The Agentic Identity Era Just Got a Price Tag

The most important thing that happened in identity security this week wasn't a breach. It wasn't a new regulation. It was a hiring announcement and an M&A filing. Pay attention to what the market is telling you. Let’s get into it!

Don’t forget to check out the Identity Jedi Store. Digital product

It’s been an interesting couple of weeks

Two things happened in the identity and security space that individually would be significant. Together, they represent a signal that I don’t think we can afford to miss.

The big one: Cisco announced its intent to acquire Astrix Security in a deal valued at up to $350 million. But the second: Dor Fledel ,co-founder of Spera, which became Okta ISPM , announced he's joined Anthropic to lead Enterprise Security Product Management.

One move says AI agent security is now a platform-level problem that major infrastructure vendors are buying their way into. The other says the company building some of the most capable AI in the world just decided enterprise security needs its own product leadership.

Let's talk about what it means.

What Cisco Is Actually Buying

On paper, Cisco is acquiring a non-human identity security startup. But that framing undersells what's actually happening.

Astrix's core capabilities are discovery, lifecycle management, and real-time threat detection for non-human identities, API keys, OAuth tokens, service accounts, and, increasingly, AI agents. Cisco's stated integration path runs directly into Cisco Identity Intelligence and Duo IAM. Platforms your program already touches.

Worth noting: Astrix's Series B was led by Menlo Ventures — a firm that has been closely tracking the NHI and agentic identity space. That's conviction money from people who understand the enterprise security landscape deeply. A $250–350M acquisition off an $85M raise is the market saying the thesis was right.

But here's the framing I'd push back on: this acquisition is less about NHI and more about the AI agent problem that NHI is a symptom of.

NHI governance matters because of the 1-to-N ratio. One AI agent doesn't have a single identity; it spins up multiple service accounts, OAuth tokens, and API keys across multiple systems, often dynamically and without a human in the loop. The governance problem isn't the agent. It's the credential sprawl the agent creates in real time. Cisco's move on Astrix is Cisco acknowledging that the agentic workforce is happening now, and that the identity layer beneath it is currently ungoverned.

And Cisco isn't the only one who figured this out. The NHI space has been quietly building for a few years — Oasis Security, Veza, and Astrix each approached the problem from slightly different angles. Oasis focused on secrets and the service account lifecycle. Veza is built around access intelligence and the data layer. Astrix went after the AI agent and the OAuth attack surface specifically. The standalone NHI vendor era is likely short. ( Veza got scooped by ServiceNow) The question now is which platform absorbs which capability and whether the resulting integrations actually work for practitioners or just look good on a slide.

An integrated platform to manage and secure the NHI layer doesn't just make sense; it's the only architecture that scales. The question for your program isn't whether you need NHI governance. It's whether you'll have it before your next audit or after your next incident.

The Anthropic Hire Nobody in Enterprise Security Is Talking About Yet

Dor Fledel didn't just join a hot AI company. He co-founded Spera, a company purpose-built around identity security posture management, saw it acquired by Okta, where it became Okta ISPM, and then left to lead enterprise security product at Anthropic.

That background matters. ISPM as a category exists because organizations realized they had no systemic way to measure their identity security posture — not just individual vulnerabilities, but the aggregate risk state of the entire identity infrastructure. Dor built a company around solving that. Now he's at Anthropic. Someone who deeply understands how identity risk compounds at scale is going to work for the company that makes the AI your enterprise is about to run everywhere.

So the question I'm sitting with — and I think every practitioner and every vendor in this space should be sitting with — is this: what is Anthropic actually building?

There are two paths. Two very different outcomes.

Path 1 — Anthropic builds enterprise security products. If Claude gets pointed at enterprise security use cases with purpose-built product leadership behind it, the incumbents have a problem. The speed at which Anthropic can iterate and deploy is not comparable to a traditional security vendor. If they go this route, the competitive dynamic in cybersecurity breaks.

Path 2 — Anthropic builds the platform layer. They make the AI consumable by existing security vendors, accelerating what Cisco, CrowdStrike, Okta, SailPoint, and others can build on top of it. This is the rising-tide outcome, Anthropic as infrastructure, not a competitor.

One path disrupts the industry. One path accelerates it. Anthropic hasn't told us which pill they're taking. But hiring an identity security founder with a specific posture management background to lead the product function is not a neutral signal.

Watch this space.

What This Means For Your Program Right Now

If you're an IAM leader, here's the practical read on both moves.

The Cisco announcement just handed you a budget conversation. When a major infrastructure vendor commits up to $350 million for a capability, your leadership team stops asking "do we need this?" and starts asking "why don't we have it?" Use that. Agentic identity governance is no longer a future-state problem; it's a current-state gap with a market-validated price tag. If you've been trying to get NHI on the roadmap, this week's news is your business case.

The Anthropic hire is a longer play, but it points in the same direction: the AI companies are paying serious attention to enterprise security. Either as partners or as competitors. Your organization's ability to govern identity at the speed of AI, not the speed of your legacy IGA platform, is the variable that determines the outcome you experience.

Here's the gap most programs have right now: the access model that worked for human identities wasn't built for agents. Lifecycle processes designed for employees don't account for credentials that spin up and expire in seconds. Audit trails that satisfied your last review don't capture what an AI agent did on behalf of a user across three service accounts at 2am. You're not going to solve that with your current IGA configuration. You need to rethink the governance layer: who owns it, what it monitors, and how it integrates with the platforms your AI agents already run on.

Nobody is shipping you out of this one. You have to build your way through it. And this week, the market put $350 million and a founder-executive on notice that it's time to solve it.

Silverfort acquired Fabrix Security to build what it's calling the first autonomous runtime identity security platform — combining Silverfort's Runtime Access Protection with Fabrix's AI decisioning engine to govern human, machine, and agentic identities in real time. The thesis: static rules can't keep pace with agentic access. Worth watching how this integrates

Google Cloud introduced Agent Identity, a new capability providing agents unique identities with specific authentication flows and scoped human delegation, alongside Agent Gateway, which enforces policy for all agent-to-agent and agent-to-tool connections, including MCP and Agent2Agent protocols. The hyperscalers are building their own agentic identity layer. Your IGA vendor's roadmap just got more complicated —- yeaaah..I’m coming back to this!

A new CSA report found that most AI agents don't operate as distinct identities; instead, they exist in an "identity gray area" where organizations don't fully treat them as human users but don't manage them as first-class machine identities either. Only 18% of respondents base an agent's access on agent-specific permissions. The governance gap isn't theoretical anymore

We launched our upgrade to our paid tiers this week, and I’m really excited about it! Mostly because I finally decided to just build the universe I would have wanted when I was coming up in identity. I’m not going to claim to have it all figured out, we are going to make mistakes, we are going to underdeliver at times, that’s just life. BUT what I can promise you is my team, and I are going to put everything we have into it. So whatever tier you are on THANK YOU! It’s not lost on us. And get ready for some cool shit dropping this year!