In cybersecurity, we’ve always talked about identity. But in the age of AI agents, that conversation is being completely rewritten. In my conversation with Avihay Nathan, SVP and Head of AI, Data & Research at CyberArk, it became clear: the challenge ahead isn’t just about identity—it’s about agency.
Avihay brings a unique vantage point. He’s been building in AI for nearly 15 years—from PayPal fraud detection systems powered by 30 features to CyberArk’s new AI-driven architecture for identity security. And yet, even with all that experience, the current moment feels unprecedented. “We’ve created agents that behave like humans but scale like machines,” he told me. “And they’re spawning in real time.”
That shift has massive implications. The traditional tools of identity management—user directories, group policies, role-based access—simply weren’t built for a world where ten autonomous agents can be created on the fly, granted permissions, take action, and disappear before a human even notices. These agents aren’t just running scripts. They’re making decisions. “They have reasoning,” Avihay said. “They choose their next-best action—like a user would. But they move at machine speed.”
CyberArk is approaching this challenge with a three-part framework: Secure from AI, Secure with AI, and Secure of AI.
“Secure from AI” is about defending against new threat vectors—identities that look human, act like code, and behave unpredictably. “Secure with AI” focuses on augmenting the defender: building copilots that help analysts cut through alert fatigue and reduce time-to-value. And “Secure of AI” is the hardest challenge of all: protecting organizations from the very systems and agents they themselves are deploying.
Avihay pointed out that many customers come to CyberArk not with a plan—but with panic. “They’re overwhelmed,” he said. “They don’t know what they don’t know. They’re seeing agent demos everywhere—one to schedule meetings, another to read your face—but they have no idea what these agents actually access.” The result? A trust crisis. And a growing expectation that their security vendor will have the answer.
What impressed me most was the clarity with which CyberArk is mapping the new agent lifecycle. From discovery (“how many new agents spun up in the last 24 hours?”) to observability, access control, behavior monitoring, and compliance—all the way to sunset and governance. “It’s not enough to know what an agent does,” Avihay said. “You have to know why, when, and how it acts. You need context.”
And that’s the real insight. Identity without context is meaningless. In the AI-native world, agents can spawn and act without history. Zero-shot behavior is the new normal. So the only way to secure these systems is to anchor them in business context—what data they touch, what task they perform, and what role they play.
Building toward that vision hasn’t been simple. As Avihay shared, CyberArk had to go through its own transformation: from a highly successful public company to one that must now think like an AI-native startup. That meant shifting from innovation teams dabbling in prototypes to building a centralized AI and data group with full ownership—from research to production. It also meant driving cultural change. “We had to educate the entire organization,” he said. “From the CPO to the engineers—to help them see why data matters, and what’s at stake.”
The result? Dozens of hires in AI across Israel. A new internal methodology for designing data-driven security products. And a mindset shift across the company—one that sees identity not as a static attribute but as a dynamic narrative unfolding in real time.
Avihay’s view is that the agent explosion will continue—because business demands it. “CISOs can only hold back for so long,” he said. “Eventually, the pressure for productivity wins. And when it does, we need to be there to help them do it securely.”
That, in many ways, is the new security promise: not just to block threats, but to enable innovation. Not just to say “no,” but to help organizations move forward—confidently, and safely.
Michael Matias is the CEO and Co-Founder of Clarity, an AI-powered cybersecurity startup backed by Bessemer Venture Partners and Walden Catalyst. Clarity develops advanced AI technologies protecting organizations from phishing, deepfakes, and AI-generated social engineering attacks. Michael studied Computer Science with a specialization in AI at Stanford University, led cyber teams in Unit 8200, was named to Forbes 18Under18 and 30Under30, authored the book Age is Only an Int, and hosts the podcast 20MinuteLeaders.
