TL;DR: Sustained demand for privilege controls across human, machine, and agentic AI identities drove $99 million in record net new ARR, $1.440 billion in total ARR, and $1.267 billion in subscription ARR, while also flagging a planned combination with Palo Alto Networks, according to CyberArk. The numbers point to sustained demand for privilege controls across human, machine, and agentic AI identities, while consolidation raises the bar for governance clarity.
At a glance
What this is: CyberArk’s latest results show strong ARR growth alongside a planned acquisition, with identity security demand expanding across human, machine, and agentic AI use cases.
Why it matters: For IAM teams, this matters because platform consolidation and subscription-led growth are reshaping how NHI, agentic AI, and human identity controls get packaged, governed, and operationalised.
By the numbers:
- Record net new ARR reached $99 million, up 20% year-over-year.
- Total ARR grew 23% year-over-year to reach $1.440 billion.
- The Subscription portion of ARR grew 30% year-over-year to reach $1.267 billion.
👉 Read CyberArk’s full 2025 results and identity security market update
Context
CyberArk’s latest results are not just a financial update. They show that identity security is increasingly being bought as a recurring platform problem, not a point capability problem, with privilege controls now expected to span human identity, machine identity, and agentic AI identities.
The broader governance issue is that enterprise identity programmes are being pulled toward consolidation at the same time that the subject matter is fragmenting. A single control plane now has to cope with service accounts, workload identities, developer access, and emerging AI agent behaviour without blurring the differences between them.
Key questions
Q: How should security teams evaluate identity platform consolidation?
A: Security teams should evaluate whether the combined platform preserves distinct control boundaries for human identity, NHI, and agentic AI. The key test is not feature count but whether lifecycle, privilege, and credential governance remain auditable and enforceable when multiple identity types are managed together.
Q: Why do NHIs need different governance than human identities?
A: NHIs depend on secrets, service accounts, certificates, and workload credentials that often operate without interactive login or user-driven review. That means rotation, offboarding, and visibility have to be designed for non-interactive use, not borrowed from human IAM processes that assume a person is behind the access.
Q: When does subscription-led identity spending become a governance signal?
A: It becomes a governance signal when recurring spend reflects ongoing dependency on access control, credential lifecycle, and privilege management. If the organisation keeps renewing identity tooling, the programme should be proving that controls are still aligned to current identity types and runtime behaviour.
Q: What should organisations do when AI agents are added to identity programmes?
A: They should define whether the agent is governed as a machine identity, an autonomous actor, or a constrained workflow component. That classification determines which controls apply, including privilege limits, logging, approval gates, and offboarding when the task or session ends.
Technical breakdown
Why subscription growth matters for identity security platforms
Subscription growth in identity security usually signals that buyers are moving from tactical projects to ongoing control programmes. In practice, that means organisations are paying for persistent coverage of privileges, credentials, and lifecycle events rather than one-time hardening. The market signal matters because identity risk does not end at deployment. It changes as accounts are created, rotated, delegated, and retired across cloud, SaaS, and development environments. When revenue shifts toward recurring models, practitioners should expect vendors to compete on breadth of governance coverage, not just individual controls.
Practical implication: assess whether your identity programme needs durable lifecycle coverage across NHI, human, and workload access rather than isolated tooling.
Privilege controls across human, machine, and agentic AI identities
Privilege control is the common thread across modern identity security, but the identity subject changes the governance model. Human identities are reviewed through authentication, access policy, and lifecycle controls. NHIs rely on secrets, service accounts, and workload identity, where rotation, visibility, and offboarding are central. Agentic AI adds runtime behaviour that can alter tool use and access paths during execution, which pushes governance beyond static entitlement review. The technical challenge is not just who can sign in, but what can act, with which credentials, and under what runtime constraints.
Practical implication: map each identity class to its own control pattern instead of forcing a single access model across all subjects.
Platform consolidation changes the identity governance operating model
When identity security vendors consolidate, the technical question shifts from feature selection to control coherence. Security teams then have to decide whether a combined platform can preserve clear governance boundaries between secrets management, privileged access, machine identity, and AI-related access. The risk is not only integration complexity. It is also policy drift, where controls become broad enough to look unified but too vague to enforce precisely. For practitioners, consolidation should trigger architecture review, especially where the same platform may now span multiple identity types.
Practical implication: re-evaluate control boundaries, policy ownership, and integration dependencies after any major identity security consolidation.
NHI Mgmt Group analysis
Subscription-led identity security growth shows the market is shifting from product purchase to control dependency. CyberArk’s ARR mix suggests buyers are no longer treating identity security as a narrow category. They are funding recurring control coverage across access, privilege, and lifecycle management. That shift matters because identity risk is operational, not episodic, and recurring spend usually follows recurring governance failure modes.
