TL;DR: Rising in Cyber 2026, selected by 150 CISOs and senior security executives and backed by more than $6.9 billion in combined fundraising, highlights how AI agents, identity and access management, and application defence are converging in enterprise security, according to Orca Security and Notable Capital. The signal is that identity governance is no longer a narrow IAM issue; it is becoming central to cloud, AI, and operational risk decisions.
At a glance
What this is: This is Orca Security’s announcement about being named to Rising in Cyber 2026, alongside market analysis showing that AI, identity, and security operations are now overlapping priorities for enterprise leaders.
Why it matters: It matters because IAM teams are being pulled into cloud security and AI governance conversations at the same time, which changes how NHI, autonomous systems, and human access programmes are prioritised.
By the numbers:
- The 2026 honorees were named alongside the release of the Rising in Cyber 2026 Report, produced in collaboration with Morgan Stanley.
- The 30 private cybersecurity companies recognized in Rising in Cyber 2026 collectively raised over $6.9 billion, according to PitchBook.
- The list is selected through voting by 150 active CISOs and senior security executives.
Context
Rising in Cyber 2026 is a vendor announcement wrapped around a broader market signal: security buyers are now evaluating cloud security, AI security, and identity control together. The practical question is what this says about the direction of identity security investment.
For identity teams, the important shift is not the ranking itself but the categories it highlights. When AI agents, identity and access management, and application defence appear in the same market conversation, programme boundaries start to blur and governance decisions have to follow actual access paths, not organisational chart lines.
Key questions
Q: How should security teams respond to the convergence of AI security and IAM?
A: They should treat AI security, cloud security, and IAM as one governance problem when identities can reach the same workloads. The first step is to map which humans, service accounts, and AI-enabled systems share access paths, then define ownership, review cadence, and expiry for each high-risk entitlement. Without that, the programme can see risk but not govern it.
Q: Why does agentless cloud visibility not fully solve identity governance?
A: Because visibility shows what exists, not who is accountable for it or whether the access should still exist. In cloud and AI environments, the governance gap appears when an organisation can observe assets and activity but cannot tie them to an owned entitlement, an expiry condition, or a recertification path.
Q: What do security teams get wrong about AI-powered security agents?
A: They often assume that security tooling inside the control plane is automatically safe because it is defensive. In practice, any AI-enabled agent that can query data, trigger actions, or influence workflows still needs explicit entitlement boundaries, owner assignment, and reviewable scope. Otherwise the agent becomes another governed identity surface, not a passive tool.
Q: Who should own governance when identity, cloud, and AI security overlap?
A: Accountability should sit with the team that can change the entitlement and explain the business purpose of the access, not only with the team that operates the platform. In many organisations that means IAM, cloud security, and AI owners need a shared model for access review and risk acceptance rather than separate sign-off chains.
Technical breakdown
Why CISO-voted rankings matter for identity security buying
CISO-voted lists are not technical benchmarks, but they do show where decision-makers believe risk and budget are concentrating. In this case, the voting pool is tied to enterprise security leadership rather than analyst-only scoring, which makes the signal useful for understanding where identity, cloud, and AI security are converging. The key point is that identity security is no longer evaluated in isolation from runtime cloud protection or AI workload governance.
Practical implication: use market signals like this to reassess whether IAM, cloud security, and AI governance are being planned as one programme or three disconnected ones.
Agentless cloud security and the machine identity problem
Agentless cloud security reduces deployment friction, but it does not remove the underlying identity problem. If AI activity, workload access, and service interactions are not mapped to accountable identities, visibility alone will not tell you who or what is acting. For non-human identity governance, this matters because cloud posture data without identity context often misses standing privilege, secret exposure, and delegated access paths.
Practical implication: pair cloud visibility with identity inventory and entitlement review so machine access is governed, not just observed.
AI security agents change the IAM control surface
AI-powered security agents sit inside the same control plane that IAM and cloud security teams already manage, but they introduce new questions about delegated authority, action scope, and runtime oversight. Even when the system is not fully autonomous, the security team still has to understand what access the agent can exercise, what telemetry proves that access, and what guardrails limit misuse. That makes identity context a core part of AI security, not an adjacent concern.
Practical implication: define access boundaries for any AI security agent before broad deployment and tie those boundaries to reviewable entitlements.
NHI Mgmt Group analysis
Market recognition is now a proxy for identity convergence. The fact that AI, identity and access management, security operations, and application defence are being judged in the same market cohort shows where enterprise security buying is moving. Those categories used to be separated by operating model and budget owner; now they are increasingly evaluated together because the access paths are shared. Practitioners should treat this as a signal that identity governance is becoming a cross-platform control plane, not a standalone IAM workstream.
