Card type: Cluster — three competitive conversations, one card
Last verified: May 26, 2026
Refresh trigger: 90 days, or upon any vendor acquisition / GA announcement
Orientation: Three Separate Fights
Between March and May 2026, the NHI pure-play category fractured into three distinct competitive conversations. Cisco announced its acquisition of Astrix Security for an estimated $250–350M, turning a startup deal into an enterprise portfolio play. Oasis Security raised $120M in a Series B led by Craft Ventures, bringing total funding to $195M and declaring intent to be the standalone NHI platform. Entro Security remains independent on $24M, differentiated by SDLC-native secrets scanning and a Wiz partnership nobody else has matched.
Shared Okta Advantages (State Once, Move On)
Two structural advantages apply against every vendor on this card. Use them early, then pivot to the vendor-specific positioning below.
Lifecycle governance in the same policy engine as human identity
Every NHI pure-play governs machine identities in a silo. Okta governs NHI alongside human identities through the same certification workflows, the same directory, the same policy engine your buyer's CISO already trusts for HR-triggered provisioning and access reviews.
Okta for AI Agents went GA on April 30, 2026. That includes agent discovery via ISPM, an Agent Gateway with ephemeral token issuance, privileged credential vaulting with automated rotation, governance certification workflows for agents, and a universal logout kill switch. Shipped. Not roadmap.
This advantage hits hardest when the buyer is evaluating multiple NHI pure-plays simultaneously. If they're running Oasis and Entro side by side, they're looking at two point solutions that don't talk to each other or to their human identity stack. The platform consolidation argument writes itself.
Workload identity management within Okta Privileged Access is still listed as coming in 2026 on Okta's own site. If the buyer's core pain is deep IaaS workload credential governance at the infrastructure layer, verify current GA status with the product team before you claim it.
FedRAMP posture
None of the four NHI pure-plays hold FedRAMP authorization. Not In Process. Not authorized. Not listed on the FedRAMP Marketplace in any status. Okta for Government High holds FedRAMP High authorization (March 2023), with Identity Governance added to the boundary as of January 2026 and Workflows also at FedRAMP High. In federal deals, this is a procurement gate, full stop.
Whether the specific AI Agents capabilities (Agent Gateway, ISPM agent discovery, Governance for Agents as a Resource) that shipped April 30 are within the FedRAMP High ATO boundary is not publicly confirmed. Check with Okta's federal team before representing these features as FedRAMP-authorized.
For SLED deals, the FedRAMP barrier is lower. State and local buyers may accept SOC 2 and StateRAMP. But the pure-plays' absence from FedRAMP still tells you something about the maturity of their compliance programs.
A note on the NHI stats you'll hear in these deals
Every pure-play will walk in with a slide claiming machine identities outnumber human identities by some dramatic ratio and that NHI is the fastest-growing attack vector. The directional trend is real. OWASP published a dedicated NHI Top 10 risk framework, and Okta's own ISPM maps more than 25 risk detections to it. But the specific ratios and severity claims in vendor pitch decks are often self-reported and unaudited. Do not repeat a competitor's market-size stat in your own pitch unless you can trace it to a credible analyst or standards-body source.
The Claim You Will Hear in Every One of These Deals
Some version of: "We built this from scratch for NHI."
It's true. Don't dismiss it. Oasis was founded in 2022 with NHI as its sole focus. Entro was built from inception around secrets and machine identity. Astrix launched in 2021 for SaaS NHI discovery. Their discovery engines are purpose-built and, in many environments, genuinely deep.
The reframe that holds up:
"Their discovery is strong, and I'm not going to tell you it isn't. So what happens after discovery? You find ten thousand service accounts with excessive privileges. Who governs the lifecycle? Who enforces the policy? Who ties that machine identity back to a human owner through the same certification workflow your auditors already accept? Discovery without lifecycle governance and policy enforcement gives you a visibility tool. Useful, and your auditor will tell you the difference between visibility and a security control."
Concede where they're strong. Redirect to the gap where Okta's platform model is structurally different. Do not try to win the discovery depth argument head-to-head.
Astrix / Cisco
When they show up: The buyer mentions Cisco Identity Intelligence, Astrix, or frames NHI as part of a broader Cisco security consolidation. You may also hear it surfaced by a Cisco account team bundling NHI into an existing Duo or Umbrella renewal. The buyer didn't go looking for an NHI tool. It appeared inside a deal they were already running.