Identity control is being stretched across three different actor types that cannot be governed the same way. Human identity depends on authentication and access governance, NHI depends on secrets, rotation, and offboarding, and agentic AI introduces runtime decision behaviour that static entitlement models do not capture. A single platform may cover all three, but the governance model must still distinguish them. Practitioners should resist category collapse even when the market encourages it.
Platform consolidation will intensify the need for clearer control boundaries, not fewer of them. As identity security capabilities move into larger suites, the risk is policy dilution across secrets, privileged access, and lifecycle workflows. That creates a governance burden for buyers, who must verify whether the merged stack preserves precise accountability for each identity type. The result is a stronger case for architecture-led procurement and less tolerance for loosely defined identity control claims.
Runtime identity governance is becoming the named concept practitioners should track. The core issue is no longer only entitlement management or secrets rotation in isolation. It is whether access, privilege, and delegation remain governable while identities change state across runtime, lifecycle, and platform boundaries. That is the control problem this market is now monetising, and practitioners should treat it as an operating model question, not a feature checklist.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For the lifecycle detail behind that failure pattern, read Ultimate Guide to NHIs , Why NHI Security Matters Now.
What this signals
Runtime identity governance: procurement and architecture teams should expect identity security consolidation to pull together secrets, PAM, and lifecycle workflows under one buying motion. The programme risk is that integration depth may outpace control clarity, so buyers need evidence that each identity class still has its own enforcement path.
CyberArk’s reported growth aligns with a broader market reality: recurring investment follows recurring identity failure, not one-off incidents. With 91.6% of secrets still valid five days after notification, lifecycle remediation remains too slow for modern access risk, and consolidation will not fix that by itself.
For teams planning the next platform refresh, the key question is whether identity governance can survive category expansion. If the same stack now spans human access, NHI controls, and agentic AI, your operating model needs explicit ownership and evidence mapping across all three.
For practitioners
- Re-baseline identity architecture by actor type Separate human identity, NHI, and agentic AI governance into distinct control patterns before evaluating platforms. Use different ownership, review cadence, and evidence requirements for each subject class so a combined tool does not hide material control differences.
- Test consolidation against control boundaries Review whether a single platform can preserve clear policy separation between secrets management, privileged access, machine identity, and AI-related delegation. If the answer is unclear, require an architectural control map before renewal or expansion.
- Reassess lifecycle coverage for non-human accounts Check whether offboarding, rotation, and recertification processes for service accounts and workload identities still work after recent platform changes or mergers. Evidence should show who owns each step and how revocation is verified.
- Tie AI governance to identity controls If your organisation is piloting or expanding agentic AI, make sure identity governance teams define what runtime access is allowed, what is logged, and what must be revoked when an agent’s task ends.
Key takeaways
- CyberArk’s financial results indicate that identity security is increasingly being treated as a recurring control programme rather than a project.
- The market is consolidating while identity subjects are diversifying, which makes precise governance boundaries more important, not less.
- Practitioners should validate control separation across human, NHI, and agentic AI identities before letting platform consolidation drive architecture decisions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Recurring ARR growth maps to ongoing NHI lifecycle and credential governance. |
| NIST CSF 2.0 | PR.AC-4 | Privilege and access control is central to the article’s human and machine identity scope. |
| NIST AI RMF | Agentic AI governance becomes relevant when identity controls must cover runtime decisions. |
Assign governance ownership for AI agent behaviour before extending identity controls to autonomous workflows.
Key terms
- Non-Human Identity: A non-human identity is any credentialed entity that acts on systems without being a person, including service accounts, API keys, tokens, certificates, workload identities, bots, and AI agents. Governance has to cover creation, use, rotation, and removal, because these identities often operate faster and more broadly than human accounts.
- Subscription Arr: Subscription ARR is the annualised value of recurring subscription contracts in force at the end of a period. In identity security, it is a useful signal that buyers are funding persistent control coverage rather than isolated projects, which usually means lifecycle and governance concerns are becoming operational rather than optional.
- Agentic AI Identity: An agentic AI identity is an AI system that can act with some runtime decision-making in an enterprise environment and therefore requires identity controls, access boundaries, and governance. The critical issue is not just authentication, but whether the actor can choose actions, use tools, and persist access in ways that must be reviewed and revoked.
- Platform Consolidation: Platform consolidation is the merging of previously separate security capabilities into a broader suite or acquired portfolio. For identity teams, it matters because consolidated tooling can simplify procurement while also obscuring where privilege, lifecycle, and credential controls begin and end.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by CyberArk: Achieves record net new ARR and full-year 2025 results. Read the original.
Published by the NHIMG editorial team on 2026-02-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
