Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

CyberArk Q3 results: what the AI-era identity shift means for IAM


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Demand driven by human, machine, and agentic AI identity risk helped CyberArk report third-quarter 2025 net new ARR of $68 million, total ARR of $1.341 billion, and subscription ARR of $1.158 billion, according to CyberArk, while the numbers reinforce that identity security is moving from point controls to platform governance across the full identity lifecycle.

NHIMG editorial — based on content published by CyberArk: its third-quarter 2025 financial results and identity security market update

By the numbers:

Questions worth separating out

Q: Should security teams re-evaluate identity architecture after major platform consolidation?

A: Yes. Consolidation often changes where identity controls sit, how data is shared, and which lifecycle processes remain independent. Security teams should verify that human IAM, PAM, and NHI governance still have clear ownership boundaries, explicit offboarding steps, and auditable privilege controls. If those responsibilities blur, the risk is not just vendor lock-in but control drift.

Q: Why do machine identities require different governance from human users?

A: Machine identities do not behave like people.

Q: How do AI agents change privilege management in identity programmes?

A: AI agents can select tools and act during runtime, which makes static entitlement planning less reliable.

Practitioner guidance

  • Re-map identity scope across all actor types Inventory where human identities, service accounts, tokens, certificates, and AI agents are governed today, then identify the control gaps between IAM, PAM, and NHI ownership.
  • Separate agent privileges from human roles Define runtime boundaries for AI agents that can choose tools or execute tasks independently, and do not assume human RBAC models are sufficient for those access paths.
  • Audit lifecycle controls for machine access Check whether offboarding, rotation, and access review processes cover API keys, service accounts, and certificates with the same discipline as employee access.

What's in the full analysis

CyberArk's full report covers the operational detail this post intentionally leaves for the source:

  • Quarterly revenue and ARR tables that show how the business mix changed across subscription and maintenance lines.
  • Management commentary on acquisition contributions from Venafi and Zilla, which explains the reported growth pattern.
  • The company’s presentation of non-GAAP measures and cash flow calculations, which matter if you are tracking financial performance rather than identity strategy.
  • Regulatory and transaction context around the proposed Palo Alto Networks acquisition, which is relevant to market watchers.

👉 Read CyberArk’s Q3 2025 results and identity security market update →

CyberArk Q3 results: what the AI-era identity shift means for IAM?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity security growth now reflects governance pressure, not just product demand. CyberArk’s revenue and ARR trajectory shows that identity security is increasingly being bought as a control plane for the whole enterprise access graph. That includes human privilege, machine identities, and emerging agentic AI use cases. The market is moving toward unified identity governance because point controls no longer match the way access is actually distributed. Practitioners should read this as a sign that identity programmes are being forced to consolidate around lifecycle, privilege, and visibility.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still governing machine identities with partial knowledge.

A question worth separating out:

Q: What should organisations measure to know whether identity governance is keeping up?

A: They should measure whether access can be found, explained, and removed across all identity types. Useful indicators include service-account visibility, secret rotation compliance, offboarding latency, and whether agent privileges are reviewed before they are reused. If the programme cannot answer those questions quickly, governance is lagging the real access graph.

👉 Read our full editorial: CyberArk’s Q3 results show identity security shifting to AI-era governance



   
ReplyQuote
Share: