![\"\"](\".\/media_152ec2e4c21bd086ef4f66cf0e55aae345dd1ab42.png?width=750&format=png&optimize=medium\")
<\/p>\nIn an interview with CRN, SailPoint CEO Mark McClain also discusses the implications of AI-powered vulnerability discovery, in the wake of Anthropic\u2019s disclosure about Claude Mythos Preview capabilities.<\/p>\n
<\/p>\n
The rising adoption of AI agents in the workforce is driving a massive boost in demand for identity security as organizations digest the fact that many of their core practices around identity and privileges are falling short for existing human users\u2014issues that will only be exacerbated with the usage of agents, according to SailPoint founder and CEO Mark McClain.<\/p>\n
Identity security powerhouse SailPoint has heard from countless customers that have recognized they are in \u201chuge trouble\u201d if their employees begin using agents, since those agents are typically dependent on existing identities and privileges that are not themselves secured, McClain said in an interview with CRN.<\/p>\n
[Related: The 20 Hottest AI Cybersecurity Companies: The 2026 CRN AI 100<\/a>]<\/p>\n Whether agents will ultimately multiply the number of identities by 10-fold or even 100-fold\u2014the estimates vary\u2014\u201cit\u2019s a lot more than the humans,\u201d he said. \u201cAnd most companies feel today they\u2019re not very good at the humans.\u201d<\/p>\n As a result, \u201cthe demand we\u2019re feeling on this topic is amazing,\u201d McClain said. \u201cIt certainly feels like the tailwind is picking up.\u201d<\/p>\n McClain also discussed the implications of AI-powered vulnerability discovery, in the wake of Anthropic\u2019s disclosure<\/a> earlier this month about the effectiveness of its unreleased Claude Mythos Preview model. The security industry has signaled<\/a> that a potentially unprecedented spike in cyberattacks from the use of similar capabilities by threat actors could be coming in the near future.<\/p>\n \u201cIf an AI system can try a million permutations in seconds and go, \u2018Wow, I found a 19-step path here through to that code,\u2019 that\u2019s what [experts] are saying is so frightening,\u201d McClain said. \u201cIt massively decreases the friction of trying all these things to figure out one of those really complex paths through the code to exploit the code.\u201d<\/p>\n What follows is more of CRN\u2019s interview with McClain.<\/p>\n How is the rise of agentic changing the way that identity and security are managed?<\/p>\n One of the things we\u2019re articulating more and more\u2014and it\u2019s certainly being driven by agentic AI\u2014is the connection or collaboration between the identity core and the traditional security core. Nobody was talking about it a lot. In some ways, these things have sort of been independent islands. You had the SOC [Security Operations Center] and it\u2019s looking for patterns and needles in haystacks and signal from noise. One of the dark secrets was, with a whole lot of that stuff, the root cause ended up being an identity problem. And they had no visibility to identity. They\u2019d have to get up from the desk, proverbially, and walk over to the identity group and go, \u201cHey, I see this thing going on. I don\u2019t know who or what this is.\u201d Then they do the cross-reference to figure out, \u201cOh, that laptop that\u2019s acting funny is Kyle\u2019s laptop. Why does Kyle\u2019s laptop show that it\u2019s in China? I know Kyle was at his desk yesterday.\u201d That\u2019s where you had to get the cross-referencing of the identity with all the security stuff. We now are seeing ourselves more integral to that broader security story. Therefore, working with partners who have that broader security perspective feels really smart. They\u2019re going to come in with a level of understanding of the rest of that security ecosystem that, frankly, our guys haven\u2019t had to deal with as much. So we\u2019re wanting our teams to collaborate with [partner] teams like that\u2014that really deal with the broader security problem in the customer\u2019s mind. Because, now we see we\u2019re going to get pulled more and more\u2014especially in the world of agentic\u2014to say, \u201cYou\u2019ve got to map what you\u2019re seeing in the network or the device or wherever with what you understand about identity.\u201d That\u2019s a super important integration, I think, that is really picking up steam.<\/p>\n What do you see as some of the biggest implications of AI-powered vulnerability discovery, in the wake of the disclosure about Claude Mythos?<\/p>\n [Former CISA director] Jen Easterly was commenting that one of the things she thinks will come out of this noise around Mythos is, to the effect of, we\u2019ll finally do what we said we [would do], which was secure by design. Maybe you just shouldn\u2019t even release software into the world that\u2019s insecure, that has to be patched. Maybe Mythos finally forces people to say, \u201cWait, I can\u2019t even put this software out there if I\u2019m not very confident it doesn\u2019t have a bunch of vulnerability holes that can be exploited.