Couldn't agree more. Your analysis really highlights the complex implications of this move. It makes me think about my own fascination with AI, where a truly robust system relies on such deep, unified integration to function securely. This really could be a paradigm shift in how platforms evolve.
Hi Francis! Thanks for sharing your articles; your perspectives are very interesting.
I write about technology, specifically IT Operations. In this season I’m writing articles about Data Centers, the foundation of AI.
Please subscribe to me, I’m subscribed to you.
Great analysis.
One issue that often goes unmentioned with large enterprise PAM deployments is that most organizations only use a fraction of the platform’s capabilities. CyberArk and similar vendors have incredibly deep and broad feature sets, expanded further through years of acquisitions.
In practice, we frequently encounter stalled or underutilized PAM implementations due to the complexity of deployment, configuration, and ongoing management costs. Companies invest in the full suite but often end up using just a small portion of it. This rarely gets discussed until a new CISO comes in, reassesses the sunk cost, and has the air cover to question previous decisions.
This acquisition could be a good moment for CISOs to poll the market. If you haven’t fully deployed or don’t plan to leverage the depth of these complex platforms, it might be time to consider solutions that are simpler to manage, specifically ones that don’t require an army of consultants, certifications, or custom integrations just to get value.
Very nice write-up - thank you for posting.
I agree that identity is the new perimeter (full disclosure, I work @ StrongDM). I also think that within that perimeter, authorization is the next point of control. Not authentication and access.
As control shifts from the network to identity, that new perimeter is Identity Security — it’s not about where a request comes from, but who is making it, what they are trying to do, and the context in which they are trying to perform these actions. The question isn’t “can this user log in?” but “should this request be allowed?” — and that means continuously evaluating both the identity, the action and context under which actions are being performed.
To make that possible, identity security systems have to understand actions in real time — what command is (about to) being run against a database, what API call is hitting a server, etc. — and the context around those actions: e.g. where they originate (geolocation), when they occur (time of day, shift, or rotation), and under what risk conditions (threat intelligence, device posture, or incident state).
Traditional PAM stops after authentication — it unlocks the front door and assumes everything you do after that is fine. In contrast, an authorization-first model treats every operation as a fresh decision point. Security becomes a continuous loop, not a single checkpoint — one that enforces trust on every action, every time, with identity being at the core of that.
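The per-action decision loop described in the comment above, sketched as an added example; it is not part of the comment and is not StrongDM's or any PAM product's code. The policy values, the `Request` fields, the function names and the session are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    action: str           # command or API call about to run
    country: str          # where the request originates
    at: time              # when it occurs
    device_managed: bool  # device posture
    incident_open: bool   # incident state

# Hypothetical policy data (constructed for this example).
SHIFTS = {"dana": (time(8, 0), time(18, 0))}
ALLOWED_COUNTRIES = {"US", "CA"}
DESTRUCTIVE = ("DROP ", "TRUNCATE ", "DELETE ")

def authenticate_once(user: str, credentials_ok: bool) -> bool:
    """Login-only model: one check, then every later action is trusted."""
    return credentials_ok and user in SHIFTS

def authorize(req: Request) -> tuple[bool, str]:
    """Authorization-first model: a fresh decision for each action."""
    if req.user not in SHIFTS:
        return False, "unknown identity"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "geolocation outside policy"
    start, end = SHIFTS[req.user]
    if not (start <= req.at <= end):
        return False, "outside shift"
    destructive = req.action.upper().startswith(DESTRUCTIVE)
    if destructive and not req.device_managed:
        return False, "destructive action from unmanaged device"
    if destructive and req.incident_open:
        return False, "destructive action during open incident"
    return True, "ok"

def replay(session: list[Request]) -> list[str]:
    """Evaluate every action in a session and return each decision's reason."""
    return [authorize(r)[1] for r in session]

# Constructed session: the same authenticated user, four different actions.
SESSION = [
    Request("dana", "SELECT * FROM orders LIMIT 10", "US", time(9, 30), True, False),
    Request("dana", "DROP TABLE orders", "US", time(9, 45), True, True),
    Request("dana", "SELECT 1", "US", time(23, 10), True, False),
    Request("dana", "GET /v1/keys", "BR", time(10, 0), True, False),
]

if __name__ == "__main__":
    print("login gate:", authenticate_once("dana", True))
    for req, reason in zip(SESSION, replay(SESSION)):
        print(f"{req.action!r:40} -> {reason}")
```

The login gate returns the same answer for all four actions, while the per-action check allows only the first.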
Insightful report, really interesting read!