CyberArk Q3 results: what the AI-era identity shift means for IAM

TL;DR: Demand driven by human, machine, and agentic AI identity risk helped CyberArk report third-quarter 2025 net new ARR of $68 million, total ARR of $1.341 billion, and subscription ARR of $1.158 billion, according to CyberArk, while the numbers reinforce that identity security is moving from point controls to platform governance across the full identity lifecycle.

NHIMG editorial — based on content published by CyberArk: its third-quarter 2025 financial results and identity security market update

By the numbers:

• Total ARR grows 45% year-over-year to reach $1.341 billion.
• Total revenue was $342.8 million in the third quarter of 2025, up 43 percent from $240.1 million in the third quarter of 2024.
• Subscription revenue was $280.1 million in the third quarter of 2025, an increase of 60 percent from $175.6 million in the third quarter of 2024.

Questions worth separating out

Q: Should security teams re-evaluate identity architecture after major platform consolidation?

A: Yes. Consolidation often changes where identity controls sit, how data is shared, and which lifecycle processes remain independent. Security teams should verify that human IAM, PAM, and NHI governance still have clear ownership boundaries, explicit offboarding steps, and auditable privilege controls. If those responsibilities blur, the risk is not just vendor lock-in but control drift.

Q: Why do machine identities require different governance from human users?

A: Machine identities do not behave like people.

Q: How do AI agents change privilege management in identity programmes?

A: AI agents can select tools and act during runtime, which makes static entitlement planning less reliable.

Practitioner guidance

• Re-map identity scope across all actor types Inventory where human identities, service accounts, tokens, certificates, and AI agents are governed today, then identify the control gaps between IAM, PAM, and NHI ownership.
• Separate agent privileges from human roles Define runtime boundaries for AI agents that can choose tools or execute tasks independently, and do not assume human RBAC models are sufficient for those access paths.
• Audit lifecycle controls for machine access Check whether offboarding, rotation, and access review processes cover API keys, service accounts, and certificates with the same discipline as employee access.

What's in the full analysis

CyberArk's full report covers the operational detail this post intentionally leaves for the source:

• Quarterly revenue and ARR tables that show how the business mix changed across subscription and maintenance lines.
• Management commentary on acquisition contributions from Venafi and Zilla, which explains the reported growth pattern.
• The company’s presentation of non-GAAP measures and cash flow calculations, which matter if you are tracking financial performance rather than identity strategy.
• Regulatory and transaction context around the proposed Palo Alto Networks acquisition, which is relevant to market watchers.

👉 Read CyberArk’s Q3 2025 results and identity security market update →

CyberArk Q3 results: what the AI-era identity shift means for IAM?

Explore further

View Full Forum →  |  NHI Foundation Course →