TL;DR: Sustained demand for privilege controls across human, machine, and agentic AI identities drove $99 million in record net new ARR, $1.440 billion in total ARR, and $1.267 billion in subscription ARR, while also flagging a planned combination with Palo Alto Networks, according to CyberArk. The numbers point to sustained demand for privilege controls across human, machine, and agentic AI identities, while consolidation raises the bar for governance clarity.
NHIMG editorial — based on content published by CyberArk: Achieves record net new ARR and full-year 2025 results
By the numbers:
- Total ARR grew 23% year-over-year to reach $1.440 billion.
- The Subscription portion of ARR grew 30% year-over-year to reach $1.267 billion.
Questions worth separating out
Q: How should security teams evaluate identity platform consolidation?
A: Security teams should evaluate whether the combined platform preserves distinct control boundaries for human identity, NHI, and agentic AI.
Q: Why do NHIs need different governance than human identities?
A: NHIs depend on secrets, service accounts, certificates, and workload credentials that often operate without interactive login or user-driven review.
Q: When does subscription-led identity spending become a governance signal?
A: It becomes a governance signal when recurring spend reflects ongoing dependency on access control, credential lifecycle, and privilege management.
Practitioner guidance
- Re-baseline identity architecture by actor type Separate human identity, NHI, and agentic AI governance into distinct control patterns before evaluating platforms.
- Test consolidation against control boundaries Review whether a single platform can preserve clear policy separation between secrets management, privileged access, machine identity, and AI-related delegation.
- Reassess lifecycle coverage for non-human accounts Check whether offboarding, rotation, and recertification processes for service accounts and workload identities still work after recent platform changes or mergers.
What's in the full analysis
CyberArk's full article covers the financial detail this post intentionally leaves for the source:
- Quarterly revenue, subscription mix, and margin figures that finance and security leaders can use for board reporting
- ARR and net new ARR breakdowns that show how the business mix is shifting toward recurring revenue
- The acquisition context around Venafi, Zilla Security, and the planned Palo Alto Networks combination
- Management commentary on the market opportunity and the company’s stated AI-era identity security positioning
👉 Read CyberArk’s full 2025 results and identity security market update →
CyberArk ARR growth and platform consolidation: what does it mean?
Explore further
Subscription-led identity security growth shows the market is shifting from product purchase to control dependency. CyberArk’s ARR mix suggests buyers are no longer treating identity security as a narrow category. They are funding recurring control coverage across access, privilege, and lifecycle management. That shift matters because identity risk is operational, not episodic, and recurring spend usually follows recurring governance failure modes.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: What should organisations do when AI agents are added to identity programmes?
A: They should define whether the agent is governed as a machine identity, an autonomous actor, or a constrained workflow component. That classification determines which controls apply, including privilege limits, logging, approval gates, and offboarding when the task or session ends.
👉 Read our full editorial: CyberArk’s ARR growth signals identity security demand is broadening