Palo Alto Networks Launches Idira to Protect Identities in the Age of AI

Palo Alto Networks has introduced Idira, a new identity security platform designed to manage access for humans, machine identities, and AI agents within the enterprise. The launch marks a significant step in integrating CyberArk into the company’s overall strategy, following Palo Alto Networks’ acquisition of the Israeli firm for $25 billion.

The announcement comes at a delicate moment for cybersecurity teams. Identity has become one of the most common attack vectors: attackers no longer always need to “break” through technical defenses; often, they can simply log in with stolen credentials, exposed tokens, or misconfigured permissions. With the expansion of AI agents, cloud workloads, APIs, service accounts, and automation, the traditional model of protecting only privileged administrators is no longer sufficient.

From traditional PAM to broader identity security

Idira positions itself as an identity security platform for the “AI-powered enterprise.” Essentially, it extends the conventional concept of Privileged Access Management (PAM) to cover not only human administrators but also machines, workloads, secrets, certificates, and autonomous agents.

The company argues that the problem is no longer just protecting a vault of passwords or controlling a few critical accounts. Many organizations now distribute privileges across users, applications, cloud services, automation tools, and agents that can access data, perform actions, or initiate processes without constant human oversight. Each of these identities can become a vulnerability if not properly discovered, classified, and governed.

Citing its 2026 Identity Security Landscape report, Palo Alto Networks states that machine and AI identities outnumber human identities by a ratio of 109:1, and nine out of ten surveyed organizations experienced an identity-related breach in the past year. These figures, derived from the company’s own research, reflect a genuine market concern: companies are increasingly managing more machine and AI identities than human users.

Idira addresses this by focusing on three main areas: continuous identity risk discovery, dynamic privilege controls, and automated governance. The goal is to minimize permanent privileges, implement just-in-time access, and control what each identity can do based on context, risk, and actual needs.

Area | What Idira Proposes
Human Identities | Privileged access management, permission governance, and reduction of excessive privileges
Machine Identities | Secrets management, workloads, certificates, and non-human credentials
AI Agents | Discovery, context awareness, limited permissions, and action traceability
Access Model | Less permanent privilege and more just-in-time, on-demand access
CyberArk Customers | Continued current usage and gradual access to new Idira capabilities

The challenge of autonomous agents

The most innovative part of the announcement concerns agent identities. An AI agent isn’t just a chatbot that answers questions. In enterprise environments, it can connect to tools, read data, call APIs, execute workflows, open tickets, query financial systems, or modify information if authorized.

This shift changes the attack surface. A poorly controlled service account was already risky; an agent with broad access, autonomous capabilities, and limited traceability can be even more so. Therefore, security discussions about agents should focus not only on the content they generate but also on the credentials they use and the actions they can perform.

Palo Alto Networks claims that Idira can discover active agents across SaaS, cloud, and development environments, enrich them with context, identify owners and permissions, and enforce controls so they operate only during the necessary timeframe for a specific task. It also promises auditability of actions performed by these agents.

This approach aligns with a broader cybersecurity trend: applying Zero Trust and least privilege principles to any identity capable of authenticating. The challenge lies in executing this effectively. Many companies carry years of accumulated permissions, orphaned accounts, secrets spread across pipelines, integrations, and exceptions made for operational urgencies. AI accelerates this scenario but doesn’t eliminate existing debt.

A strategic acquisition for platform competition

Idira should also be viewed as a component of Palo Alto Networks’ platform strategy. The acquisition of CyberArk strengthened its position in identity management, an area that has become central to consolidating the cybersecurity market. With Idira, the company aims to combine CyberArk’s PAM expertise with its own portfolio covering network, cloud, operations, and incident response security.

For existing CyberArk SaaS customers, Palo Alto Networks plans a gradual transition. Traditional PAM users will receive enhancements in discovery and user experience, with options to add Zero Standing Privilege (ZSP) and protections for machine identities and agents. Modern PAM customers will be able to access discovery, ZSP, and improved user experience at no extra cost, though some advanced features may require new licenses.

The company also notes that customers with Secrets or Workload licenses can add traditional PAM and ZSP capabilities to unify identity management within Idira. Simply put, Palo Alto Networks intends for Idira to be the central platform for protecting both human and non-human identities, replacing separate controls for administrators, DevOps, secrets, endpoints, and AI agents.

From a technological perspective, this approach makes sense, but it raises practical questions for CISOs: platform consolidation only provides value if it reduces actual complexity. Many organizations already have multiple layers of IAM, PAM, IGA, EDR, CNAPP, SIEM, SOAR, CASB, and secrets tools. Adding another platform without streamlining processes risks creating more noise. The success of Idira will depend on how well it integrates, enhances visibility, and simplifies identity governance operations, rather than becoming just another monitoring dashboard.

Palo Alto Networks states that Idira is generally available from launch, with additional features planned for later this year. As with all enterprise cybersecurity solutions, real adoption will depend on licensing, internal maturity, integration with directories, clouds, DevOps tools, and compliance processes.

The market direction is clear. Identity is no longer just about user passwords. It now encompasses machines, workloads, APIs, secrets, and AI agents operating within critical systems. Securing this entire map will be one of the key challenges for corporate cybersecurity in the coming years.

FAQs

What is Idira?

Idira is Palo Alto Networks’ new identity security platform, designed to discover, control, and govern human, machine, and AI agent identities.

What’s the relationship between Idira and CyberArk?

Idira builds on the experience and technology of CyberArk, which Palo Alto Networks acquired. Existing CyberArk customers will continue using the platform, with a gradual transition to new capabilities under the Idira brand.

What does Zero Standing Privilege mean?

Zero Standing Privilege aims to eliminate permanent privileges. Instead of always-on elevated access, it grants temporary, just-in-time permissions only when needed.

Why do AI agent identities matter?

Because agents can access data, tools, and APIs to perform tasks. If they have excessive permissions or limited traceability, they can become attack vectors or operational risks.

via: investors.paloaltonetworks