Agentless visibility does not solve identity accountability. The market often rewards tools that improve discovery and context, but discovery is only the starting point. If a platform can see cloud resources and AI activity without establishing who owns the identity, who approved the access, and when the entitlement should end, then governance remains partial. The practical conclusion is that visibility should be measured against lifecycle control, not against dashboard coverage alone.
AI activity is pushing security teams toward runtime identity governance. The article’s emphasis on AI-powered security agents and real-time AI activity detection reflects a broader shift: access now changes during execution, not only at provisioning time. That puts pressure on access review, entitlement recertification, and privileged workflow oversight, because the control point has moved closer to runtime behaviour. Practitioners should expect identity programmes to be judged by how well they govern action, not just account creation.
Rising in Cyber is also telling us where the budget conversation is going. The combination of substantial private funding, CISO voting, and market analysis suggests that buyers are prioritising tools that link identity, AI, and cloud risk into one operating model. That does not mean every platform claim will translate into governance value. It does mean security leaders should re-evaluate whether their current stack can support cross-domain identity decisions without forcing manual correlation.
Identity blast radius is becoming the right lens for cloud and AI security together. As AI agents, cloud workloads, and security tooling share more of the same infrastructure, the question is no longer only whether access exists. The more important question is how far that access can propagate if an identity is mis-scoped or misused. That is the control boundary practitioners should be using when they assess their next platform decision.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- That confidence gap is why the Ultimate Guide to NHIs, Why NHI Security Matters Now is the right next step for teams reassessing machine identity governance.
What this signals
Identity governance is moving from account administration to control-plane design. As AI agents and cloud security tools share more of the same operational surface, teams need a governance model that can explain ownership, scope, and expiry across human and non-human access. The practical test is whether your programme can answer who can act, on what, and for how long without manual reconciliation.
With 88.5% of organisations saying their non-human IAM practices lag behind or merely match human IAM, according to The 2024 Non-Human Identity Security Report, the gap is no longer hidden by visibility dashboards. The next stage is proving accountability for AI-enabled and workload identities before those identities become operational dependencies.
That is where the Top 10 NHI Issues becomes useful: it helps programme leaders separate routine platform noise from the governance failures that actually widen identity blast radius. Teams should watch for shared-access patterns, weak entitlement ownership, and review cycles that still assume identities are static.
For practitioners
- Map shared identity paths across cloud and AI tooling: Inventory where human admins, service accounts, AI features, and security agents touch the same cloud resources. Use that map to identify where a single entitlement can affect both operational workloads and AI activity.
- Tie AI security controls to entitlement ownership: For every AI-enabled workflow, assign a human owner for the underlying access, the expected action scope, and the review cadence. If the entitlement cannot be owned, it should not be broadly deployed.
- Use market signals to re-sequence IAM priorities: If your programme still treats IAM, cloud security, and AI governance as separate roadmaps, collapse the planning view into one cross-functional backlog. Start with the identities that can reach production data and AI workloads.
- Reassess visibility against control outcomes: Do not stop at discovering assets or agents. Check whether you can prove accountable ownership, access expiry, and reviewability for the identities that matter most.
Key takeaways
- Rising in Cyber 2026 is less about rankings than about the market convergence of cloud, AI, and identity governance.
- The governance gap is not discovery alone but accountability, because visibility without entitlement ownership does not reduce identity risk.
- Security teams should re-plan IAM, cloud, and AI controls around shared access paths, reviewable scope, and explicit ownership.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Shared AI and cloud access needs least-privilege governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Machine identities and secrets remain central to cloud and AI access control. |
| NIST Zero Trust (SP 800-207) | AC-4 | Continuous verification matters when AI and cloud tools share runtime access paths. |
Apply zero-trust segmentation and limit access paths so AI-enabled systems cannot expand privilege unchecked.
Key terms
- Identity blast radius: The amount of systems, data, and workflows that can be affected if one identity is mis-scoped, over-permissioned, or abused. In cloud and AI environments, blast radius is a practical measure of how quickly a single entitlement can become an enterprise incident.
- Machine identity: A non-human identity used by software, services, workloads, or agents to authenticate and act. It includes service accounts, API keys, tokens, and certificates. The governance challenge is not just issuance, but ownership, lifecycle control, and the ability to prove why the identity still needs access.
- Entitlement ownership: The assignment of clear accountability for a permission or access path, including who approves it, who reviews it, and when it should end. Without ownership, access can be visible but still unmanaged, especially where cloud tools and AI systems reuse the same operational privileges.
- Runtime identity governance: The practice of controlling and reviewing access as systems operate, not only when accounts are created. It matters when cloud services, security tools, and AI-enabled workflows make decisions or trigger actions during execution, because static provisioning records may no longer describe actual access.
This post draws on content published by Orca Security: Orca Security named to Rising in Cyber 2026 for the third consecutive year.
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org