SailPoint CEO Mark McClain: We Need ‘Real-Time, Dynamic Protection’ In Identity
The surging growth of AI agents is only heightening the need to find a better way to secure identities and access privileges, McClain tells CRN.
While the importance of identity security has been rising for years, the emergence of AI agents is only heightening the industry’s need to find a better way to secure identities and access privileges, according to SailPoint founder and CEO Mark McClain.
In an interview with CRN, McClain said the identity security vendor is looking to get more vocal about why existing approaches to identity will not be sufficient in the agentic era.
The necessary transition, he said, is ultimately a “move to real-time, dynamic protection and security. Administration and governance aren’t going away, but they’re not going to be where the action is.”
As part of helping to enable that shift for partners and customers, SailPoint unveiled an array of updates to its product portfolio Tuesday, including the introduction of Agent Identity Security. The offering is aimed at providing discovery, governance and security for AI agents—with the ability to even secure agentic entitlements, according to the company.
Given the surging interest in agents and the massive security challenges posed by them, SailPoint is “anticipating a lot of interest in this agentic security product,” McClain said.
Other product updates unveiled Tuesday include the launch of a non-employee risk management tool, new enhancements to machine identity security and the introduction of adaptive approvals for the vendor’s Atlas Workflows offering.
The updates came in connection with SailPoint’s Navigate 2025 event, taking place this week in Austin, Texas. Earlier this year, SailPoint returned for a second time as a public company with an initial public offering in February that saw major investor demand.
What follows is more of CRN’s interview with McClain.
What are the big themes of Navigate this year?
What we’re talking about is a significant shift in how we want people to be thinking about our space. Historically, there have been three core areas of identity. There’s real-time access/SSO/multifactor. Then [second is] the privileged access management world. And then our space, identity governance and administration—how do you set things up correctly, change them when necessary, and then audit/comply on a semi-periodic, occasional basis? That world of governance and admin is a critical foundation for what we all need to move toward. What we’re going to shift pretty heavily into now is much more real-time authorization and governance and security of all of these types of identities. And of course, the notable one there is agentic. There’s nonhuman, which certainly encapsulates all the stuff we’ve been doing for a while—bots and service accounts and robotic process automation, IoT devices. And then there’s agentic. But we’re saying, ‘Those things are different, and you’re going to need different approaches for the two of them.’ There’s some things in common, for sure. But agentic, I think, is going to feel kind of hybrid. It’s going to have humanish aspects because some of these things can learn and adapt and change. But they’re still not people.
What are the implications of this shift specifically for an area like privileged access management?
Privilege is going to apply to everything. And to their credit, when [Palo Alto Networks CEO] Nikesh [Arora] talked about the CyberArk acquisition, he talked about that same thing. Yes—it does need to be privilege applied dynamically, escalating and de-escalating based on context. But we’re not sure any of those guys have the technology to do that, and we think we do. You have to have this comprehensive view of the [entire] identity landscape and what’s happening in real time. Without a tool like SailPoint, you can’t relate all those disparate identities. So it’s this move to real-time, dynamic protection and security. Administration and governance aren’t going away, but they’re not going to be where the action is. We’re coining a term we’re calling ‘adaptive identity.’ That seems to us to capture the fact that everything is going to be adapting in real time. That also means, ‘How can you allow what you want to allow in real time?’ It’s enablement and security. You want to rapidly make sure things that need to get done can get done without a lot of hurdles. On the other side, you’ve got to make sure you have the controls to shut things down or restrict them when you see signs of anomaly or potentially breach. You’ve got to rethink how you think about this category. You have to think of it as real time and dynamic, particularly in the nonhuman realm.
What would be one or two announcements that you think especially exemplify these themes?
We are announcing the availability of an agentic identity security product. We announced machine identity security last fall, so it’s been on the market about a year. We’ve noted in our earnings that it’s our fastest-growing new module ever. And we are anticipating a lot of interest in this agentic security product. We’ve got to do discovery, classification, [assigning] ownership for all the nonhuman identities, but particularly in agentic. Then we’ve got to be able to validate that this is a valid agent, and that we want it to do what it’s doing—and [whether] it’s still useful or no longer useful. This is gen one of agentic that we’re announcing. Gen two, which is coming very shortly, is the ability to deal with these ‘super agents.’ How do you manage an agent that can spin up another agent and has the capability to create new work? That’s just unprecedented. Real-time spawning of new agents and identities, that’s a new thing. One of the things that’ll be notable in this realm of agentic is that we are going to be standing on stage with some very important partners—Nvidia, Amazon. The people that are leading the charge around LLMs and agentic, we have been partnering up with them. Because they came to us and said, ‘We don’t know who else can solve this problem.’ So it’s going to be notable that we didn’t do this on our own.
What can you say about privilege posture management and other areas you are looking to move into?
[With] privilege posture management, that’s where we’re saying we’re not really going to get into traditional PAM. It’s not like you don’t need traditional PAM—all those core technologies of PAM, that’s not going away. But what’s going to be much more valuable over time is the dynamic privilege across every identity. What if you [don’t just protect] your 2,000 important identities—how about all 200,000 of your identities might be privileged at any point in time? How do you dynamically escalate and de-escalate that privilege, and at any point in time, understand what it is—that’s where the posture management comes in. [With] real-time authorization and real-time threat detection, those are the things where we’re going to allow for very real-time access, or lack of it, partly based on the signals from that security environment. It’s going to take a level of collaboration across the landscape that we just haven’t been seeing before.
What’s most important for partners to know about these announcements and your vision overall going forward?
[Partners are] excited about this vision. They’ve been separately pitching CrowdStrike, Palo Alto [Networks], SailPoint. They like the idea that we’re going to help them with an integrated and better story for that CISO. We’re going to do some of the heavy lifting now by saying, ‘We’ll work on some of these fundamental connections with our technology partners.’ Then our [systems integrator] partners will be the ones that come in and help this work for you in your environment. In these mid to large enterprises, it will always involve unique, customized approaches. And that’s where those partnerships that we’ve been building now will be enhanced by what we’re doing to tie in the technology more tightly together.