Three months after the CyberArk acquisition closed, Palo Alto Networks has a new platform name, a redrawn category thesis, and a pointed argument from the top of the house. CEO Nikesh Arora calls the old identity security model the "IAM fallacy": the belief that maintaining a firm divide between a small number of powerful administrators and a much larger number of ordinary users is sufficient protection. At the IMPACT conference today, the company launched Idira, its next-generation identity security platform, as the answer to that fallacy.
The argument is structural, not incremental. Every major breach that Peretz Regev, Chief Product and Technology Officer for Idira, describes follows the same sequence: a stolen credential, lateral movement on standing access that should have expired, privilege escalation, and data exfiltration. Okta, MGM, Microsoft. Different industries, different scales, the same pattern. One overprivileged identity unlocks the enterprise. The platform being announced today is built around the claim that the only fix is eliminating standing privilege entirely, for every identity type, not just administrators.
Every Identity Is Privileged Now
The numbers in Palo Alto's 2026 Identity Security Landscape Report, drawn from 2,930 cybersecurity decision-makers worldwide, make the scale concrete. Machine identities now outnumber human identities 109 to 1, and 79 of those 109 are AI agents. Ninety-one percent of organizations are already running autonomous agents in production. Ninety percent experienced an identity-related breach in the past 12 months; 83% were hit twice or more.
The operational drag compounds the breach risk. Fragmented identity tooling adds 12 hours to every incident response cycle, according to 97% of practitioners in the same survey. Meanwhile, the fastest attackers Unit 42 has observed move from initial foothold to data exfiltration in as little as 72 minutes. Defenders are structurally behind before the alert fires.
"Privilege is no longer reserved for a small class of administrators. It is distributed across the enterprise, quietly and continuously, every second of the day."
Peretz Regev, Chief Product & Technology Officer, Idira, Palo Alto Networks — IMPACT 2026
Idira's response to this is built on three operational layers. Discovery runs continuously, finding every identity, entitlement, and access path across the environment: humans, machines, workloads, secrets, certificates, and AI agents on the network, in the cloud, on servers and endpoints, and in the browser. Control replaces static, always-on accounts with dynamic privileges that exist only in the moment of use, applying zero standing privilege equally to the administrator logging into production, the developer deploying code, and the AI agent calling a tool. Governance automates the identity lifecycle end-to-end, turning compliance from a quarterly exercise into a continuous enforcement loop.
The Platform Integration Claim Has Early Evidence
Idira is positioned as the third core platform alongside Strata, the network security portfolio, and Cortex, the security operations platform. The integration points announced today are specific. Prisma Browser delivers privileged access directly inside the browser where enterprise users work. Prisma AIRS 3.0 natively integrates with Idira to extend privilege controls to AI agents. Cortex receives first-party identity signals from Idira to sharpen detection and trigger automatic privilege-driven response when indicators of compromise surface.
Palo Alto also points to earlier groundwork. At RSA Conference this year, the company launched Next-Generation Trust Security, or NGTS, the first network-native platform to automate certificate lifecycle management and accelerate post-quantum readiness. The relevance: 71% of organizations have not yet automated certificate renewal, and public TLS lifetimes are compressing toward 47 days. NGTS was built on the same identity infrastructure now brought forward under the Idira brand, suggesting the integration roadmap was in motion before the CyberArk acquisition officially closed in February.
Customer evidence cited at launch: Northern Trust improved password compliance by 137%. Panasonic Information Systems rebuilt its security operations around identity. Healthfirst grounded its zero trust program in identity. These are regulated-industry deployments, the exact accounts where CyberArk's installed base is strongest and where any platform transition carries real procurement scrutiny.
The CyberArk Installed Base Is the Actual Test
The tiered upgrade path for existing CyberArk SaaS customers is where the commercial execution gets tested. Traditional PAM customers receive discovery and user experience improvements automatically. Modern PAM customers get zero standing privilege and discovery enhancements at no additional cost. Workforce Access customers receive user experience improvements with options to upgrade further.
That graduated structure is sensible migration design. It also reflects the reality that CyberArk's trust inside financial services, healthcare, and critical infrastructure was earned over years of procurement reviews in environments where a breach is a regulatory event, not just a security incident. Renaming the platform and expanding the category thesis does not automatically transfer that trust. The upgrade path has to work without forcing customers to rebuild what they already rely on.
Two weeks ago, Palo Alto acquired Portkey to put a metering and enforcement layer over AI model traffic. Idira extends that logic one layer deeper: before a model call or an agent action happens, something has to decide whether the identity initiating it has the right to do so. The architecture sketch across Portkey, Idira, and Strata is coherent. Whether the integrations hold at depth in production is a separate question from how they look on a diagram at a customer conference.
What the Platform Philosophy Does Not Resolve
The Idira announcement does not address federation with identity governance systems outside the Palo Alto portfolio. Most enterprise identity programs run Microsoft Entra ID, Okta, SailPoint, or ServiceNow Identity alongside whatever privileged access management tool they standardized on. The zero standing privilege model Idira proposes is architecturally sound. Its reach depends entirely on whether it can enforce policy against identities that authenticate through those external systems, or whether it governs only the identities it directly manages.
A platform that governs agentic identities at scale is the right ambition. A platform that does it only within its own perimeter is a consolidation bet, not a control plane.
Idira is generally available today. Before committing to it as your identity control plane, get a documented answer to one question: does zero standing privilege enforcement extend to identities managed in Entra ID, Okta, and SailPoint without requiring those organizations to consolidate onto Palo Alto infrastructure?
If the honest answer is partial coverage, price the remaining standing privilege exposure against your current breach probability. Ninety percent of your peers got hit last year.
Regev, Peretz. "Idira — Our Journey to Democratize Privilege Controls." Palo Alto Networks Blog, 12 May 2026, paloaltonetworks.com.
Palo Alto Networks. "Palo Alto Networks Introduces Idira: the Next-Generation Identity Security Platform Built for the AI Enterprise." PR Newswire, 12 May 2026, prnewswire.com.
Palo Alto Networks. "2026 Identity Security Landscape Report." Idira by Palo Alto Networks, May 2026, paloaltonetworks.com.
