AI Identity Security
All research in AI Identity Security — 2 reports.
Okta is the largest independent identity-security vendor, selling workforce and customer identity (SSO, MFA, governance, privileged access, and emerging AI-agent controls) as recurring subscriptions; FY2026 subscription revenue was $2.855 billion of $2.919 billion total. Growth has cooled to about 11% with FY2027 guidance of just 9–10%, but free cash flow is now substantial, with $884 million of operating cash flow in FY2026, so the real debate is whether Okta is a sturdier compounder or a maturing core squeezed by Microsoft's bundle and a still-healing trust scar. Rating Hold: a credible business at fair-to-moderate value with limited margin of safety, with a genuine moat and real cash but slower growth and bundling pressure that cap the rerating upside.
As AI agents go mainstream, identity security is being elevated into a unified "identity control plane" that governs humans, workloads, service accounts, API keys, OAuth apps, certificates, tokens, CI/CD, bots, and agents alike. Non-Human Identity (NHI) is becoming a new budget entry point—the MCP spec already mandates the resource parameter and token audience validation while prohibiting token passthrough. The first budget pools to land are PAM, machine identity, secrets, and IGA-CIEM extensions, because they already exist and are strongly compliance-driven. Direct beneficiaries: SailPoint (FY26 ARR $1.125 billion, SaaS ARR +38%), CyberArk, Okta (FY26 Q4 RPO +15%), Microsoft Entra, IBM/HashiCorp Vault, and JFrog (Security Core already 10% of ARR); CrowdStrike's acquisition of SGNL and Cisco's planned acquisition of Astrix confirm that the NHI control plane is the next-generation entry point. Cloud providers' built-in IAM will keep commoditizing basic secrets and CIEM, while cross-cloud, cross-SaaS ownership, least-privilege, and runtime enforcement remain the profit pool. Rating Watch: identity security is on track to become the control plane of the AI agent era, but budgets land first in mature control points before spreading to the pure agent-identity layer.