The identity market spent last month doing something it rarely does: agreeing with itself. Every breach report, every funding deck, every earnings call landed on the same note — the attacker's easiest way in is no longer a vulnerability, it's a login. Transport for London's £39M intrusion started at a help desk. Two-thirds of Unit 42's incident-response cases now begin with stolen or abused credentials. The perimeter didn't just move to identity; identity is the incident now.
Which makes this a fitting week to put the category's founder on the table. SailPoint is public again, past $1B in revenue, growing ARR 30%. But the interesting story isn't the ticker — it's that the incumbent just went after its own most-cited weakness. Agentic Acceleration, Virtual Architect, Harbor Pilot at 60% adoption: the "SailPoint is powerful but brutal to deploy" review corpus is describing a product that no longer quite exists. This issue: a month of market movers, then a spotlight on what happens when the leader fixes the thing everyone complained about. Let's get into it.
the last month, distilled — & why it lands on your desk
Two British defendants tied to Scattered Spider pleaded guilty in connection with the 2024 Transport for London attack, which now carries a confirmed £39M cost. The entry point wasn't a zero-day; it was social engineering against identity recovery — a support agent trusting a caller.
Founded by Dome9's Zohar Alon and ex-Unit 8200 talent, NewCore launched to build identity infrastructure from the ground up for a workforce of humans, machines, and agents — with a "split-key" architecture and an integration pack for coding assistants like Claude Code and Cursor. The pitch: bolting agent support onto 15-year-old human-identity platforms will break them.
Okta closed its acquisition of Axiom Security, adding SaaS security-posture management and real-time session monitoring to a stack that already pushed into governance (OIG) and privileged access (OPA). Translation: the company that owns your front-door login wants the whole identity lifecycle — the exact territory SailPoint and CyberArk have owned for years.
Microsoft Threat Intelligence flagged a wave of campaigns spoofing ChatGPT, Copilot, and Claude via lookalike download sites; one access broker (Storm-3075) delivered a new backdoor to tens of thousands of endpoints within hours. Employee-driven AI adoption is now a live attack surface.
World Leaks published 200k+ files including component designs, manufacturing specs, and trade secrets exfiltrated from a key Apple/Tesla manufacturer. Operations were unaffected after rapid response, but the IP was already gone — a classic supply-chain vector.
Recent federal executive orders converted post-quantum cryptography from a distant concern into leadership accountability with hard 2030–2031 deadlines. "Harvest now, decrypt later" means data you're protecting today is already being collected against Q-Day — and the migration is a multi-year program, not a patch.
the pitch vs. the reality, synthesized from the people who run it
SailPoint launched Agentic Acceleration, an AI-powered modernization method built on the SailPoint Virtual Architect — trained on 20 years of deployments — which translates legacy configs, workflows, and policies into a deployment-ready cloud foundation. Crucially, it lets customers watch their own apps and provisioning processes running in ISC before committing to the upgrade, replacing lift-and-shift guesswork with validated fit. SailPoint says it compresses timelines "that once took months into a matter of days," and it's provided at no additional cost to anyone migrating off IdentityIQ or a competing legacy system, delivered via forward-deployed engineers.
SailPoint's AI agent suite (documentation, admin search, workflow, and now access-request agents) is enabled by 60% of Identity Security Cloud customers, with 80% of users returning and 67% using it multiple times in 30 days. Workflows that took hours are built in minutes from natural language. SailPoint reports it "reduces the technical skills needed for Identity Security Cloud implementations," saving some customers months of aggregated time. One customer's two-week support-ticket cycle became instant answers.
SailPoint acquired Entro Security to bolster discovery and governance of non-human identities — reportedly 1,200+ NHI types — folding credential/secrets management into the Atlas platform. Combined with Agentic Fabric, it's the backbone of the pitch that agentic AI and machine identities are the next governance frontier, with AI ARR targeted to top $100M by year-end and 40% of 2029 revenue projected as AI/agentic.
Two years after Thoma Bravo took it private in a $6.9B deal, SailPoint re-listed on Nasdaq (SAIL) and crossed $1B in FY2026 revenue with ARR growth around 30% and SaaS ARR up ~39%. Goldman, Morgan Stanley, JPMorgan and Jefferies all raised targets; median around $52.
Trajectory: the leader consolidating its lead. SailPoint has spent two decades as the depth benchmark in identity governance — and carrying one persistent knock: that all that capability came with a punishing implementation. That knock is now substantially out of date, and it's worth being precise about why. Harbor Pilot put natural-language workflow building in front of 60% of the ISC base. Agentic Acceleration and the Virtual Architect automate the legacy migration itself, compressing timelines the company says once ran months into days — and SailPoint is giving it away free, to competitors' customers too. Add the sustained investment in application onboarding, and the specific bottlenecks that produced those old one-star reviews have been engineered at, deliberately and expensively.
The rest of the picture reinforces it. Financially this is the lowest-risk vendor in the category: public, $1B+, ARR up 30%, ~23% share. The employee signal is an outright outlier — 4.8 on Glassdoor, 98% would recommend — which matters more than it looks, because engineering morale is a leading indicator of product quality, and SailPoint's points the right way. The Entro acquisition and Agentic Fabric give it a credible answer to the startups claiming incumbents can't govern agents.
The one thing we'd still push on: pricing transparency. It's the gripe that survives every product improvement, and no AI agent fixes a confusing SKU sheet. Get the full quote — every module, every add-on, at your real identity volume — in writing. Do that, and the case for the leader is stronger than it has been at any point in the last five years.
a category, tool, or idea worth knowing this week
Last week Rubrik/Strata made it a product; the TfL and Scattered Spider cases make it urgent. When your primary IdP is the thing compromised or down mid-incident, do you have an authenticated path to keep people working? "Break-glass for identity" is moving onto BCP/DR checklists this year.
The £39M TfL intrusion and two-thirds of Unit 42's IR cases trace back to identity recovery abuse. Phishing-resistant proof for privileged password resets — not knowledge-based questions a caller can social-engineer — is the highest-ROI control most teams still haven't hardened.
Review aggregates are a lagging indicator, and in a market moving this fast, that's dangerous. A vendor can ship AI tooling that guts its own biggest weakness and still carry two years of one-star reviews describing the old product. Before you disqualify anyone on G2 sentiment, sort by date and ask what shipped since. The reverse is also true — a shiny 4.8 can be coasting on a version nobody runs anymore.
one line to sound three moves ahead in your next exec meeting
When the board asks why you're choosing the pricier incumbent — or why you're not — don't litigate features. Frame it as how much platform risk the business wants to hold. The leader costs more and takes longer to stand up; the challenger is faster and cheaper but less proven. That's a risk-appetite decision, and it belongs to the board, not the RFP scoring sheet.
a spicy anonymized take from the community this week