SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

CSPM set to vanish as machine identities drive risk

Tue, 13th Jan 2026

Cloud Security Posture Management products will stop operating as a standalone category in 2026 as security leaders reduce the number of tools they use, according to Tenable.

Liat Hayun, Senior Vice President of Product Management and Research at Tenable, said security teams will shift towards platforms that combine multiple views of cloud risk. She said organisations now face overlapping tools for posture, identity, runtime and network risks. She linked that overlap to budget pressure and duplicated spend.

"CSPM will disappear as a standalone category in 2026. Under pressure to cut tool sprawl and duplicated spend, CISOs will consolidate identity risk, posture, runtime, and network context - a shift only unified exposure management platforms can deliver," said Liat Hayun, Senior Vice President of Product Management and Research, Tenable.

Consolidation Push

Many larger organisations run several cloud security tools across infrastructure and application teams. Vendors often group these products under headings such as CNAPP, cloud detection and response, identity security and vulnerability management. Hayun said buyers will focus on consolidation rather than new point tools in 2026.

She said that posture management, identity analysis and runtime monitoring increasingly overlap in the data they collect and the issues they track. She also said separate tools make it harder for teams to link misconfigurations, permissions and active threats into a single view of exposure.

The comments land as CISOs face wider enterprise cost scrutiny and increasing expectations from boards. Cloud adoption has also continued to expand the number of services, identities and workloads in use across large environments. That growth has increased the volume of findings from scanning and monitoring tools.

Machine Identity Risk

Hayun highlighted Non-Human Identities as the emerging focus area for cloud security. These identities include service accounts, workload identities, tokens, keys and other credentials used by applications, containers and automated processes.

She argued that security incidents will increasingly stem from permission sprawl and limited visibility over machine identities. She described machine identity growth as outpacing the controls in many organisations that still focus on user accounts and endpoint access.

"Non-Human Identities (NHIs), now outnumbering humans by 80:1, will decisively become the number one cloud breach vector. The core problem is no longer misconfigs or missing patches; it'll be billions of unseen, over-permissioned machine identities that attackers (or autonomous agentic AI) will leverage for silent, undetectable lateral movement. CISOs will be forced to pivot massive spending toward permissions governance and large-scale cleanup as machine-identity sprawl has rendered cloud environments truly unmanageable," said Hayun.

Identity security has already become a central theme in cyber risk programmes, with many organisations rolling out privileged access management and adopting "least privilege" approaches. Hayun's comments suggest that the centre of gravity in cloud identity risk will shift further towards machine identities in 2026.

She also positioned permissions governance as a key spending priority. That includes reducing standing permissions, reviewing role assignments, and tightening access to cloud resources across multiple accounts and subscriptions.

Runtime Debate

Hayun also took aim at the idea that runtime detection can replace other controls. She said attackers often exploit identity weaknesses and configuration issues before malicious activity appears in runtime telemetry.

Her comments reflect a broader debate in the cloud security market. Some suppliers focus on runtime detection and response, including behaviour monitoring of containers and workloads. Others prioritise posture management and configuration compliance. Many now offer combinations, with varying emphasis and depth.

"The 2025 hype that runtime detection is the only thing that matters and could replace posture or identity analysis will fade in 2026. Runtime-only tools miss most attack paths because identity abuse and misconfigurations occur long before anything reaches runtime. Runtime will remain important, but it won't replace CNAPP or exposure management; it'll be another data source inside a broader prevention-first approach," said Hayun.

Agentic Security

Hayun said organisations will not hand over security decisions to AI systems at scale in 2026. She cited data quality, governance and trust as limiting factors. She also pointed to platform consolidation as a prerequisite for more automated decision-making.

Many security vendors have introduced features described as "agentic" AI. They typically propose automated investigation, prioritisation and response actions. Some enterprises have run pilots in limited environments, though many have also raised questions about explainability, accountability and operational risk.

"Despite the hype, agentic security tools won't see meaningful adoption in 2026. Most organisations won't be ready to hand real security decisions over to AI, given gaps in data quality, platform consolidation, governance, and trust. 2026 will be a year of small pilots and controlled experiments, laying the groundwork for a genuine breakout that will be seen in early 2027," said Hayun.

Her outlook frames 2026 as a year defined by consolidation and governance work rather than widespread automation. It also suggests that buyers will ask for clearer linkage between identity, configuration and runtime signals, with fewer overlapping products across teams.

For cloud security suppliers, the message points to demand for integrated product suites and clearer operational workflows. For CISOs, it signals a focus on permissions governance and inventory of machine identities, alongside continued investment in prevention and monitoring across cloud estates.