\u201d<\/p>\n With AI technology now, we\u2019re really going to have to get serious about [this issue]. You can\u2019t release stuff out there that\u2019s not fundamentally very secure. There are still going to be attempts to go around it, hack it. All of that\u2019s about vulnerability and code, which really isn\u2019t identity. Identity is, can I get to it? But I think that\u2019s an interesting reaction to Mythos\u2014this may actually force the software development community, across applications and customers, to get way more buttoned up about not releasing code that\u2019s got vulnerabilities in it. And I\u2019m like, that\u2019s all great, but that still doesn\u2019t solve this problem of identity and what we\u2019re doing. But it just keeps pulling the topic of security into the core.<\/p>\n We\u2019ve already been seeing lots of LLM usage by attackers, but it seems like the reaction to Mythos suggests we haven\u2019t seen too much yet in terms of the amount of AI-powered vulnerability exploits out there?<\/p>\n Yes, I think that\u2019s right. What\u2019s been challenging for bad actors is, sometimes to break into a system, it was like this multi-chain, Rube Goldberg [process]. \u201cI knock the ball over here, it falls in the cup, that causes this to roll down three dominoes.\u201d They\u2019re saying, for a human to figure out all those connection points\u2014to wind their way through that\u2014is pretty hard to do. If an AI system can try a million permutations in seconds and go, \u201cWow, I found a 19-step path here through to that code,\u201d that\u2019s what [experts] are saying is so frightening. It massively decreases the friction of trying all these things to figure out one of those really complex paths through the code to exploit the code.<\/p>\n It\u2019s super problematic, and therefore [is] a big exposure that we\u2019re all going to need to get focused on closing as an industry. But I would also say, [that\u2019s] not necessarily solving the set of problems we\u2019ve been focused on. That\u2019s why security has always been so complex. There are so many different aspects to it. This is the aspect of, you\u2019ve got to have secure code so you don\u2019t have problems because you weren\u2019t patched. You can be fully patched and still have an identity problem. These are independent but related concepts.<\/p>\n So with all the increased focus on vulnerabilities and exposure management, you\u2019re saying we shouldn\u2019t be taking the eye of the ball on identity and modernizing our approach there?<\/p>\n Defense in depth is still a very good metaphor. At your home, you have a deadbolt. You probably have a camera. You might have a dog. You might have a safe closet or a safe room. There have always been these layers of defense. Nobody thinks, \u201cI\u2019ve got one solid defense mechanism, I\u2019m good.\u201d Most people think, \u201cNo, I want to stop different types of problems.\u201d That metaphor is all we\u2019re talking about. You want to write good code. You want to make sure identities are well governed. You want to make sure your device isn\u2019t compromised. Nobody should think that we\u2019re saying in the identity security landscape, \u201cYou no longer need network defense or device defense. What we\u2019re saying is, we\u2019ve had that stuff a long time, and it\u2019s not sufficient to stop all the problems. There\u2019s this other dimension we haven\u2019t really been watching, called identity.\u201d<\/p>\n And now agentic is just [increasing] the focus on, \u201cOh wow, I\u2019ve really got to understand that.\u201d That\u2019s what\u2019s happening. People are recognizing, \u201cI was pretty bad at managing my humans. I\u2019m in huge trouble to manage the multiples of humans that are coming\u201d\u2014whether that\u2019s 10X, 100X, whatever the number is. It\u2019s a lot more than the humans. And most companies feel today they\u2019re not very good at the humans.<\/p>\n What have you seen so far in terms of the demand for helping to secure agents?<\/p>\n Agentic is so top of mind for people. [They] are thinking, there\u2019s so much promise, so much opportunity here with this technology-and very, very clear that there are risks, some of which are not even that well understood yet. Everybody is like, \u201cWow, this stuff is powerful. Wow, this stuff is scary.