CyberArk’s Q3 results show identity security shifting to AI-era governance

At a glance

What this is: CyberArk’s third-quarter results show strong recurring revenue growth alongside a clear market shift toward securing human, machine, and agentic AI identities.

Why it matters: For IAM practitioners, this matters because budget, product strategy, and control design are increasingly being shaped by the need to govern identities across humans, workloads, and AI agents together.

By the numbers:

• Total ARR grows 45% year-over-year to reach $1.341 billion.
• Total revenue was $342.8 million in the third quarter of 2025, up 43 percent from $240.1 million in the third quarter of 2024.
• Subscription revenue was $280.1 million in the third quarter of 2025, an increase of 60 percent from $175.6 million in the third quarter of 2024.

👉 Read CyberArk’s Q3 2025 results and identity security market update

Context

CyberArk’s third-quarter update is not just a financial report. It is a signal that identity security buying is being pulled toward a broader governance problem: how to control access for humans, machine identities, and AI agents in the same enterprise.

That shift matters because the old split between workforce IAM, PAM, and machine identity security no longer matches how access is created, delegated, and consumed. Once agentic AI enters the picture, identity governance must account for runtime decisions, privilege boundaries, and lifecycle control across more than one actor type.

Key questions

Q: Should security teams re-evaluate identity architecture after major platform consolidation?

A: Yes. Consolidation often changes where identity controls sit, how data is shared, and which lifecycle processes remain independent. Security teams should verify that human IAM, PAM, and NHI governance still have clear ownership boundaries, explicit offboarding steps, and auditable privilege controls. If those responsibilities blur, the risk is not just vendor lock-in but control drift.

Q: Why do machine identities require different governance from human users?

A: Machine identities do not behave like people. They authenticate at scale, operate continuously, and often carry privileges that outlive the original business context. That makes lifecycle management, rotation, and visibility more important than user-centric experiences such as MFA prompts or password resets. The governance model has to match how the identity is used.

Q: How do AI agents change privilege management in identity programmes?

A: AI agents can select tools and act during runtime, which makes static entitlement planning less reliable. Privilege has to be bounded by what the agent can do in a session, not just by a role assigned at provisioning. Teams should review whether current PAM and NHI controls can describe execution context, action scope, and approval boundaries.

Q: What should organisations measure to know whether identity governance is keeping up?

A: They should measure whether access can be found, explained, and removed across all identity types. Useful indicators include service-account visibility, secret rotation compliance, offboarding latency, and whether agent privileges are reviewed before they are reused. If the programme cannot answer those questions quickly, governance is lagging the real access graph.

Technical breakdown

Why identity security is becoming a platform problem

Identity security has moved beyond isolated controls around passwords or vaults. In modern environments, human identities, service accounts, API keys, certificates, and AI agents all participate in the same access graph, which means weak governance in one layer can expand risk elsewhere. That is why vendors and buyers increasingly frame identity as a platform issue rather than a single product category. For practitioners, the key question is whether the programme can see and govern access consistently across provisioning, privilege, and offboarding, not just authenticate users.

Practical implication: map control ownership across workforce, machine, and agent identities before expanding another point solution.

What AI agent privilege controls actually need to govern

Agentic AI changes the identity problem because the actor can select actions, choose tools, and execute tasks at runtime. That is different from conventional automation, where the execution path is predetermined and human review is still meaningful. Privilege controls therefore have to consider not only what the agent can access, but when it can act, which tools it may chain together, and how quickly it can move from request to action. This is where traditional approval flows start to lose usefulness.

Practical implication: define separate privilege boundaries for AI agents instead of reusing human role models.

Why lifecycle governance matters more as recurring revenue rises

Recurring revenue growth in identity security usually reflects buyers shifting from ad hoc deployment to ongoing governance. That matters because identity controls only hold if lifecycle processes keep pace with change, including joiner-mover-leaver handling, credential rotation, access review, and privilege removal. For NHI and agentic AI programmes, lifecycle discipline is the difference between a control that exists on paper and one that actually reduces exposure over time. The architectural issue is not just access creation, but whether access is reliably retired when context changes.

Practical implication: treat lifecycle governance as a continuous control, not a quarterly compliance activity.

