TL;DR: CrowdStrike’s acquisitions of SGNL and Seraphic Security, combined with Oasis Security’s partnership messaging, point to a market shift toward unified identity protection across enforcement, browser control, and lifecycle governance, according to Oasis Security. The practical issue is not platform branding, but whether identity teams can govern non-human identities, MCPs, and agents as one continuously managed attack surface.
NHIMG editorial — based on content published by Oasis Security: Why the Future of Identity Belongs to the Bold and the Agile
Questions worth separating out
Q: How should security teams govern non-human identities in a unified identity platform?
A: Teams should treat non-human identities as continuously governed assets, not static records.
Q: Why do browser controls matter in identity governance?
A: Browser controls matter because many modern access paths are session-based and mediated through the web, not just through login events.
Q: What breaks when lifecycle context is missing for service identities?
A: When lifecycle context is missing, teams lose track of which credentials still belong to an active business process and which are effectively orphaned.
Practitioner guidance
- Map identity control boundaries: Document where discovery, governance, and enforcement live today for human identities, NHI, MCPs, and agents.
- Inventory lifecycle gaps for non-human identities: Identify service accounts, API keys, tokens, certificates, and agent credentials whose provisioning, rotation, and retirement states are not visible in one place.
- Test session-time enforcement: Validate whether browser telemetry, identity posture, and policy controls can influence access before the session completes.
What's in the full article
Oasis Security's full blog post covers the strategic positioning and partnership detail this analysis intentionally leaves for the source:
- How Oasis describes its role in extending CrowdStrike's identity coverage across non-human identities, MCPs, and agents
- The specific language the vendor uses to frame lifecycle and governance as part of a unified identity model
- The partnership and marketplace context behind the integration, including how the vendor positions additive identity resilience
- The way Oasis links browser, enforcement, and identity hygiene in its own platform narrative
Identity platform consolidation: what it means for IAM teams?
Explore further
Identity has become the policy surface, not just the login surface. The article reflects a broader market move in which identity is treated as the place where discovery, governance, and enforcement converge. That framing is correct for modern enterprises because static perimeter thinking no longer matches how access is created and consumed across humans, workloads, and agents. The practitioner conclusion is that identity architecture now has to be evaluated as an operating model, not as a directory project.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Who is accountable when identity governance and enforcement are split across tools?
A: Accountability usually becomes blurred at the boundary between the tool that knows the identity state and the tool that enforces policy. Teams should assign a clear owner for lifecycle truth, policy decisions, and runtime enforcement. Without that clear division of ownership, incidents become harder to investigate and harder to contain.