Palo Alto Networks has unveiled Idira, a next-generation identity security platform built specifically for the AI enterprise. From a single platform, Idira discovers, controls, and governs every identity in an organization, whether human users, machine accounts, or autonomous AI agents. The product builds on the privileged access management (PAM) technology of CyberArk, which Palo Alto Networks acquired last year in a roughly 25 billion dollar deal, and extends those controls to the rapidly multiplying population of non-human identities. General availability began on 12 May 2026, with further capabilities arriving throughout the year. In this article we take a detailed look at what Idira offers, the problem it answers, and why Hungarian organizations should pay attention to it as well.

What is Idira, and why now?

Idira is Palo Alto Networks' response to a simple realization: identity has become the primary attack surface of the modern enterprise. Traditional identity tools were designed for a world in which elevated access belonged to a narrow, well-defined group of administrators. That model has collapsed. With the spread of generative AI, a flood of autonomous identities has emerged, all of which need access to sensitive systems, and they need it at scale.

Against a market crowded with fragmented point tools, the platform emphasizes unification. Enterprises typically run separate products for privileged access, secrets storage, workforce access, and machine identities. These silos leave gaps that attackers slip through easily. Idira aims to dismantle those silos and bring every identity type under one shared set of policies and controls.

Identity is the new battleground

Research by Palo Alto Networks, based on input from 2,930 cybersecurity decision-makers, paints a stark picture of the current state of affairs. The numbers speak for themselves and show why modernizing identity security can no longer be postponed:

  • Identity is the main entry point: nine in ten organizations experienced an identity-related breach over the past year.
  • Machines now dominate: machine and AI identities already outnumber human identities by 109 to 1, and on average 79 of those are AI agents themselves.
  • Standing privilege everywhere: 61 percent of privileged access requests are still fulfilled with permanent, always-on access rather than on-demand provisioning.
  • Attackers log in, they do not break in: the fastest attackers move from an initial foothold to data exfiltration in as little as 72 minutes, while defenders, hampered by fragmented tools, often respond only hours or days later.

According to Peretz Regev, Chief Product and Technology Officer at Palo Alto Networks, identity has become the new battleground of the AI enterprise, and today every single identity has become a target. The old logic, in which privilege management was a checkpoint at one stage of the process, no longer holds: identity has to move from a checkpoint to an operating model.

The problem with standing privilege

At the heart of Idira's design lies a simple but weighty observation: privilege is the most challenging part of identity security. In the classic approach, elevated permissions exist permanently, sitting on standby waiting for someone to use them. That constant availability is precisely what makes them an attractive target.

Most attacks today follow a familiar pattern: an attacker steals a credential, uses standing privilege to move laterally across the network, gradually escalates their rights, and then reaches their objective. Every step in that chain is enabled by permissions that are always available and ready to be abused. If there is nothing to steal, because the privilege exists only at the moment of use, the attack chain breaks.

Zero standing privilege and just-in-time access

Idira's key innovation is zero standing privilege (ZSP). The idea is that the system removes persistent, always-available elevated rights and replaces them with dynamic privileges that exist only in the moment of use. Access is therefore just-in-time: it is created exactly when it is needed and automatically revoked once the task is complete.

What truly sets Idira's approach apart is equal treatment. ZSP does not apply to administrators alone; it governs developers and AI agents by the same principle. There is no longer a privileged identity that enjoys permanent access while others are restricted. This approach enforces least privilege uniformly, regardless of the identity type.

Behind the scenes sits a centralized control plane that continuously evaluates risk and adjusts the privileges of users, workloads, and AI agents in real time. Access is no longer a static setting but a live decision that constantly adapts to context and risk.

The three pillars: discover, control, govern

Idira is organized around three interlocking functions. Together they form the closed loop that runs from discovery all the way to continuous compliance.

Discover: the platform uses artificial intelligence to continuously surface every identity, entitlement, and access path across the hybrid environment. This includes human users, machines, workloads, secrets, certificates, and AI agents. The goal is to leave no hidden entitlement or unmanaged account anywhere in the organization.

Control: static, permanent accounts give way to dynamic privileges that the system grants only when needed. In practice this means enforcing zero standing privilege and just-in-time access across every identity type.

Govern: Idira automates the full identity lifecycle with AI-driven policy. What used to be a quarterly, manual compliance exercise becomes a continuous, automated enforcement loop that keeps access in order in real time.

Machine and agentic identities: securing non-human users

One of Idira's most important contributions is that it extends privileged access controls to non-human identities. Enterprises now operate far more machine and AI identities than human ones, and these access sensitive systems just as real users do. A compromised service account or a hijacked AI agent can cause as much damage as a stolen administrator password.

Traditional PAM solutions were built for a narrow group of administrators, so they do not scale to the magnitude of machine identities. Idira, by contrast, places AI agents and machine accounts under the same dynamic privilege management as people. Autonomous systems therefore receive only the temporary access their task requires, not permanent, broad permissions.

The solution also integrates closely with Palo Alto Networks' AI security portfolio. Prisma AIRS 3.0 works natively with Idira to bring deep identity security and privilege controls down to the level of AI agents. This matters especially in an era when agentic AI makes decisions and carries out operations on production systems on its own.

AI at the core of the platform

Idira does not just protect AI identities; it is itself built on artificial intelligence. AI runs natively in the platform and automates several tasks: it surfaces hidden entitlements, identifies risky access combinations, automatically recommends least privilege, and closes gaps with targeted, surgical remediation.

That speed carries real stakes. Defenders have typically operated at a deficit of many hours, even days, compared with attackers, partly because of fragmented tooling. Idira aims to close that gap so that remediation happens in seconds rather than days, allowing defense to keep pace with the fastest attackers who move within 72 minutes.

The CyberArk acquisition behind it

Idira did not appear out of nowhere. In February 2026, Palo Alto Networks closed its roughly 25 billion dollar acquisition of CyberArk, one of the leading players in the privileged access management market. Idira is the first major integrated product of that strategic move: it takes CyberArk's proven privileged access technology as its foundation and extends it to machine and agentic identities.

The market reads the move as Palo Alto Networks essentially bringing the former CyberArk portfolio under a unified brand and platform and folding it into its own platform-based security strategy. The goal is a single identity security operating model that works in hybrid and AI-driven enterprise environments alike.

What does this mean for existing CyberArk customers?

Palo Alto Networks positions Idira as a significant upgrade for existing CyberArk SaaS customers, with tiered benefits that depend on the plan in use:

  • Traditional PAM (IT Standard): comes with automatic discovery and a modernized user experience, while zero standing privilege and protection for agentic and machine identities can be added through additional licenses.
  • Modern PAM (IT Enterprise/Dev): immediate discovery, zero standing privilege, and user experience improvements at no extra cost; agentic and machine identity security is available as an optional purchase.
  • Workforce Access: immediate user experience improvements, with the option to enable full zero standing privilege and traditional PAM capabilities.
  • Machine and AI identity security: holders of Secrets or Workload licenses can add traditional PAM and zero standing privilege through new licenses.

The takeaway is that existing customers do not have to start from scratch: building on familiar CyberArk foundations, they can move toward modern, dynamic privilege management step by step.

Why this matters for Hungarian organizations

Although Idira is a global product, the problem it addresses is sharpening on the Hungarian market too. Local organizations are adopting cloud services, automation, and AI-based tools at an accelerating pace, and with them the number of machine and service accounts is multiplying as well. These non-human identities are often unmapped, over-privileged, and rarely the focus of security reviews.

The regulatory environment is also pointing toward stricter identity management. The NIS2 directive and the related national legislation explicitly demand a high standard of access management, regular review of entitlements, and robust logging. The principles of zero standing privilege and just-in-time access answer exactly these requirements: they shrink the pool of exploitable permissions and make it transparent who accessed what, and when.

You do not need to switch to the very latest platform overnight to begin preparing. The first step is almost always to establish visibility: assess how many human and non-human identities exist in the organization, what permissions they hold, and where unnecessary, standing access accumulates. That can be followed by tightening permissions on critical systems and establishing continuous monitoring.
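The visibility step described above can be started with nothing more than an export of current entitlements. The following is an added example, not code from Palo Alto Networks or CyberArk: it classifies privileged grants by identity type as standing, standing and unused, or time-boxed but never revoked. The inventory rows, field names, and the 90-day staleness threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are assumptions, not a product export format.
INVENTORY = [
    {"id": "alice", "kind": "human", "role": "domain-admin", "privileged": True,
     "expires": None, "last_used": "2026-05-10T08:00:00+00:00"},
    {"id": "bob", "kind": "human", "role": "db-admin", "privileged": True,
     "expires": "2026-05-12T12:00:00+00:00", "last_used": "2026-05-12T09:30:00+00:00"},
    {"id": "svc-backup", "kind": "machine", "role": "storage-admin", "privileged": True,
     "expires": None, "last_used": None},
    {"id": "ci-runner", "kind": "machine", "role": "deploy", "privileged": True,
     "expires": "2026-05-11T00:00:00+00:00", "last_used": "2026-05-10T23:00:00+00:00"},
    {"id": "agent-triage", "kind": "ai_agent", "role": "ticket-read", "privileged": False,
     "expires": None, "last_used": "2026-05-12T10:00:00+00:00"},
    {"id": "agent-ops", "kind": "ai_agent", "role": "prod-shell", "privileged": True,
     "expires": None, "last_used": "2026-01-02T00:00:00+00:00"},
]

def audit(inventory, now, stale_after=timedelta(days=90)):
    """Classify each privileged grant and count standing grants per identity kind."""
    findings, summary = [], defaultdict(lambda: {"privileged": 0, "standing": 0})
    for g in inventory:
        if not g["privileged"]:
            continue
        stats = summary[g["kind"]]
        stats["privileged"] += 1
        expires = g["expires"] and datetime.fromisoformat(g["expires"])
        used = g["last_used"] and datetime.fromisoformat(g["last_used"])
        if expires is None:  # no expiry means the privilege is always on
            stats["standing"] += 1
            unused = used is None or now - used > stale_after
            findings.append((g["id"], g["role"], "standing-unused" if unused else "standing"))
        elif expires <= now:
            # A time-boxed grant still present after expiry: revocation did not happen.
            findings.append((g["id"], g["role"], "expired-not-revoked"))
    return dict(summary), findings

def standing_ratio(summary):
    """Share of privileged grants that are standing, across all identity kinds."""
    total = sum(s["privileged"] for s in summary.values())
    return sum(s["standing"] for s in summary.values()) / total if total else 0.0

if __name__ == "__main__":
    now = datetime(2026, 5, 12, 11, 0, tzinfo=timezone.utc)
    summary, findings = audit(INVENTORY, now)
    for f in findings:
        print(*f)
    print(f"standing share of privileged grants: {standing_ratio(summary):.0%}")
```

Standing grants that have never been used, or not used within the threshold, are the natural first candidates when tightening permissions on critical systems.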

What is Idira in brief?

Idira is Palo Alto Networks' next-generation identity security platform that discovers, controls, and governs every human, machine, and agentic identity in an organization from a single system. It builds on CyberArk's privileged access management technology and extends it to non-human identities as well.

How is it different from traditional PAM?

Traditional privileged access management tools were designed for a narrow group of administrators and typically work with static, permanent permissions. Idira, by contrast, follows the principle of zero standing privilege, grants dynamic just-in-time permissions, and brings machine and AI identities under the same policy framework alongside human users.

When is it available?

Idira reached general availability on 12 May 2026, with further capabilities becoming available gradually throughout the year. Existing CyberArk SaaS customers receive upgrades and expansion options depending on their plan.
