Identity Security as the Control Plane for the AI Era: Insights from CyberArk IMPACT 2026

At CyberArk IMPACT 2026 in Austin, Palo Alto Networks' $25 billion acquisition of CyberArk underscored a clear shift: in the age of Agentic AI, Identity Security is becoming the control plane for Zero Trust. As agencies adopt AI at scale, identities increasingly provide the first line of defense and the earliest signals of compromise.

The Increasing Need for Identity Security

CyberArk IMPACT highlighted that machine identities now outnumber human identities 109:1, with 79 of those being agents. This gap will widen as agencies continue multi-cloud modernization and AI adoption, while identity-based compromise remains tied to more than 60% of initial access incidents.

Non-human identity growth compounds familiar challenges: identity sprawl, hardcoded secrets, ephemeral workloads, and standing, over-privileged credentials. Agencies now need consistent identity security discipline across humans, machines, and AI agents.

The Imperative for Faster Detection and Response

Adversaries are using AI to identify vulnerabilities, exploit exposures, and automate attacks with greater speed and scale. To keep pace, agencies must reduce identity attack surfaces and improve detection and response across distributed environments.

Recent advances such as Anthropic's Claude Mythos and OpenAI's GPT-5.5-Cyber suggest that adversary-accessible models with similar capabilities are inevitable. Defenders should expect more complex vulnerabilities, larger patch management backlogs, and greater need for risk-based prioritization.

Agentic AI: Securing Autonomous Identities

Agentic AI introduces new identity risk because agents often behave like human users, leveraging user credentials, but operate with machine speed and autonomy. Traditional security tools may struggle to distinguish human activity from agent activity, leaving mission-critical applications and data exposed.

Agencies need automated agent identity discovery, attribution, governance, and visibility into task execution to reduce unmanaged agentic identity proliferation.

Supply Chain Risks in the AI Era

The software supply chain remains a prime target for attackers seeking to bypass perimeter defenses and infiltrate at scale. Open-source libraries embedded in code create attack surfaces that AI models can rapidly probe for vulnerabilities, while autonomous agents can discover, chain, and exploit vulnerabilities at machine speed for network access.

Post-Quantum Cryptography: Preparing for the Inevitable

Cryptographically relevant quantum computers (CRQCs) capable of breaking current encryption pose an emerging risk to data confidentiality. While the timeline seems distant, OMB and NIST guidance target PQC readiness by 2030.

To counter "harvest now, decrypt later" threats, agencies must inventory cryptographic objects, remediate weak or deprecated ciphers, and plan for cryptographic agility as quantum and AI capabilities converge.

Zero Trust and the Need to Evolve Identity Security

Agencies that have embraced zero trust are better positioned to defend against AI-driven threats, but zero-standing privilege, just-in-time access, and continuous monitoring can no longer apply only to humans. These principles must also extend to machine and agentic identities.

A unified identity security platform can connect access management, privileged identity management, governance, and lifecycle management. With attribute-based access control, zero-standing privilege, and just-enough access, agencies can limit exposure while improving detection, response, and remediation across the identity lifecycle.

Looking Forward

As AI agents and AI-enabled systems become woven into enterprise infrastructure, agencies must evolve cybersecurity capabilities with Identity Security at the center. A dynamic trust model, enforced through unified identity controls, analytics, automation, governance, and runtime monitoring, can secure every identity, human and machine alike.

To learn more about how Merlin Cyber can translate Identity Security strategy into operational reality and help your agency discover, govern, and secure the human and agentic mission, contact us at federal@merlincyber.com.