NHI Mgmt Group analysis

Identity security growth now reflects governance pressure, not just product demand. CyberArk’s revenue and ARR trajectory shows that identity security is increasingly being bought as a control plane for the whole enterprise access graph. That includes human privilege, machine identities, and emerging agentic AI use cases. The market is moving toward unified identity governance because point controls no longer match the way access is actually distributed. Practitioners should read this as a sign that identity programmes are being forced to consolidate around lifecycle, privilege, and visibility.

Agentic AI turns privilege into a runtime governance problem. The vendor’s framing around AI agents is material because the actor can take decisions inside the session, not just consume a fixed workflow. That means static entitlement models no longer describe the real risk surface. The implication is that identity teams will need to rethink how privilege is defined when execution timing, tool selection, and action sequence can change at runtime.

Lifecycle control is becoming the deciding factor in identity security credibility. The article points to a broader truth: recurring revenue grows when buyers need ongoing governance, not one-time deployment. In practice, the gap is usually not authentication alone but rotation, offboarding, and entitlement cleanup across humans and non-human identities. The practitioner conclusion is that identity security programmes will increasingly be judged on whether they can retire access as reliably as they can issue it.

Platform consolidation is likely to accelerate, but governance scope must stay explicit. The proposed combination with Palo Alto Networks signals that identity security is being pulled into larger platform strategies. That may improve reach, but it also risks obscuring the specific governance problems practitioners are trying to solve. The field should resist letting platform breadth substitute for control clarity. Buyers still need to know which identities are governed, which privileges are dynamic, and which lifecycle steps remain manual or fragmented.

From our research:

• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
• Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still governing machine identities with partial knowledge.
• 52 NHI Breaches Analysis shows how weak lifecycle control repeatedly turns identity exposure into breach persistence.

What this signals

Ephemeral access is not the same as governed access: when a programme cannot prove when credentials are issued, reused, and retired, the control story is incomplete. With only 5.7% of organisations reporting full visibility into their service accounts, the gap is not theoretical. Teams should expect machine identity sprawl to keep outpacing manual review cycles unless ownership is explicit.

The rise of AI agents will push identity teams to formalise which privileges are static, which are session-bound, and which should never be delegated to autonomous execution. That governance line will become a design decision, not a tooling detail. Practitioners should watch for product consolidation that widens coverage without clarifying accountability.

As identity platforms expand, the programme-level challenge is preserving control clarity across IAM, PAM, and NHI rather than collapsing them into one broad operating model. The organisations that stay ahead will be the ones that can tie every privileged identity back to a lifecycle owner and a revocation path.

For practitioners

• Re-map identity scope across all actor types Inventory where human identities, service accounts, tokens, certificates, and AI agents are governed today, then identify the control gaps between IAM, PAM, and NHI ownership.
• Separate agent privileges from human roles Define runtime boundaries for AI agents that can choose tools or execute tasks independently, and do not assume human RBAC models are sufficient for those access paths.
• Audit lifecycle controls for machine access Check whether offboarding, rotation, and access review processes cover API keys, service accounts, and certificates with the same discipline as employee access.
• Treat consolidation as a governance review trigger If a vendor strategy shifts toward broader platform coverage, reassess whether your programme still has explicit ownership for NHI, PAM, and agentic AI controls.

Key takeaways

• CyberArk’s results show that identity security demand is being driven by broader governance needs across human, machine, and AI-driven identities.
• The market signal is not just revenue growth, but a shift toward platform-based control of privilege, lifecycle, and access visibility.
• Practitioners should use this moment to test whether their current identity model can still govern runtime access, machine sprawl, and offboarding consistently.

Key terms

• Non-human identity: A non-human identity is any digital identity used by software, services, or machines rather than people. It includes service accounts, API keys, tokens, certificates, workload identities, and AI agents. Governance focuses on issuance, scope, rotation, and retirement, not user experience.
• Agentic AI identity: An agentic AI identity is an identity used by an AI system that can make runtime decisions about actions, tools, and timing. The governance challenge is that privilege is no longer just access to data or APIs. It must also control what the agent can decide to do with that access.
• Identity lifecycle: Identity lifecycle is the end-to-end governance of an identity from creation to offboarding. For non-human and autonomous actors, it covers provisioning, review, rotation, revocation, and retirement. The control question is whether access is removed as reliably as it is granted.
• Privilege boundary: A privilege boundary is the limit that defines what an identity can do, when it can do it, and under what conditions. In human programmes it often maps to roles, but for machines and AI agents it must also account for session context, tool use, and delegation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by CyberArk: its third-quarter 2025 financial results and identity security market update. Read the original.