COMMENTARY: The move by Palo Alto Networks to acquire CyberArk for $25 billion sends an unmistakable message to CISOs: identity security has become the center of the cybersecurity universe.

Palo Alto’s deal underscores an urgent shift away from fragmented tools and static permissions toward unified, real-time governance for every identity, whether that’s human, machine, or AI agents that can initiate transactions, make decisions, and interact with sensitive systems.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

It’s more than a deal; it’s a declaration of what many in identity security have long understood: identity has become the control plane for securing modern multi-cloud, on-prem, and hybrid environments. It validates our new paradigm, as well as the approach that forward-looking organizations have been building toward in recent years.

Meeting these challenges requires a fundamentally different approach to securing identities and runtime access: one that’s identity-first, dynamic, and capable of spanning every identity type, not just humans, across any type of infrastructure, applications, and data.

For security leaders, it’s clear we’re heading toward an identity-first future. Governance must cover every identity type, respond instantly to changing context, and integrate tightly with the broader security ecosystem. Organizations that embrace this approach will better protect sensitive data, maintain compliance, and ensure resilience in AI-driven, cloud-native environments.

The $25 billion price tag on the Palo Alto–CyberArk deal signals that the market has moved fast toward unified identity governance.
Enterprises that act now will secure the perimeter that matters most: identity.

Organizations that fall short risk being left with gaps that adversaries will happily exploit.

Art Poghosyan, co-founder and CEO, Britive

Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Identity becomes the new security perimeter
Today, workloads, applications, and data reside everywhere: on-premises, in multiple clouds, across countless SaaS platforms, and they move constantly. The traditional network perimeter has dissolved, leaving identity as the “connective tissue” that links and secures enterprise IT infrastructure and data.

Every action in this environment, whether it’s a human accessing a SaaS dashboard, a containerized service calling an API, or an AI agent executing a task, flows through identity. This makes identity the ultimate control plane.

The challenge for security teams: legacy tools were built for slower-moving, human-centric environments and cannot keep pace with the identity fragmentation, privilege sprawl, and dynamic access needs that define today’s infrastructure. Today, enterprises need a platform capable of governing access for all identities, human, machine, and AI, across every environment.

Three forces accelerating the shift
Several converging forces make this modernization imperative:
- The rise of AI agents: Autonomous or semi-autonomous systems behave like digital employees. They can make decisions, execute actions, and access data without human oversight. While this unlocks incredible efficiency, it also creates governance challenges as agents access resources in potentially unpredictable ways. Aragon Research, a leading authority on AI research, released a major report defining a new category, Agentic Identity and Security Platforms (AISP), designed to secure the rapidly growing presence of AI agents in the enterprise. Their report predicts that there will be more than 1M AI agents per enterprise.
- Ephemeral infrastructure: In cloud-native environments, resources, identities, and credentials can appear and disappear in seconds. Static, point-in-time controls can’t keep up with that level of dynamism.
- Constantly changing access requirements: Context shifts continuously based on a user’s location, the sensitivity of a workload, or time of day, and governance must adjust in real time to match risk.

Close the access-trust gap
In most organizations, outdated identity approaches have created an access-trust gap: the misalignment between the access that’s granted and the actual trustworthiness of the identity holding it.

It’s common for organizations to over-permission identities. Machine accounts often outnumber human identities by 50-to-1 or more, with many retaining standing privileges indefinitely. Shadow AI agents can generate their own credentials, touch sensitive systems, and disappear without a clear audit trail.

Legacy tools weren’t designed to dynamically evaluate context or risk in real time. They rely on static permissions, fragmented policies, and periodic reviews, a model that doesn’t work when identities and privileges are constantly in flux.

Why the Palo Alto–CyberArk deal matters
The Palo Alto–CyberArk acquisition signals a market shift away from stitching together multiple legacy point products for separate use cases toward unified platforms that can manage and govern all identities and privileges centrally. Security leaders are tired of piecing together multiple tools. Today’s teams need unified access control, dynamic least privilege, and real-time governance at enterprise scale.

A unified platform approach promises exactly that:
- Visibility across all identity types and environments.
- Dynamic enforcement of just-in-time, least privilege access.
- Centralized governance that can operate at AI speed.