Their strongest claim: "It's Cisco." Distribution, procurement relationship, potential to bundle NHI into an existing enterprise agreement at near-zero incremental cost.
Where they're genuinely strong: Astrix built solid SaaS-layer NHI discovery before the acquisition. OAuth consent grant mapping, API key inventory, third-party integration risk scoring. These were real capabilities that earned real market traction, including 15.3% mindshare in PeerSpot's NHIM category as of March 2026. Cisco's sales motion means this will land in your deals whether or not the buyer went looking for it.
Where Okta wins:
- Integration uncertainty. The acquisition was announced in May 2026. Whether it has closed is not publicly confirmed, and the product integration has not shipped. No public documentation shows a unified Cisco NHI platform combining Astrix discovery with Cisco's identity stack in a single GA offering. The buyer is evaluating a post-acquisition roadmap. Ask them directly: "Has Cisco shown you the integrated product, or the acquisition deck?"
- FedRAMP scope. Cisco Duo holds FedRAMP Moderate for MFA and device trust. That authorization covers Duo. It does not cover Astrix-derived NHI capabilities. There is no public indication that Cisco has initiated a separate authorization for those features. Do not let the buyer assume Cisco's FedRAMP footprint extends here.
- Lifecycle governance today. Okta's AI Agents platform is GA with certification workflows, credential vaulting, and universal logout. Cisco's Astrix integration timeline has not been publicly detailed.
Reframe:
"Cisco made a smart acquisition. But you need NHI governance on your timeline, and their integration roadmap is still their timeline. We can show you what's live right now."
Handoff trigger: If the buyer is deep in a Cisco ELA negotiation and NHI is being bundled at near-zero cost, bring in your SE and your account strategy lead. This is a commercial fight, and you need help structuring the response.
Oasis Security
When they show up: The buyer mentions Oasis by name, references "agentic access management," or describes evaluating a dedicated NHI platform backed by serious venture funding. Oasis's $195M in total funding and Fortune 500 customer base make this the pure-play most likely to appear in large enterprise evaluations.
Their strongest claim: Purpose-built NHI governance with Agentic Access Management that provides intent-based, just-in-time access for AI agents. They position AAM as enforcing policy before the agent acts, not after.
Where they're genuinely strong: Oasis covers NHI discovery across IaaS, SaaS, PaaS, and on-prem. AAM's ephemeral per-session identity issuance and intent-aware access evaluation are real capabilities, not slides. Oasis reports 5x year-over-year ARR growth and majority Fortune 500 penetration. (Source: Oasis's own Series B announcement, March 2026. Vendor-reported fundraising figures, not audited. Weight accordingly.) Their AuthPrint behavioral fingerprinting for authentication-layer threat detection is a differentiator none of the other pure-plays have matched publicly.
Where Okta wins:
- One audit trail or two. Oasis governs machine identities alongside other machine identities. Okta governs machine identities alongside human identities in the same platform. When the CISO asks for a single audit trail covering both, Oasis requires a second tool.
- Secrets scanning depth. Independent analysis from GitGuardian's NHI tools comparison (itself a competitor, so weight accordingly) notes Oasis's exposure detection may not match dedicated secret-scanning tools. If the buyer's pain starts in code and CI/CD pipelines, this gap matters.
- No public sector footprint. No government customer references surfaced for Oasis in any public source. Their go-to-market is commercial enterprise.
Reframe:
"Oasis built strong NHI discovery and agent access controls. They govern machine identities next to other machine identities. They don't connect that governance to your human identity lifecycle. To get the same certification workflows, the same policy engine and the same audit trail across both, you'd need a second tool. We're extending the platform you already run."
Handoff trigger: If the buyer has already completed an Oasis POC and is comparing results, bring in your SE with Okta's ISPM agent discovery and Agent Gateway demo. Match the evaluation on technical ground, then widen to lifecycle governance.
Entro Security
When they show up: The buyer mentions Entro, references secrets scanning in code or CI/CD, asks about NHI owner attribution, or brings up a Wiz integration for NHI. Entro also surfaces when the buyer's primary pain is "we don't know what machine identities we have or who owns them."
Their strongest claim: SDLC-native discovery that finds secrets across code, CI/CD, vaults, and SaaS, maps every NHI back to a human owner, and detects anomalous behavior through their proprietary NHIDR engine. The Wiz partnership (first NHI solution in the Wiz Integration Network) adds data security posture context no other NHI pure-play offers.
