What The Palo Alto–CyberArk Deal Reveals About Identity’s Future

Posted by Tony Bradley, Senior Contributor


When Palo Alto Networks announced its acquisition of CyberArk, many in the cybersecurity world took notice. Not just because it was a high-profile deal between two major players, but because of what it implied: identity is no longer a feature of cybersecurity. It has become the foundation.

This acquisition underscores a shift that’s been building for years — one where identity is not just another layer in the stack, but the connective tissue holding everything else together.

“Much like the way the TCP/IP network layer matured into the application layer a decade ago, identity has evolved into its own logic tier – the fabric that everything else in cybersecurity now relies on,” explains Orchid CEO and co-founder Roy Katmor.

Beyond Perimeter Defense

Traditionally, cybersecurity has focused on keeping bad actors out — building higher walls and more sophisticated detection systems. Firewalls, antivirus tools, and intrusion prevention systems all operate on the assumption that threats are coming from outside the gates. The model assumes the keys are safely in the hands of authorized people, and the real danger lies beyond the perimeter. But today, the most damaging breaches often stem from within: compromised credentials, stale access rights, and unauthorized use of systems by insiders — or those impersonating them.

Credential misuse continues to be the most common entry point in major breaches. It’s easier, quieter, and more scalable than traditional exploits. And as companies adopt more cloud services and remote work structures, the idea of a clear perimeter has all but disappeared.

As I talk with cybersecurity executives, there is increasing consensus around the notion that identity is the perimeter now.

Marc Maiffret, CTO at BeyondTrust, emphasized, “Identity security must be at the core of every modern security strategy.”

The Rise of Identity “Dark Matter”

The problem is, identity ecosystems are sprawling. Most organizations struggle to maintain visibility, especially in large, distributed environments. Shadow IT, legacy applications, outdated documentation, lack of standardization and absence of continuous application inventory all compound the challenge. The results: local accounts, orphaned accounts, over-permissioned users, and service accounts that escape normal governance controls. Together, these form what we call “identity dark matter” — the unseen parts of the access landscape that present real risk but remain unmanaged.

“The more an enterprise evolves, the more this dark matter grows. Every application patch, every regulatory change, every IAM adjustment from an M&A or software refresh only multiplies the blind spots. Complexity doesn’t shrink with scale – it compounds,” added Katmor.

Orchid Security’s State of Identity Security 2025 report shows that in nearly half of enterprise environments, at least one application authentication flow bypasses standard identity providers. In some cases, credentials were stored in plain text or hardcoded in scripts—practices long considered dangerous but still alarmingly common.

Their research also found that basic identity controls — such as login rate limits, password complexity, and account lockout policies — were missing as much as 40% of the time. These gaps aren’t due to negligence so much as complexity. Identity, once managed primarily through a few centralized systems, now stretches across cloud services, legacy applications, and emerging AI systems.

It’s hard to see, harder to manage, and nearly impossible to govern with outdated tools.

The AI Factor

Artificial intelligence is adding even more complexity. Organizations are deploying AI agents to handle everything from software development to customer support to business operations. These agents often require system-level access, API keys, or database credentials to function. But they don’t behave like human users. They don’t clock in, don’t quit and don’t follow geographic or role-based norms.

This shift raises thorny questions about accountability and control: Who is ultimately responsible for an AI agent’s actions? How narrowly should its permissions be defined, and what does “responsible scoping” look like in practice? Can its access remain dynamically aligned with that of its human operator, and, just as critically, can it be revoked the moment the agent becomes a liability?

As AI continues to integrate into core business workflows, these are no longer academic concerns. They’re emerging compliance and security risks. And they demand governance frameworks designed for the speed and scale of machine-based identity. “IAM can’t just evolve, it must be rebuilt as a foundational infrastructure, one that embraces the past, the present and the future,” asserts Katmor.

Identity as Infrastructure

The bottom line is this: we’re in a new era. Identity isn’t a box to check during onboarding or a backend system owned by IT. It’s infrastructure. And like all infrastructure, it requires constant visibility, policy enforcement, and resilience.

Forward-thinking security models now prioritize continuous discovery of identities — both human and machine — across all environments. They map access flows dynamically, monitor for signs of drift or misuse, and enforce policy in real-time.

Identity controls must evolve from static to adaptive, and from reactive to proactive. Reflecting where the market — and the risk — is headed, identity experts suggest that organizations should focus on building a control plane across the full identity estate.

“If you look at the big picture, your network has a control plane, your endpoints have a control plane,” Katmor reminds us, “it’s time for identity to have its control plane as well.”

The Boardroom Is Paying Attention

It’s not just security teams waking up to this shift. Boards, investors, and regulators are also paying attention. New frameworks like NIS2 and PCI DSS 4.0 require detailed audit trails for identity-related activity, including access by AI systems or in unmanaged environments. The SEC’s updated cyber rules also highlight the importance of material risk disclosure, which increasingly includes identity exposure.

In this context, the Palo Alto–CyberArk deal is more than a business strategy. It’s a signpost. Identity is a board-level issue now. And the vendors that enable clarity and control — without adding complexity — will shape the next generation of cybersecurity.

Looking Ahead

Identity-first security isn’t a buzzword. It’s a necessity.

Whether your organization is looking at AI adoption, zero trust frameworks, or compliance readiness, one principle holds true: if you can’t see it, you can’t secure it. Identity is the new infrastructure. And our ability to understand and manage it will define how safe your digital future really is.



Forbes
