By NHI Mgmt Group Editorial Team
Published 2025-08-01
Domain: Breaches & Incidents
Source: Opal Security

TL;DR: Palo Alto Networks’ $25B CyberArk acquisition underscores how identity security is shifting from login and vault control toward runtime authorization, with the article citing 80:1 non-human identity growth and $29B in opportunity. Static roles and periodic reviews are no longer enough when access is dynamic, ephemeral, and increasingly machine-driven.


At a glance

What this is: This is an argument that the CyberArk acquisition signals a broader shift from identity front-door controls to real-time authorization across humans, machines, and agents.

Why it matters: It matters because IAM, PAM, and NHI teams now have to govern access decisions at runtime, not just authenticate users or manage vaults and roles.

By the numbers:

  • $25B: the size of Palo Alto Networks' CyberArk acquisition.
  • 80:1: the non-human identity growth ratio the article cites.
  • $29B: the market opportunity the article cites.

👉 Read Opal Security's analysis of the Palo Alto Networks and CyberArk deal


Context

Palo Alto Networks' acquisition of CyberArk is a signal that the identity security market is moving beyond authentication toward continuous authorization. The operational problem is no longer whether an identity can log in, but whether its access should exist, for how long, and under what live conditions. For IAM, PAM, and NHI programmes, that changes the centre of gravity from provisioning to runtime governance.

The article argues that static roles, durable sessions, and ticket-driven approvals do not fit modern workloads, service accounts, or AI agents. That is the right framing for practitioners because identity sprawl now includes machine identities and autonomous workflows, not just human users. The result is a governance problem that cuts across human IAM, NHI controls, and emerging agentic access patterns.


Key questions

Q: How should security teams govern authorization for non-human identities?

A: Treat non-human identities as task-scoped subjects, not durable users. Security teams should define owner, purpose, expiry, and maximum privilege at the point of issue, then enforce continuous evaluation for high-risk access. The goal is to prevent standing access from becoming the default state for service accounts, containers, and agents.

Q: Why do static roles fail for modern cloud and AI workloads?

A: Static roles assume the access need is stable enough to be assigned once and reviewed later. Cloud workloads and AI-driven processes change context too quickly for that model, so over-privilege accumulates and review cycles arrive after the risk has already expanded. Runtime policy and just-in-time access reduce that mismatch.

Q: What breaks when authorization is managed separately from identity lifecycle?

A: Access persists after the business reason for it has changed, which creates identity drift. When lifecycle ownership is split from policy enforcement, teams can authenticate an identity but still fail to remove or narrow what it can do. That is how dormant privilege turns into breach exposure.

Q: Who should own access decisions when humans, machines, and agents all need different controls?

A: Ownership should sit with the identity governance function, but the policy model must cover all actor types consistently. Human users, service accounts, and agents need different lifecycle mechanics, yet the same access logic should evaluate context, privilege, and expiry. That prevents governance gaps between IAM, PAM, and NHI teams.


Technical breakdown

Why static authorization breaks in dynamic environments

Static authorization assumes that privilege can be assigned once, then reviewed later through periodic governance processes. That model works poorly when identities are ephemeral, workloads change context mid-session, and access requests are tied to runtime signals such as device posture or workload state. In practice, the decision point has moved from pre-provisioning to continuous evaluation. That is why policy engines, just-in-time access, and contextual signals matter more than durable entitlements in modern identity architectures.

Practical implication: move high-risk access decisions out of static role assignment and into runtime policy enforcement.

How non-human identities change the authorization problem

Non-human identities behave differently from people because they can request access continuously, execute at machine speed, and consume permissions across hybrid and multi-cloud systems. Service accounts, containers, and agents often need access for a narrow task, not a long-lived relationship. That makes over-privilege and standing access the main failure mode. If the control model still treats them like users with review cadences and persistent permissions, blast radius expands faster than governance can catch up.

Practical implication: classify machine identities separately from human users and govern them with task-scoped access and tighter lifecycle control.

Entity-agnostic authorization as the new control plane

Entity-agnostic authorization means applying the same decision logic across human users, service accounts, containers, and agents instead of fragmenting controls by identity type. That matters because many breaches now exploit the seams between identity systems, where one team owns login, another owns vaulting, and another owns authorization policy. A unified control plane does not mean a single vendor stack; it means a consistent decision model that can evaluate identity, context, and risk across all execution paths.

Practical implication: build one authorization standard that can evaluate humans and non-humans with the same policy logic.
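The decision model described above, as an added illustration (not code from the article, Opal Security or any vendor): a minimal entity-agnostic runtime policy check in Python. Subject fields, action names and the risk threshold are assumptions; the same decide() runs for a human, a service account or an agent, and continue_session() re-evaluates it as live context changes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: subject fields, action names and the risk threshold are
# assumptions for illustration, not any vendor's policy schema.
HIGH_RISK_ACTIONS = {"secrets:read", "iam:assume_role", "db:write"}
RISK_THRESHOLD = 70  # assumed cut-off for high-risk actions

@dataclass
class Subject:
    name: str
    kind: str                 # "human", "service_account" or "agent"
    owner: str                # accountable owner, set at point of issue
    purpose: frozenset        # task identifiers this subject was issued for
    expires_at: datetime      # hard expiry, set at point of issue
    max_privilege: frozenset  # the most this subject may ever do

@dataclass
class Context:                # live signals evaluated at decision time
    now: datetime
    task: str
    device_posture: str       # "compliant" or "noncompliant"
    risk_score: int

def decide(subject, action, ctx):
    """One decision function for every identity kind: returns (allowed, reason)."""
    if ctx.now >= subject.expires_at:
        return False, "expired: identity outlived its issue window"
    if ctx.task not in subject.purpose:
        return False, "out of scope: task not in issued purpose"
    if action not in subject.max_privilege:
        return False, "over-privilege: action exceeds maximum privilege"
    if action in HIGH_RISK_ACTIONS:  # contextual checks only where risk is high
        if ctx.device_posture != "compliant":
            return False, "posture: high-risk action requires compliant posture"
        if ctx.risk_score >= RISK_THRESHOLD:
            return False, "risk: score above threshold for high-risk action"
    return True, "allowed"

def continue_session(subject, action, contexts):
    """Continuous evaluation: re-run decide() on each context sample and
    return the index and reason of the first point the session should be cut."""
    for i, ctx in enumerate(contexts):
        ok, reason = decide(subject, action, ctx)
        if not ok:
            return i, reason
    return None, "allowed throughout"

T0 = datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc)
AGENT = Subject("deploy-agent-42", "agent", "platform-team", frozenset({"deploy-svc-a"}),
                T0 + timedelta(minutes=30), frozenset({"secrets:read", "k8s:apply"}))
```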


NHI Mgmt Group analysis

Identity acquisition is really authorization consolidation. The market logic in this deal is not just about adding PAM to a broader platform. It is about pulling more of the access decision chain into one vendor perimeter, which may simplify procurement but also increases the strategic weight of runtime authorization. Practitioners should treat this as a sign that identity security is moving from point controls toward category ownership.

Static entitlement governance was designed for durable access, not runtime-chosen access paths. That assumption fails when service accounts, containers, and agents request permission only when a task is underway and context is changing. The implication is not simply that teams need more tooling, but that review-based governance alone no longer describes the problem space accurately.

Identity drift is the named failure mode here: entitlements, privileges, and machine accounts accumulate faster than governance can rebaseline them. The article is right to connect this to blast-radius growth, because the security issue is not just excess access but unmanaged access persistence across systems. For practitioners, the lesson is to measure how far access can spread before a control ever sees it.

Authorization-first thinking is the correct lens for human IAM, NHI governance, and emerging agentic access patterns. Authentication still matters, but it is no longer the decisive boundary in modern infrastructure. The field should now ask which access decisions must be continuous, which can remain pre-approved, and which identities should never be granted standing privilege in the first place.

Identity blast radius: The article's most useful concept is that the blast radius is now defined less by initial compromise and more by how much privilege remains active after context changes. That reframes the governance challenge for security leaders: the issue is not only who can enter, but how far they can move once inside. Practitioners should use that lens when redesigning controls for machines and agents.

From our research:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
  • That same report finds that 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.
  • For a broader view of lifecycle and access-control failure patterns, see Ultimate Guide to NHIs, Key Challenges and Risks.

What this signals

Identity drift is becoming the operational term that matters most here. When access accumulates across humans, service accounts, and emerging agent workflows, governance needs a shared policy model rather than a series of disconnected reviews. Teams that still separate PAM, IAM, and NHI oversight will miss how quickly privilege can expand between control points.

The data gap is already visible. Only 19.6% of security professionals say they are strongly confident in securely managing non-human workload identities, which is why runtime authorization is moving from architecture discussion to programme priority.

The forward signal is simple: access governance is shifting toward continuous decision-making, task-scoped entitlements, and lifecycle ownership across all identity types. Security teams should prepare for a world where the decisive control is not who can authenticate, but what they are allowed to do in real time.


For practitioners

  • Separate authorization from authentication governance: Map which controls currently stop at login, then identify where access decisions still rely on static roles, durable sessions, or ticket approvals. Those areas should be treated as authorization gaps, not authentication gaps.
  • Inventory standing access across human and non-human identities: Build a single view of persistent entitlements across service accounts, containers, and human users so you can see where privilege outlives the task that justified it. Include dormant access and nested group paths.
  • Adopt runtime policy for high-risk access: Use live signals such as workload context, device posture, and risk score to decide whether access should be granted, continued, or removed during execution. This is especially important for ephemeral workloads and agent-driven processes.
  • Define a task-scoped governance model for machine identities: Treat machine identities as execution-specific subjects with narrow purpose, clear owner, and explicit expiry. That means revisiting provisioning, rotation, and offboarding as lifecycle controls, not one-time setup steps.
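An added example (not from the article or any product) of the inventory and task-scope steps above: it resolves nested group paths into one view of persistent entitlements over a constructed inventory, then flags privilege that has outlived its task, is dormant, or is standing via group membership. Identity names, grants and the 90-day dormancy threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: identities, grants and thresholds are assumptions
# for illustration, not real accounts or any product's export format.
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold
# Direct grants: (identity, kind, privilege, task_expiry or None = standing, last_used)
GRANTS = [
    ("alice", "human", "secrets:read", None, NOW - timedelta(days=120)),
    ("ci-runner", "service_account", "secrets:read", NOW - timedelta(days=5), NOW - timedelta(days=1)),
    ("etl-agent", "agent", "db:write", NOW + timedelta(days=1), NOW),
]
# Group membership (a member may itself be a group) and what each group grants.
GROUPS = {"platform-admins": ["alice", "ci-runner"],
          "prod-db-admins": ["platform-admins", "etl-agent"]}
GROUP_GRANTS = {"platform-admins": {"k8s:apply"}, "prod-db-admins": {"db:write"}}

def members(group, path=(), seen=frozenset()):
    """Yield (identity, group path) for every concrete member, following nested groups."""
    if group in seen:  # guard against membership cycles
        return
    for m in GROUPS[group]:
        if m in GROUPS:
            yield from members(m, path + (group,), seen | {group})
        else:
            yield m, path + (group,)

def inventory():
    """Single view of persistent entitlements: {identity: {privilege: (source, expiry, last_used)}}."""
    view = {}
    for ident, _kind, priv, expiry, last_used in GRANTS:
        view.setdefault(ident, {})[priv] = ("direct grant", expiry, last_used)
    for group, privs in GROUP_GRANTS.items():  # group grants carry no task expiry
        for ident, path in members(group):
            for priv in privs:
                view.setdefault(ident, {}).setdefault(priv, ("group:" + "->".join(path), None, None))
    return view

def find_drift():
    """Flag privilege that outlived its task, is standing, or is dormant (identity drift)."""
    findings = []
    for ident, privs in inventory().items():
        for priv, (source, expiry, last_used) in sorted(privs.items()):
            if expiry is not None and expiry < NOW:
                findings.append((ident, priv, "outlived task: expired " + expiry.date().isoformat()))
            elif expiry is None:
                findings.append((ident, priv, "standing via " + source))
            if last_used is not None and NOW - last_used > DORMANT_AFTER:
                findings.append((ident, priv, "dormant: unused for %d days" % (NOW - last_used).days))
    return findings
```

Each finding names the identity, the privilege and why it is drift, so the output can be sorted by owner for rebaselining.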

Key takeaways

  • The deal shows identity security is consolidating around authorization, not just authentication or vaulting.
  • Machine identities and dynamic workloads expose the limits of static roles, persistent sessions, and periodic reviews.
  • Security teams should treat runtime policy, lifecycle ownership, and standing-privilege reduction as core governance priorities now.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:

  • OWASP Non-Human Identity Top 10 (NHI-03): Standing privilege and access drift are central to the article's risk model.
  • NIST CSF 2.0 (PR.AC-4): The piece centres on continuous access control and least privilege enforcement.
  • NIST Zero Trust (SP 800-207): The article argues for continuous verification and context-aware authorization.

Review NHI credential lifecycle and eliminate persistent privileges that outlive the task.


Key terms

  • Identity drift: Identity drift is the slow expansion of entitlements, privileges, and machine accounts beyond what was originally intended. It occurs when access is granted, copied, or left in place faster than governance can re-baseline it, creating hidden blast radius across systems and teams.
  • Runtime authorization: Runtime authorization is the practice of deciding whether access should continue while a session or workload is actively executing. It uses live context such as risk, posture, and task state instead of relying only on pre-assigned roles or periodic review cycles.
  • Standing privilege: Standing privilege is access that remains available without needing a fresh business justification at the moment of use. For non-human identities, standing privilege is especially risky because machine execution can exploit it continuously and at scale, often outside human review windows.
  • Task-scoped identity: A task-scoped identity is a human, machine, or agent identity whose access is limited to a specific purpose, time, and context. This approach helps reduce over-privilege by ensuring the identity cannot reuse access beyond the work it was created to perform.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Opal Security covering the Palo Alto Networks and CyberArk acquisition and its identity security implications. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org