEM, ITDR or ISPM – and adopt a consolidated approach that solves this problem end to end.
Where does identity security go from here, now that one of the largest cybersecurity companies in the world is making it a priority? In this blog, I’ll share some of my thoughts about this pivotal moment and what the future holds for identity security.
Why is Palo Alto Networks making such a strategic investment in Identity Security?
In Palo Alto Networks’ press release, the company states that this acquisition means “establishing Identity Security as a new core platform”. In addition, CEO Nikesh Arora says: “Our market entry strategy has always been to enter categories at their inflection point, and we believe that moment for Identity Security is now… Today, the rise of AI and the explosion of machine identities have made it clear that the future of security must be built on the vision that every identity requires the right level of privilege controls, not the ‘IAM fallacy’.”
Let’s go through each of these key points:
- The moment for identity security is now: According to research from analyst Francis Odum, 93% of breaches are preventable through improved identity security controls. After years of investing heavily in areas like endpoint, network and cloud security, many organizations now realize that identity security was left behind, with legacy technologies and point solutions, and identity has become the weakest link. One example is the recent attacks on the UK retail sector, which stemmed from a known ransomware group exploiting identities and then moving laterally within targeted environments. Identity creates a sprawling attack surface, but with modern technologies and a platform approach, comprehensive security is finally possible.
- The rise of AI: IBM’s 2025 Cost of a Data Breach report states that 63% of organizations lack AI governance policies. Various teams across the organization are spinning up new AI tools and feeding them with sensitive information, without any real cybersecurity oversight. Outside of human users leveraging AI tools, agentic AI creates an even bigger security challenge. AI agents can’t be protected the same way as humans, but they also don’t behave like the old and predictable “machine identities” that vendors have been working to secure in recent years, meaning they need an entirely different type of protection. The key to securing AI agents lies in treating them as their own category of identity, with dedicated security controls that are designed for addressing their unique nature, and providing the necessary visibility, risk analysis, and access control.
- Explosion of machine identities: Non-human identities (NHIs) like API keys, tokens and service accounts outnumber human users by at least 50:1 in large enterprises, and 80% of those identities have major security posture issues that leave organizations susceptible to common attack techniques. Further, according to our research, only 5.7% of surveyed organizations believe they have good visibility into their non-human identities. Mapping, analyzing and protecting non-human identities is now a top priority for enterprises, and new technologies finally make it possible to achieve it at scale.
- Every identity requires the right level of privilege controls, not the IAM fallacy: While some vendors still try to stitch together IAM, IGA, and PAM and label it “identity security,” the market has gradually realized that identity security requires a more modern approach, and that it’s very different from identity infrastructure. Identity security focuses on protecting identities from compromise, while identity infrastructure (or “IAM”) focuses on managing those identities and their lifecycle. Just like we no longer view cloud security as just a feature of the cloud infrastructure, or endpoint security as a feature of the endpoint itself, it’s becoming clear that identity security must be decoupled from the different silos of the IAM infrastructure to become truly effective. I explain this concept in depth in a recent interview.
Identity security – the next frontier
It’s exciting to witness CyberArk, the company that pioneered the PAM category and played a big role in creating what is now the Identity Security market, get to such an impressive scale. I deeply respect what Udi, Matt and their team have built, and how they helped push the market forward. This acquisition makes it evident that identity security is finally taking center stage, and there’s no slowing down.
The more I speak with customers, the more it’s clear to me that identity security has become the top cybersecurity concern (alongside AI security, and those two are very connected). Now is the time to shift from siloed sub-categories and point solutions like PAM, ITDR, ISPM, NHI, MFA, and IGA to adopting true “Identity Security.” It’s also time for Identity Security to fully decouple from the Identity Infrastructure and become a standalone layer that protects all the different Identity Infrastructure silos with a unified control plane. I am hopeful that Palo Alto Networks will help move the market in this direction and go beyond the traditional PAM market, to join us and others in creating a true Identity Security category and help customers address this critical need end to end. After seeing the exact same evolution in all the other major categories of cybersecurity (endpoint, network, cloud, data, etc.), it’s time for Identity Security to evolve as well and stop lagging.
At Silverfort, we’re proud to be leading this revolution and building the next generation of identity security platforms, which is already trusted by more than 1,000 enterprises including many of the Global Fortune 100. We look at CyberArk’s journey as an inspiration as we continue our own and are excited to see where identity security will go from here!