
CyberArk Expands Machine Identity Security with Automated Discovery and Context Capabilities

CyberArk has introduced discovery and context capabilities across its Machine Identity Security portfolio to help organizations regain control over the expanding machine identity attack surface by automating how machine identities are discovered, assessed, and governed. The announcement marks a major step in CyberArk’s post-Venafi roadmap, which brings certificate management, secrets governance, and SSH control into a single operational view.

Moving from Manual Cleanup to Automated Discovery

Most teams still manage machine identities by cleaning up expired certificates, rotating keys, and patching issues after something breaks. That kind of “inventory and fix” approach just doesn’t hold up anymore - not when identities are being created and destroyed every second across cloud, AI, and DevOps environments.

Kurt Sand, GM of Machine Identity Security at CyberArk, told MSSP Alert that this old way of working can’t keep pace with the speed and scale of modern systems:

“The manual, reactive ‘cleanup’ approach has become obsolete as machine identities now outnumber human identities by 82 to 1 - and that ratio is steadily increasing. As enterprises lean into AI agents and ephemeral workloads in modern and multi-cloud environments, the challenge will be scaling machine identity security practices to meet the demand.”

Sand said CyberArk’s latest enhancements take a different route - treating machine identity security as something continuous, not a once-a-year audit.

“The new capabilities will move beyond manual processes by first tackling discovery at scale, then cataloging and understanding all machine identities across all environments, ending the manual inventory scramble,” he said. “Context and analytics will empower security teams to pivot from blind cleanup to intelligent policy enforcement that prioritizes remediation based on actual risk. Ultimately, this approach ensures consistent controls are applied across every fragmented environment, turning security into a scalable, repeatable and automated function.”

In practice, this means CyberArk isn’t just helping teams find identities - it’s helping them understand them. By building context into every step, security teams can see what each identity does, what it touches, and how it’s connected. That shift turns firefighting into foresight, making machine identity management part of daily security operations instead of an afterthought.

Bringing Certificates, Keys, and Secrets into One Unified View

A year after acquiring Venafi, CyberArk is starting to bring its vision of unified machine identity security to life. Until now, teams managing certificates, secrets, and workloads have worked in silos, each with their own tools, dashboards, and processes. That fragmentation makes it hard to see how one weak link, like a compromised key or expired certificate, can ripple across systems.

Sand said the company’s new capabilities are designed to bridge those gaps:

“On October 7, we’ll preview a new service that will deliver a unified security view across certificates, secrets, keys and workloads. Today, the variety of machine identities and the diversity of environments they exist in makes machine identity discovery, prioritization and remediation extremely complex and time-consuming. Our discovery and context service will bring rich discovery and context for all identity types, risk-level guidance, and in-line remediation. This eliminates the need to pivot between different tools to assess and manage threat exposure.”

This unified view gives security teams one place to see and act on everything - no more stitching together data from separate systems. It brings identity insights from development, infrastructure, and operations into one context, making it easier to enforce policies and stay compliant.

Sand also previewed CyberArk’s Secure Workload Access Solution, which builds on integrations from the Venafi and Conjur portfolios to make SPIFFE (Secure Production Identity Framework for Everyone) practical for enterprise use.

“We’ll also preview our Secure Workload Access Solution, where we have developed new technology on top of integrations from our former Venafi and Conjur portfolios to make SPIFFE accessible for every enterprise. This will be a truly scalable approach to address the explosion we’re seeing in ephemeral workloads in hybrid, multi-cloud architectures.”

The goal is to make modern identity frameworks easier to adopt - not just for advanced cloud teams, but for any organization managing dynamic workloads across hybrid environments. By bringing Venafi’s certificate expertise and Conjur’s secrets management together, CyberArk is building a foundation where every machine identity can be verified, governed, and renewed without manual effort.

The company is also addressing one of the biggest operational risks in identity management: shrinking certificate lifespans. As renewal cycles shorten to just 47 days by 2029, outages caused by missed renewals will only become more common.

“Our new Certificate Manager capabilities proactively address the crippling challenge of certificate outages by providing real-time expiration visibility, allowing security teams to prevent downtime and manage compliance seamlessly as certificate lifespans continue to shrink,” Sand said. “Ultimately, the goal is to ensure consistent policy, governance and audit compliance across every machine identity type, regardless of its form or location.”

By embedding expiration awareness and automation into its platform, CyberArk helps organizations avoid one of the most common and costly pitfalls in identity management: unexpected downtime triggered by missed renewals.

Simplifying Operations for Service Providers

Machine identity sprawl isn’t just an enterprise problem - it grows even faster for managed service providers (MSPs) and managed security service providers (MSSPs). Every new client adds another layer of complexity: more vaults to track, more certificates to renew, more secrets to secure. Those environments often span different regions, regulations, and technology stacks, making it even harder to apply consistent policies or maintain visibility across all tenants.

Sand said CyberArk’s strategy is designed with that complexity in mind:

“CyberArk is committed to both ‘self-hosted’ solutions and SaaS offerings for our Machine Identity Security portfolio. We’ve continued to invest in our entire portfolio to ensure that our customers have great flexibility in tackling machine identity security challenges, including managing machine identities that must be contained to on-premises environments or certain geographies for compliance purposes. This gives our MSP partners the ability to position the best-suited solution to meet customer requirements.”

By offering both deployment models, CyberArk gives service providers the ability to design identity programs that respect client boundaries while maintaining a common operational backbone. Sand added that CyberArk’s multi-tenant capabilities are helping MSSPs scale their services efficiently:

“Our MSP program provides MSPs with a centralized view of their managed CyberArk environments, enabling unified control across all instances. Our MSP Hub offers a SaaS-based management console that provides a one-stop-shop entry point for MSPs to offer the CyberArk Identity Security Platform to their customer base. It streamlines cloud operations and connects seamlessly to all managed CyberArk instances, allowing MSPs to build differentiated, profitable identity security services that manage and secure all identities – human and machine.”

In practice, this means MSPs can deliver consistent identity governance across multiple tenants without duplicating effort, a core capability as more SMBs turn to managed providers for expertise in machine identity security.

CyberArk’s approach combines automated discovery with context, giving security teams the clarity to move from reacting to predicting. It’s not just about inventory - it’s about knowing which identities matter most, where they live, and how to keep them under control. For both enterprises and service providers, that insight goes beyond efficiency. It builds resilience. In a world where machines now drive access and trust, understanding them is no longer optional but essential.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.