Where they're genuinely strong: Entro's owner attribution model solves a real operational pain. When you discover a compromised service account at 2 AM, who do you call? Entro answers that. Their SDLC-native scanning goes deeper into the development lifecycle than either Oasis or Astrix. The Wiz integration adds a data classification layer that enriches NHI risk context in ways the other pure-plays haven't replicated. Entro discovers and inventories over 1,000 types of NHIs, per their Gartner Peer Insights listing.
Where Okta wins:
- Discovery vs. governance. Entro's strength is finding NHIs and attributing ownership. Their lifecycle governance and policy enforcement capabilities are less mature. Automated certification campaigns, credential rotation at scale, policy-driven deprovisioning: Okta's platform is further along.
- Scale and longevity. Entro has raised $24M total (Series A, June 2024). In a market where Oasis has raised $195M in total and Astrix sold to Cisco, buyers evaluating a multi-year NHI strategy should consider vendor viability. The funding gap is public information. You don't need to raise it unprompted, but if the buyer asks, you can point to it.
- Multi-tenancy constraints. G2 user reviews note limitations in multi-tenancy support and customization. For large enterprises with complex org structures, this matters.
Reframe:
"Entro does excellent secrets discovery and owner attribution. If your biggest problem today is 'we don't know what NHIs we have,' they're a credible answer for that. But a discovery tool that sits alongside your identity platform and lifecycle governance that is built into that platform are two very different investments with two very different outcomes."
Handoff trigger: If the buyer is a Wiz customer and the Entro conversation is anchored in that integration, bring in your SE to discuss how Okta's ISPM discovery feeds directly into OIG certification workflows. Move the conversation to governance — what happens after you find the problem.
Token Security
Token Security is real and funded, but no product announcements or funding news dated after January 2026 surfaced in research. Do not build a competitive narrative around a vendor whose current product state you cannot verify.
Token Security has raised $28M total (Series A, January 2025). They launched an MCP Server for agentic AI and NHI security in 2025 and were named to The Information's "50 Most Promising Startups." Customers include Bloomreach, HiBob, and Dayforce. No FedRAMP listing. No enterprise analyst coverage.
If a buyer mentions Token Security, acknowledge them as a legitimate player. Ask what specific capabilities the buyer evaluated. Bring in your SE before positioning against them.
Claim Boundaries — What You Can and Cannot Say
| ✅ What you can say | 🚫 What you cannot say (yet) |
|---|---|
| Okta for AI Agents is GA (April 30, 2026) | That all AI Agents features are within FedRAMP High boundary |
| No NHI pure-play holds FedRAMP authorization | That Cisco can never extend FedRAMP to Astrix capabilities |
| Okta governs NHI and human identity in one platform | That Okta's NHI discovery is deeper than purpose-built pure-plays |
| OIG and Workflows are FedRAMP High authorized | That workload identity management in OPA is GA today |
| Oasis reports 5x YoY ARR growth (vendor-reported) | That Oasis's growth numbers are audited or verified |
| Entro's last public round was $24M Series A (June 2024) | That Entro is at risk of acquisition (unverified signal) |
When you hit the edge of what you know, stop talking. Say: "Great question. Let me get my SE on the next call to walk through the technical details." That sentence has saved more deals than any battlecard ever written.
Things to follow up on...
- Cisco-Astrix integration timeline: Watch for Cisco's first public documentation showing Astrix NHI capabilities integrated into Cisco Identity Intelligence, which will signal when this shifts from an acquisition deck to a shippable product.
- Entro's independence clock: With only $24M in total funding and an unverified M&A signal from April 2025, Entro's standalone status may not survive a market where CrowdStrike spent $628M on SGNL and Cisco is absorbing Astrix.
- Okta AI Agents FedRAMP boundary: The April 30 GA shipped on commercial infrastructure, but whether Agent Gateway, ISPM agent discovery, and Governance for Agents as a Resource fall within the Okta for Government High ATO remains unconfirmed and is the single most important verification for federal-facing AEs.
- Oasis public sector moves: Oasis's $195M war chest and Fortune 500 traction make a FedRAMP push plausible within the next 12 months, which would eliminate one of Okta's strongest structural advantages against them in government accounts.