\u201d And I think everybody is scrambling to try to match the sense of momentum coming from the business to use this stuff, and [their ability to] counterbalance that. We\u2019re back to the old metaphor of brakes and race cars. I\u2019ve got to have good brakes. People want to go really fast right now. I better have some good brakes. The demand we\u2019re feeling on this topic is amazing. I don\u2019t even know how fast some of this shows up in revenue. I think it\u2019s going to help us over time, for sure. We can\u2019t predict the slope of that curve. But it\u2019s very clear this has become the topic du jour, and people think SailPoint has a voice on this. And we\u2019re getting pulled into a lot of conversations about it. So certainly there\u2019s a sense that with the tailwind we\u2019ve been describing, it feels like it\u2019s showing up. This is going to drive a lot of possible demand. It\u2019s our job to turn it into actual demand and then go capitalize on it. But it certainly feels like the tailwind is picking up.<\/p>\n Once a company starts looking into doing this with you, is it often the case that they\u2019re going to find a lot of the foundational identity work needs to be taken care of?<\/p>\n I think that\u2019s one of the really interesting things that\u2019s evolving right now. There is this sense that people want to go \u201cstraight to agentic security.\u201d There\u2019s this concept that there are agents that are attached very clearly to [a user], and there are other agents that will be more autonomous. Today, that\u2019s got some of the most interesting promise\u2014the autonomous idea. [It will be] very slow and careful adoption, because people understand that\u2019s a risk. This is where people are the most cautious. Therefore, we think some of the early wave is going to be more [around] agentic technologies tied to humans. So to your point, we\u2019re telling customers, \u201cLook, we can go straight to agents\u2014but the early agents you use are likely going to be tied to the humans. So you need to understand the human\u2019s access privileges to map that onto the agents acting on their behalf.\u201d Not that that will be the only thing happening in agents. And I think over time we\u2019ll see more of the scary, ephemeral, autonomous \u201cagents of agents\u201d and all the stuff people are talking about. But in the near term, most of the agents are going to be [in the realm of] Cursor and Copilot and ServiceNow and Salesforce agents\u2014which are very clearly adding to my work as an individual person. I\u2019m doing my work, and this agent is supplementing and augmenting my work. That\u2019s why you\u2019re going to have to be able to map that to the human to get the protection of that agent, because it\u2019s going to be tied to that person. It won\u2019t be the only agentic thing we\u2019re doing security for\u2014but in the near term, I think it\u2019s going to be the predominant one.<\/p>\n What would be your message to partners about the challenges and opportunities here?<\/p>\n In the world we\u2019re living in, customers are confused. There\u2019s a lot of noise. There are a lot of claims. So I think partners have the potential to show up as that trusted advisor, to say, \u201cI\u2019ve done the work to understand this part of the landscape. Let me guide you to what I think is needed here and now.\u201d It\u2019s a time when customers, with so much change and confusion, are looking for guides. I think it\u2019s an opportunity for the partner community to figure out who are the vendors they want to get aligned with\u2014that they think are good technology providers and good companies to work with. That\u2019s always important in the world of partnering. These are trusted partners. You want people you can trust in a partnering world. I think that\u2019s the opportunity, for those partners and the vendors they work with coming to customers with guidance\u2014\u201cLet me help you navigate this very confusing, rapidly evolving landscape.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"In an interview with CRN, SailPoint CEO Mark McClain also discusses the implications of AI-powered vulnerability discovery, in…\n","protected":false},"author":2,"featured_media":22073,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[24,405,408,399,25,7537,402,313,223,415,400,401,404,318],"class_list":{"0":"post-22072","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-agentic-ai","8":"tag-ai","9":"tag-ai-agents","10":"tag-ai-applications","11":"tag-application-and-platform-security","12":"tag-artificial-intelligence","13":"tag-artificial-intelligence-agents","14":"tag-cloud-platforms","15":"tag-cybersecurity","16":"tag-generative-ai","17":"tag-llm","18":"tag-managed-security","19":"tag-managed-service-providers","20":"tag-saas","21":"tag-vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/22072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=22072"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/22072\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/22073"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=22072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=22072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=22072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}