By NHI Mgmt Group Editorial Team
Published 2025-07-31
Domain: Breaches & Incidents
Source: Bravura Security

TL;DR: Palo Alto Networks’ $25 billion acquisition of CyberArk confirms that stolen credentials remain the most common initial attack vector, accounting for 22% of breaches and 88% of web application breaches in Verizon’s 2025 DBIR. Identity controls, not perimeter tools alone, are now the main battleground for enterprise security.


At a glance

What this is: This is Bravura Security’s analysis of the Palo Alto CyberArk deal and the broader shift toward identity-centred security platforms.

Why it matters: It matters because IAM, PAM, NHI, and human identity programmes are increasingly being judged as part of one security fabric rather than separate control planes.

By the numbers:

👉 Read Bravura Security’s analysis of the Palo Alto CyberArk deal and identity convergence


Context

Identity security now sits at the centre of enterprise risk because attackers can often succeed with valid credentials rather than noisy exploit chains. The Palo Alto CyberArk deal is a market signal that identity, privilege, and policy are being treated as one problem rather than separate domains.

For practitioners, the key issue is not whether a vendor can bundle more controls, but whether the organisation can govern human accounts, privileged access, and non-human identities through a consistent model. That is where siloed IAM and PAM programmes start to break down, especially when the same credentials are being used across cloud, web, and machine-to-machine access.

The shift is broadly typical of where the market is heading, but many enterprises are still operating with fragmented tooling and inconsistent policy enforcement. That gap makes identity governance a board-level security issue rather than a back-office administration concern.


Key questions

Q: How should security teams respond when identity platforms become more consolidated?

A: Treat consolidation as a governance test, not a procurement win. Check whether authentication, privilege management, and machine identity controls still preserve context end to end. The priority is consistent policy enforcement, shared telemetry, and clear ownership across IAM, PAM, and NHI operations.

Q: Why do stolen credentials remain such an effective attack path?

A: Because many environments still trust a valid login too much. Once a password, token, or session is accepted, attackers can often act like legitimate users unless the organisation applies continuous verification, anomaly detection, and privilege checks after authentication.

Q: What breaks when PAM is treated as separate from IAM?

A: Governance breaks first. Security teams lose the connection between who authenticated, what elevated privilege was granted, and how that access was used. That makes reviews slower, investigations weaker, and privileged abuse harder to detect across the full identity estate.

Q: How do organisations know whether an identity fabric is actually working?

A: Look for shared policy enforcement, consistent entitlement context, and session evidence across users, admins, and machine identities. If teams still need to reconcile multiple consoles or manually stitch logs together, the fabric is a packaging layer, not operational integration.


Technical breakdown

Why credential abuse keeps working

Credential theft is effective because authentication still often functions as a binary trust event. Once an attacker has a valid password, token, or session cookie, many systems grant access with little additional verification, even when the request originates from an unusual device, location, or application path. This is why stolen credentials consistently outperform more complex intrusion methods. The control weakness is not just the leak itself, but the absence of layered checks that can detect reuse, impossible travel, token replay, or privilege escalation after authentication. In identity-heavy environments, compromise frequently looks legitimate at first glance.

Practical implication: move beyond static login trust and add continuous verification, anomaly detection, and privilege checks after authentication.
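The layered post-authentication checks this section names can be expressed as simple detection logic. The following is an added example, not code from Bravura Security or the original analysis: it runs three checks over a constructed stream of identity events (impossible travel between two logins, a session token presented from a second device fingerprint, and a privileged action in a session that never passed a step-up check). The event fields, the 900 km/h speed threshold and the privileged action names are assumptions made for the example; the IP addresses are RFC 5737 documentation ranges.

```python
"""Post-authentication risk checks over a constructed stream of identity events.

Implements three of the layered checks the section names: impossible travel
between two logins, session-token replay from a second device fingerprint,
and a privileged action inside a session that never passed a step-up check.
Event shape, field names and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str         # "login", "step_up" or "action"
    ip: str           # RFC 5737 documentation addresses in the sample
    device: str       # device fingerprint id
    session: str      # opaque session/token identifier
    lat: float
    lon: float
    action: str = ""  # set when kind == "action"


MAX_SPEED_KMH = 900.0  # assumption: faster than a commercial flight between logins
PRIVILEGED_ACTIONS = {"grant_admin_role", "read_secret", "modify_iam_policy"}  # assumed names


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Consecutive logins by one user that would require an implausible speed."""
    findings = []
    logins = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "login":
            logins[e.user].append(e)
    for user, seq in logins.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                findings.append((user, round(km), round(hours, 2)))
    return findings


def token_replay(events):
    """One session identifier presented from more than one device fingerprint."""
    devices = defaultdict(set)
    owner = {}
    for e in events:
        devices[e.session].add(e.device)
        owner[e.session] = e.user
    return [(owner[s], s, tuple(sorted(d))) for s, d in sorted(devices.items()) if len(d) > 1]


def privileged_without_step_up(events):
    """Privileged actions in a session with no step-up verification before them."""
    findings = []
    verified = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "step_up":
            verified.add(e.session)
        elif e.kind == "action" and e.action in PRIVILEGED_ACTIONS and e.session not in verified:
            findings.append((e.user, e.session, e.action))
    return findings


def T(h, m):
    return datetime(2025, 7, 31, h, m)


# Constructed sample: alice logs in from London and then "from" New York 30 minutes
# later; bob's session token is reused from a second device and reads a secret
# without step-up; carol passes step-up before an admin action and is clean.
SAMPLE_EVENTS = [
    Event(T(9, 0), "alice", "login", "203.0.113.10", "d1", "s1", 51.50, -0.12),
    Event(T(9, 30), "alice", "login", "198.51.100.7", "d2", "s2", 40.71, -74.01),
    Event(T(10, 0), "bob", "login", "203.0.113.22", "d3", "s3", 52.52, 13.40),
    Event(T(10, 5), "bob", "action", "192.0.2.55", "d9", "s3", 52.52, 13.40, "read_secret"),
    Event(T(11, 0), "carol", "login", "203.0.113.30", "d4", "s4", 48.86, 2.35),
    Event(T(11, 1), "carol", "step_up", "203.0.113.30", "d4", "s4", 48.86, 2.35),
    Event(T(11, 2), "carol", "action", "203.0.113.30", "d4", "s4", 48.86, 2.35, "grant_admin_role"),
]


def run_checks(events):
    """Run every check and return the findings keyed by check name."""
    return {
        "impossible_travel": impossible_travel(events),
        "token_replay": token_replay(events),
        "privileged_without_step_up": privileged_without_step_up(events),
    }


if __name__ == "__main__":
    for check, hits in run_checks(SAMPLE_EVENTS).items():
        print(check, hits)
```

Each check is deliberately independent so that its output can feed a different response: an impossible-travel hit is a reason to re-authenticate, a replayed token is a reason to revoke the session outright, and a privileged action without step-up is the correlation between authentication and privilege that the section says siloed IAM and PAM telemetry loses.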

Why PAM and IAM can no longer stay separate

PAM historically managed high-risk administrative access, while IAM handled workforce authentication and lifecycle controls. That separation made sense when privileged accounts were a smaller, easier-to-isolate subset of identities. Today, privilege is distributed across humans, service accounts, API tokens, and cloud roles, so the boundary between IAM and PAM has blurred. If privileged access is managed outside the main identity fabric, organisations lose correlation between who authenticated, what privilege was granted, and how that access was used. The result is slower detection and weaker accountability across the full identity estate.

Practical implication: connect privileged access telemetry to the main identity programme so governance, review, and response share one control model.

Identity fabric is a control model, not a product label

An identity fabric is only useful if it unifies policy, entitlement data, session monitoring, and remediation across identity types. In practice, that means the security team can see human users, privileged admins, machine identities, and service credentials in a consistent governance layer. Without that, consolidation becomes packaging rather than integration. The core architectural question is whether the platform can enforce policy at the point of access and preserve context across authentication, authorisation, and session activity. If it cannot, the enterprise still has stitched-together controls wearing a single brand.

Practical implication: evaluate whether identity platforms actually share policy and telemetry across use cases before accepting consolidation claims.


Threat narrative

Attacker objective: The attacker aims to turn legitimate-looking access into broad system control without needing a noisy exploit chain.

  1. Entry occurs when attackers obtain valid credentials, which lets them bypass perimeter-style defences and present as legitimate users.
  2. Escalation follows when those credentials include privileged or over-broad access, allowing the attacker to move from routine account use into administrative actions or sensitive systems.
  3. Impact lands when credential abuse enables data exposure, account takeover, or operational disruption across applications that trust the authenticated identity.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity convergence is becoming the default security architecture. The Palo Alto CyberArk deal reflects a broader market correction: identity, privilege, and control are no longer treated as isolated disciplines. Security teams are being pushed toward a single governance model that spans IAM, PAM, and machine identities because attackers already move across those boundaries. The practical conclusion is that fragmented control ownership now creates more risk than it removes.

Credential-centric security assumptions are still the weakest part of enterprise identity design. The article’s Verizon data reinforces a pattern NHIMG sees repeatedly: once credentials are stolen, many environments still trust them too much. That is not just a control gap, it is a programme assumption that authentication itself is sufficient proof of safety. Practitioners should treat that assumption as broken and redesign for post-authentication risk.

Identity fabric is a useful concept only when it unifies governance, not just dashboards. Consolidation can reduce alert sprawl, but it can also hide whether policy is actually consistent across human, privileged, and non-human identities. A fabric that does not preserve entitlement context and session evidence simply repackages the same governance fragmentation. Teams should judge platforms by enforcement continuity, not by product breadth.

Non-human identity governance becomes more urgent when platform strategies expand. As vendors bundle identity into broader security stacks, machine credentials, service accounts, and API keys become more likely to sit inside the same operational blind spots as human access. NHIMG’s position is that NHI cannot remain an afterthought inside convergence projects. The implication is that lifecycle, rotation, and offboarding controls must be designed into the platform model from the start.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which helps explain why stale access persists.
  • For the lifecycle angle, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for the control model that closes offboarding gaps.
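The offboarding and rotation gaps the research numbers describe are the kind of thing a small inventory audit makes visible. The following is an added example, not code or policy from NHIMG or the Ultimate Guide to NHIs: it walks a constructed inventory of non-human credentials and flags keys whose owner has been offboarded, keys past a rotation deadline (shorter for keys shared with a third party), and keys that have not been used recently enough to be trusted as still needed. The credential fields and the 90-, 60- and 30-day thresholds are assumptions chosen for the example.

```python
"""Lifecycle audit over a constructed inventory of non-human credentials.

Flags the gaps the research numbers describe: keys still owned by an
offboarded principal, keys past their rotation deadline, keys shared with a
third party on a tighter deadline, and keys unused for long enough that they
are probably orphaned. Thresholds are assumptions chosen for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Credential:
    key_id: str
    owner: str                 # human or team principal responsible for the key
    owner_active: bool         # False once the owner has been offboarded
    last_rotated: date
    last_used: Optional[date]  # None if no use has ever been observed
    shared_with_third_party: bool


ROTATION_MAX_DAYS = 90             # assumption
THIRD_PARTY_ROTATION_MAX_DAYS = 30  # assumption: tighter for externally exposed keys
UNUSED_MAX_DAYS = 60               # assumption


def audit(inventory, today):
    """Return {key_id: [issue, ...]} for every credential with at least one issue."""
    findings = {}
    for c in inventory:
        issues = []
        if not c.owner_active:
            issues.append("revoke: owner offboarded")
        limit = THIRD_PARTY_ROTATION_MAX_DAYS if c.shared_with_third_party else ROTATION_MAX_DAYS
        age = (today - c.last_rotated).days
        if age > limit:
            issues.append(f"rotate: {age}d since rotation (limit {limit}d)")
        if c.last_used is None or (today - c.last_used).days > UNUSED_MAX_DAYS:
            issues.append("review: unused, likely orphaned")
        if issues:
            findings[c.key_id] = issues
    return findings


TODAY = date(2025, 7, 31)

# Constructed sample inventory: one healthy key and three with lifecycle gaps.
SAMPLE_INVENTORY = [
    Credential("k-ci-deploy", "alice", True, date(2025, 7, 15), date(2025, 7, 30), False),
    Credential("k-legacy-etl", "bob", False, date(2024, 11, 1), date(2025, 7, 29), False),
    Credential("k-vendor-webhook", "carol", True, date(2025, 6, 1), date(2025, 7, 30), True),
    Credential("k-old-monitor", "dave", True, date(2025, 7, 1), None, False),
]


if __name__ == "__main__":
    for key_id, issues in audit(SAMPLE_INVENTORY, TODAY).items():
        print(key_id)
        for issue in issues:
            print("  -", issue)
```

The "k-legacy-etl" case is the one worth noticing: the key is still in active use, so usage-based cleanup alone would keep it alive, and only the link back to its offboarded owner shows that it should be revoked. That link is the ownership context an identity fabric has to preserve for machine identities as well as people.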

What this signals

Identity fabric will become a board-level architecture question, not just a vendor category. As consolidation continues, teams should expect more pressure to prove that policy, telemetry, and response operate across IAM, PAM, and NHI in one chain of control. The organisations that can demonstrate that continuity will have a clearer story for risk reduction and audit readiness.

Consolidation also raises the bar for NHI governance inside broader identity programmes. With 92% of organisations exposing NHIs to third parties, per the Ultimate Guide to NHIs, any platform strategy that ignores service accounts, API keys, and tokens will leave the highest-risk credentials outside the governance model.

The practical signal is that identity teams should prepare for more cross-domain decision-making in architecture reviews. The question will not be whether a platform covers more surface area, but whether it can prove control continuity across human, privileged, and machine access without adding reconciliation work.


For practitioners

  • Map identity controls to one governance model: Inventory where IAM, PAM, and NHI controls are split across different teams, consoles, or policy engines. Identify where those splits prevent a full view of authentication, privilege, and session behaviour.
  • Harden post-authentication trust decisions: Add step-up checks, token reuse detection, and session-level monitoring so a valid login does not automatically equal trusted access.
  • Review privileged access as part of the main identity programme: Tie administrative entitlements, approval workflows, and session evidence back to the central identity inventory so reviewers see the same context used for routine access.
  • Assess whether consolidation is real integration: Test whether the platform preserves policy and telemetry across human, privileged, and machine identities, rather than simply bundling separate tools under one interface.

Key takeaways

  • The Palo Alto CyberArk deal reinforces that identity is now the main security perimeter, especially where stolen credentials drive most breaches.
  • Consolidating IAM and PAM only helps if the enterprise can preserve governance context across humans, privileged admins, and machine identities.
  • Practitioners should measure identity platforms by enforcement continuity, not by how many security domains a single vendor can package together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Credential abuse shows why identity proofing and access control must be continuously validated.
NIST Zero Trust (SP 800-207) | | The article directly supports a zero-trust view of identity as the new perimeter.
OWASP Non-Human Identity Top 10 | NHI-03 | Machine credentials and service accounts are part of the same identity risk surface.

Reassess authentication trust and add stronger checks for reused credentials and abnormal sessions.


Key terms

  • Identity fabric: An identity fabric is a unified control model that connects authentication, privilege, policy, and monitoring across identity types. The aim is to keep governance context intact as access moves through users, admins, service accounts, and other non-human identities.
  • Credential abuse: Credential abuse is the use of valid login material by someone who should not have it, or the use of legitimate access for malicious purposes. It succeeds when systems trust authentication too much and do not apply enough post-login validation.
  • Privilege convergence: Privilege convergence is the collapse of old boundaries between IAM and PAM, where elevated access is governed as part of the broader identity programme. It matters because privilege now exists across human and machine accounts, not only traditional administrators.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Bravura Security: the Palo Alto CyberArk deal and its implications for identity security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org