Cybersecurity has been repeating a concept for years that, by 2026, is starting to sound like a diagnosis: attackers don’t “break in,” they log in. And if the entry point is identity, the expansion of Artificial Intelligence agents and non-human identities (NHI) turns this issue into a challenge of a different scale. Against this backdrop, CrowdStrike (NASDAQ: CRWD) has announced a definitive agreement to acquire SGNL, a company specializing in Continuous Identity, with the goal of evolving privilege and access management into a dynamic model: granting and revoking access in real-time based on risk.
According to Reuters, the deal is valued at $740 million and will be primarily financed in cash, with a portion in stock subject to customary closing conditions. The close is expected in the first quarter of CrowdStrike’s fiscal year 2027, pending regulatory approvals.
Why identity has become the perimeter of the agentic era
The core message behind the announcement is clear: An autonomous, “superhuman” AI agent behaves in practice like a privileged identity. If it’s granted permanent permissions — the classic standing privileges — the risk skyrockets: a misconfiguration, an exposed token, or a compromised account can open the door to data, applications, cloud infrastructure, and even other agents.
CrowdStrike argues that traditional access control models, based on static policies, are unable to reassess risk halfway through a session or revoke permissions when circumstances change (for example, if the device becomes untrusted or attack indicators appear). The conceptual leap is clear: shift from “who you are” to “what is happening right now” and act accordingly.
What SGNL offers: the real-time decision-making enforcement layer
In their statement, SGNL defines itself as a runtime access enforcement layer situated between identity providers and the resources accessed via SaaS and hyper-scale cloud environments. Its approach involves continuously evaluating signals related to identity, device, and behavior and, based on that information, granting, denying, or revoking access as circumstances change.
The integration with CrowdStrike aims to feed this dynamic decision-making with risk signals and intelligence already managed by the Falcon platform. In other words: not just detection, but also enforcing “just-in-time” access and removing privileges when the context is no longer secure.
Among the capabilities highlighted by CrowdStrike are:
- Eliminating permanent privileges for human identities, NHIs, and AI agents, with dynamic risk-based authorization.
- Extending Just-in-Time access beyond Active Directory and Microsoft Entra ID toward systems like AWS IAM, Okta, and other cloud and SaaS identity environments.
- Using the Continuous Access Evaluation Protocol (CAEP) to apply “downstream” revocations, integrated with Falcon Fusion SOAR, reducing misconfigurations and breaches.
- Unifying identity security across the attack surface—from initial access to privilege escalation and lateral movement in on-prem, SaaS, and cloud environments.
The company also notes that this move underscores the significance of the phenomenon. CrowdStrike cites an IDC forecast: the identity security market is expected to grow from roughly $29 billion in 2025 to $56 billion in 2029, highlighting that this perimeter battle is not marginal but strategic.
The missing piece in CrowdStrike’s strategy
CrowdStrike has been building its identity offerings for some time. Reuters recalls that the company entered this space with the acquisition of Preempt Security in 2020, and that its identity business had exceeded $435 million in annual recurring revenue by the end of Q2 of fiscal year 2026. In this context, SGNL appears as an accelerant: bringing access decisions to the “exact moment” and “exact risk”, especially in environments where identities are created and destroyed dynamically (workloads, service accounts, automation, and agents).
Operationally, CrowdStrike also notes that the SGNL team will be fully integrated, with no plans for layoffs, and that integration into Falcon should be relatively straightforward for existing customers—fitting with its platform strategy dominating cybersecurity markets.
What it means for companies: from “office-style” access control to “moving” access control
Practically, this deal advances a trend already underway: governing identities as if they were living sessions, not static permissions. For security leaders, the conversation shifts from “what role does this account have” to questions like:
- What signals from endpoint, network, and cloud confirm that this session remains trustworthy?
- What happens if risk increases mid-automated operation?
- How are non-human identities—appearing in pipelines and data environments—managed?
- How is access revoked downstream, beyond the identity provider?
The acquisition of SGNL suggests that CrowdStrike aims to compete at this enforcement layer, where identity is no longer a directory but a nervous system that decides in milliseconds whether an action is legitimate.
Frequently Asked Questions (FAQ)
What is “continuous identity,” and how does it differ from traditional access control?
Continuous identity assesses session risk permanently (via signals from user, device, behavior) and allows real-time granting or revoking of access, unlike fixed permissions and periodic reviews.
What are non-human identities (NHI), and why have they become critical with agentic AI?
They include service accounts, automation, workloads, and agents operating without human intervention. In cloud and SaaS environments, they are created dynamically and often have broad permissions, making them valuable targets if compromised.
How does Just-in-Time access reduce the risk of stolen credentials?
By minimizing exposure window: permissions exist only when needed and expire afterward. If an attacker obtains credentials, it’s less likely they will find persistent privileges ready for exploitation.
What should companies review before deploying dynamic access controls for AI agents?
An inventory of NHIs and agents, reduction of permanent privileges, definition of risk signals (endpoint, cloud, identity), and the ability to revoke “downstream” in SaaS applications and cloud services.
via: crowdstrike