By NHI Mgmt Group Editorial Team
Published 2025-08-18
Domain: Breaches & Incidents
Source: SPHERE Technology Solutions

TL;DR: Palo Alto Networks’ planned acquisition of CyberArk, valued at about $25 billion, signals that identity security, privileged access, and lifecycle governance have become core enterprise controls, especially as AI and cloud access expand, according to SPHERE Technology Solutions. The deal makes identity hygiene and privileged access discipline board-level issues rather than back-office tasks.


At a glance

What this is: An analysis of Palo Alto Networks’ planned CyberArk acquisition and the message it sends about identity security becoming a core control plane.

Why it matters: IAM, PAM, and NHI teams now need to treat privileged identity hygiene, lifecycle control, and least privilege as enterprise-defining priorities, not niche controls.

👉 Read SPHERE Technology Solutions’ analysis of the Palo Alto Networks and CyberArk deal


Context

Identity security is shifting from a supporting control to a primary enterprise control plane. When cloud adoption, AI systems, and privileged access all depend on identity decisions, the quality of that identity layer becomes a direct determinant of security outcomes. This article uses Palo Alto Networks’ planned CyberArk acquisition to argue that the market now treats identity, PAM, and lifecycle governance as central to defence.

The practical issue is not whether organisations have identity tools, but whether those tools are fed clean, current, and governed identity data. Shadow accounts, stale privileges, and unmanaged credentials break least privilege and just-in-time models because the controls depend on accurate inputs. For IAM and NHI teams, the acquisition is a reminder that identity hygiene and privileged access governance now sit at the centre of operational security.


Key questions

Q: How should security teams handle shadow accounts in privileged access programmes?

A: Treat shadow accounts as a governance failure, not just a housekeeping issue. Teams should continuously discover unmanaged identities, confirm ownership, and route stale privileges into remediation before they can be reused. If the identity inventory is incomplete, PAM and least-privilege controls will enforce policy against the wrong reality.

Q: Why do stale identities weaken least privilege and just-in-time access?

A: Least privilege and just-in-time access depend on current identity state, current ownership, and accurate privilege scope. When stale identities remain active, the control can still operate but it no longer reflects the real access landscape. That creates hidden standing privilege and undermines the assurance the programme is supposed to provide.

Q: How can IAM teams bring machine identities into lifecycle governance?

A: Apply the same lifecycle discipline used for human access to service accounts, tokens, cloud services, and AI-connected identities. That means assigning owners, reviewing entitlements, tracking purpose, and revoking access when the identity is no longer needed. Machine identities should be governed as first-class access subjects, not as infrastructure leftovers.

Q: Who is accountable when unmanaged privileged identities remain in the environment?

A: Accountability should sit with the service owner, the identity governance function, and the platform team responsible for privileged access control. If no one owns the account, then no one can certify, remediate, or offboard it. The governance gap is as much organisational as technical.


Technical breakdown

Why identity hygiene determines whether PAM works

Privileged access management depends on the identity layer being accurate enough to make access decisions trustworthy. If orphaned accounts, stale entitlements, and shadow identities remain in the environment, PAM can still issue controls, but those controls govern the wrong picture. Identity hygiene is the process of discovering, classifying, and cleaning identities so the control plane reflects reality. In practice, that means account inventory, privilege validation, and remediation loops must precede policy enforcement, not follow it.

Practical implication: validate identity inventories before trusting PAM enforcement or least-privilege outcomes.

How shadow accounts create blind spots in privileged workflows

Shadow accounts are unmanaged or forgotten identities that continue to exist after ownership or purpose has changed. They are dangerous because they often retain standing access, can bypass standard review cycles, and may not appear in normal governance reporting. In PAM and lifecycle programmes, the failure is usually not policy design but incomplete visibility. Once a shadow account sits outside active administration, remediation becomes harder and privileged workflows begin to operate with hidden risk.

Practical implication: build continuous discovery and remediation for shadow accounts into privileged access operations.

Why AI agents and ephemeral services intensify identity governance demands

The article ties identity security to AI agents, DevOps tokens, and ephemeral cloud services because these actors expand the number of non-human identities that can request, hold, and use privilege. Their access patterns are faster and more dynamic than traditional human workflows, so lifecycle and access review processes must account for machine speed and short-lived credentials. That does not make them autonomous by default, but it does make identity governance harder because the environment changes faster than periodic review models.

Practical implication: extend lifecycle controls and entitlement validation to machine and agent identities, not just human users.


NHI Mgmt Group analysis

Identity security has become a control plane, not a supporting function. The article is right to frame the CyberArk acquisition as a sign that identity now sits alongside perimeter controls in enterprise defence. Once cloud, AI, and privileged access all depend on who or what can authenticate, identity governance becomes a foundational security layer. For practitioners, the implication is that IAM, PAM, and NHI controls can no longer be treated as back-office tooling.

Identity hygiene is the missing prerequisite for effective least privilege. Least privilege only works when the identity inventory is current, ownership is clear, and stale access is removed before controls are enforced. Shadow accounts and unmanaged identities create a gap between policy intent and operational reality, which is why privileged controls fail even when the platform is technically sound. Practitioners should treat identity hygiene as the upstream condition for governance credibility.

Shadow account drift is the named concept this deal exposes. Abandoned doors persist when identity records outlive ownership, purpose, or review. That drift weakens both PAM and lifecycle governance because access remains active after accountability has disappeared. The practical conclusion is that discovery and cleanup are not maintenance tasks, they are the condition that allows identity controls to function at all.

NHI and human IAM are converging around the same governance problem. The article highlights AI agents, DevOps tokens, and ephemeral cloud services alongside privileged human access because the enterprise now manages multiple actor types through the same trust fabric. That convergence means recertification, offboarding, and privilege validation must be designed as shared lifecycle discipline, not separate programmes. Practitioners should re-evaluate governance models that still assume human identity is the default case.

Platform consolidation is a signal that identity security is becoming harder to bolt on later. Large security vendors are moving toward identity because access decisions now shape every other layer of defence. That shifts procurement, architecture, and operating models toward integrated identity governance rather than isolated point controls. For practitioners, the lesson is to assess whether current IAM and PAM programmes are mature enough to survive that convergence.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Another finding from our research shows that 97% of NHIs carry excessive privileges, which broadens attack surface and complicates lifecycle governance.
  • For a broader view of how identity failures become real incidents, see 52 NHI Breaches Analysis.

What this signals

Shadow account drift is becoming a board-level governance issue because identity platforms only work when the underlying records are complete. With only 5.7% of organisations having full visibility into their service accounts, most programmes are still operating with incomplete inputs, and that makes lifecycle review and privileged remediation structurally unreliable.

The market is moving toward tighter coupling between identity discovery, PAM, and lifecycle management, which means teams should expect more pressure to unify these functions in one operating model. The question is no longer whether you own an IAM toolset, but whether your governance process can keep pace with identities that multiply faster than review cycles.

For teams already running PAM or NHI programmes, the next maturity step is not another point control. It is a defensible operating model that ties discovery, ownership, review, and offboarding together before privilege becomes invisible.


For practitioners

  • Audit shadow accounts and orphaned privileges: Create a recurring inventory process for abandoned identities, stale privileged roles, and ownership gaps, then route exceptions into remediation workflows before they can be reused.
  • Validate identity hygiene before PAM enforcement: Check whether your privileged access platform is consuming accurate identity data, current ownership, and up-to-date account status before you trust least-privilege decisions.
  • Extend lifecycle governance to machine identities: Apply joiner-mover-leaver discipline to service accounts, tokens, cloud services, and AI-connected identities so review and offboarding do not stop at human users.
  • Tie cleanup workflows to access certification: Use access reviews to trigger removal of unowned or unused identities, and make remediation measurable so certification is linked to actual privilege reduction.
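As an added example (not code from SPHERE's article or from NHI Mgmt Group's own tooling), the following Python audit applies the practitioner checklist above to a constructed identity inventory: it flags identities with no current owner (shadow accounts), machine identities with no recorded purpose, and standing privilege unused beyond a review window, then orders a remediation queue and gates PAM enforcement on the result. The 90-day window, the HR feed, and every identity in the inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)  # assumed review window; set to your policy
AS_OF = date(2025, 8, 18)         # constructed audit date

@dataclass
class Identity:
    name: str
    kind: str                     # "human" or "machine"
    owner: Optional[str]          # accountable person, None if unknown
    purpose: Optional[str]        # why the identity exists
    privileged: bool              # holds standing elevated access
    last_used: Optional[date]     # None: never seen authenticating

ACTIVE_STAFF = {"alice", "bob"}   # constructed HR feed of current employees

INVENTORY = [  # constructed sample identities, not real accounts
    Identity("alice", "human", "alice", "platform admin", True, date(2025, 8, 15)),
    Identity("svc-backup", "machine", "carol", "nightly backups", True, date(2025, 3, 1)),
    Identity("svc-ci-deploy", "machine", "bob", "CI deploy token", True, date(2025, 8, 17)),
    Identity("svc-legacy-etl", "machine", None, None, True, None),
    Identity("agent-report", "machine", "bob", None, False, date(2025, 8, 10)),
]

def audit(inventory, active_staff, as_of=AS_OF, stale_after=STALE_AFTER):
    """Return {identity_name: [findings]} for every identity needing remediation."""
    findings = {}
    for ident in inventory:
        issues = []
        # Shadow account: no owner, or owner no longer in the HR feed (left or moved)
        if ident.owner is None or ident.owner not in active_staff:
            issues.append("shadow: no current owner")
        # Machine identities need a recorded purpose to be reviewable at all
        if ident.kind == "machine" and not ident.purpose:
            issues.append("machine identity without recorded purpose")
        # Standing privilege unused past the window is hidden standing access
        if ident.privileged and (ident.last_used is None or as_of - ident.last_used > stale_after):
            issues.append("stale standing privilege")
        if issues:
            findings[ident.name] = issues
    return findings

def remediation_queue(findings):
    """Most findings first, so unowned privileged identities are handled earliest."""
    return sorted(findings, key=lambda name: (-len(findings[name]), name))

def enforcement_ready(findings, inventory):
    """Hygiene gate: trust PAM/least-privilege decisions only when no privileged identity has findings."""
    return all(i.name not in findings for i in inventory if i.privileged)
```

Run against a real inventory, the gate would feed the "validate identity hygiene before PAM enforcement" step, and the queue would feed the certification-triggered cleanup workflow.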

Key takeaways

  • The article’s core message is that identity security now functions as foundational infrastructure rather than a supporting IT task.
  • The major risk is not simply more identities, but more unmanaged identities that weaken PAM, least privilege, and lifecycle governance.
  • Practitioners should focus on discovery, ownership, and remediation so privileged access controls operate on clean identity data.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-03                Identity hygiene and rotation failures map directly to unmanaged NHI risk.
NIST CSF 2.0                     PR.AC-1               Access control depends on knowing who or what is actually entitled.
NIST Zero Trust (SP 800-207)                           Zero Trust requires continuous verification of identity and privilege state.

Inventory non-human identities, assign ownership, and enforce cleanup before privilege is trusted.


Key terms

  • Identity Hygiene: The practice of keeping identity records accurate, owned, and current so access decisions reflect reality. In security programmes, it means discovering shadow accounts, removing stale privileges, and maintaining clean lifecycle data before PAM or least-privilege controls are trusted.
  • Shadow Account: An identity that persists without clear ownership, purpose, or active administration. Shadow accounts often retain privilege after the business need has changed, which makes them a hidden governance risk and a common source of access leakage in mature environments.
  • Privileged Access Management: A control discipline for governing elevated access to systems, data, and administrative functions. It is only as effective as the identity data behind it, because stale accounts, false ownership, and unmanaged credentials can bypass the intended security outcome.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by SPHERE Technology Solutions: analysis of Palo Alto Networks’ planned acquisition of CyberArk and its implications for identity security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org