The Identity Vendors Are Coming for the Agent Security Layer

Enterprise security teams are discovering something their users may not have announced: AI agents are already inside corporate systems, authenticated through the same identity providers that manage employees, making data access decisions with permissions nobody reviewed. A customer service agent with read access to a CRM can export contact records without a human triggering it. A development agent with repository permissions can push code changes or pull sensitive data files in seconds. Nobody caught it because the activity logs were not watching for software acting on behalf of a user. That governance vacuum is the reason Palo Alto Networks has spent roughly $25 billion in the past four months trying to own it.

The company completed its $25 billion acquisition of identity security vendor CyberArk in February and closed its purchase of agentic endpoint startup Koi in April. It is working toward closing its acquisition of Portkey, an AI gateway startup whose claimed scale — two trillion tokens per day across roughly 24,000 organizations, per Shashi.co — reflects Portkey's primary use case: cost tracking, prompt management, and API key oversight for AI operations. The deal is expected to close in Palo Alto's fiscal fourth quarter, ending July 31. Palo Alto Networks press release Shashi.co

Palo Alto Networks published a blog post this week positioning SaaS Agent Security — more than 10 specialized detectors targeting four categories of risk in AI agent workflows: gaps in identity and access management, data security exposures, operational hygiene failures, and offline threat detection. The product documentation was first published in January 2026 and updated as recently as April 24. The coverage list names Microsoft Copilot Studio, ServiceNow AI Platform, and Salesforce Agentforce specifically. The detectors span both configuration review and runtime monitoring. The blog describes the runtime layer as analyzing user prompts and agent responses for malicious intent — blocking prompt injection attempts and flagging data exfiltration in real time, not just auditing configuration state after the fact. Configuration checks cover authentication gaps, overly-broad data access, dormant agents retaining permissions, and missing audit logging. Each detected agent gets a weighted risk score and a risk level classification so SOC teams can triage. Palo Alto Networks blog Palo Alto Networks docs

The pitch is coherent: if you already own the identity layer that agents authenticate through, you are the natural owner of the security layer that monitors what they do after. Whether that pitch wins depends on a competitive race that accelerated visibly at RSAC 2026 in late March. At that conference, CrowdStrike, SentinelOne, Proofpoint, and Arctic Wolf all launched or expanded agentic AI security products alongside Palo Alto Networks — a simultaneous industry-wide bet that the gateway layer where agents access enterprise systems is worth owning. Each vendor has a different entry point: CrowdStrike through endpoint telemetry, Microsoft through its productivity stack, SentinelOne through autonomous security operations, Cloudflare through network-layer visibility. Palo Alto Networks' angle is that identity is the chokepoint nobody else already owns at enterprise scale.

Gartner predicted that 40 percent of enterprise applications will include task-specific AI agents by 2026, up from less than 5 percent in 2025. Gartner press release The trajectory is both the opportunity and the pressure point. As agent deployments accelerate, the question of who controls the gateway layer becomes a major infrastructure decision. Enterprises face a narrow window: act now to own that layer through their existing identity and security vendors, or accept whatever defaults their engineering teams — or their SaaS providers — lock in first.

The integration risk is where the argument gets harder. CyberArk, Koi, and Portkey each solve different problems. CyberArk is an identity infrastructure platform with its own massive customer base. Koi provides endpoint visibility into agent behavior. Portkey's core product is an AI gateway built for cost observability and prompt management — its customer testimonials emphasize tracking spend per use case and keeping API keys honest, not detecting agentic threat vectors. Pulling those three into a coherent agent security stack requires engineering that Palo Alto Networks has not yet demonstrated in a published customer deployment. The SaaS Agent Security blog post names four risk categories and three covered platforms; it does not publish detection benchmarks, customer case studies, or comparative data against standalone agent security vendors.

Portkey's architecture adds a complication Palo Alto Networks has not fully addressed publicly. The AI gateway is open-source and supports self-hosting, which means customers can run it outside Palo Alto Networks' managed cloud. If the acquisition closes, Palo Alto Networks would own the commercial relationship but not necessarily the architectural lock-in. Customers who want out have an engineering path. That escape hatch is visible in Portkey's own marketing, which still positions the product as a cost and observability tool first and a security layer second — a framing that may not automatically align with Palo Alto Networks' identity-security-as-agent-security thesis.

Security teams who want to shape this layer before it solidifies have a narrowing window. The identity vendors are moving fast, the independent agentic security startups are still in the market, and the open-source version of the gateway problem is already deployable today. Whether Palo Alto Networks closes the integration gap — and whether its identity depth translates into detection coverage that actually outperforms what Portkey's open-source core provides — is the material question.