Last verified: May 26, 2026 | Confidence: High on FedRAMP status and current integration state. Medium on pace of PANW-Idira integration delivery.
Deal-Entry Recognition Cue
The buyer says: "We're looking at consolidating on Palo Alto" or "PANW is offering us identity as part of the platform deal."
Stop. Recalibrate. CyberArk is no longer a standalone PAM vendor. Palo Alto Networks closed the acquisition on February 11, 2026. On May 12, the product was rebranded as Idira and positioned as PANW's third core platform alongside Strata (network) and Cortex (SOC). If you walk into this meeting preparing for a PAM-only competitor, you are preparing for a conversation that no longer exists. Every CyberArk deal is now a PANW platform deal. Adjust accordingly.
Their Strongest Buyer-Facing Claim
"You already run our firewalls. You already have Cortex. Why manage a separate identity vendor when you can get identity security on the same platform, same support contract, same procurement vehicle?"
PANW's federal SVP frames this explicitly: agencies running 50-60 security tools need consolidation, and the federal attack surface is the largest on the planet. The CEO calls legacy identity tools an "IAM fallacy" built for a small number of admins, not for the full population of human, machine, and agentic identities. Expect the PANW team to position Idira as the answer, bundled into a deal the buyer's procurement office already wants to approve.
Where They Are Genuinely Strong
Do not dismiss the consolidation argument. It solves a problem the buyer actually has.
If an agency already runs PANW network security and Cortex XSIAM, adding Idira means zero new vendor onboarding, potentially simplified contract vehicles, and one throat to choke. For a federal CISO who spent the last two years defending a multi-vendor budget to their CFO, that pitch solves a political problem as much as a technical one. Respect that.
CyberArk's PAM heritage is real. They were the original privileged access vendor. Their vault architecture is deeply embedded in federal environments, and the Idira rebrand does not erase that installed base or the operational muscle memory agencies have built around it.
Their Secure AI Agents capability (GA November 2025) is a real product. It discovers AI agents across AWS Bedrock, AWS AgentCore, and Microsoft Copilot Studio, plus any OAuth 2.1-capable agent. The Identity Broker (marketed as "AI Agent Gateway") is a proxy-based enforcement layer between AI agents and MCP servers that captures session activity and enforces zero standing privileges. That is a legitimate early-mover position in agentic identity governance.
The buyer has probably already heard this pitch and found parts of it compelling. Do not make them feel foolish for that.
Where Okta Wins
Shipped versus announced. The "one platform" story depends on integration between Idira and the rest of PANW's portfolio. What is actually live today: a unidirectional risk score feed from Cortex into CyberArk's Threat Detection and Response module. That feed only processes users who already exist in the CyberArk Identity system. Users appearing in Cortex alerts who aren't in Identity are silently ignored.
That is the extent of shipped integration.
Full integration with Strata, native XSIAM ingestion of Idira identity telemetry, and the Prisma AIRS AI Gateway identity enforcement layer are all future-state. Oppenheimer's May 15 analyst note uses "will integrate". Future tense. PANW's own AI Gateway blog says the gateway "will reinforce" agent identity security via CyberArk. The Idira FAQ tells existing customers they can leverage cross-platform capabilities "over time."
Over time. Not today.
Ask the buyer: "Has the PANW team shown you the identity-to-network integration running in a live environment, or are they showing you the architecture diagram of where it's headed?" That question does real work. Let it.
Identity across the whole environment, not tethered to one vendor's stack. The buyer's environment almost certainly includes infrastructure from vendors who are not Palo Alto Networks. AWS, Azure, Cisco, on-prem legacy systems. Idira's current integration value is tethered to the PANW ecosystem. Outside that ecosystem, it is the same standalone identity product it was before the acquisition, minus the independence. Okta federates identity across every vendor in the buyer's environment today, including PANW's own infrastructure. When the buyer's zero trust architecture has to span multiple network vendors and multiple clouds, the identity layer cannot belong to one of them.
Secure AI Agents scope constraints. CyberArk's scope documentation lists explicit limitations: enforcement through the Identity Broker works only for MCP-capable agents. Non-MCP agents can be discovered but not governed through the gateway. Database support is limited to PostgreSQL only. CyberArk does not issue OAuth client credentials for MCP server access; the agency must create and manage those credentials through their own identity provider.
Ask: "Are your AI agents all running on MCP, or do you have agents on other protocols that would need governance too?" If the answer is mixed, the Secure AI Agents enforcement story has a gap the buyer needs to understand before they procure.
The FedRAMP Gap
Handle this with precision. Your credibility depends on it.
CyberArk holds FedRAMP High ATO for two products: Endpoint Privilege Manager and CyberArk Identity for Government. Both are listed on the FedRAMP Marketplace under CyberArk Software LTD.
CyberArk's own FedRAMP compliance documentation lists the ISPSS services supported in FedRAMP environments: Identity Administration, Administration space, Privilege Cloud, Secure Infrastructure Access, and Audit service. Secure AI Agents does not appear on that list.
Do not claim Secure AI Agents lacks FedRAMP authorization. Authorization boundaries can be updated through continuous monitoring without generating public announcements. You cannot assert the negative from public sources alone.
Instead, ask this: "For the AI agent governance capabilities — the Identity Broker, MCP enforcement, agent discovery — can you confirm those fall within the existing FedRAMP High authorization boundary, or would those require a separate ATO process for your environment?"
This is the hardest question the PANW team will face in a federal deal. It is buyer advisory: you are asking the buyer to get an answer they need before they can procure. Let the question do the work. Do not editorialize after you ask it.
Do not tell the buyer that PANW "can't do identity." They acquired the original PAM company. Dismissing that insults the buyer's intelligence and your own credibility.
The argument is that a three-month-old acquisition with one unidirectional integration does not yet deliver the platform story being pitched, and identity is too critical to be the module you hope gets integrated well over time.
One more thing: the buyer's PANW rep is saying "Idira." If you keep saying "CyberArk," you sound behind. Use their current terminology.
Reframing Sentence
"We think identity is too important to be the feature that rides on top of a network security platform. You need your identity layer to work with every vendor in your environment. That's what purpose-built means."
Say it out loud before the call. Make sure it sounds like you.
Proof Point
CyberArk's own FedRAMP compliance documentation lists exactly five ISPSS services covered in the FedRAMP environment. Secure AI Agents is not among them. The buyer can verify this independently. For a federal agency evaluating agentic AI governance under mandate pressure, the distance between what is authorized today and what might be authorized later is real. That distance is the gap between a deployment plan and a hope. Ask the question. Let the documentation speak.
Date stamp: May 26, 2026. Verify FedRAMP Marketplace listings and Idira integration status before use. This landscape is moving fast.
Things to follow up on...
- Idira GSA contract vehicle: PANW made Prisma AIRS available through GSA OneGov, but whether Idira identity capabilities are on the same procurement vehicle is unconfirmed from public sources and matters for federal deal mechanics.
- Cisco absorbs Astrix Security: Cisco's pending acquisition of NHI startup Astrix Security for an estimated $250–350 million reshapes the NHI competitive map and may give PANW's team a new "we do it natively" argument against standalone NHI point solutions.
- Ping Identity's federal AI play: Ping launched Identity for AI at GA on March 24, 2026, with FedRAMP High and DoD IL5 posture on its core platform, making it the competitor most likely to appear alongside PANW in federal agentic identity evaluations.
- FedRAMP post-rebrand listings: With CyberArk now branded as Idira, watch for whether the FedRAMP Marketplace listings update to reflect the new PANW-owned product names or whether the authorization boundary itself gets revisited during the transition.

