Key Takeaways
- Built on the Pioneers of PAM (privileged access management): Idira™ is Palo Alto Networks' next-generation identity security platform, extending privileged access controls to every human, machine and AI agent identity in the AI enterprise.
- Zero Standing Privilege by Default: Idira replaces static, always-on access with dynamic privilege, granted just-in-time on a single control plane.
- AI-Driven Identity: AI runs natively inside Idira to surface hidden entitlements and unmanaged accounts, recommend least privilege, and remediate, closing the gap between attackers who move in 72 minutes and defenders who historically took days.
Since Palo Alto Networks and CyberArk came together in February, customers have been asking me the same question: What does the future of identity security actually look like?
Today at IMPACT, I get to answer it.
I am proud to introduce Idira™, the next-generation identity security platform from Palo Alto Networks. Idira secures every identity in the AI enterprise (human, machine, AI agent) on a single control plane that discovers risk, applies privilege dynamically, and governs the full lifecycle from first access to last session.
Idira begins with a belief shaped by more than 20 years of working on this problem. Privilege is the most challenging aspect of identity security. For a generation, the industry learned how to manage it well for a small population – administrators inside the most security-sensitive organizations in the world. That was necessary. But it is no longer enough.
The moment has come to extend that same rigor to every identity, because every identity today carries the power to move the business, or enable an attacker. That is the journey Idira takes us on. From privilege controls for administrators, to privilege controls for every identity.
Attackers Are Not Breaking In. They Are Logging In.
For most of the last two decades, identity security was built on a comfortable assumption: that maintaining a firm divide between a small number of powerful administrators and a much larger number of ordinary users is enough to secure the organization. That assumption no longer holds.
Our Chairman and CEO, Nikesh Arora, calls it the “IAM fallacy,” and the data in the 2026 Identity Security Landscape Report makes clear why it is time to retire this assumption.
Based on responses from 2,930 cybersecurity decision-makers worldwide:
- Machine identities now outnumber humans by 109 to 1. Of those, 79 are AI agents.
- 91% of organizations already run autonomous agents in production.
- 90% of organizations suffered an identity-related breach in the past 12 months. 83% of organizations suffered two or more incidents.
The old model is not failing because identity became less important. It is failing because identity and privilege became universal and ubiquitous.
Every major breach I have studied over the last two years follows the same pattern. An attacker steals a credential. They move laterally using standing access that should have expired. They escalate privilege. They reach the data, the infrastructure or the business systems they came for. Okta, MGM, Microsoft. Different industries. Different scales. The same pattern.
One overprivileged identity unlocks the entire enterprise.
And when defenders have a chance to respond, they are already behind and at a disadvantage. 97% of practitioners tell us that fragmented tools add 12 hours to every identity incident response, all while Unit 42® has observed the fastest attackers move from a first foothold to exfiltration in as little as 72 minutes.
Identity is now the enterprise perimeter. And the perimeter was built for a threat model that no longer exists.
Every Identity Is Privileged — Idira’s First Fundamental Principle
The premise of Idira is simple. Every identity in your organization is privileged.
Every login, every token, every service account, every workload, every AI agent can trigger a workflow, call an API, or reach sensitive data. Some can create and destroy infrastructure, direct organizational spend, or create new identities. Privilege is no longer reserved for a small class of administrators. It is distributed across the enterprise, quietly and continuously, every second of the day.
The controls that protect privilege cannot be reserved for the few, either.
Idira changes three things from day one.
First, We Discover
Idira continuously finds every identity, every entitlement and every access path across your entire environment: humans, machines, workloads, secrets, certificates and AI agents everywhere – on the network, in the cloud, on servers and endpoints, in the browser. If someone or something can authenticate, Idira knows it is there, knows what it can reach, and evaluates how much of that access is actually necessary.
Second, We Control
Idira replaces static, always-on accounts attackers rely on with dynamic privileges that exist only in the moment of use. Zero standing privilege moves from aspiration to default, and it applies equally to the administrator logging into production, the developer deploying code, and the AI agent calling a tool. This is the shift to identity-centric active security.
Third, We Govern
Idira automates the identity lifecycle end-to-end. Governance stops being a quarterly compliance exercise and becomes a continuous enforcement loop. The 12-hour fragmentation tax closes.
This is what I mean when I say we are democratizing privilege controls. We are not loosening them. We are extending the strongest privilege controls the industry has ever built to every identity that now carries the weight of the business, without penalizing these identities for the powers they carry.
Already Better Together
Idira is not launching into an empty runway. We have been executing against this roadmap since the day we joined Palo Alto Networks, and the early results give us real confidence in what comes next.
Earlier this year at the RSA Conference, we launched Next-Generation Trust Security (NGTS), the first network-native platform to automate certificate lifecycle management and accelerate post-quantum readiness. That matters because 71% of organizations have not yet automated certificate renewal. As public TLS lifetimes compress to 47 days and manual workloads multiply, that gap becomes more than an operational burden. It becomes a business continuity risk.
NGTS closes it in the network itself.
As one of the core platforms of Palo Alto Networks along with Strata® and Cortex®, Idira is providing deep identity integrations across the entire portfolio to enhance platform value for customers. Prisma® Browser™ delivers privileged access directly in the place where enterprise users work. Prisma AIRS™ 3.0 natively integrates with Idira to extend deep identity security and privilege controls to AI agents. Cortex will receive first-party identity signals to sharpen detection and take automatic identity- and privilege-driven response actions when indicators of compromise are detected.
Customers are already seeing the impact. Northern Trust improved password compliance by 137 percent. Panasonic Information Systems rebuilt its security operations around identity. Healthfirst grounded its zero trust program in identity-first controls. PDS Health secured clinical access for more than 900 practices. They had different problems with the same answer.
Different challenges. One answer. One platform. Consistent privilege controls applied to every identity that matters.
AI Makes This Urgent. AI Makes This Possible.
AI has changed the speed, scale and economics of identity risk.
Frontier models have crossed a threshold. Anthropic's Claude Mythos Preview has already identified thousands of zero-day vulnerabilities across the operating systems and browsers that businesses rely on every day. Every exposed secret, every standing admin path, every forgotten service account can now be discovered, validated and weaponized faster than most security teams can respond. 55% of the decision-makers in our 2026 survey named AI-enabled threats as their top identity concern.
Our answer is clear: We fight AI with AI.
If frontier models are rewriting the economics of attack, the only credible response is to rewrite the economics of defense with the same technology.
Idira is how we do that in identity. AI is built into the platform to surface hidden entitlements, identify risky access combinations, recommend the least privilege automatically, and drive surgical remediation. That same intelligence lets attackers find the weakest link in 72 minutes and helps defenders close it in seconds.
When code cannot be patched fast enough, identity becomes the control plane that can still adapt at machine speed.
Same Mission, Stronger Together
For more than two decades, the pioneers of privileged access management have built controls trusted to safeguard the world's most critical environments. That mission created a category and earned the trust that made today possible.
Idira carries that mission forward and expands it to match the scale of the problem we now face.
This is the first wave, not the last. The roadmap extends privilege controls to workforce identity, advances machine and agentic identity security, and unifies a fragmented market into one platform. We are building it in the open, shaped by the customers in the room with us at IMPACT and by the realities they face every day.
The future of identity security will not be defined by access alone. It will be defined by control. See what Idira is built to deliver.
Forward-Looking Statements
This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. Any unreleased services, integrations or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.