The identity problem stopped being about humans a while ago. Most positioning in this space hasn't caught up.
There's a specific moment I keep coming back to: the first time an AI agent got handed real operational permissions inside a production system. Not "AI arrives in the enterprise" in the abstract — that's old news by now. The actual shift was narrower and easier to miss. It was the point where companies started granting access to things that don't have a face attached to them. No manager. No offboarding date. No HR record.
Service accounts. Ephemeral workloads. Agents calling other agents. Machine identities sitting inside regulated environments with the same reach as your most senior engineer, and none of the guardrails that come standard with hiring a human.
Most governance infrastructure was built assuming identity meant people. Slow-changing systems, ownership you could track in a spreadsheet without it going stale by Friday. That assumption is aging out faster than most security budgets have noticed.
Everyone's still solving for the wrong question
Ask most security or compliance teams what the hard problem is and you'll get some version of: catching threats, controlling human access. Not wrong. Just increasingly beside the point.
Here's the part that doesn't show up in enough conversations — the fastest-growing identity surface inside a modern enterprise isn't people anymore. It's the pile of AI agents, API keys, service accounts, and cloud resources spinning up faster than any governance team can log them, each one quietly inheriting permissions on its way.
"Who has access" used to be the whole question. It isn't anymore. Now you need to know what has access, what actually created it, who owns the fallout if something goes wrong, and — the part nobody wants to admit — whether any of that is still accurate today. Ask around and most companies can't answer that with a straight face. And the gap between what the tooling reports and what's operationally true widens every single quarter, quietly, in the background.
Calling this a "visibility" problem is the mistake
Security vendors have sold this category on visibility for years, and it's a fine word inside a security meeting. It just dies the moment it leaves the room. Audit doesn't respond to "visibility." Neither does the CFO. Neither does a board risk committee.
The actual cost isn't that security lacks a prettier dashboard. It's bigger than that. Audit prep, compliance validation, AI governance, cloud ops, incident response — every function that leans on accurate operational context is now navigating off a map that's quietly stopped matching the territory. Once that map can't be trusted, everything built on top of it slows down: review cycles stretch, audits turn into manual reconciliation projects run every quarter, and exposure analysis becomes an exercise in cross-checking systems that don't agree with each other.
None of that reads as a security line item on a budget spreadsheet. It reads as drag — spread across four or five teams simultaneously. Which, not coincidentally, is exactly where the real budget for this problem tends to sit.
What actually happened after Storm-0558
Summer of 2023: Microsoft disclosed that a state-sponsored group, tracked as Storm-0558, had gotten hold of a signing key and used it to forge authentication tokens across 25 organizations — several of them federal agencies.
The breach got the headlines. The part worth studying is what came after — the days spent trying to answer one deceptively simple question: what did this key actually touch?
That question took a genuinely long time to answer with confidence. Not because the tooling to figure it out didn't exist somewhere. Because the map connecting one machine credential to its downstream permissions, its runtime reach, and everywhere it had been — that map lived in pieces, spread across control planes that had never been asked to reconcile with each other. One credential. Murky runtime permissions. Ownership scattered across systems that don't talk. It took weeks to bound the actual blast radius, and it eventually pulled congressional oversight into the picture across multiple agencies.
This is the condition worth building a positioning story around — not the breach as an event, but the structural failure sitting underneath it. Companies that can't quickly answer what a piece of non-human infrastructure had access to, because that answer is fragmented across systems that were never designed to agree. That's not some edge case. For most enterprises in 2025, it's closer to the default state.
CAASM undersells what's actually happening here
Cyber Asset Attack Surface Management is a reasonable label, as far as it goes. It just doesn't capture the real size of the problem once non-human identities start acting like first-class operational actors instead of a footnote.
I think about it in three stages instead.
First is inventory — simply knowing what exists. That's the traditional CAASM pitch, and by now it's table stakes; you won't win a competitive deal on inventory alone anymore.
Second is reconciliation — do the systems actually agree with each other about what exists? This is where most companies are genuinely stuck right now: overlapping inventories, conflicting ownership records, identity context that's disconnected across security, IT, and cloud teams that all swear their version is the correct one.
Third — and this is the stage that actually matters — is operational trust continuity. Not just "what exists," but whether the picture of who owns it, what has access, and what's changed is accurate enough, continuously, to make real governance calls on. That third stage is a genuinely different product category from the first one. Companies building for it aren't competing on feature checklists anymore. They're competing on organizational trust — a different buyer, a different sales motion, a wedge that has nothing to do with feature parity.
Three things worth checking before your next enterprise cycle
A few moves worth pressure-testing if you're building anywhere near this space.
Push the buyer conversation higher up the org chart. The CISO isn't the only accountable party anymore — AI oversight and audit defensibility are climbing toward board-level concerns, and the real pressure now sits with people accountable across multiple functions, not just security. Pitching this as a feature-level security tool undersells exactly who needs to say yes.
Put a number on the cross-functional drag, not just the security exposure. Fragmented operational truth doesn't just cost security time — it costs compliance, audit, and AI governance time too, all at once. A single figure that spans several cost centers tends to move through enterprise procurement a lot faster than an ROI case that only makes sense inside one department's budget.
Sell coordination, not detection. The platforms that actually win here won't just be good at flagging problems. They'll become the thing every other function coordinates around by default. That's a platform story — and platform stories support a very different pricing and expansion conversation than a point solution ever will.
Where this is probably going
My guess: enterprise inventories drift from device-centric to identity-centric over the next few years. Non-human entities start getting treated as governance objects in their own right, not an afterthought bolted onto human identity management. Runtime ownership starts mattering more than whatever's written down in a static record somewhere. And the competitive axis for security platforms shifts toward trust reconciliation, away from pure detection.
The companies that end up winning probably won't be the ones with the sharpest detection engine. They'll be whoever quietly became the operational source of truth for enterprises that no longer run on human identity alone.
Nobody's settled on a name for this category yet. Which means the positioning window is still wide open — and the actual economic wedge here, once you surface it properly in a deal conversation, tends to be a lot bigger than what most of these deals currently get closed around.
I work with funded B2B SaaS founders on positioning for security, compliance, and regulated markets — specifically on finding the economic wedge that moves complex deals forward.
If this maps to a deal that's stuck, or a positioning problem you haven't fully cracked — happy to dig into it. First conversation's simple: we find the wedge together.
Connect on LinkedIn · Follow for more on B2B positioning in regulated markets
Top comments (0)