

February 25, 2026
GigaOm Radar for Cloud Infrastructure Entitlement Management (CIEM) v3
Ivan McPhee
1. Executive Summary
Cloud infrastructure entitlement management (CIEM) is a specialized security solution that manages and secures identities and their associated permissions (entitlements) across cloud environments. Entitlements represent the effective permissions assigned to users, applications, or services, determining which resources they can access and how they can interact with them.
CIEM addresses a critical challenge in modern cloud security: the management of excessive permissions and "cloud identity debt," meaning the unused identities and overprivileged access that accumulate over time. CIEM solutions enforce the principle of least privilege, ensuring that identities have only the minimum permissions necessary to perform their tasks. This approach significantly reduces the attack surface and minimizes the risk of data breaches and security threats in complex multicloud environments.
The importance of CIEM has grown substantially as organizations face increasingly dynamic cloud infrastructures where resources are constantly added, modified, or removed. Traditional identity and access management (IAM) systems struggle to keep pace with these rapid changes, creating security gaps and compliance vulnerabilities. Human error, particularly poorly managed entitlements, accounts for a significant share of cloud security problems, making proactive access management essential.
Initially defined as an identity-centric software-as-a-service (SaaS) solution that manages cloud access risks using time-limited privileged access restrictions, CIEM has evolved as a logical progression from established IAM and privileged access management (PAM) solutions, adapting their least privilege approaches specifically for cloud environments.
The technology has rapidly evolved to meet the specific security needs of organizations with complex cloud operations. Modern CIEM solutions now incorporate advanced analytics, machine learning (ML), and artificial intelligence (AI) to automatically detect access anomalies and perform autonomous governance. The category has also expanded to include capabilities such as just-in-time (JIT) privileged access, which grants and revokes permissions dynamically to maintain a zero standing privileges (ZSP) security posture.
Today, CIEM vendors support multiple cloud platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), providing centralized visibility and control across multicloud environments. The solutions continuously monitor entitlements, automatically identify excessive permissions, and provide remediation recommendations or automated corrections. This continuous compliance automation ensures that cloud environments remain secure and audit-ready while meeting regulatory requirements.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well CIEM solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Cloud service provider (CSP): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and SaaS.
Network service provider (NSP): Service providers selling network services (network access and bandwidth) that provide entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, internet service providers (ISPs), telecommunications companies, and wireless providers.
Managed service provider/managed security service provider (MSP/MSSP): These are third-party organizations delivering cloud entitlement management capabilities to multiple client organizations through multitenant platforms. This allows them to secure cloud identities and permissions across diverse customer environments while offering continuous monitoring, compliance management, and automated remediation under their own branding.
Government/public sector: Federal, state, and local government agencies requiring cloud entitlement management capabilities that meet stringent regulatory frameworks, such as the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA). This also includes government-specific security standards with heightened emphasis on compliance reporting and protection of sensitive citizen data across authorized cloud environments.
Large enterprise: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-prem data center or a colocation facility.
Small-to-midsize businesses (SMBs): Small businesses (fewer than 100 employees) to midsize companies (100-1,000 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-prem data center or a colocation facility.
In addition, we recognize the following deployment models:
On-prem: The CIEM solution is installed and operated on the organization's infrastructure and data centers. This model provides complete control over the system but requires significant in-house expertise and resources to manage and maintain.
Public cloud: The CIEM solution is hosted and managed by a third-party cloud provider and is accessible over the internet. This model offers scalability and reduced management overhead but may have data residency or compliance considerations.
Private cloud: The CIEM solution is hosted on dedicated infrastructure, either on-prem or by a third-party provider, exclusively for one organization. This model combines the benefits of cloud computing with enhanced security and customization options.
Hybrid cloud: The CIEM solution operates across both on-prem infrastructure and public cloud environments. This model allows organizations to maintain sensitive workloads on-prem while leveraging the scalability and cost-effectiveness of the public cloud for other components.
Multicloud: The CIEM solution is deployed across multiple public cloud platforms from different providers. This model offers flexibility and avoids vendor lock-in but requires expertise in managing entitlements across diverse cloud environments.
Software as a service (SaaS): The vendor provides the CIEM solution as a fully managed service accessible via a web browser. This model offers quick deployment and reduced management overhead but may have limitations in customization and integration with on-prem systems.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Multicloud discovery and visualization
Cross-cloud visibility and correlation
Real-time monitoring and alerting
Permissions rightsizing
Guided remediation
Reporting and auditing
Centralized management console
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a CIEM solution.
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below.
Key Features
Cloud identity threat detection and response: The solution continuously monitors identity systems, user activities, and access patterns to detect, investigate, and automatically respond to identity-based threats. This includes compromised credentials, privilege escalation, lateral movement, and account takeovers in real time. This capability is critical because identity-based attacks have become the primary attack vector in cloud environments, requiring immediate detection and response.
AI-enabled anomaly detection: The solution employs ML algorithms and behavioral analytics to establish baseline activity patterns for identities. It also automatically detects deviations, unusual access patterns, privilege escalations, and suspicious behaviors that may indicate compromise or insider threats. This capability is essential because it provides proactive, continuous security monitoring that identifies potential breaches before they cause damage, unlike reactive security approaches that respond only after incidents occur.
Automated least privilege: The solution continuously analyzes usage patterns and automatically adjusts permissions to grant only the minimum necessary access rights, eliminating excessive entitlements without manual intervention. This is critical because manual management cannot scale across dynamic cloud environments with thousands of identities.
Just-in-time (JIT) access: JIT access provides temporary time-bound privilege elevation with automated approval workflows and expiration mechanisms. This eliminates standing privileges by granting access only when needed and automatically revoking it after a predetermined period or task completion. This is critical because standing privileges create persistent attack surfaces that adversaries exploit, while JIT dramatically reduces exposure windows and minimizes opportunities for credential misuse.
Automated remediation and rightsizing: The solution automatically identifies security issues, over-provisioned permissions, and policy violations. It then implements corrective actions through policy-as-code (PaC) integration, API-driven adjustments, or workflow automation to resolve entitlement risks without manual security team intervention. This capability is essential because manual remediation cannot scale across dynamic cloud environments that require continuous permission adjustments for thousands of identities.
Lifecycle entitlements governance: The solution manages the complete lifecycle of identity entitlements from provisioning through access reviews to deprovisioning, automatically detecting identity drift, zombie accounts, and orphaned permissions. It ensures timely access revocation when employees change roles or leave, which is critical, as accumulated unused identities and excessive privileges create persistent security vulnerabilities that adversaries exploit.
Granular policy visibility and control: The solution provides detailed visibility into access policies at the individual permission level across all cloud platforms. It also enables administrators to define, enforce, and monitor fine-grained security policies that govern who can access specific resources under what conditions. This capability is critical because cloud vendors often provide overly permissive built-in policies. Moreover, organizations need permission-level granularity rather than policy-level views to identify true security risks.
Compliance and identity governance: Compliance and identity governance automates compliance assessment, generates audit-ready reports, and maps entitlements to regulatory requirements, including GDPR, HIPAA, PCI DSS, and SOC 2. It also maintains comprehensive audit trails and enforces governance policies to ensure continuous adherence to security standards and regulatory mandates. This capability is essential because manual compliance processes cannot scale to meet continuous audit requirements across dynamic multicloud environments with thousands of identities.
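The automated least privilege, automated rightsizing, and lifecycle governance criteria above all rest on the same loop: compare what an identity is granted with what it actually exercises, recommend the minimal set, and flag identities that have gone quiet. The script below is an added example written for this page (not code from the report or from any vendor) showing that loop on constructed data: the identities, the permission strings (which only resemble AWS IAM action names), and the audit events are all invented for illustration.

```python
"""Usage-based permission rightsizing and dormant-identity detection.

Added example, not from the GigaOm report or any vendor product. It compares
each identity's granted entitlements against the actions it exercised during
an observation window, recommends the minimal permission set, and flags
identities with no recent activity. All inventory data and events below are
constructed sample values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: granted entitlements per identity (hypothetical names).
GRANTED = {
    "role/ci-deployer": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                         "iam:PassRole", "iam:CreateUser"},
    "user/alice": {"s3:GetObject", "ec2:DescribeInstances", "ec2:TerminateInstances"},
    "svc/report-batch": {"s3:GetObject", "athena:StartQueryExecution"},
    "user/bob-contractor": {"s3:GetObject"},   # never seen in the event stream
}

# Constructed audit events (identity, action, ISO timestamp). They resemble
# cloud audit-log records but are not copied from any real log.
EVENTS = [
    ("role/ci-deployer", "s3:GetObject", "2026-02-20T09:12:00"),
    ("role/ci-deployer", "s3:PutObject", "2026-02-21T14:03:00"),
    ("role/ci-deployer", "iam:PassRole", "2026-02-22T08:45:00"),
    ("user/alice", "s3:GetObject", "2026-02-24T10:00:00"),
    ("user/alice", "ec2:DescribeInstances", "2026-02-24T10:01:00"),
    ("svc/report-batch", "s3:GetObject", "2025-10-01T02:00:00"),
]


def observed_usage(events):
    """Return {identity: {action: last_used_datetime}} from raw events."""
    usage = defaultdict(dict)
    for identity, action, ts in events:
        when = datetime.fromisoformat(ts)
        prev = usage[identity].get(action)
        if prev is None or when > prev:
            usage[identity][action] = when
    return usage


def rightsize(granted, usage):
    """Split each identity's granted permissions into used and unused.

    'keep' is the least-privilege recommendation, 'remove' is the excess,
    and 'unexplained' lists actions exercised that the inventory does not
    show as granted (a sign the inventory itself is stale).
    """
    report = {}
    for identity, perms in granted.items():
        used = set(usage.get(identity, {}))
        report[identity] = {
            "keep": sorted(perms & used),
            "remove": sorted(perms - used),
            "unexplained": sorted(used - perms),
        }
    return report


def dormant_identities(granted, usage, now, max_idle_days=90):
    """Identities with no activity at all, or none within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for identity in granted:
        last = max(usage.get(identity, {}).values(), default=None)
        if last is None or last < cutoff:
            dormant.append(identity)
    return sorted(dormant)


def run_demo(now=datetime(2026, 2, 25)):
    """Run the full loop on the constructed data; returns (report, dormant)."""
    usage = observed_usage(EVENTS)
    return rightsize(GRANTED, usage), dormant_identities(GRANTED, usage, now)


if __name__ == "__main__":
    report, dormant = run_demo()
    for identity, r in report.items():
        print(f"{identity}: keep={r['keep']} remove={r['remove']}")
    print("dormant:", dormant)
```

The observation window is the main design decision: a permission exercised only during rare events (a quarterly credential rotation, a disaster-recovery runbook) looks unused in a 30-day window, so rightsizing tools typically use longer windows for sensitive actions and surface such removals as recommendations for review rather than revoking them automatically.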
Table 2. Key Features Comparison
Emerging Features
Nonhuman identity (NHI) management: Nonhuman identity management governs machine identities, including API keys, service accounts, tokens, and certificates, across cloud and CI/CD environments through automated discovery, lifecycle management, and least privilege enforcement. This is critical because NHIs outnumber humans 40:1 and frequently operate with excessive privileges without centralized oversight, creating massive attack surfaces.
Identity threat detection and response (ITDR) integration: ITDR for CIEM correlates entitlement data with threat intelligence, behavioral analytics, and attack indicators to detect credential theft, privilege escalation, and lateral movement. This is critical because identity-based attacks require real-time correlation of permissions with active threats to enable automated responses.
Zero trust architecture integration: Zero trust integration implements continuous identity verification, context-aware access decisions, and least privilege controls by serving as the identity layer within zero trust models. This is crucial because zero trust demands strict control over who can access which resources under specific conditions. Additionally, CIEM provides continuous validation to prevent lateral movement even when credentials are compromised.
Predictive access analytics: Predictive access analytics leverages AI and ML to analyze historical access patterns, forecast future entitlement needs, and proactively identify permission drift before it occurs. This capability is critical because it enables organizations to prevent security risks through behavioral modeling rather than reactive incident response.
Self-service access management: Self-service access management empowers users to request temporary cloud resource access through automated portals with workflow-driven approvals, reducing IT ticket backlogs while maintaining policy controls. This is significant, as it balances operational agility with security governance, enabling rapid access provisioning without compromising least privilege principles.
Serverless and container security support: Serverless and container security support extends entitlement management to ephemeral workloads, including Lambda functions, Kubernetes pods, and containers. This provides runtime protection and permission analysis for cloud-native architectures. This is important because short-lived workloads often receive overly permissive service account roles, creating security vulnerabilities across distributed microservice environments.
AI runtime policy enforcement: AI runtime policy enforcement uses ML to dynamically enforce security policies in real time, automatically adjusting access controls and blocking suspicious activities through contextual analysis. This enables instantaneous threat response at machine speed, preventing security incidents before human intervention is possible.
Data privacy and user consent management: The solution manages data access permissions in compliance with privacy regulations by tracking user consent, enforcing data subject rights, and ensuring identity entitlements align with GDPR, CCPA, and other privacy frameworks. This is critical, as organizations must demonstrate continuous compliance with privacy laws while maintaining audit trails that document proper data access controls and consent enforcement.
Table 3. Emerging Features Comparison
Business Criteria
Configurability: Configurability offers customizable features, policies, workflows, and remediation actions tailored to specific organizational security requirements, compliance mandates, and operational processes across cloud environments. This flexibility is crucial because organizations have unique security architectures, industry-specific regulations, and existing technology stacks requiring seamless integration rather than one-size-fits-all solutions.
Flexibility: Flexibility enables seamless adaptation to heterogeneous cloud architectures, supporting multiple cloud service providers (AWS, Azure, and GCP), deployment models (public, private, hybrid), and organizational structures while accommodating evolving business needs. This is important because organizations must future-proof their security investments as cloud strategies evolve without being locked into single-vendor ecosystems.
Interoperability: Interoperability refers to a solution’s ability to integrate natively with existing security stacks, identity providers, SIEM platforms, SOAR tools, cloud-native services, CI/CD pipelines, and communication platforms via APIs and standard protocols, enabling unified security operations. This is critical because isolated security tools create blind spots and operational inefficiencies that prevent effective threat detection and response.
Manageability: A manageable solution provides intuitive dashboards, centralized administration interfaces, and streamlined operational workflows. This allows security teams to efficiently configure, monitor, and maintain entitlement management across all cloud environments from a single console. It is critical because fragmented management across multiple cloud consoles creates operational inefficiencies, increases administrative overhead, and delays threat response.
Observability: The solution must provide continuous monitoring and comprehensive visibility into identity behaviors, access patterns, and entitlement changes through real-time telemetry, detailed logging, and visual analytics across multicloud environments. This is pivotal because visibility gaps prevent organizations from detecting suspicious activities, investigating security incidents, and demonstrating compliance with regulatory requirements.
Performance: The solution should enable efficient operation at enterprise scale, processing large volumes of identities, entitlements, and access events across multicloud environments without latency degradation while maintaining rapid discovery, analysis, and remediation capabilities. This is critical because performance bottlenecks delay threat detection, slow incident response, and prevent organizations from scaling cloud security operations as infrastructure grows.
Support: Support encompasses the assistance and resources provided by the vendor to help customers implement, configure, maintain, and troubleshoot the system to ensure successful deployment, optimal utilization, and long-term value of the CIEM solution. This enables organizations to effectively address evolving cloud security challenges.
Cost transparency: Cost transparency provides clear, predictable pricing models with detailed cost breakdowns, consumption-based billing visibility, and budgeting tools. This allows organizations to understand, forecast, and optimize expenses associated with entitlement management across cloud infrastructure. This is key, as hidden costs and complex pricing structures prevent accurate budget planning and can lead to unexpected expenses that undermine security investment ROI.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for CIEM
As shown in the Radar chart in Figure 1, the CIEM market is being driven by several key trends reflecting the evolving needs of organizations in managing cloud entitlements and security:
The majority of vendors are positioned in the Platform Play hemisphere as organizations demand integrated cloud-native application protection platform (CNAPP) solutions that correlate identity risks with misconfigurations, vulnerabilities, and runtime threats rather than isolated, standalone CIEM tools.
Vendors in the Innovation hemisphere are distinguishing themselves through agentic AI for autonomous remediation, ITDR capabilities, Kubernetes role-based access control (RBAC) management, and AI workload security.
Leaders in the Maturity hemisphere demonstrate comprehensive multicloud coverage across AWS, Microsoft Azure, GCP, Oracle Cloud, and Kubernetes with enterprise-grade compliance automation.
These trends highlight the critical role of CIEM solutions in securing modern cloud ecosystems and ensuring compliance with evolving regulatory requirements.
The quadrants balance a focus on Maturity versus Innovation and Platform Play versus Feature Play, enabling organizations to select CIEM solutions aligned with their specific requirements, risk tolerance, and cloud adoption pace. It should be noted that a Maturity designation does not exclude Innovation. Instead, it distinguishes a vendor that enhances existing capabilities from one that innovates by adding new capabilities. Furthermore, with each vendor focusing on different ecosystems, technologies, target markets, or use cases, positioning in each quadrant is determined as follows:
Maturity/Platform Play: These solutions offer stable, comprehensive CIEM capabilities (including cross-cloud entitlements correlation, ITDR integration, and attack path visualization) across all major cloud environments (AWS, Azure, and GCP) with proven ecosystem support and established features. While these solutions provide reliable, broad platform coverage, they may be slower to adopt cutting-edge technologies such as agentic AI, Kubernetes identity management, or AI workload security.
Innovation/Platform Play: These solutions demonstrate aggressive technical innovation and advanced features such as agentic AI-driven automation, AI workload identity security, self-service JIT portals, and cross-cloud entitlements correlation across major cloud environments (AWS, Microsoft Azure, and GCP) within a comprehensive CNAPP approach. While these solutions offer cutting-edge capabilities and broad coverage, they may have less proven stability or a less mature ecosystem than those of more established vendors.
Innovation/Feature Play: These solutions focus on innovative, cutting-edge CIEM functionality but with a narrower feature set and/or limited support for major cloud environments (AWS, Microsoft Azure, and GCP). While solutions in this quadrant may excel in specific innovative capabilities, their limited platform support and narrow focus may not meet broader enterprise requirements.
Maturity/Feature Play: These solutions offer stable, proven CIEM capabilities but with specialized feature sets and/or limited support for major cloud environments (AWS, Microsoft Azure, and GCP). While solutions that appear in this quadrant deliver reliable performance in their focused areas, they lack the comprehensive platform coverage and innovative features, such as agentic AI, Kubernetes infrastructure entitlement management (KIEM), or continuous authorization, needed for complex enterprise environments.
In addition, the arrow color (Forward Mover, Fast Mover, or Outperformer) is based on execution against roadmap and vision (according to vendor input from the previous report and in comparison to industry innovation in general).
When reviewing solutions, it’s important to remember that there are no universal “best” or “worst” offerings. Indeed, every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
BeyondTrust: Pathfinder
Solution Overview
Founded in 2003, BeyondTrust specializes in PAM, identity security, and CIEM. In April 2024, BeyondTrust acquired Entitle (CIEM and JIT access). Additionally, in February 2025, it launched Pathfinder, a unified platform integrating PAM, ITDR, and CIEM capabilities under a single interface with AI-driven analysis.
Pathfinder provides a unified interface that integrates CIEM with ITDR and PAM capabilities. Core components include Entitle for cloud permissions automation and Identity Security Insights for cross-domain privilege analysis. Key features include AI-driven anomaly detection; automated least privilege recommendations; continuous discovery across AWS, Microsoft Azure, and GCP; JIT access with more than 100 integrations; lifecycle entitlements governance; ML-enhanced behavioral analytics; permissions rightsizing; real-time monitoring; and risk-scored remediation workflows. Key differentiators include AI Agent Insights for agentic AI governance; cross-domain privilege correlation spanning cloud, on-prem, and SaaS environments; Secrets Insights for nonhuman identities; and True Privilege Graph visualizing privilege escalation paths.
BeyondTrust takes a general approach to CIEM, innovating to add emerging features such as AI agent governance, ML-enhanced behavioral analytics, NHI management, and secrets management capabilities.
BeyondTrust is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Pathfinder scored well on a number of decision criteria, including:
JIT access: Pathfinder implements intelligent automation by leveraging access request patterns to enable policy-based auto-approval for low-risk scenarios while routing high-risk requests through multistage workflows with configurable approval paths. It integrates with identity providers, human resources (HR) systems, ticketing systems, and more than 100 applications, providing dynamic expiration policies and comprehensive risk-based analytics optimizing access patterns.
Lifecycle entitlements governance: The solution continuously synchronizes with authoritative sources to automatically provision accounts with role-based entitlements, orchestrate immediate deprovisioning when employees leave, and adjust permissions during role changes. It provides automated access review campaigns with various scopes, continuously monitors for dormant accounts and orphaned permissions, detects identity drift against baselines, and maintains detailed audit trails linking lifecycle events, approvals, and justifications to standing permissions.
Compliance and identity governance: Pathfinder implements continuous monitoring, evaluating entitlements and policies against detailed control mappings for GDPR, HIPAA, PCI DSS, and SOC 2. This generates audit-ready reports with evidence packages linking configurations to regulatory requirements. It maintains immutable audit trails with complete lineage tracking, shows entitlement decision history, provides dashboards with risk-scored findings prioritized by regulatory impact, and supports semiautomated policy enforcement.
BeyondTrust is classified as an Outperformer due to industry-first AI agent governance, monthly major capability releases (including ML-enhanced analytics and secrets management), and the architectural unification of CIEM with ITDR and PAM.
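The JIT pattern described for Pathfinder above (policy-based auto-approval for low-risk requests, a human approval path for high-risk ones, and expiry that revokes access without manual action) is easiest to see as a small broker. The code below is an added example written for this page; it is not BeyondTrust's code and calls no Pathfinder or Entitle API. The scopes, risk tiers, durations, identities, and justifications are constructed assumptions.

```python
"""Just-in-time (JIT) access broker with risk-tiered approval and expiry.

Added example, not BeyondTrust's or any vendor's code. It models the zero
standing privileges idea: nothing is granted permanently, low-risk scopes
within a cap are auto-approved by policy, everything else waits for a human
approver, and every grant expires on its own. All scopes, caps and
identities are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed risk classification: maximum auto-approvable duration per scope.
# Any scope not listed is treated as high risk and requires an approver.
LOW_RISK_SCOPES = {
    "s3:read:logs-bucket": timedelta(hours=4),
    "ec2:describe:*": timedelta(hours=8),
}
MAX_GRANT = timedelta(hours=12)  # hard cap that applies even with approval


@dataclass
class Grant:
    identity: str
    scope: str
    expires_at: datetime
    approved_by: str            # "policy" for auto-approval, else approver id
    justification: str
    revoked: bool = False


@dataclass
class JitBroker:
    active: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # request id -> request tuple
    next_id: int = 0

    def request(self, identity, scope, duration, justification, now):
        """Return ("granted", Grant) when policy can auto-approve, otherwise
        ("pending", request_id) so a human approver can decide."""
        if duration > MAX_GRANT:
            raise ValueError("requested duration exceeds the hard cap")
        cap = LOW_RISK_SCOPES.get(scope)
        if cap is not None and duration <= cap:
            grant = Grant(identity, scope, now + duration, "policy", justification)
            self.active.append(grant)
            return "granted", grant
        self.next_id += 1
        self.pending[self.next_id] = (identity, scope, duration, justification)
        return "pending", self.next_id

    def approve(self, request_id, approver, now):
        """Convert a pending request into a timed grant. The requester may not
        approve their own request (separation of duties)."""
        identity, scope, duration, justification = self.pending[request_id]
        if approver == identity:
            raise PermissionError("requester cannot approve their own request")
        del self.pending[request_id]
        grant = Grant(identity, scope, now + duration, approver, justification)
        self.active.append(grant)
        return grant

    def expire(self, now):
        """Revoke every grant whose expiry has passed; return the revoked grants."""
        revoked = [g for g in self.active if g.expires_at <= now]
        for g in revoked:
            g.revoked = True
        self.active = [g for g in self.active if not g.revoked]
        return revoked

    def is_allowed(self, identity, scope, now):
        """Authorization check: only an unexpired, unrevoked grant permits access."""
        return any(g.identity == identity and g.scope == scope
                   and not g.revoked and g.expires_at > now
                   for g in self.active)


def scenario():
    """Walk through auto-approval, human approval, self-approval rejection and
    expiry on constructed requests; returns the observations as a dict."""
    broker = JitBroker()
    t0 = datetime(2026, 2, 25, 9, 0)
    s_low, g_low = broker.request("user/alice", "s3:read:logs-bucket",
                                  timedelta(hours=2), "triage alert (constructed)", t0)
    s_over, _ = broker.request("user/bob", "s3:read:logs-bucket",
                               timedelta(hours=6), "bulk export (constructed)", t0)
    s_high, req_id = broker.request("user/alice", "iam:write:prod",
                                    timedelta(hours=1), "rotate creds (constructed)", t0)
    before = broker.is_allowed("user/alice", "iam:write:prod", t0)
    try:
        broker.approve(req_id, "user/alice", t0)
        self_blocked = False
    except PermissionError:
        self_blocked = True
    broker.approve(req_id, "user/sec-lead", t0)
    after = broker.is_allowed("user/alice", "iam:write:prod", t0 + timedelta(minutes=30))
    revoked = broker.expire(t0 + timedelta(hours=3))
    return {
        "low_risk_status": s_low, "low_risk_approver": g_low.approved_by,
        "over_cap_status": s_over, "high_risk_status": s_high,
        "allowed_before_approval": before, "self_approval_blocked": self_blocked,
        "allowed_after_approval": after,
        "revoked_scopes": sorted(g.scope for g in revoked),
        "allowed_after_expiry": broker.is_allowed("user/alice", "s3:read:logs-bucket",
                                                  t0 + timedelta(hours=3)),
    }
```

Two details carry most of the security value: the authorization check consults only live grants, so an identity with no grant has no access by default, and the approval path rejects self-approval, which is the check most often missing from home-grown JIT workflows. A production broker would also persist grants and emit an audit record on every request, approval, and revocation so that the access history described in the lifecycle governance criterion can be reconstructed.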
Opportunities
Pathfinder has room for improvement in a few decision criteria, including:
AI-enabled anomaly detection: Pathfinder employs ensemble ML models that analyze behavioral patterns across multiple dimensions to establish dynamic baselines that adapt to role changes. It implements user and entity behavior analytics (UEBA) to detect coordinated compromise, privilege creep, and insider threats, while reducing false positives through contextual enrichment. However, it lacks comprehensive analysis integrating hundreds of behavioral attributes simultaneously, predictive profiling forecasting security incidents based on pattern evolution, and fully explainable AI outputs articulating detailed evidence chains for anomalous behaviors.
Automated remediation and rightsizing: The solution implements continuous security posture monitoring and generates contextualized recommendations that account for dependencies. It also automates workflows for access revocation, credential rotation, configuration hardening, privilege elimination, infrastructure-as-code (IaC) integration, comprehensive audit trails, and rollback capabilities. Nevertheless, it lacks fully automated, immediate critical-vulnerability correction without approval thresholds, CI/CD pipeline integration to prevent deployment-time overprovisioning, ML to optimize remediation timing, and automated sandbox validation testing.
NHI management: Pathfinder continuously discovers and inventories machine identities across cloud, on-prem, PAM, and SaaS environments. It analyzes usage patterns to identify dormant credentials and zombie accounts while implementing semiautomated lifecycle management with rotation workflows and comprehensive audit trails. However, it lacks ML for establishing normal behavior patterns, automated intelligent lifecycle management with risk-based rotation, JIT credential provisioning for temporary workloads, and dependency mapping showing application relationships.
Purchase Considerations
BeyondTrust employs a contact-based pricing model without publicly available pricing tiers or consumption metrics. Pathfinder offers modular licensing, enabling organizations to purchase CIEM capabilities independently or bundled with broader platform components. The flexible architecture allows incremental adoption, starting with specific capabilities and expanding as requirements evolve. Pricing varies based on deployment scope, feature selection, and organizational size.
Pathfinder supports SaaS and an optional, complementary on-prem deployment agent model, with SaaS components receiving continuous updates and on-prem following major and minor release cycles. Entitle can be deployed and configured within hours using Terraform and Helm Charts, significantly reducing time to value compared to legacy systems. The platform integrates with existing infrastructure through more than 100 connectors. However, migration complexity depends on current identity management maturity and cloud footprint. Organizations should evaluate integration requirements with HR systems, identity providers, and existing PAM solutions during proof-of-concept (PoC) phases.
Use Cases
Pathfinder addresses a broad range of use cases, including cloud identity threat detection and response, compliance reporting and audit readiness, cross-domain privilege correlation, developer and DevOps access governance, excessive privilege detection, JIT access provisioning, least privilege enforcement, lifecycle entitlement governance, multicloud entitlement visibility, permissions rightsizing, privilege escalation path detection with risk scoring, and SaaS entitlement governance across AWS, Microsoft Azure, Google Cloud, identity providers, on-prem Active Directory, and privileged access management systems.
Britive: Britive
Solution Overview
Founded in 2018, Britive provides a cloud-native security solution offering privileged access management and identity security for multicloud, private, hybrid, and on-prem networks. Released in 2019, Britive integrates CIEM capabilities into its unified PAM platform rather than offering them as a standalone solution. The company's portfolio includes multicloud privileged access management, NHI governance, and agentic AI identity security.
Britive's CIEM capabilities leverage patented cloud-native architecture with API-first, agentless design, enabling runtime authorization across AWS, Microsoft Azure, and GCP. Core components include Access Builder for self-service workflows, Access Map for cross-cloud visualization, Advanced Data Analytics for behavioral baselines and risk scoring, and Query Engine for entitlement analysis. Key features include automated least privilege rightsizing, continuous discovery and monitoring, JIT access with dynamic expiration, policy-based access management, real-time anomaly detection, and semiautomated remediation workflows. Key differentiators include agentic AI identity security for autonomous agents, ephemeral credential provisioning to eliminate standing privileges, federated workload identities for secretless architectures, human-in-the-loop oversight for high-risk actions, and unified governance that manages human, nonhuman, and AI agent identities through ZSP principles.
Britive takes a general approach to CIEM, aggressively innovating with category-defining features, including agentic AI runtime controls, behavioral analytics, federated workload identities, and a patented ZSP architecture.
Britive is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Britive scored well on a number of decision criteria, including:
JIT access: Britive implements a patented architecture with intelligent, policy-based auto-approval routing for low-risk requests, while high-risk scenarios require enhanced review processes via configurable approval workflows. It provides dynamic expiration mechanisms that adjust access duration based on task requirements, with session monitoring enabling automated extension or early revocation. This supports just enough access (JEA) by granting specific, granular permissions rather than broad role assignments across all identity types.
Granular policy visibility and control: The solution calculates effective permissions across all connected cloud platforms by resolving inheritance hierarchies and permission boundaries, displaying exact API-level actions each identity can perform with resource-level granularity. It correlates policies with actual usage patterns through Advanced Data Analytics, identifying dormant permissions and over-provisioned access. Access Map provides visualization of relationships between identities, policies, and resources, enabling investigation from summary views to individual permission details.
NHI management: Britive orchestrates predictive lifecycle management with risk-based automated credential rotation that adjusts schedules based on usage patterns. It implements JIT provisioning that generates ephemeral credentials milliseconds before execution, with immediate post-use revocation, and provides secretless architectures through federated workload identities, eliminating static credentials. It includes self-healing capabilities that automatically remediate issues, including rotating compromised credentials, comprehensive audit trails that capture complete lifecycle events, and unified governance extending to AI agents with runtime authorization controls.
Opportunities
Britive has room for improvement in a few decision criteria, including:
Cloud identity threat detection and response: Britive implements behavioral analytics to establish baselines and risk scores to identify overprivileged access. It integrates with SIEM tools for event forwarding and supports semiautomated session termination when anomalies are detected. However, it lacks ML for detecting sophisticated attacks (such as credential stuffing) and provides limited threat intelligence integration. It cannot automatically initiate account isolation and does not offer complete attack narrative assembly with root cause analysis.
AI-enabled anomaly detection: The solution establishes individual behavioral baselines across access patterns and temporal dimensions, detects deviations (including privilege escalations), incorporates peer-group analysis to identify outliers, and provides risk scoring to prioritize anomalies. Nevertheless, it lacks ensemble ML models and omits UEBA for detecting gradual privilege creep. It also provides no automated baseline recalibration to distinguish drift from threats and lacks HR data enrichment to reduce false positives.
Automated remediation and rightsizing: Britive continuously monitors entitlements, generating contextualized rightsizing recommendations with risk scoring, provides semiautomated workflows in which administrators approve corrections executed through APIs, and maintains a comprehensive Terraform provider enabling IaC management. However, it requires manual approval for all actions rather than executing automated low-risk reductions, operates on scheduled cycles instead of continuous real-time enforcement, lacks application dependency correlation to prevent disruption, and misses ML optimization for remediation timing.
Purchase Considerations
Britive employs custom pricing based on the number of identities (human, nonhuman, and AI) and protected environments. All tiers require contacting sales for specific rates rather than transparent published pricing. The subscription-based model enables partners to build recurring revenue practices. However, detailed consumption metrics, volume discounts, and commitment-based options remain undisclosed without direct vendor engagement.
Britive deploys exclusively as cloud-native SaaS on AWS infrastructure with optional dedicated instances and Bring Your Own Key capabilities. The API-first, agentless architecture enables rapid deployment within hours or days without requiring network rearchitecture, significantly reducing migration complexity. Lightweight connectors extend access management to on-prem resources while maintaining centralized SaaS control. Customers should evaluate PoC feasibility given the simple deployment model and assess multiregion failover requirements. Customers should also consider that no on-prem or customer-managed private cloud deployment options exist.
Use Cases
Britive addresses a broad range of use cases, including agentic AI identity governance, cloud privileged access management across multicloud environments, and containerized and Kubernetes workload security. It also covers DevOps automation workflows, hybrid cloud access unification, JIT access provisioning eliminating standing privileges, lifecycle entitlement governance, NHI management for service accounts and credentials, policy-based access control, and SaaS application privileged access, along with secretless architecture implementation through workload federation and serverless function security.
CloudDefense.AI: CloudDefense.AI CIEM*
Solution Overview
Founded in 2021, CloudDefense.AI provides cloud-native application protection through its unified CNAPP platform, specializing in AI-powered security across AWS, Microsoft Azure, and GCP. CloudDefense.AI CIEM is integrated into the broader CloudDefense.AI ACS (Application Cloud Security) platform alongside CSPM, CWPP, KSPM, and data security posture management (DSPM) modules, accessible through a common interface and backplane.
CloudDefense.AI CIEM delivers entitlement management through a multitenant platform architecture with quarterly major releases and monthly updates supporting more than 45 enterprise deployments across regulated industries. Core components comprise centralized dashboard management, permission usage analytics, policy enforcement workflows, and RBAC for administrative delegation. Key features include customizable reporting frameworks, entitlement discovery with graphical relationship mapping, guided remediation workflows, orphaned permission detection, peer group analysis for role comparison, and scheduled access review campaigns.
Primary differentiators include comprehensive DevSecOps tool integration, encompassing API scanning, container security, dynamic application security testing (DAST), static application security testing (SAST), and SCA capabilities. In addition, it offers strategic partnerships with global service providers, such as Wipro for enterprise delivery, as well as flexible pay-as-you-go pricing models that eliminate long-term commitments.
CloudDefense.AI takes a focused approach to CIEM, with a mature platform that incrementally improves compliance reporting, dashboard analytics, and permissions monitoring, while developing cross-cloud entitlements correlation capabilities.
CloudDefense.AI is positioned as a Challenger and Forward Mover alone in the Maturity/Feature Play quadrant of the CIEM Radar chart.
Strengths
CloudDefense.AI CIEM scored well on a number of decision criteria, including:
Automated least privilege: CloudDefense.AI implements continuous usage pattern analysis, tracking actual API calls and resource actions across AWS, Microsoft Azure, and GCP environments with granular permission-level monitoring. The AWS Zero Trust Policy Tool provides unique percentage-based utilization metrics that show which granted permissions remain unused. This enables data-driven rightsizing decisions, supported by JavaScript Object Notation (JSON)-formatted recommendations and Terraform automation scripts for semiautomated deployment.
Granular policy visibility and control: The solution delivers real-time, permission-level visibility across cloud platforms, with effective permission calculation that resolves inheritance chains, permission boundaries, and resource-based policies. It provides graphical access-pathway visualization, enabling administrators to understand permission structures, and AI-driven analytics that continuously identify excessive entitlements and generate contextualized recommendations for policy optimization.
Compliance and identity governance: CloudDefense.AI maintains comprehensive automated assessment capabilities with real-time monitoring, evaluating entitlements against GDPR, HIPAA, and PCI-DSS control mappings. It generates audit-ready reports with evidence packages linking technical configurations to regulatory requirements. It also maintains immutable audit trails with complete lineage tracking and implements semiautomated enforcement workflows reviewing configuration changes before deployment.
Opportunities
CloudDefense.AI CIEM has room for improvement in a few decision criteria, including:
Cloud identity threat detection and response: CloudDefense.AI provides continuous monitoring with real-time risk-based scoring, identity-centric threat modeling, and event correlation across AWS, Microsoft Azure, and GCP via investigation dashboards that detect privilege escalation and unusual access. However, it lacks behavioral ML-based anomaly detection, bidirectional SIEM integration, automated investigation workflows assembling attack narratives, external threat intelligence feeds, and ML for detecting advanced attack patterns.
AI-enabled anomaly detection: The solution uses basic ML for pattern recognition, with risk-based scoring, to identify deviations from normal access patterns and flag excessive privileges across cloud environments. Nevertheless, it lacks individual user behavioral baselines across multiple dimensions, supervised or unsupervised ML models that establish continuous baselines, automated recalibration to distinguish drift from threats, and peer group analysis with statistical significance.
Automated remediation and rightsizing: CloudDefense.AI delivers continuous monitoring with AI-generated JSON recommendations, Terraform automation, risk-scored prioritization, comprehensive audit trails, and rollback capabilities, analyzing actual versus granted permissions. However, it requires manual approval for all actions rather than autonomous, low-risk execution, and lacks immediate remediation for critical violations, application dependency correlation, and ML-based timing optimization.
CloudDefense.AI is classified as a Forward Mover due to missing production implementations of behavioral ML, cross-cloud correlation, and JIT access. All these remain on the company’s roadmap, while competitors are deploying such capabilities.
Purchase Considerations
CloudDefense.AI CIEM operates on a consumption-based pricing model, with multiyear contracts offering volume discounts for extended commitments. The solution cannot be purchased standalone and requires the full CloudDefense.AI ACS platform, including CSPM, CWPP, DSPM, and KSPM modules. Pricing structures utilize billable workload metrics with contracts typically noncancelable and nonrefundable. AWS Marketplace availability enables integrated billing, while flexible pay-as-you-go options eliminate long-term lock-ins for specific offerings.
CloudDefense.AI deploys exclusively as a cloud-based SaaS, with no on-prem or private cloud options, limiting it to organizations that require air-gapped or sovereign deployments. Migration complexity remains moderate, given an agentless architecture that enables API-based integration without agent installation across AWS, Microsoft Azure, and GCP environments. The platform advertises rapid deployment with "get started in minutes" implementation timelines. Prospective customers should evaluate the bundled platform requirement, the SaaS-only deployment model, and the quarterly release cadence for feature updates. Customers should also consider roadmap timelines for advanced capabilities, including behavioral anomaly detection and cross-cloud correlation, currently under development.
Use Cases
CloudDefense.AI CIEM addresses a broad range of use cases, including automated least privilege enforcement through continuous permission monitoring and compliance governance for GDPR, HIPAA, and PCI-DSS frameworks. It also supports identity lifecycle management with provisioning and deprovisioning workflows and multicloud entitlement visibility across AWS, Microsoft Azure, and GCP environments. Additional use cases include orphaned permission detection and remediation, permissions rightsizing based on usage analysis, policy violation detection with risk-based alerting, role-based access certification campaigns, and Terraform-automated remediation within DevSecOps pipelines.
CrowdStrike: CrowdStrike
Solution Overview
Founded in 2011, CrowdStrike provides cloud-native cybersecurity solutions protecting critical areas of enterprise risk: endpoints, cloud workloads, identity, and data. The company acquired Pangea (AI application security) in September 2025, followed by announcements in January 2026 to acquire SGNL (dynamic authorization and ZSP) and Seraphic (enterprise browser security and DLP).
CrowdStrike delivers cloud-native CIEM as part of its unified CNAPP platform, leveraging a real-time streaming architecture that processes cloud logs as they arrive rather than in batches. Core components include AI Security Posture Management (AI-SPM), CDR, CIEM, Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), DSPM, and SaaS Security Posture Management (SSPM) integrated into a single console. Key features include automated least privilege enforcement, behavioral analytics, cross-cloud correlation, identity threat detection, JIT access, NHI management, one-click remediation testing, and permissions rightsizing. Key differentiators include real-time cloud detection and response via streaming telemetry, versus competitors' batch processing that takes more than 15 minutes. Other key differentiators are unified visibility across AWS, Microsoft Azure, GCP, and hybrid environments, as well as the use of Charlotte AI for automated response workflows.
CrowdStrike takes a general approach to CIEM, innovating to add emerging features such as AI-SPM for AI model security, agentic security operations center (SOC) workflows, FalconID passwordless authentication, a real-time streaming detection architecture, and SaaS governance.
CrowdStrike is positioned as a Challenger and Outperformer in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
CrowdStrike scored well on a number of decision criteria, including:
Cloud identity threat detection and response: The solution implements ML algorithms trained on trillions of daily security events to establish behavioral baselines and detect sophisticated attack patterns in real time. This includes credential stuffing, lateral movement, and privilege escalation across Active Directory and cloud identity providers. The solution executes automated containment actions, including account isolation, dynamic MFA enforcement based on risk levels, and instant session termination when user or device risk changes during active sessions.
JIT access: CrowdStrike provides automated, time-bound privileged access with continuous risk assessment, using real-time signals from the platform, instantly revoking privileges when user or device risk levels change during active sessions. It implements predefined approval workflows for high-stakes access requests, automatic deprovisioning when tasks complete or time limits expire, and audit trails capturing every access request for compliance.
ITDR integration: The solution architecture maintains bidirectional integration with SIEM and XDR platforms through robust API frameworks that automatically correlate CIEM entitlement data with active security events in real time to identify credential theft and privilege abuse. It consolidates identity detections into cases with complete attack context, enabling semiautomated response workflows executing coordinated actions across endpoint, cloud, and identity domains while enriching alerts.
CrowdStrike is classified as an Outperformer due to its real-time streaming architecture, category-redefining features (including AI-SPM, agentic SOC workflows, and SaaS governance), and a quarterly innovation cadence of delivering transformative capabilities.
Opportunities
CrowdStrike has room for improvement in a few decision criteria, including:
Automated least privilege: CrowdStrike continuously monitors access patterns and permission usage across cloud environments, analyzing specific API calls and resource actions to identify unused permissions and excessive privileges. It generates contextualized recommendations with usage frequency data and offers one-click remediation testing. However, it lacks fully automated rightsizing without approval, ML predicting future access needs, cross-service dependency analysis, and CI/CD pipeline integration.
Automated remediation and rightsizing: The solution continuously identifies security issues, excessive permissions, and policy violations, generating prioritized risk-scored recommendations and enabling one-click remediation testing to simulate tactics before deployment. It provides semiautomated workflows in which administrators approve corrections implemented via cloud provider APIs. Nevertheless, it lacks fully automated remediation that corrects critical violations immediately without approval, application dependency correlation to prevent disruption, CI/CD integration to prevent over-provisioning at deployment, and ML to optimize remediation timing.
Lifecycle entitlements governance: CrowdStrike provides continuous monitoring of identity configurations and entitlements. This includes detecting dormant accounts that have been inactive for defined periods and identifying orphaned permissions when accounts are deleted but resources remain accessible. It maintains comprehensive audit trails capturing lifecycle events and modifications. However, it lacks automated HR system integration for real-time provisioning synchronization, automated access review campaigns with intelligent recommendations, automatic role-change permission adjustments, and systematic identity drift detection.
Purchase Considerations
CrowdStrike pricing follows both reserved and on-demand pricing models based on the number of sensors in use per hour. The solution is available on AWS Marketplace, with pay-as-you-go options that enable unified billing and procurement. Organizations can access free trials before committing. Multiple support tiers are available, including Standard (bundled free), Express, Essential, and Elite, with technical account managers, though premium support levels entail additional costs.
CrowdStrike deploys as a cloud-native SaaS, eliminating on-prem infrastructure requirements but requiring cloud connectivity. The lightweight agent architecture enables rapid deployment, measured in minutes, for AWS workloads with automated multi-account setup through guided wizards. Migration complexity remains low due to both agentless and agent-based scanning options, which provide deployment flexibility. However, customers should evaluate integration requirements with existing SIEM platforms, identity providers, and security tools, as custom development may be needed for advanced integration scenarios.
Use Cases
CrowdStrike addresses a broad range of use cases, including automated least privilege enforcement, cloud detection and response with real-time streaming, container and Kubernetes security, cross-cloud entitlement correlation across AWS, Microsoft Azure, and GCP. It also addresses identity threat detection for human and nonhuman identities, JIT privileged access, lateral movement prevention, NHI lifecycle management, privilege escalation detection, SaaS security posture management, and serverless function security, which are all unified within a comprehensive CNAPP platform.
CyberArk: Secure Cloud Access
Solution Overview
Founded in 1999, CyberArk provides identity security solutions, specializing in human, machine, and agentic identity security. In February 2025, the company acquired Zilla Security (identity governance). Palo Alto Networks is in the process of acquiring CyberArk, with deal closing expected early to mid-2026.
Secure Cloud Access operates as a SaaS-native solution that provides multicloud identity and entitlement management across AWS, Microsoft Azure, GCP, and Kubernetes. Core components include automated discovery engines, AI-powered exposure analysis, and semiautomated remediation workflows integrated with the broader Identity Security Platform. Key features include continuous permission monitoring, JIT access provisioning, least privilege policy generation, and real-time exposure scoring. Key differentiators include CORA AI integration for behavioral analytics, native Wiz partnership for automated remediation, a ZSP architecture, and unified identity security combining CIEM with privileged access management and threat detection capabilities.
CyberArk takes a general approach to CIEM, innovating to add emerging features, including AI agent security, machine identity management, and CORA AI-driven behavioral analytics beyond traditional cloud entitlement management.
CyberArk is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Secure Cloud Access scored well on a number of decision criteria, including:
JIT access: The solution implements ZSP, with self-service access request portals allowing users to request temporary elevated permissions via automated approval workflows. It provides time-bound cloud console access upon approval with configurable fixed-duration expiration and automatic revocation. Integration with the broader platform enables immediate break-glass emergency access, comprehensive audit trails that capture request details and approvals, and policy-based routing to the appropriate approvers for security-sensitive resources.
Granular policy visibility and control: Secure Cloud Access provides real-time visibility into access policies at individual permission and action levels across AWS, Microsoft Azure, GCP, and Kubernetes environments. It calculates effective permissions by analyzing IAM policies and role assignments and displays the specific API calls each identity can execute through centralized dashboards. Organizations configure custom alerting through webhooks when exposure levels exceed thresholds, with API integrations enabling the incorporation of policy data into external security workflows for coordinated governance.
Zero trust architecture integration: The solution enforces ZSP by eliminating persistent entitlements and provisioning permissions dynamically only when users connect to cloud resources. It implements JIT access with context-aware approval workflows, taking resource sensitivity into account when routing requests. Least privilege principles are enforced through continuous analysis of actual permission usage patterns and the automated generation of recommendations to reduce excessive entitlements. However, continuous real-time verification throughout sessions remains limited.
Opportunities
Secure Cloud Access has room for improvement in a few decision criteria, including:
AI-enabled anomaly detection: The solution uses CORA AI to analyze permissions and detect static usage patterns, identifying unused permissions and excessive entitlements across multicloud environments through basic statistical analysis. However, it operates on scheduled 24-hour scans rather than continuous real-time analysis and lacks documented peer group analytics and multidimensional baseline establishment. Additionally, it focuses on permission usage statistics rather than sophisticated behavioral modeling to establish individual user baselines.
Automated least privilege: Secure Cloud Access continuously tracks permission usage at the individual action level, comparing granted permissions with observed behavior to generate contextualized recommendations, including exposure-level scoring and usage-frequency data. Nevertheless, it requires manual administrator approval for all remediation actions and lacks automated testing in sandbox environments before production deployment, documentation of dependency analysis, and CI/CD pipeline integration for embedding least privilege enforcement.
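The granted-versus-observed comparison described for CloudDefense.AI's utilization metrics above and for Secure Cloud Access here is the core computation behind CIEM rightsizing. The following is an added illustration, not code from either vendor: it expands an IAM-style policy's wildcard actions against a constructed action catalogue, tallies usage from constructed CloudTrail-style records, reports a utilization percentage and the unused permissions, and emits a rightsized policy. Deny statements, Condition blocks and Resource scoping are deliberately out of scope.

```python
import json
from collections import Counter
from fnmatch import fnmatchcase

# Constructed, abbreviated action catalogue standing in for the full per-service
# action lists a CIEM product maintains (hypothetical subset, not AWS's list).
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:TerminateInstances",
]

# Constructed sample identity policy using wildcard grants.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StopInstances"],
         "Resource": "*"},
    ],
}

# Constructed CloudTrail-style records, reduced to the two fields used here.
OBSERVED_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    # An attempted call outside the grant: worth surfacing, not counting as used.
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"},
]


def expand_granted_actions(policy, catalogue=ACTION_CATALOGUE):
    """Resolve Allow statements into the concrete actions they cover.

    Wildcards are matched case-insensitively, as IAM does. Deny statements,
    Condition blocks and Resource scoping are ignored; a real effective-
    permission calculation must account for all three.
    """
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            for action in catalogue:
                if fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def action_from_event(event):
    """Map eventSource/eventName to the IAM action prefix form, e.g. s3:GetObject."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def analyse_utilization(policy, events, catalogue=ACTION_CATALOGUE):
    """Compare granted actions with observed usage and score utilization."""
    granted = expand_granted_actions(policy, catalogue)
    usage = Counter(action_from_event(e) for e in events)
    used = {a: n for a, n in usage.items() if a in granted}
    unused = sorted(granted - used.keys())
    not_granted = sorted(set(usage) - granted)
    pct = round(100 * len(used) / len(granted), 1) if granted else 0.0
    return {
        "granted": sorted(granted),
        "used": used,                      # action -> observed call count
        "unused": unused,                  # rightsizing candidates
        "observed_but_not_granted": not_granted,
        "utilization_pct": pct,
    }


def rightsized_policy(report):
    """Emit a policy granting only the actions actually observed in use."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(report["used"]),
                       "Resource": "*"}],
    }


if __name__ == "__main__":
    result = analyse_utilization(GRANTED_POLICY, OBSERVED_EVENTS)
    print(json.dumps(result, indent=2))
    print(json.dumps(rightsized_policy(result), indent=2))
```

On the constructed input, six concrete actions are granted and three are observed, giving 50% utilization; the observation window and the ignored Deny/Condition/Resource semantics are exactly where a production tool's recommendations need human review before approval.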
Automated remediation and rightsizing: The solution continuously identifies security issues, including wildcard permissions and policy violations. This generates prioritized recommendations with risk scores through exposure-level analysis and provides deployable remediation policies with step-by-step guidance. However, it requires administrator approval for all corrective actions and lacks documented automated rollback mechanisms, IaC repository integration to prevent drift recurrence, and automated validation testing verifying corrections.
Purchase Considerations
Secure Cloud Access follows a sales-assisted pricing model, with published starter packages available via AWS Marketplace and custom pricing for enterprise deployments. The solution is described as costly when compared to alternatives, though customers note that its comprehensive security functionality justifies the price. Organizations should expect significant sales negotiation processes. Pricing integrates with the broader CyberArk Identity Security Platform rather than standalone CIEM licensing, potentially requiring broader platform commitments.
Secure Cloud Access deploys exclusively as SaaS, eliminating infrastructure management but requiring cloud connectivity for multicloud account onboarding. Migration involves connecting existing AWS, Microsoft Azure, GCP, and Kubernetes environments through CloudFormation templates or deployment scripts, with initial discovery scans completing within hours. The solution operates on 24-hour scheduled scanning cycles rather than real-time continuous monitoring. Organizations should evaluate platform integration dependencies because Secure Cloud Access functions as part of CyberArk's broader identity security architecture rather than as a standalone tool. This could require coordination with existing privileged access management implementations.
Use Cases
Secure Cloud Access addresses a broad range of use cases, including cross-cloud entitlement visibility across AWS, Microsoft Azure, GCP, and Kubernetes; JIT access provisioning eliminating standing privileges; least privilege policy generation through AI-powered permission analysis; multicloud permission management with unified exposure scoring; and permission rightsizing to identify unused entitlements. It also addresses policy compliance monitoring with audit trail generation and ZSP enforcement through temporary credential provisioning. The solution targets large enterprises and government organizations requiring comprehensive identity security across hybrid multicloud environments.
Datadog: Datadog Cloud Security
Solution Overview
Founded in 2010, Datadog provides cloud monitoring, observability, and security via a unified SaaS platform. The company acquired Metaplane (data observability) in April 2025 and Eppo (feature flagging and experimentation) in May 2025. Datadog Cloud Security launched in 2024 as part of Cloud Security Management, initially for AWS, expanding to Azure and Google Cloud at DASH in 2024.
Datadog Cloud Security operates as a SaaS solution integrated within Cloud Security Management, correlating identity entitlements with operational telemetry through Datadog's unified observability platform. Core components include Identity Risks Explorer for visualization and investigation, Cloud SIEM Risk Insights for cross-platform correlation, Security Inbox for prioritization, and Workflow Automation for remediation orchestration. Key features include behavioral analytics powered by ML algorithms; continuous discovery across AWS, Microsoft Azure, and GCP; least privilege recommendations based on usage patterns; PaC with Rego; and semiautomated remediation via APIs and IaC integration. Differentiators include security observability correlating identity risks with infrastructure metrics, application performance data, and log analytics.
Datadog takes a general approach to CIEM, innovating to add emerging features through AI-driven anomaly detection, behavioral baselines, ML risk scoring, and rapid multicloud expansion from AWS to Microsoft Azure and GCP within months.
Datadog is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Datadog Cloud Security scored well on a number of decision criteria, including:
Automated remediation and rightsizing: Datadog Cloud Security provides continuous security posture monitoring with contextualized remediation recommendations using the Datadog Severity Score for risk-based prioritization. Automated workflows execute low-risk corrections while routing high-impact changes through approval processes, with IaC integration, comprehensive audit trails that track before-and-after states, rollback capabilities, and effectiveness analytics via Security Inbox dashboards.
Granular policy visibility and control: The solution delivers permission-level visibility by analyzing IAM policies, permission boundaries, and resource-based policies to show the exact API calls each identity can perform. Custom security policies use Rego for rule creation, and continuous compliance monitoring automatically detects violations. Automated enforcement is delivered via Workflow Automation, while Terraform integration enables policy-as-code with version control.
Compliance and identity governance: Datadog Cloud Security offers semiautomated compliance management with continuous monitoring against frameworks, including CIS Benchmarks, GDPR, HIPAA, PCI DSS, and SOC 2, using more than 1,500 out-of-the-box rules. Scheduled reports show specific entitlement violations and comprehensive audit trails capture identity lifecycle events with 15-month retention. Semiautomated remediation workflows provide step-by-step guidance for executing approved corrections through cloud provider APIs.
Opportunities
Datadog Cloud Security has room for improvement in a few decision criteria, including:
AI-enabled anomaly detection: The solution implements ML algorithms to establish behavioral baselines across access patterns, geographic locations, and temporal patterns. It uses content anomaly detection with Jaccard similarity for log analysis and risk scoring, prioritizing anomalies by severity. However, it lacks ensemble models combining multiple algorithms, analysis of dozens of behavioral features, automated baseline recalibration distinguishing drift from threats, and contextual enrichment with HR data.
JIT access: Workflow Automation provides approval steps and configurable workflows. In theory, this can support temporary access provisioning with manual administrator evaluation and cloud provider API integration for permission grants. Nevertheless, it lacks native self-service portals, automated approval routing, time-bound credential provisioning, automated expiration mechanisms, session monitoring, and policy-based auto-approval. It also lacks dedicated JIT access management functionality beyond customizable workflows, which require significant custom development efforts.
Lifecycle entitlements governance: Datadog Cloud Security supports SCIM (system for cross-domain identity management) provisioning, enabling automatic user account creation with role-based templates, integration with identity providers for basic status updates, audit logging of provisioning events, and identification of dormant accounts through usage analysis. However, it lacks automated immediate deprovisioning workflows, periodic access review campaigns, systematic orphaned permission detection, role change detection with automatic adjustment, continuous lifecycle monitoring, and comprehensive human identity governance beyond basic provisioning.
Datadog is classified as a Forward Mover due to its late market entry and its initial AWS-only support that required months for multicloud expansion, as well as its missing advanced capabilities, such as native JIT access and sophisticated lifecycle governance.
Purchase Considerations
Datadog Cloud Security uses consumption-based pricing as part of Cloud Security Management, with costs determined by the number of monitored hosts, data volume, and activated features. Annual billing provides discounts compared to on-demand pricing. Organizations already using Datadog's observability platform may find incremental adoption more cost-effective, while new customers should consider the complete platform investment rather than isolated CIEM functionality.
Deployment requires a SaaS-only architecture with cloud integrations that grant read access to AWS, Microsoft Azure, and GCP environments via agentless scanning or agent-based monitoring. Migration complexity depends on existing infrastructure, with simpler onboarding for current Datadog customers leveraging established integrations. PoC capabilities enable testing discovery, risk detection, and remediation workflows before full commitment. Organizations must evaluate whether platform consolidation benefits justify potential vendor lock-in, as CIEM capabilities integrate tightly with Cloud SIEM, CSPM, and observability features rather than functioning independently.
Use Cases
Datadog CIEM addresses a broad range of use cases, including detecting administrative privileges, identifying cross-account access risks, managing large blast radius scenarios, mitigating permission gaps, and preventing privilege escalation in cloud environments. The solution primarily targets large cloud-native enterprises and technology companies that need to secure their cloud infrastructure from IAM-based attacks. The platform is particularly well suited for organizations with complex AWS cloud environments where engineering teams must rapidly provision identities and permissions while maintaining security, especially in environments with a high ratio of machine-to-human identities.
Delinea: Privilege Control for Cloud Entitlements
Solution Overview
Founded in 1996 and rebranded in 2021, Delinea provides PAM solutions specializing in identity security. In March 2025, Delinea acquired Fastpath (identity governance and administration), and in January 2026, announced its acquisition of StrongDM (JIT runtime authorization, ephemeral credentials, ABAC/PBAC capabilities). Launched following the January 2024 acquisition of Authomize, Privilege Control for Cloud Entitlements (PCCE) operates as both a standalone CIEM and an integrated Delinea Platform module.
PCCE operates on a cloud-native microservices architecture, delivering guaranteed 99.995% availability across seven geographies. Core components include access graph visualization, activity inventory, alert management, behavioral analytics, entitlement discovery, identity normalization engine, Iris AI authorization, policy monitoring, risk scoring, and unified dashboard. Key features include AI-driven anomaly detection, automated remediation, continuous authorization, cross-cloud correlation (AWS, Microsoft Azure, and GCP), least privilege optimization, NHI management, and real-time monitoring. Key differentiators include native CIEM-ITDR integration with shared data models and AI-powered continuous session authorization that evaluates access throughout sessions.
Delinea takes a general platform approach to CIEM, innovating to add emerging features, including AI Agent and large language model discovery, AI-driven anomaly detection, continuous authorization, and Iris AI-powered access decisions.
Delinea is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the CIEM Radar chart.
Strengths
PCCE scored well on a number of decision criteria, including:
AI-enabled anomaly detection: PCCE employs ML algorithms to establish behavioral baselines for identities and detect deviations, including privilege escalation attempts, unusual access patterns, and compromise indicators through continuous monitoring across cloud and on-prem platforms. Iris AI provides context-aware evaluation, analyzing identity attributes, past access patterns, resource sensitivity, and risk scoring, while correlating entitlement data with identity activity signals for unified risk assessment.
Automated remediation and rightsizing: The solution implements continuous monitoring, identifying excessive permissions, misconfigurations, and policy violations with automated remediation options executable through APIs and webhooks for real-time threat reduction. Semiautomated workflows enable administrators to review and approve corrections automatically deployed via cloud provider APIs, with IaC integration updating policy definitions and rollback capabilities that restore previous states if disruption occurs.
Granular policy visibility and control: PCCE delivers comprehensive visibility down to individual entitlement levels. This includes direct permissions, federated permissions, cross-account access paths, and potential privilege escalation across AWS, Microsoft Azure, and GCP through a unified identity graph architecture. Interactive Access Explorer graph and inventory views enable administrators to search, filter, and export entitlement data, while continuous compliance monitoring detects violations and generates risk-scored remediation recommendations.
Opportunities
PCCE has room for improvement in a few decision criteria, including:
JIT access: PCCE provides workflow-driven and time-bound access with AI-based context evaluation via Iris. It analyzes identity attributes, past access patterns, resource sensitivity, and risk scoring, while validating user intent through IT service management (ITSM) integration with ServiceNow and Zendesk. Multistage approval workflows route requests based on resource sensitivity with API integration for DevOps tools. However, cloud JIT capabilities remain on the roadmap, pending the StrongDM acquisition's closing, and current support is limited to on-prem environments without ephemeral credentials, fine-grained ABAC/PBAC, or dynamic runtime authorization for cloud resources.
Lifecycle entitlements governance: The solution delivers automated lifecycle management through Fastpath IGA integration, providing HR system synchronization, automated provisioning and deprovisioning, RBAC, periodic access review campaigns with intelligent recommendations, zombie account detection, and orphaned permission identification with audit trails. However, the IGA integration planned for H1 2026 represents recent convergence rather than mature native functionality, and it lacks real-time multisource synchronization, risk-based continuous access reviews with varying frequencies, ML-based drift detection using behavioral baselines, and predictive lifecycle event capabilities.
Compliance and identity governance: PCCE maintains comprehensive audit trails with activity inventory, normalizing management and control plane events in near real time; automated reports and entitlement summaries supporting continuous compliance; automated risk assessments maintaining security standards; and configurable policies tailored to organizational requirements. However, it lacks continuous monitoring with detailed regulatory framework mappings for GDPR and HIPAA, audit-ready evidence packages linking configurations to requirements, immutable audit trails with cryptographic verification, and automated evidence collection for regulatory audits.
Purchase Considerations
PCCE employs identity-based licensing, sold by the number of identities monitored across cloud environments. The solution can be purchased standalone or bundled with Delinea's PAM product, providing flexibility for organizations with existing privileged access management investments or for those seeking comprehensive identity security platforms. Multiple support tiers include 24/7 availability with options for direct Delinea or partner-provided support. The solution targets midsize and large enterprises across all regions, with proven Fortune 50 deployment scalability.
PCCE deploys exclusively as SaaS with 99.995% availability across seven global geographies, eliminating on-prem infrastructure requirements but requiring organizations to accept a cloud-based architecture. Organizations migrating from Microsoft Entra Permissions Management benefit from Microsoft's preferred replacement designation and partnership support. The agentless integration model via cloud provider APIs simplifies deployment without requiring agent installation. Customers should evaluate integration requirements with existing SIEM, SOAR, extended detection and response (XDR), and ITSM platforms. Customers should also consider the availability timeline for identity governance and administration (IGA) functionality (H1 2026), and assess JIT cloud access requirements against roadmap delivery schedules.
Use Cases
PCCE addresses a broad range of use cases, including continuous identity discovery across cloud and hybrid environments, identity and access misconfiguration detection (wildcard IAM roles, unused high-risk permissions, publicly exposed resources, excessive trust relationships), and least privilege optimization correlating granted entitlements with real-world usage to reduce excessive access. It also addresses suspicious identity activity monitoring, detecting abnormal access patterns and privilege escalation attempts, as well as unified visibility into permissions and access paths for human and nonhuman identities across multicloud environments.
Fortinet: FortiCNAPP*
Solution Overview
Founded in 2000, Fortinet provides cybersecurity solutions specializing in network security and firewalls. In June 2024, Fortinet acquired Lacework (CNAPP), followed by Next DLP (data loss prevention), Perception Point (email and SaaS security), Suridata (SSPM), and Everest Networks (Wi-Fi). In October 2024, Fortinet launched FortiCNAPP, incorporating Lacework's existing CIEM capabilities within the Fortinet Security Fabric.
FortiCNAPP operates on a SaaS architecture with dual agent-based and agentless data collection methods across AWS, Microsoft Azure, and GCP. Core components include Attack Path Analysis, Cloud Detection and Response, Cloud Security Posture Management, Cloud Workload Protection Platform, Code Security, Identity Threat Detection, and Vulnerability Management integrated with CIEM. Key features encompass behavioral analytics, composite alerting, continuous monitoring, cross-cloud correlation, effective permission calculation, entitlement discovery, exception handling, guided remediation, identity risk scoring, permissions rightsizing, and real-time threat detection. Differentiators include more than 100 patented ML algorithms, blast radius analysis for compromised identities, low-latency alerting (under 15 minutes), and unique integration combining identity risk data with runtime threat detection.
Fortinet takes a general approach to CIEM, innovating to add emerging features, including AI-enabled anomaly detection, identity threat detection and response, Kubernetes machine identity support, and NHI management.
Fortinet is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
FortiCNAPP scored well on a number of decision criteria, including:
AI-enabled anomaly detection: FortiCNAPP leverages ML algorithms covered by more than 100 patents. These continuously compare past state to present state and identify deviations from normal patterns without relying on predefined rules. The platform automatically correlates multiple security alerts into single, high-confidence composite alerts. It detects coordinated attacks, while analyzing identity risk using more than 20 factors and behavioral analytics to detect impossible travel, privilege escalation, and unusual network connections.
Automated least privilege: The solution continuously monitors individual API-level permission utilization by correlating activity data with IAM configurations to identify overprivileged and dormant identities. It automatically generates verified, safe recommendations that compare granted versus used permissions and implements semiautomated rightsizing through Jira integration. Additionally, the solution provides granular exception handling with expiration tracking, incorporates peer analysis across similar roles, and enables FortiSOAR to execute approved permission changes.
Compliance and identity governance: FortiCNAPP provides continuous real-time monitoring and evaluates identity entitlements against detailed control mappings for CIS, CSA, ISO 27001, and National Institute of Standards and Technology (NIST) frameworks, using out-of-the-box policies. The platform enables teams to build custom policies and compliance frameworks within the UI, and it continuously evaluates cloud and Kubernetes services for identity-related configurations. It also maintains comprehensive audit trails with exception management for compliance rationale and implements semiautomated remediation through Jira and FortiSOAR integration.
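The granted-versus-used comparison that underlies the automated least privilege capability described above (and the permissions rightsizing described for other vendors on this page) is easy to get subtly wrong: wildcard grants must be expanded against an action catalog, IAM action matching is case-insensitive, and the event names a cloud audit log records do not always equal the IAM action names they exercise. The following is an added example written for this page, not code from Fortinet or any other vendor; the action catalog, the granted policy, the sensitive-action list, the event-to-action mapping, and the CloudTrail-style events are all constructed for illustration.

```python
"""Granted-versus-used permission analysis for least privilege rightsizing.

Added example: the catalog, policy, mapping and events below are constructed
for illustration and do not come from any vendor product.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed subset of an IAM action catalog. A real catalog has thousands
# of entries; one is required to expand wildcard grants such as "s3:*".
ACTION_CATALOG = frozenset({
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
    "lambda:InvokeFunction",
})

# Constructed: actions whose misuse changes who can access what, so leaving
# them granted-but-unused deserves a higher-priority finding.
SENSITIVE_ACTIONS = frozenset({
    "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy", "s3:PutBucketPolicy",
})

# Constructed mapping for cases where the logged event name differs from the
# IAM action name (assumption for this example: Lambda invocations are logged
# as "Invoke" while the action is "lambda:InvokeFunction").
EVENT_TO_ACTION = {("lambda.amazonaws.com", "Invoke"): "lambda:InvokeFunction"}

# Constructed policy actions granted to a deployment role.
GRANTED = ["s3:*", "ec2:Describe*", "iam:PassRole", "lambda:InvokeFunction"]

# Constructed CloudTrail-style activity for that role.
EVENTS = [
    {"eventTime": "2026-02-20T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2026-02-21T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventTime": "2026-02-22T09:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventTime": "2026-02-23T14:45:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke"},
    # Older than the lookback window below, so it must not count as usage.
    {"eventTime": "2025-10-01T08:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject"},
]

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2026, 2, 25, tzinfo=timezone.utc)


def expand_granted(granted, catalog=ACTION_CATALOG):
    """Expand wildcard grants into concrete actions; IAM matching is case-insensitive."""
    effective = set()
    for pattern in granted:
        for action in catalog:
            if fnmatchcase(action.lower(), pattern.lower()):
                effective.add(action)
    return effective


def observed_actions(events, since, mapping=EVENT_TO_ACTION):
    """Translate audit events inside the lookback window into IAM action names."""
    used = set()
    for ev in events:
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if ts < since:
            continue
        service = ev["eventSource"].split(".")[0]
        key = (ev["eventSource"], ev["eventName"])
        used.add(mapping.get(key, f"{service}:{ev['eventName']}"))
    return used


def rightsize(granted, events, now=NOW, lookback_days=90):
    """Compare effective (expanded) grants with observed usage and propose a policy."""
    effective = expand_granted(granted)
    used = observed_actions(events, now - timedelta(days=lookback_days))
    unused = effective - used
    return {
        "effective": effective,
        "used": used & effective,
        "unused": unused,
        # Used but not granted means the catalog or the event mapping has a gap;
        # surface it instead of silently producing a policy that breaks the workload.
        "unexplained": used - effective,
        "dormant": not used,
        "sensitive_unused": unused & SENSITIVE_ACTIONS,
        "suggested_actions": sorted(used & effective),
    }


def analyze_sample():
    """Run the analysis over the constructed sample data."""
    return rightsize(GRANTED, EVENTS)


if __name__ == "__main__":
    result = analyze_sample()
    print("dormant:", result["dormant"])
    print("unused:", sorted(result["unused"]))
    print("sensitive unused:", sorted(result["sensitive_unused"]))
    print("suggested policy actions:", result["suggested_actions"])
```

The "suggested_actions" list is what a rightsized policy statement would carry in place of the wildcards; the "unexplained" set is the safety check a practitioner wants before applying it, since any action the log shows but the expansion does not cover would be cut off by the new policy.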
Opportunities
FortiCNAPP has room for improvement in a few decision criteria, including:
JIT access: FortiCNAPP provides continuous permission monitoring, risk-based identity scoring across more than 20 factors, and semiautomated remediation workflows via FortiSOAR integration, which temporarily adjust permissions in response to detected threats. However, it does not provide JIT access capabilities, including temporary time-bound permission provisioning, automated expiration mechanisms, self-service access request portals, approval workflow routing, or dynamic adjustment of access duration, positioning this outside the CIEM scope.
Automated remediation and rightsizing: The solution continuously identifies excessive permissions and policy violations, generating prioritized recommendations with safety validation that are auto-populated into Jira tickets for administrator approval before FortiSOAR implementation. However, it lacks fully automated continuous enforcement by which low-risk corrections execute without approval, explicit IaC repository integration preventing policy drift, documented CI/CD pipeline integration for deployment-time policy injection, and automated validation testing in nonproduction environments.
Lifecycle entitlements governance: FortiCNAPP continuously discovers identities across cloud environments, identifies dormant identities and aging access keys as risk factors, and provides comprehensive audit trails that capture identity lifecycle events with exception handling. However, it does not offer lifecycle entitlements governance, including automated provisioning upon employee onboarding, automated deprovisioning triggered by HR termination events, role transition management, periodic access review campaigns, or HR system integration for employee lifecycle synchronization.
Purchase Considerations
FortiCNAPP offers subscription-based SaaS pricing with capabilities available in various tiers, enabling organizations to select appropriate feature sets. Fortinet provides FortiFlex usage-based licensing for MSSPs with APIs for deployment automation and consumption visibility, while AWS Marketplace availability simplifies procurement through consumption-based billing. Enterprise customers can negotiate custom pricing through enterprise agreements based on scale and requirements. Organizations should evaluate whether CIEM capabilities require purchasing the full CNAPP platform or if tiered options provide the necessary functionality without a comprehensive platform commitment.
FortiCNAPP deploys exclusively as SaaS, with dual agent-based and agentless data collection options across AWS, Microsoft Azure, and GCP environments. Organizations heavily invested in Fortinet Security Fabric benefit from native integration with FortiSOAR, FortiSIEM, and FortiGate. However, those using third-party SIEM or SOAR platforms must rely on general REST API integration rather than native connectors. The platform's recent acquisition integration means customers should evaluate feature maturity, particularly Microsoft Azure support and cross-cloud correlation capabilities.
Use Cases
FortiCNAPP addresses a broad range of use cases, including attack path visualization, behavioral threat detection, and compliance management across CIS, CSA, ISO 27001, and NIST frameworks. It also addresses cross-cloud entitlement correlation, identity risk assessment using more than 20 factors, identity threat detection and response, and Kubernetes machine identity governance. Additionally, it handles least privilege enforcement, NHI management, permission rightsizing through granted versus used analysis, real-time anomaly detection with composite alerting, and runtime workload protection across cloud-native architectures, including containers and serverless functions.
JumpCloud: Stack Identity
Solution Overview
Founded in 2012, JumpCloud provides a cloud-based directory platform, specializing in identity and access management. The company acquired VaultOne (privileged access management) in May 2025 and Stack Identity (founded in 2021, CIEM/ITDR/IGA platform integrated as a master data platform) in January 2025. It also acquired Breez (identity threat detection and response) in October 2025.
Stack Identity delivers cloud infrastructure entitlement management through an identity security data lake architecture that consolidates identity access risks across cloud and data estates. Core components include behavioral analytics, CIEM entitlement analysis, ITDR monitoring, and IGA workflows. Key features include automated remediation workflows, continuous discovery of human and nonhuman identities, JIT access provisioning, least privilege recommendations, lifecycle governance, policy violation detection, risk scoring, and semiautomated rightsizing. Its patent-pending Breach Prediction Index differentiates Stack Identity by identifying the 2% of toxic access combinations impacting 90% of data assets, enabling intelligent prioritization rather than exhaustive remediation across all violations.
JumpCloud takes a general approach to CIEM, integrating acquired CIEM and ITDR capabilities into its broader identity platform rather than offering a standalone cloud entitlement management solution.
JumpCloud is positioned as an Entrant and Forward Mover, the only vendor in the Innovation/Feature Play quadrant of the CIEM Radar chart.
Strengths
Stack Identity scored well on a number of decision criteria, including:
AI-enabled anomaly detection: Stack Identity's Breach Prediction Index algorithm analyzes behavioral patterns across multiple dimensions to identify toxic access combinations and privilege-escalation attempts using ensemble ML models. The solution establishes dynamic baselines that adapt to legitimate behavior changes and correlates identity anomalies with resource sensitivity. It also employs automated recalibration to distinguish operational drift from security threats, thereby reducing manual investigation requirements.
Automated least privilege: The solution continuously analyzes permission use by comparing granted entitlements against observed API calls and resource actions to identify unused permissions beyond configurable thresholds. It provides semiautomated remediation workflows in which administrators review contextualized, risk-scored recommendations that the system implements via cloud provider APIs. This maintains audit trails and rollback capabilities to prevent business disruption during permission adjustments.
JIT access: Stack Identity implements semiautomated workflows that route access requests through approval processes based on role mappings, automatically provisioning time-bound elevated permissions with configurable expiration timers upon approval. It maintains comprehensive audit trails linking requests to business justifications, sends automated notifications at workflow stages, integrates with collaboration tools for coordination, and automatically revokes access when configured durations expire.
Opportunities
Stack Identity has room for improvement in a few decision criteria, including:
Automated remediation and rightsizing: Stack Identity continuously identifies excessive permissions and policy violations, generating prioritized recommendations with risk scores through semiautomated workflows in which administrators review suggested corrections implemented via cloud provider APIs, with audit trails and rollback capabilities. However, it requires manual approval for every action, operates on scheduled cycles rather than continuous enforcement, and lacks dependency analysis. Additionally, it cannot automatically execute low-risk corrections while routing high-impact changes through workflows.
Lifecycle entitlements governance: The solution provides scheduled lifecycle management with semiautomated provisioning and deprovisioning workflows integrating with HR and identity systems. This implements role-based permissions, termination triggers, periodic access reviews, zombie account identification, and comprehensive audit trails. Nevertheless, it requires extensive manual review during certification campaigns and lacks intelligent automation to detect subtle permission drift. The solution cannot predict lifecycle anomalies using behavioral analytics and misses advanced peer comparisons or AI-driven recommendations.
Data privacy and user consent management: Stack Identity maintains comprehensive audit trails tracking identity and access events. It monitors which identities access specific resources and data patterns, provides detailed compliance logs, identifies policy violations, restricts access based on organizational requirements, and integrates with frameworks. However, it lacks consent management integration, and it cannot automatically enforce consent-based restrictions when they are withdrawn. Additionally, the solution lacks automated privacy policy mapping, linking entitlements to processing purposes and requiring extensive manual compliance demonstration efforts.
JumpCloud is classified as a Forward Mover due to the acquisition of Stack Identity having halted independent product development, integration uncertainties delaying feature releases, and limited evidence of accelerated innovation beyond pre-acquisition capabilities.
Purchase Considerations
Stack Identity pricing information is not publicly disclosed after it was acquired by JumpCloud in January 2025. As an integrated component of JumpCloud's broader identity platform, rather than a standalone product, pricing is likely based on JumpCloud's enterprise licensing models, bundled with directory services, device management, and privileged access capabilities. Organizations should contact JumpCloud sales for custom pricing based on identity count, cloud environment complexity, and required feature sets.
Stack Identity deploys as a SaaS solution that connects to customer cloud environments via API integrations. This eliminates on-prem infrastructure requirements but requires cloud provider permissions for discovery and remediation. Migration complexity depends on the maturity of existing identity infrastructure and the diversity of cloud providers. PoC capabilities enable organizations to evaluate discovery accuracy, risk scoring effectiveness, and integration compatibility before full deployment. Customers should assess JumpCloud's integration roadmap post-acquisition to understand long-term product direction and feature availability.
Use Cases
Stack Identity addresses a broad range of use cases, including compliance reporting for regulatory frameworks, identity threat detection for account takeovers and privilege abuse, and JIT access provisioning with time-bound permissions. It also addresses least privilege enforcement through permission rightsizing, lifecycle entitlements governance for provisioning and deprovisioning, NHI management for service accounts and API keys, shadow access detection identifying unauthorized cloud data access patterns, and zombie account identification for dormant identities. The platform serves enterprises with complex multicloud and multi-SaaS environments requiring comprehensive visibility and control.
Microsoft: Microsoft Defender for Cloud*
Solution Overview
Founded in 1975, Microsoft provides cloud computing, productivity software, and enterprise solutions, specializing in Azure cloud services. In 2024, Microsoft integrated Entra Permissions Management CIEM functionality into its Defender for Cloud's CSPM plan, consolidating multicloud identity security across Azure, AWS, and GCP environments.
Microsoft Defender for Cloud delivers CIEM capabilities through native integration within the Defender Cloud Security Posture Management (CSPM) plan, providing unified multicloud identity security across AWS, Azure, and GCP environments. The architecture combines continuous permissions discovery, behavioral analytics with UEBA, and XDR correlation across cloud and on-prem infrastructure. Core components include identity discovery engines, permissions gap analysis, risk-based recommendation prioritization, and semiautomated remediation workflows with approval gates.
Key features encompass inactive identity tracking, over-permissioned identity detection, permissions rightsizing recommendations, service account discovery, and workload identity management through Microsoft Entra Workload ID integration. Key differentiators include Security Copilot AI-powered natural language remediation scripting, automatic attack disruption and autonomous containment executed at machine speed, 11 autonomous agents for threat detection and response, and comprehensive integration with Microsoft's identity governance ecosystem.
Microsoft takes a general approach to CIEM, innovating with emerging autonomous defense features (including 11 AI agents, automatic attack disruption, and agentic SOC transformation) rather than incrementally improving traditional entitlement management.
Microsoft is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Microsoft Defender for Cloud scored well on a number of decision criteria, including:
Cloud identity threat detection and response: Microsoft Defender for Cloud implements real-time monitoring across cloud and hybrid identity infrastructure through integration with Defender for Identity and Microsoft Entra ID. It employs UEBA to detect anomalies, including lateral movement and privilege escalation. It provides automated investigation capabilities that correlate alerts across the unified XDR framework and execute automatic attack disruption with autonomous containment actions, including account isolation, session termination, and endpoint quarantine, based on risk thresholds.
Automated remediation and rightsizing: The solution continuously identifies excessive permissions, policy violations, and unused access rights through CIEM capabilities, analyzing identity configurations and usage patterns across multicloud environments. It provides semiautomated remediation workflows, enabling administrators to approve suggested corrections, including automated permission deletion, custom role generation based on activities, and policy adjustments implemented through cloud provider APIs. However, most corrections still require manual approval.
Granular policy visibility and control: Microsoft Defender for Cloud delivers real-time visibility into access policies with permission-level granularity across AWS, Azure, and GCP, tracking the identities that perform specific API calls and identifying excessive or unused permissions. Organizations define custom security policies and recommendations using Kusto Query Language (KQL) queries, implement continuous compliance monitoring to detect violations, generate prioritized recommendations, and support policy enforcement through approval workflows that review modifications before deployment.
Opportunities
Microsoft Defender for Cloud has room for improvement in a few decision criteria, including:
Automated least privilege: Microsoft Defender for Cloud continuously monitors permission usage, analyzing identity configurations to identify excessive or unused permissions, and generating contextualized rightsizing recommendations based on usage frequency data. However, it lacks predictive algorithms to anticipate future access needs, automated low-risk permission reduction without approval, dependency analysis for cross-service requirements, and CI/CD pipeline integration that embeds least privilege enforcement into deployment workflows and prevents over-provisioned configurations.
JIT access: The solution provides JIT VM access capabilities, temporarily opening management ports with configurable fixed-duration expiration and enabling self-service requests with approval workflows and audit trails. Nevertheless, it limits JIT functionality primarily to VM access without comprehensive identity permission coverage. The solution also lacks multistage approval routing based on resource sensitivity, and it provides no ticketing system integration for business justification and offers no dynamic expiration or session monitoring.
NHI management: Microsoft Defender for Cloud provides comprehensive automated NHI discovery across the cloud and Active Directory via Microsoft Entra Workload ID and Defender for Identity. It also provides inventories of service accounts, managed identities, and workload identities. However, it lacks ML-based behavioral anomaly detection for NHIs, automated intelligent credential rotation based on risk assessment, JIT credential provisioning for temporary workloads, and robust dependency mapping across environments.
Purchase Considerations
Microsoft Defender for Cloud employs consumption-based pricing with separate plans for specific resource types (including servers, containers, databases, and storage), billed per protected resource monthly. The solution offers a free 30-day trial with automatic billing afterward. Organizations with Enterprise E5 licenses receive access to specific capabilities within their existing subscription. Pricing accumulates when multiple Defender plans are enabled across different resource types, and customers report varying cost structures depending on deployment scale.
Key purchase considerations include native Azure integration versus connector-based multicloud deployments for AWS and GCP, which require additional configuration. CIEM functionality is now available within Defender CSPM rather than as a standalone offering, following the deprecation of Microsoft Entra Permissions Management. Microsoft has partnered with Delinea to add enhanced features, indicating potential gaps. Hybrid deployments require Azure Arc for on-prem servers, while migration complexity depends on the extent of Microsoft ecosystem adoption. Customers note that deployment effort varies significantly based on environment complexity and existing security tooling.
Use Cases
Microsoft Defender for Cloud addresses a broad range of use cases, including AI security posture management, attack path analysis and risk prioritization, and cloud security posture management across AWS, Azure, and GCP. It also addresses compliance management for regulatory frameworks, container and Kubernetes security with agentless discovery, hybrid cloud protection through Azure Arc integration, identity threat detection and response with behavioral analytics, multicloud entitlement management and permissions rightsizing, serverless function security, and workload protection with automated threat detection and response across cloud-native applications.
ObserveID: ObserveID CIEM
Solution Overview
Founded in 2021, ObserveID provides a cloud-native, converged identity security platform that unifies IAM, PAM, IGA, ITDR, and CIEM capabilities. The company focuses on organic innovation, including the OBI (Observational Behaviour Intelligence) agentic AI framework and its NextGeneration Epic connector, complemented by partnerships with SDG and ASB Infotech.
ObserveID CIEM operates on a cloud-native microservices architecture built on Azure Kubernetes, providing multicloud entitlement management across AWS, Microsoft Azure, GCP, and OCI. Core components include automated credential rotation, continuous, real-time discovery, granular permission mapping, least privilege enforcement, and the OBI AI framework, combining agentic and generative AI. Key features encompass behavioral analytics, contextual risk scoring, orphaned credential detection, policy violation monitoring, and semiautomated remediation workflows. Primary differentiators include industry-first agentic AI enabling autonomous governance decisions; a converged platform that unifies CIEM with IAM, IGA, ITDR, and PAM; real-time behavioral graphs for every identity; and a Universal Connector Framework supporting more than 100 applications.
ObserveID takes a general platform approach to CIEM, innovating to add emerging features, including agentic AI autonomous governance, AI-driven user access reviews, healthcare FHIR and HL7 integration, and NHI management.
ObserveID is positioned as an Entrant and Fast Mover in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
ObserveID CIEM scored well on a number of decision criteria, including:
Automated least privilege: ObserveID CIEM continuously monitors access patterns and permission usage across cloud environments, analyzing specific API calls and resource-level actions each identity performs over rolling observation windows. It generates contextualized recommendations for permission reduction using usage frequency data and last-access timestamps. It implements semiautomated remediation workflows in which administrators approve suggested changes that the system executes via cloud provider APIs.
Granular policy visibility and control: The solution delivers real-time visibility into access policies with individual permission-level granularity across AWS, Microsoft Azure, GCP, and OCI, calculating effective permissions by analyzing complete policy evaluation logic. The platform provides interactive policy visualization through unified dashboards with real-time insights. This enables administrators to define custom security policies using flexible rule engines while implementing continuous compliance monitoring that automatically detects violations.
Compliance and identity governance: ObserveID CIEM provides continuous monitoring of identity configurations and entitlements, automatically assessing compliance against predefined rule sets mapped to frameworks such as CIS, GDPR, HIPAA, ISO, PCI DSS, and SOC 2. The platform generates scheduled, audit-ready compliance reports with detailed findings and maintains comprehensive audit trails that capture all identity lifecycle events with full context. It also offers semiautomated remediation workflows with built-in capabilities to automatically revoke or adjust risky access.
Opportunities
ObserveID CIEM has room for improvement in a few decision criteria, including:
JIT access: ObserveID CIEM provides semiautomated JIT access via self-service portals. This allows users to submit temporary access requests that are routed to designated approvers, with automated provisioning upon approval and configurable expiration timers. However, it employs static approval routing without resource sensitivity awareness, cannot dynamically adjust durations based on usage patterns, lacks ticketing system integration for justification validation, and provides no DevOps API integration.
Automated remediation and rightsizing: The solution continuously identifies excessive permissions and policy violations across cloud environments. It generates prioritized remediation recommendations with AI-driven risk scoring and applies corrections through semiautomated workflows in which administrators approve each change and the system then implements it via cloud provider APIs. However, it requires manual approval for all corrective actions rather than risk-based automated execution. It also operates on monitoring cycles instead of continuous enforcement and lacks IaC integration and effectiveness analytics.
Lifecycle entitlements governance: ObserveID provides semiautomated lifecycle management integrating with HR systems, automatically creating accounts with role-based permissions for new employees and triggering deprovisioning upon termination while implementing periodic access review campaigns. However, it operates on scheduled batch processing rather than continuous synchronization. It also requires extensive manual certification reviews despite AI assistance, lacks automated permission adjustments for role changes, and provides no risk-based continuous reviews.
Purchase Considerations
ObserveID CIEM pricing operates through Azure Marketplace subscription mechanisms, with flexible deployment options, including SaaS and customer private cloud models. The company lacks published pricing tiers on its primary website, requiring prospective customers to engage directly or through marketplace channels. The converged platform approach (bundling IAM, IGA, PAM, ITDR, and CIEM into a unified offering) means organizations purchase comprehensive identity security capabilities rather than standalone CIEM functionality, which can complicate cost comparisons with point solutions.
Purchase considerations include the company's early-stage market position, which requires evaluating vendor stability and long-term support commitments. Migration complexity involves integrating the Universal Connector Framework, which supports more than 100 applications across cloud and on-prem environments. Advanced workflow configurations require assistance from the product team rather than pure self-service customization. Deployment flexibility across hybrid and multicloud architectures enables PoC testing aligned with existing infrastructure. However, limited documentation about trial programs requires direct vendor engagement for evaluation arrangements.
Use Cases
ObserveID CIEM addresses a broad range of use cases, including automated least privilege enforcement across multicloud environments, behavioral anomaly detection through real-time identity graphs, and converged governance that unifies cloud and on-prem infrastructure. It also addresses healthcare identity integration using FHIR and HL7 standards, hybrid cloud entitlement management, NHI lifecycle management, regulatory compliance reporting for frameworks (including GDPR and HIPAA), and semiautomated access reviews accelerated through AI-driven recommendations that analyze historical approval patterns and peer group behaviors.
Orca Security: Orca Cloud Security Platform
Solution Overview
Founded in 2019, Orca Security specializes in comprehensive CNAPP coverage across AWS, Microsoft Azure, and GCP. Released in 2019, Orca Cloud Security Platform integrates CIEM capabilities within the unified platform (included in all licenses). The company acquired Opus (autonomous AI-driven remediation and orchestration) in May 2025.
Orca Cloud Security Platform delivers CIEM through a patented agentless SideScanning architecture that provides workload-deep visibility, combining cloud configuration metadata with runtime intelligence in a Unified Data Model. Core components include AI-Driven Remediation, Auto-Remediation workflows, IAM Policy Optimizer with 90-day behavioral clustering, and more than 2,200 built-in alerts across at least 200 compliance frameworks. Key features include AI-powered anomaly detection with ML baselines, attack path analysis to evaluate toxic risk combinations, JIT access to AWS, and NHI discovery aligned with OWASP standards. Key differentiators include patent-pending Agentless Reachability Analysis that prioritizes exploitable vulnerabilities, natural language search across more than 50 languages, and cross-cloud entitlements correlation spanning AWS, Alibaba Cloud, Microsoft Azure, Google Cloud, Oracle Cloud, and Tencent Cloud, with comprehensive identity-to-resource mapping.
Orca Security takes a general approach to CIEM, innovating to add emerging features such as AI chatbot intelligence, AI-SPM detection, agentless reachability analysis, hybrid cloud runtime protection, and NHI management.
Orca Security is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Orca Cloud Security Platform scored well on a number of decision criteria, including:
Lifecycle entitlements governance: The solution provides continuous identity discovery across multicloud environments, automatically covering new identities, detecting inactive users through configurable thresholds, and identifying identity drift by comparing current entitlements against role baselines. The platform maintains comprehensive audit trails that link all lifecycle events to business justifications. It also detects orphaned permissions and supports governance through more than 2,200 alerts covering CIEM use cases.
Granular policy visibility and control: Orca Cloud Security Platform delivers real-time visibility into access policies with individual permission-level granularity across six cloud platforms, through effective permission calculation and detailed access mapping that shows permissions to and from cloud identities. It provides graph-based relationship visualization, AI-driven natural language search supporting more than 50 languages, and over 2,200 customizable alert templates. This enables sophisticated custom security policies with continuous compliance monitoring and contextualized remediation recommendations.
Compliance and identity governance: The solution implements continuous compliance monitoring across more than 200 out-of-the-box frameworks. This generates automated audit-ready reports in multiple formats and comprehensive audit trails that capture full context, including timestamps and business justifications. It provides risk-scored dashboards with near-real-time compliance status, semiautomated remediation via configurable Auto-Remediation workflows, and flexible framework customization. This allows organizations to build custom compliance standards from the extensive alert library.
Orca Security is classified as an Outperformer due to its industry-first autonomous AI remediation capabilities, hybrid cloud runtime protection, patent-pending agentless reachability analysis, and a strategic roadmap toward self-learning agents.
Opportunities
Orca Cloud Security Platform has room for improvement in a few decision criteria, including:
AI-enabled anomaly detection: The solution implements ML-based behavioral baselines and statistical modeling to establish normal patterns using continuously updated moving averages across multiple dimensions. It detects deviations, including privilege escalations and lateral movement, while providing risk scoring based on severity and contextual analysis. However, it lacks ensemble ML models, dynamic baseline adaptation for role transitions, HR and project data enrichment, gradual privilege creep detection, graph-based analysis, and deep learning architectures.
Automated least privilege: Orca Cloud Security Platform provides continuous usage pattern analysis and tracks actual permission utilization. It uses an AI-powered IAM Policy Optimizer to analyze 90 days of usage and calculate optimal configurations through side-by-side comparisons and peer group analysis. Nevertheless, it requires manual approval for all policy changes and lacks automated time-based permission revocation, cross-service dependency analysis, CI/CD deployment embedding, and sandbox validation testing.
JIT access: The solution offers semiautomated JIT access via self-service portals, allowing users to create requests specifying permissions and time windows. Administrators approve requests via platform or Slack integration for AWS environments, with automatic expiration and comprehensive audit trails. However, it lacks context-aware approval routing, ticketing integration for justification validation, emergency break-glass procedures, API integration for programmatic requests, and multicloud JIT support beyond AWS.
Purchase Considerations
Orca Security uses workload-based pricing by which customers pay for the volume of cloud workloads protected, with the flexibility to select specific workload types for scanning and billing. CIEM capabilities are included in all licenses as part of the unified CNAPP platform. The single-SKU (stock keeping unit) model provides full coverage across CNAPP, application security, and runtime security with Orca Sensor. Organizations can shift coverage between workloads or apply unused credits toward runtime protection.
Organizations choose from three deployment modes: SaaS for ease and scalability, In-Account for enhanced data security within customer environments, or Private Bring Your Own Cloud (BYOC) Mode for government and enterprises requiring the highest isolation levels, including FedRAMP High compliance. The agentless architecture enables rapid deployment and onboarding of cloud accounts in minutes without agent installation, eliminating migration complexity and performance impacts. PoC evaluations demonstrate immediate value, with customers detecting live breaches during trial periods.
Use Cases
Orca Cloud Security Platform addresses a broad range of use cases, including anomalous activity detection, API security, application security, cloud detection and response, cloud security posture management, cloud workload protection, data security posture management, enforcing least privilege policies, IAM policy optimization, JIT access management, Kubernetes security posture management, multicloud entitlement centralization, and NHI management. It also supports consolidating security visibility across complex merger and acquisition environments and vulnerability management across AWS, Alibaba Cloud, Microsoft Azure, Google Cloud, Oracle Cloud, and Tencent Cloud.
Palo Alto Networks: Cortex Cloud
Solution Overview
Founded in 2005, Palo Alto Networks provides comprehensive cybersecurity solutions, specializing in network, cloud, and endpoint security. In April 2025, the company acquired Protect AI (AI security). Palo Alto Networks announced its planned acquisitions of CyberArk (identity security) in July 2025 and Chronosphere (observability) in November 2025. The company launched Cortex Cloud in February 2025, consolidating Prisma Cloud's CIEM capabilities into a unified platform.
Cortex Cloud delivers cloud infrastructure entitlement management through a unified data lake architecture that consolidates identity security with CNAPP capabilities across AWS, Microsoft Azure, and GCP. The platform's core components include behavioral analytics, CIEM, CSPM, DSPM, and threat detection modules with cross-domain correlation. Key features encompass AI-powered anomaly detection, attack path analysis, automated remediation workflows, net-effective permission calculation across 45,000 cataloged permissions, permissions rightsizing, XQL query language, and third-party vendor access control. Cortex Cloud differentiates through code-to-cloud intelligence that correlates IaC definitions with runtime state, data access governance, granter-level violation alerting, and Action Access Levels that categorize permissions into admin, data read, data write, metadata read, and metadata write classifications.
Palo Alto Networks takes a general approach to CIEM, adding emerging features such as AI copilot assistance, Entra ID permissions, Kubernetes RBAC security, NLP interfaces, NHIM, and predictive "what if" policy simulations.
Palo Alto Networks is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Cortex Cloud scored well on a number of decision criteria, including:
AI-enabled anomaly detection: The solution employs an ensemble of ML algorithms, combining supervised and unsupervised methods. This establishes individual behavioral baselines across access patterns, device fingerprinting, geographic locations, resource utilization, and temporal dimensions. It normalizes user events across cloud providers, enriches them with geolocation context, and enables customizable behavioral model training, allowing organizations to control alert disposition by selecting criticality thresholds.
Lifecycle entitlements governance: Cortex Cloud integrates with Azure Active Directory (now Microsoft Entra ID), Google Workspace, and Okta to synchronize identity data, enabling enhanced policy alerting and identifying granter-level violations at consolidated role, group, and service principal levels. It detects dormant accounts via inactive service account identification and flags orphaned permissions when accounts are deleted. The solution maintains detailed audit trails, linking lifecycle events to business justifications.
Compliance and identity governance: The solution continuously monitors identity configurations against detailed control mappings for GDPR, HIPAA, PCI DSS, and SOC 2, enabling custom compliance frameworks that map internal regulations to policies. The platform maintains immutable audit trails with complete lineage tracking, showing entitlement decision history, including approvals, while implementing semiautomated enforcement via approval workflows that review configuration changes before deployment.
Palo Alto Networks is classified as an Outperformer due to the February 2025 architectural consolidation of 16 tools into a unified platform, a monthly release cadence that delivers incremental capabilities, and an aggressive roadmap.
Opportunities
Cortex Cloud has room for improvement in a few decision criteria, including:
Automated least privilege: The solution analyzes permission usage using CloudTrail logs and CSP-native tools (such as AWS IAM Access Analyzer) and examines two years of historical data to identify unused entitlements. It can generate deny policies and custom IAM policies containing only the permissions actually used, and it supports semiautomated rightsizing deployed through IaC integration. However, it requires manual approval for most changes, lacks automated sandbox testing, and has limited cross-service dependency analysis.
JIT access: Cortex Cloud provides planned, multicloud JIT capabilities with unified request interfaces, basic approval workflows that route requests to designated approvers, configurable expiration timers for temporary access, and automated revocation when limits expire via custom XSOAR workflows. Nevertheless, it lacks multistage resource-sensitive approval routing, ticketing integration for justification validation, real-time session monitoring with alerting, and dynamic expiration adjustment.
Predictive access analytics: The solution analyzes two years of permission usage data, identifies trends, establishes behavioral baselines across access patterns and temporal dimensions, and provides AI-based what-if policy simulations. It implements peer group analysis, comparing permissions across similar roles, and identifies drift patterns, comparing current entitlements against historical baselines. However, it lacks ML-powered forecasting, proactive drift detection, security incident prediction, ensemble algorithms, real-time prediction updates, and accuracy dashboards.
Purchase Considerations
Cortex Cloud employs consumption-based pricing influenced by deployment size, user count, feature selection, and support tier. Pricing requires engagement with sales for customized quotes based on organizational requirements. Support costs range from five to seven figures, depending on the environment's complexity and whether customers select Premium or Platinum support levels. Organizations should budget for potential complexity, as the platform consolidates 16 previously separate tools, requiring investment in training and configuration to maximize value.
Cortex Cloud deploys exclusively as SaaS on AWS, with no on-prem or private cloud options. Existing Prisma Cloud customers receive seamless upgrades at no additional cost, while new customers should anticipate steep learning curves in navigating configuration layers. Government organizations benefit from FedRAMP High and Moderate authorizations, enabling compliance-ready deployments. The platform's monthly release cadence delivers continuous capability enhancements.
Use Cases
Cortex Cloud addresses a broad range of use cases, including attack path analysis that correlates permissions with misconfigurations and vulnerabilities, behavioral anomaly detection that flags suspicious identity activities, and compliance monitoring across GDPR, HIPAA, PCI DSS, and SOC 2. It also addresses data access governance to discover and rightsize identities with sensitive data access, identity security posture management to detect misconfigurations, net-effective permissions calculation across cloud providers, permissions rightsizing based on usage patterns, and third-party vendor access control to identify external account permissions. The platform supports code-to-cloud security spanning IaC through runtime.
Qualys: TotalCloud
Solution Overview
Founded in 1999, Qualys provides cloud-based security and compliance solutions, specializing in risk management, cloud security, and threat detection. Qualys launched TotalCloud as an AI-powered CNAPP in November 2022, followed by TotalCloud 2.0 in February 2024 with enhanced AI-powered risk prioritization.
TotalCloud operates through an agentless, API-first architecture that discovers and analyzes identities across AWS, Microsoft Azure, GCP, and OCI without requiring software deployment. Core components include continuous identity discovery, effective permission calculation, TruRisk-based risk scoring, and QFlow automation with more than 400 playbooks. Key features include AI-enabled anomaly detection with behavioral analytics, attack path analysis correlating identities with vulnerabilities, automated least privilege enforcement, JIT access workflows, lifecycle governance with drift detection, and global compliance frameworks for CIS, GDPR, HIPAA, NIST, PCI DSS, and SOC 2. Differentiators include ETM Identity, which unifies human, machine, and AI identities with asset risks; hybrid visibility spanning cloud IAM, Kubernetes RBAC, serverless computing, workloads, and Active Directory; and third-party integrations with BloodHound, CyberArk, and SailPoint.
Qualys takes a general platform approach to CIEM, incrementally improving existing features through 1- to 2-month releases, expanding support for cloud providers, compliance frameworks, dashboard customization, integration connectors, and policy libraries.
Qualys is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the CIEM Radar chart.
Strengths
TotalCloud scored well on a number of decision criteria, including:
AI-enabled anomaly detection: The solution implements ML models that establish continuous behavioral baselines across AWS, Microsoft Azure, GCP, Kubernetes, and Active Directory environments. It detects anomalies, including lateral movement, privilege escalation, and unusual resource access patterns. Identity anomalies correlate with Extended Berkeley Packet Filter (eBPF)-powered workload telemetry and TruRisk scoring to prioritize alerts by exploitability. However, full UEBA maturity remains under development.
Automated remediation and rightsizing: TotalCloud provides more than 300 QFlow playbooks that orchestrate semiautomated remediation workflows. These analyze permission usage patterns, generate contextualized recommendations with TruRisk correlation, and implement corrections via cloud provider APIs after administrator approval. It includes blast radius simulations and rollback mechanisms to protect against operational disruption. However, some low-risk corrections require manual approval rather than executing automatically based on configurable risk thresholds.
Lifecycle entitlements governance: The solution delivers semiautomated lifecycle management with scheduled provisioning and deprovisioning workflows. It also delivers periodic access review campaigns in which managers certify permissions, dormant account detection to flag inactive identities, and QFlow-automated remediation of orphaned permissions and identity drift. The solution integrates with Active Directory, Microsoft Entra ID, Okta, and Ping Identity for identity synchronization. However, real-time authoritative source integration for immediate provisioning adjustments remains under development.
Opportunities
TotalCloud has room for improvement in a few decision criteria, including:
JIT access: The solution enables temporary privilege elevation through QFlow workflows with automated provisioning via cloud provider APIs, configurable expiration, TruRisk-aware evaluation, and comprehensive audit trails, capturing request details and revocation events. However, it lacks sophisticated multistage approval workflows with dynamic routing, business system integration for justification validation, dynamic expiration adjustment based on usage monitoring, and intelligent auto-approval for low-risk requests.
Compliance and identity governance: TotalCloud generates AI-driven TruRisk Executive Reports with continuous real-time drift monitoring; automated audit documentation mapped to CIS, GDPR, HIPAA, NIST, PCI DSS, and SOC 2; comprehensive audit trails; and QFlow enforcement workflows. However, it lacks predictive compliance forecasting identifying violations before occurrence, automated regulatory adaptation mechanisms, intelligent remediation scheduling considering business impact, and risk-based prioritization distinguishing material business consequences from procedural violations.
Zero trust architecture integration: The solution aligns with DoD Zero Trust 7 Pillars through least privilege enforcement, CI/CD IaC assessment, attack path analysis, workload monitoring, data access visibility, behavioral analytics, and QFlow automation. Nevertheless, it provides framework alignment rather than architectural integration, lacking native zero trust network access connectivity, continuous authentication adjusting trust scores based on behavioral signals, and identity-based microsegmentation automation translating entitlement policies into network segmentation rules.
Purchase Considerations
Qualys TotalCloud uses a flexible Qualys Licensing Unit (QLU) consumption model, allowing customers to purchase units that can be allocated across all CNAPP modules (including CIEM, CSPM, and workload protection) without separate SKUs or procurement involvement. All modules unlock upon purchasing QLUs, enabling customers to reallocate units dynamically as requirements evolve, such as shifting licenses from hosts to containers during cloud modernization without repurchase. This predictable usage-based pricing consolidates tool costs and eliminates redundant solutions while providing centralized reporting for license utilization tracking and cost efficiency.
TotalCloud deploys as SaaS across more than 14 global platforms, with optional self-hosted private cloud platform configurations and hybrid support. Deployment complexity remains minimal, with customers reporting 5- to 10-minute API integration for cloud account onboarding without maintenance overhead. Core implementation assistance, configuration guidance, connector setup, and optimization services are included at no additional cost. Qualys provides 24/7 SLA-backed support with direct access to subject matter experts. Organizations should evaluate MSP requirements if managing multiple customer tenants, as TotalCloud supports MSP portals for multitenancy.
Use Cases
TotalCloud addresses a broad range of use cases, including automated identity discovery across cloud and on-prem environments, and compliance audit readiness with continuous monitoring against CIS, GDPR, HIPAA, NIST, PCI DSS, and SOC 2 frameworks. It also addresses entitlement risk prioritization using TruRisk scoring; least privilege enforcement with access certification workflows; threat detection correlating identity anomalies with runtime behaviors; third-party risk ingestion from BloodHound, CyberArk, and SailPoint platforms; and toxic combination detection preventing privilege escalation across AWS, Microsoft Azure, GCP, Kubernetes, and Active Directory.
Rapid7: InsightCloudSec
Solution Overview
Founded in 2000, Rapid7 specializes in vulnerability management, incident detection and response, and cloud security through its unified Exposure Command Platform. The company acquired Noetic Cyber (cyber asset attack surface management) in July 2024. It integrated DivvyCloud, acquired in April 2020, to create InsightCloudSec.
InsightCloudSec operates as a cloud-native application protection solution hosted on AWS infrastructure, providing CIEM capabilities across AWS, Microsoft Azure, Alibaba Cloud, GCP, and Oracle Cloud Infrastructure. Core components include Application Context for dynamic infrastructure grouping, automated remediation bots for real-time corrective actions, compliance packs for regulatory frameworks, Event-Driven Harvesting (EDH) for continuous resource discovery, Identity Analysis for entitlement visibility, and Threat Findings for runtime security correlation. Key features include automated permission rightsizing, behavioral analytics to establish usage baselines, continuous multicloud identity monitoring, cross-cloud entitlement correlation, least privilege recommendations, policy-as-code validation, risk-scored prioritization, and semiautomated remediation workflows. InsightCloudSec differentiates through agentless deployment, comprehensive support for Kubernetes and serverless workloads, data-centric risk prioritization integrating sensitive data classifications, and a unified CNAPP architecture.
Rapid7 takes a general platform approach to CIEM within its comprehensive CNAPP, incrementally improving existing features through monthly releases rather than pioneering transformative innovations.
Rapid7 is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the CIEM Radar chart.
Strengths
InsightCloudSec scored well on a number of decision criteria, including:
Cloud identity threat detection and response: The solution continuously monitors authentication systems and access patterns through Identity Analysis. It establishes behavioral baselines that detect anomalies, including privilege escalation attempts and unusual resource access. It correlates identity events across AWS, Microsoft Azure, and GCP through unified dashboards, provides investigation capabilities with contextual threat information, and supports semiautomated response actions via administrator-approved remediation bots.
Automated least privilege: InsightCloudSec tracks actual permission utilization at individual API call levels through continuous monitoring, automatically generating contextualized recommendations by comparing granted entitlements against observed behaviors and surfacing unused permissions. It provides semiautomated remediation workflows in which administrators approve suggested reductions that the system implements via cloud provider APIs. It also detects permission creep by identifying entitlements unused beyond configurable thresholds and recommends intelligent remediation policies.
Granular policy visibility and control: The solution delivers permission-level visibility across multicloud environments through Identity Analysis. This calculates effective permissions by resolving inheritance, permission boundaries, and resource-based policies, while providing interactive visualizations that show identity-to-resource relationships. Administrators define sophisticated custom security policies using flexible rule engines via the Insights feature. Additionally, the solution provides continuous compliance monitoring automatically detecting violations, generates risk-scored remediation recommendations, and supports basic enforcement via approval workflows that validate policy modifications before deployment.
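As an added illustration of the two techniques described above (comparing granted entitlements against observed usage, and resolving effective permissions through permission boundaries), the following Python is example code rather than Rapid7's; the action catalogue, policies, and event timestamps are constructed sample data, and only the action dimension of IAM evaluation is modelled.

```python
"""Toy CIEM least-privilege analysis: resolve effective actions, then find unused ones.

Constructed example. Only the action dimension of IAM evaluation is modelled; resources,
conditions and resource-based policies are out of scope here.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed catalogue used to expand wildcard patterns such as "s3:*" or "ec2:Describe*".
# A real tool would load the provider's full action list instead.
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:PassRole", "iam:CreateUser",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
]


def expand(patterns):
    """Expand IAM-style action patterns (case-insensitive, '*' wildcard) to concrete actions."""
    if isinstance(patterns, str):          # IAM allows "Action": "s3:*" as a bare string
        patterns = [patterns]
    return {a for p in patterns for a in KNOWN_ACTIONS if fnmatchcase(a.lower(), p.lower())}


def _split(statements):
    """Partition a statement list into (allowed, denied) sets of concrete actions."""
    allowed, denied = set(), set()
    for s in statements:
        target = allowed if s["Effect"] == "Allow" else denied
        target.update(expand(s["Action"]))
    return allowed, denied


def effective_actions(identity_policy, boundary=None):
    """Actions the identity can actually perform.

    Simplified IAM order of evaluation: an explicit Deny in either document wins;
    otherwise the action must be allowed by the identity policy AND, when a permissions
    boundary is attached, by the boundary as well (the boundary never grants on its own).
    """
    allowed, denied = _split(identity_policy)
    if boundary is not None:
        b_allowed, b_denied = _split(boundary)
        allowed &= b_allowed
        denied |= b_denied
    return allowed - denied


def unused_actions(effective, events, now, window_days=90):
    """Effective actions with no observed use inside the look-back window.

    `events` are (action, timestamp) pairs, as a CloudTrail-style activity feed would yield.
    """
    cutoff = now - timedelta(days=window_days)
    used = {action for action, ts in events if ts >= cutoff}
    return sorted(effective - used)


def rightsize(identity_policy, boundary, events, now, window_days=90):
    """Least-privilege recommendation: keep observed actions, propose removing the rest."""
    effective = effective_actions(identity_policy, boundary)
    remove = set(unused_actions(effective, events, now, window_days))
    return {
        "effective": sorted(effective),
        "keep": sorted(effective - remove),
        "remove": sorted(remove),
    }


# --- Constructed sample input --------------------------------------------------------
SAMPLE_POLICY = [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:PassRole"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject"},
]
# The boundary caps the identity at S3 and EC2, so iam:PassRole is granted but never effective.
SAMPLE_BOUNDARY = [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]
NOW = datetime(2026, 2, 25)
SAMPLE_EVENTS = [
    ("s3:GetObject", NOW - timedelta(days=3)),
    ("s3:ListBucket", NOW - timedelta(days=40)),
    ("s3:PutObject", NOW - timedelta(days=120)),   # outside a 90-day window, inside 180
]

if __name__ == "__main__":
    for window in (90, 180):
        rec = rightsize(SAMPLE_POLICY, SAMPLE_BOUNDARY, SAMPLE_EVENTS, NOW, window)
        print(f"{window}-day window: keep={rec['keep']} remove={rec['remove']}")
```

Widening the window from 90 to 180 days moves s3:PutObject from "remove" to "keep", which is why the threshold is a tunable risk decision rather than a fixed constant.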
Opportunities
InsightCloudSec has room for improvement in a few decision criteria, including:
JIT access: The solution provides JIT user provisioning, synchronizing users from Identity Providers (including Okta, Lightweight Directory Access Protocol [LDAP], and Microsoft Entra ID) into the platform via scheduled sync jobs. However, it lacks JIT access to cloud resources, user-request workflows, time-bound permission provisioning with automatic expiration, approval workflows, ticketing integration, break-glass procedures, session monitoring for access extension or revocation, and JEA capabilities.
Automated remediation and rightsizing: InsightCloudSec implements continuous posture monitoring, detecting over-provisioned permissions and drift. It also automates low-risk corrections while routing high-impact changes through approval workflows. However, it lacks ML-optimized remediation timing based on usage patterns, offers only limited correlation with application dependencies and microservice communications, and has no automated validation testing to verify fixes before production deployment. Its policy-as-code integration, which would prevent overprovisioning at deployment time, is also incomplete.
Lifecycle entitlements governance: The solution implements basic provisioning via JIT User Provisioning with identity providers, such as Okta and Microsoft Entra ID, via scheduled sync jobs. It also maintains audit logs and detects dormant accounts. However, it lacks automated deprovisioning from HR events, scheduled access review campaigns, and automatic permission adjustments for role changes. Additionally, the solution operates on batch rather than continuous synchronization and cannot predict lifecycle needs based on organizational changes.
Rapid7 is classified as a Forward Mover due to incremental enhancements through monthly releases that expand compliance coverage, detection rules, and integrations, rather than pioneering transformative AI-driven automation or predictive security.
Purchase Considerations
InsightCloudSec uses consumption-based pricing based on the number of cloud instances monitored, with tiered pricing starting at 500 instances. Subscriptions include unlimited managed clouds and containers, compliance packs, automated remediation capabilities, user accounts, policy guardrails, and unlimited dashboards and reports. Organizations can track consumption against allocated quotas through service usage metrics displayed in real-time dashboards.
InsightCloudSec deploys exclusively on AWS infrastructure as SaaS, self-hosted, or managed self-hosted, with no on-prem deployment option available. Organizations that require government compliance can deploy to FedRAMP-authorized InsightGovCloud in AWS GovCloud environments. Rapid7 provides a formal 90-day onboarding program that includes setup, user training, rule-building assistance, report configuration, and automation guidance.
Use Cases
InsightCloudSec addresses a broad range of use cases, including cloud security posture management across AWS, Microsoft Azure, and GCP; compliance monitoring for regulatory frameworks; container and Kubernetes security; identity and access management visibility; and least privilege enforcement through permission rightsizing. It also addresses misconfiguration detection with automated remediation, policy compliance assessment with custom rule creation, threat detection correlating runtime findings with cloud resources, and vulnerability management for cloud workloads.
SailPoint: SailPoint CIEM
Solution Overview
Founded in 2005, SailPoint provides identity security solutions, specializing in IGA. In March 2023, SailPoint launched CIEM as an integrated component of Identity Security Cloud. In December 2024, SailPoint acquired Imprivata's Identity Governance and Administration business (healthcare-focused IGA solutions), strengthening its healthcare identity security capabilities.
SailPoint CIEM runs on the Atlas platform architecture, delivering a unified backplane that integrates cloud entitlements with identity governance via SaaS infrastructure. Core components include Access Intelligence Center for analytics, CIEM access graph for visualization, Entitlement Catalog for centralized entitlement management, certification campaign engine, policy enforcement framework, and provisioning workflow orchestration. Key features encompass AI-driven role modeling; cross-cloud entitlements correlation across AWS, Microsoft Azure, and GCP; effective access calculation with twice-daily processing; federated identity visibility from Azure AD and Okta; GenAI-powered entitlement descriptions; lifecycle management; and separation of duties enforcement. Primary differentiators include an identity-first architecture that correlates cloud accounts to organizational identities, native integration with more than 1,100 application connectors, session-level Identity Risk monitoring, and comprehensive governance workflows that embed cloud entitlements within enterprise IGA processes.
SailPoint takes a general platform approach to CIEM, incrementally improving existing features through enhanced BI capabilities, GenAI descriptions, AWS Identity Store provisioning, regional data collection, and refined certification workflows.
SailPoint CIEM is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the CIEM Radar chart.
Strengths
SailPoint CIEM scored well on a number of decision criteria, including:
Lifecycle entitlements governance: The solution automates provisioning and deprovisioning across cloud and noncloud resources through deep provisioning rules that extend to identity attributes, such as department or manager, beyond group assignments. Cloud entitlements integrate with certification campaigns, RBAC, and ServiceNow workflow automation. This enables centralized lifecycle management in which cloud infrastructure follows enterprise application governance, with audit trails linking events to business justifications.
Granular policy visibility and control: SailPoint CIEM provides fine-grained entitlement visibility to individual cloud resources with action-level detail (admin, read, write) and calculates effective access by processing deny policies and grants across direct assignments, groups, and roles to determine actual permissions and derivation paths. It displays activity data with last access timestamps on resources; normalizes actions across AWS, Azure, and GCP for consistent policy enforcement; and enables administrators to answer who has access to specific resources and how they obtained it.
Compliance and identity governance: The solution is pursuing FedRAMP certification and delivers immutable audit trails that capture entitlement lifecycle events together with business justifications and approval workflows. This allows for comprehensive compliance reporting through the Access Intelligence Center. The solution enforces separation-of-duties policies, detects violations, and supports automated certification campaigns with AI-driven insights. It also enables policy-based governance, ensuring cloud entitlements adhere to organizational frameworks through configurable rule engines.
Opportunities
SailPoint CIEM has room for improvement in a few decision criteria, including:
Cloud identity threat detection and response: SailPoint Identity Risk operates at the session level, with extensible policy-based evaluation engines providing granular context for identity behaviors. It also integrates with CrowdStrike, Proofpoint, and risk management tools. However, it remains in limited availability and lacks real-time streaming telemetry with microsecond-granularity capture. Additionally, it does not provide automated investigation workflows that assemble attack narratives by correlating identity events with resource access and movements.
Automated least privilege: SailPoint CIEM provides AI-driven role modeling that continuously recommends and maintains roles. It also provides outlier detection identifying elevated risk and unused access reports showing entitlements by actions, resources, and services. However, it requires human certification approvals rather than automatic remediation, calculates effective access twice daily instead of continuously, lacks auto-generated least privilege policies considering application dependencies, and does not automatically revoke unused permissions without administrator intervention through certification campaigns.
AI runtime policy enforcement: The solution continuously applies AI/ML-generated access policies, identifying outliers with excessive access, unusual behavior, and unused entitlements. It enforces policies through certification campaigns, separation-of-duties detection, and enforcement. However, it operates through scheduled batch processing with twice-daily effective access calculations rather than true runtime enforcement, requires human involvement in remediation workflows instead of autonomous policy execution, and lacks real-time streaming analytics with microsecond-granularity event capture for immediate policy enforcement and blocking.
Purchase Considerations
SailPoint CIEM uses per-identity licensing available as part of Identity Security Cloud Business Plus or as an optional add-on to the business package. As pricing details are not publicly disclosed, quotes require sales engagement. Implementation services typically cost 1.5 to 2 times more than software licensing fees, with annual maintenance accounting for about 20% of license costs. Custom connectors incur substantial additional charges per connector. Organizations should budget for professional services, including Setup Services, Technical Consulting subscriptions, and Expert Help to ensure successful deployment and ongoing optimization.
SailPoint CIEM deploys exclusively as SaaS via AWS Cloud or AWS GovCloud, with no on-prem option. Complex implementation necessitates dedicated IT staff or professional services, while a connector-based architecture requires configuration for AWS, Microsoft Azure, and GCP environments. Migration from existing CIEM solutions requires planning for data mapping and workflow reconfiguration. Pre-sale Business Value Assessments provide complimentary quantitative evaluations to establish PoC viability. Organizations with existing SailPoint Identity Security Cloud deployments benefit from simplified integration, while new customers face steeper learning curves and longer implementation timelines.
Use Cases
SailPoint CIEM addresses a broad range of use cases, including automated cloud access provisioning across AWS, Microsoft Azure, and GCP; certification campaigns for attestation and remediation; cloud policy enforcement with separation of duties; and compliance reporting for regulatory requirements. It also addresses discovery and visualization of complex IaaS environments; lifecycle management for joiners, movers, and leavers; least privilege enforcement through unused access identification; and risk management for excessive permissions and policy violations.
Saviynt: Saviynt Identity Cloud
Solution Overview
Founded in 2011, Saviynt specializes in cloud-first identity security. Unifying IGA, PAM, and CIEM capabilities, the Saviynt Identity Cloud platform manages more than 50 million identities across human, nonhuman, and AI agents. It delivers unified identity governance, cloud security, and privileged access in a single SaaS solution.
Saviynt Identity Cloud delivers CIEM through a converged, cloud-native architecture that unifies identity governance, privileged access, and CSPM. Core components include continuous discovery engines, the Identity Warehouse with ML, policy enforcement, SaviAI for intelligent automation, and automated remediation workflows. Key features comprise cross-cloud entitlement correlation across AWS, Microsoft Azure, and GCP; effective permission analysis; Identity Security Posture Management for AI agents and nonhuman identities; JIT access with ZSP; risk-based analytics with peer scoring; and SCIM-based provisioning. Key differentiators include agentic AI for application onboarding, category-defining AI agent governance as identities, comprehensive NHI lifecycle management with interactive mapping, and architectural convergence eliminating IGA-CIEM-PAM boundaries.
Saviynt takes a general platform approach to CIEM, innovating to add emerging features such as AI agent governance, agentic AI automation, NHI management, and ZSP implementation.
Saviynt is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Saviynt Identity Cloud scored well on a number of decision criteria, including:
JIT access: The solution extends ZSP principles to the application layer through automated multistage approval workflows, which integrate with ticketing systems to validate business justifications against project assignments. Organizations provision time-bound access with expiration policies varying by resource type and sensitivity, supporting self-service extension requests, voluntary early relinquishment, and automatic revocation upon expiration. This eliminates standing privileges while maintaining operational efficiency.
Lifecycle entitlements governance: The converged architecture unifies identity governance and cloud entitlement management through the Identity Warehouse, performing ML across all identities in a single repository and enabling risk-based analysis. The solution implements continuous discovery across AWS, Microsoft Azure, GCP, on-prem, and SaaS with semiautomated lifecycle tracking, monitoring credential creation, ownership changes, usage patterns, and eventual deprovisioning through configurable policies with approval workflows.
Compliance and identity governance: The solution provides out-of-the-box compliance rulesets for applications such as NetSuite, Oracle, Salesforce, and SAP, with AI-driven segregation of duties (SoD) analysis that prevents violations through ML recommendations. Organizations maintain comprehensive audit trails with complete provenance tracking, automated compliance risk surfacing with prioritization, and continuous controls that block regulatory violations for GDPR and HIPAA. The solution also provides native ServiceNow integration, extending remediation workflows across organizational systems.
Saviynt is classified as an Outperformer due to its category-defining ISPM for AI agents, comprehensive NHI management, agentic AI automation, and application-layer ZSP implementation ahead of market evolution.
Opportunities
Saviynt Identity Cloud has room for improvement in a few decision criteria, including:
Cloud identity threat detection and response: The solution integrates with ISPM and NHI modules, providing behavioral monitoring, anomaly identification, credential intelligence, deception techniques (including honeytokens), and unified trust scoring ingesting contextual signals from security tools. Customizable playbooks address credential compromise, privilege escalation, and compliance violations with ITSM, SIEM, and SOAR integrations. However, it lacks explicit ML for detecting sophisticated attack patterns (including credential stuffing, golden ticket exploits, and pass-the-hash attacks) and is missing automated investigation workflows that assemble complete attack narratives with root cause analysis.
Automated least privilege: Saviynt Identity Cloud continuously monitors access patterns and permission usage, analyzing which specific entitlements each identity actually accesses over observation windows with usage frequency data and last-access timestamps. The AI and ML recommendation engine provides contextualized recommendations for permission reduction, supporting insights such as business rule suggestions to improve role quality and user membership. Nevertheless, it implements semiautomated enforcement requiring administrator approval rather than autonomous permission reduction, lacking fully automated least privilege adjustment that grants minimum access for specific tasks and automatically revokes privileges upon task completion without human intervention.
Automated remediation and rightsizing: The solution provides embedded workflows for certifications and approvals with native remediation capabilities through integrated IGA and PAM modules, enabling privilege reduction, credential rotation, and JIT access without requiring third-party ticketing systems or ITSM integration. Customizable playbooks address compliance violations, misconfigurations, and policy enforcement through graphical editors with SIEM, SOAR, and ITSM platform integrations. However, the implementation requires human sign-off for remediation actions despite the technical capability to automate them, since Saviynt claims that most customers prefer manual workflows for excessive entitlement removal.
Purchase Considerations
Saviynt Identity Cloud employs an all-inclusive subscription model by which PAM Pro licensing provides access to the entire converged platform, including IGA, CIEM, and PAM capabilities, without separate module pricing. PAM Essentials offers basic features at reduced cost for organizations with limited requirements. Standard support, platform upgrades, initial deployment assistance, and ongoing maintenance are included in base subscription fees.
Primary deployment is via SaaS on AWS infrastructure, with virtual private cloud and on-prem options available for specific regulatory requirements. Migration complexity is high, requiring dedicated technical expertise and implementation partners to support architectural convergence across IGA, CIEM, and PAM. The partner-first sales model means implementation quality varies significantly based on partner selection, which impacts deployment success and timeline predictability. The steep learning curve requires comprehensive training programs and ongoing professional services.
Use Cases
Saviynt Identity Cloud addresses a broad range of use cases, including AI agent governance and lifecycle management; cloud entitlement management across AWS, Azure, and GCP; compliance and audit for GDPR, HIPAA, and segregation of duties violations; hybrid and multicloud identity governance; JIT privileged access provisioning; nonhuman identity discovery and risk remediation; privileged access management with session monitoring; and ZSP implementation at the application layer. The converged platform architecture enables organizations to address identity governance, cloud security posture management, and privileged access requirements through unified workflows rather than disparate point solutions.
SecurEnds: SecurEnds CIEM*
Solution Overview
Founded in 2017, SecurEnds provides cloud-native IGA software that automates user access reviews, entitlement audits, and compliance. The company acquired BankStride (loan compliance and covenant monitoring) in August 2025.
SecurEnds CIEM operates as an integrated module within the SMART IGA platform, deployed on a cloud-native architecture using AWS infrastructure, with multicloud connectivity across AWS, Microsoft Azure, GCP, and Okta. Core components include Access Analysis for entitlement pattern discovery, Access Templates for RBAC and ABAC design, and T-Hub for automated provisioning and deprovisioning workflows. Key features include AI/ML-based entitlement outlier detection, automated least privilege enforcement, cross-cloud entitlement management, JIT access with multistage approval workflows, lifecycle governance with HRMS integration, NHI management, policy-based access control, real-time monitoring, automated alerting, and compliance assessments for GDPR, HIPAA, PCI DSS, and SOX. Key differentiators include more than 200 prebuilt application connectors for rapid deployment, an emphasis on simplicity and low TCO, unified identity governance spanning cloud and on-prem environments, and interactive access mind maps with entitlement clustering visualizations.
SecurEnds takes a general platform approach to CIEM, incrementally improving existing capabilities through automation enhancements, AI-driven analytics for role mining and risk assessment, and streamlined workflows rather than transformative innovations.
SecurEnds is positioned as an Entrant and Forward Mover in the Maturity/Platform Play quadrant of the CIEM Radar chart.
Strengths
SecurEnds CIEM scored well on a number of decision criteria, including:
Granular policy visibility and control: The solution provides multicloud policy monitoring across AWS, Microsoft Azure, GCP, and Okta with consolidated visibility into IAM policies, role assignments, and user entitlements through centralized dashboards. It enforces policies in real time by alerting when noncompliant configurations (such as wildcard permissions) are detected. It also supports basic custom security policies that flag violations and generate manual remediation guidance.
Compliance and identity governance: SecurEnds CIEM offers comprehensive automated compliance assessments with real-time continuous monitoring and evaluates identity configurations against detailed regulatory frameworks, such as GDPR, HIPAA, PCI DSS, and SOC 2. It maintains immutable audit trails that capture all identity lifecycle events with complete context, including approver identities, business justifications, and timestamps. The solution also provides preconfigured compliance assessments, audit-ready reporting with evidence packages, and semiautomated policy enforcement via approval workflows.
Zero trust architecture integration: The solution enforces continuous identity verification through adaptive authentication mechanisms in JIT access workflows. It implements least privilege principles by analyzing actual usage patterns and by comparing granted permissions against observed behaviors to restrict access. It provides policy-driven access control, validating requests against predefined rules before granting temporary time-bound permissions with automated expiration. Additionally, the solution maintains comprehensive logging of access decisions with contextual information, including business justifications and approval workflows.
Opportunities
SecurEnds CIEM has room for improvement in a few decision criteria, including:
Automated least privilege: The solution continuously monitors access patterns and permission usage across cloud environments, analyzing specific API calls and resource actions performed by each identity to identify unused or excessive permissions and flag over-privileged accounts for review and remediation. However, the solution lacks fully automated permission rightsizing for low-risk scenarios and predictive analysis of future access needs. It also lacks dependency analysis for cross-service requirements, CI/CD pipeline integration for least privilege enforcement, and automated sandbox testing before production changes.
JIT access: SecurEnds CIEM delivers comprehensive JIT access management with multistage approval workflows routing requests to designated approvers. It automatically provisions time-bound access with configurable expiration policies and provides real-time monitoring of active sessions, detailed audit trails linking grants to business purposes, and API integration for programmatic requests. However, it lacks intelligent auto-approval for low-risk requests, dynamic expiration based on activity monitoring, risk-based approval routing that requires additional reviews, session monitoring for automatic extension or early revocation, and JEA that grants only specific permissions.
Automated remediation and rightsizing: The solution continuously identifies security issues, excessive permissions, and policy violations across cloud environments, generating prioritized remediation recommendations with risk scores and contextual information on which permissions to remove. However, it lacks automated execution of low-risk corrections, IaC integration for drift prevention, automated rollback when remediation causes issues, CI/CD pipeline injection to prevent over-provisioning, and automated validation testing.
SecurEnds is classified as a Forward Mover due to platform redesigns and AI/ML adoption that follow market trends in automation and governance rather than pioneer transformative architectural innovations or set security paradigms.
Purchase Considerations
SecurEnds CIEM operates on a subscription-based pricing model with flexible plans and a free trial. It offers predictable monthly costs without significant upfront infrastructure investments, making it accessible for organizations of varying sizes. Pricing scales with organizational needs, with modular capabilities allowing customers to start with core functionality and expand as requirements grow. The solution optimizes costs by automatically identifying dormant users that contribute to licensing expenses.
SecurEnds offers multiple deployment options, including SaaS as the primary model, on-prem installations for organizations with data sovereignty requirements, and public cloud deployments on AWS or Azure infrastructure. The platform features more than 200 prebuilt application connectors, enabling rapid implementation. Migration complexity remains moderate given hybrid cloud support and Active Directory (AD) integration. Organizations should evaluate the platform's elementary AI/ML capabilities and semiautomated workflows requiring manual approvals against requirements for advanced autonomous remediation and sophisticated behavioral analytics.
Use Cases
SecurEnds CIEM addresses a broad range of use cases, including automated access certification campaigns; cloud entitlement management across AWS, Microsoft Azure, GCP, and Okta; and compliance assessments for GDPR, HIPAA, PCI DSS, and SOX. It also covers lifecycle governance with automated provisioning and deprovisioning, JIT access for temporary elevated privileges, least privilege enforcement through continuous permission analysis, and NHI management for service accounts and API keys. The solution also provides policy-based access control with real-time monitoring and role-based access design through AI-driven role mining and access templates.
Segura: Cloud Entitlements
Solution Overview
Founded in 2010, Segura (formerly senhasegura) provides identity security solutions, specializing in privileged access management and cloud entitlement management. The Segura 360º Privilege Platform encompasses six product families: Privileged and Remote Access, Workforce Password, Endpoint Protection, DevOps Secrets Manager, Certificate Life Cycle, and Multi-cloud Protection (including Cloud Entitlements CIEM, Cloud IAM, and CSPM), available in SaaS, cloud, and on-prem deployments.
Cloud Entitlements delivers cloud-native SaaS CIEM across AWS, Microsoft Azure, GCP, and Oracle Cloud, powered by a continuous real-time monitoring architecture. Core components include automated discovery engines, AI-powered risk scoring, policy compliance frameworks, and remediation orchestration. Key features include attack path analysis, custom security policies, JIT access provisioning, least privilege automation, multicloud correlation, real-time alerting, and rule-based anomaly detection. Key differentiators include all-inclusive pricing that eliminates per-feature costs, the Build With Us customer cocreation program, the Free Community Plan with unlimited feature access, Oracle Cloud support beyond standard three-cloud coverage, and Segura Intelligence that generates IaC remediation scripts.
Segura takes a general platform approach to CIEM, incrementally improving existing capabilities through biweekly releases, adding attack path visualization, custom policies, JIT workflows, Oracle integration, performance enhancements, and real-time monitoring.
Segura is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the CIEM Radar chart.
Strengths
Cloud Entitlements scored well on a number of decision criteria, including:
Automated remediation and rightsizing: The solution implements AI-powered remediation via Segura Intelligence, automatically generating CloudFormation and Terraform IaC scripts for permission adjustments, enabling semiautomated execution with configurable approval workflows. It provides flexible operational modes from monitor-only to fully automated, maintains comprehensive audit trails with before-and-after state comparisons, and supports automated rollback when remediation causes operational issues. The solution delivers continuous usage pattern analysis that tracks actual permission utilization at individual action levels across configurable 30-, 60-, or 90-day windows.
Lifecycle entitlements governance: Cloud Entitlements delivers comprehensive automated lifecycle management with real-time synchronization to authoritative identity sources, including Active Directory, HR systems, and identity providers, for immediate provisioning and deprovisioning. It implements JIT entitlement management with dynamic, time-bound permission elevation. The solution also provides automated provisioning based on approved requests, automatic revocation to ensure ZSP, detection of orphaned permissions and zombie accounts, and identity drift detection by comparing current entitlements against role baselines.
NHI management: The solution provides continuous real-time discovery across cloud environments. It automatically identifies machine identity types, including API keys, managed identities, service accounts, and workload identities, with semiautomated lifecycle tracking for creation, rotation, and deprovisioning. The solution analyzes usage patterns to determine which credentials are actively used versus dormant and enforces least privilege principles by analyzing actual NHI usage and recommending permission reductions. It also detects orphaned credentials lacking proper ownership and provides basic risk scoring that prioritizes high-exposure credentials.
Segura is classified as an Outperformer due to its biweekly release cadence, practical AI-powered IaC remediation, customer cocreation through the Build With Us program, a 40% improvement in scanning performance, and an aggressive roadmap.
Opportunities
Cloud Entitlements has room for improvement in a few decision criteria, including:
AI-enabled anomaly detection: The solution analyzes cloud provider logs across dimensions, including geolocation irregularities, IP reputation changes, temporal anomalies, and user behavior patterns. This provides real-time alerts for privilege escalation and dormant account reactivation. However, it operates with rule-based detection rather than ML models (with AI capabilities planned for 2026). It lacks individual behavioral baselines derived from supervised or unsupervised algorithms, as well as UEBA.
Compliance and identity governance: Cloud Entitlements provides continuous monitoring, automatically assessing configurations against GDPR, HIPAA, ISO 27001, PCI-DSS, and SOC 2 frameworks. It generates scheduled compliance reports with detailed findings. Nevertheless, it lacks automated audit evidence collection, predeployment validation that blocks noncompliant configurations, immutable cryptographic audit trails, and compliance trend analytics.
JIT access: The solution implements a self-service portal that enables temporary elevated permission requests via automated approval routing, real-time provisioning with automatic expiration, activity tracking, detailed audit trails, and integration with identity providers and Jira ticketing systems. Nevertheless, it lacks automation to analyze request patterns for policy-based auto-approval, dynamic adjustment of expiration durations based on historical completion times, session monitoring to enable intelligent extension or early revocation, and JEA to grant specific permissions.
Purchase Considerations
Cloud Entitlements employs all-inclusive pricing, eliminating extra costs for API queries, log storage, and per-user fees. Its Free Community Plan provides unlimited access to core features for limited identities with no time limits, enabling risk-free evaluation before financial commitment. The Build With Us program offers a free one-year evaluation, early access to features, and direct product team engagement. Cloud Entitlements can be licensed independently from the broader Segura 360º Privilege Platform, providing flexibility for organizations focused specifically on cloud entitlement management.
Cloud Entitlements deploys exclusively as SaaS, although the broader Segura Identity Platform supports cloud and on-prem options for other modules. Organizations can evaluate capabilities in Sandbox Mode, which features randomized data. Migration complexity depends on existing identity infrastructure, and organizations already using Segura PAM benefit from unified platform integration. Customers should consider that advanced ML capabilities are roadmap items scheduled for 2026 and are not currently available.
Use Cases
Cloud Entitlements addresses a broad range of use cases, including cloud security posture management with identity-centric risk assessment, and compliance and audit readiness for SOC 2, ISO 27001, PCI DSS, and HIPAA frameworks. It also addresses human identity governance covering the employee lifecycle from onboarding to offboarding, incident response and remediation with automated workflows, and least privilege enforcement and optimization through continuous discovery and automated rightsizing. The solution also provides NHI security, managing service accounts, API keys, and workload identities across multicloud environments.
Tenable: Tenable CIEM
Solution Overview
Founded in 2002, Tenable provides exposure management solutions, specializing in vulnerability management and cloud security. Tenable acquired Vulcan Cyber (exposure management and remediation optimization) in January 2025 and Apex Security (AI attack surface protection) in May 2025. In October 2023, Tenable completed the acquisition of Ermetic, integrating CIEM capabilities into Tenable Cloud Security, part of the Tenable One exposure management platform.
Tenable CIEM operates within a unified CNAPP architecture that integrates CIEM with CSPM, CWP, DSPM, and AI-SPM capabilities across AWS, Azure, GCP, and OCI. Core components include continuous entitlement discovery, cross-cloud permission normalization, automated least privilege policy generation, and JIT access provisioning. Key features include access-level evaluation (classifying public, external, cross-account, internal, and trusted external permissions), behavioral anomaly detection with baseline learning, compliance framework mapping, and one-click remediation. Key differentiators include AI-driven blast radius prioritization that correlates identity risks with misconfigurations and vulnerabilities, cross-platform JIT workflows spanning cloud providers and identity providers, and exposure management integration providing contextualized risk assessment beyond traditional flat permission inventories.
Tenable takes a general approach to CIEM, incrementally improving existing features through monthly enhancements, such as automated single sign-on (SSO) remediation and enhanced Slack JIT integration, while innovating with early DSPM and AI-SPM integration.
Tenable is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the CIEM Radar.
Strengths
Tenable CIEM scored well on several decision criteria, including:
JIT access: The solution provides cross-platform JIT capabilities spanning AWS, Microsoft Azure, GCP, and identity providers, including AWS Identity Center, Google Workspace, Okta, and OneLogin, with automated conversion of least privilege policies into JIT eligibility policies. It implements configurable approval workflows with auto-approval, justification requirements, multilevel reviewers, time-bound automatic revocation, an API-first architecture for CI/CD integration, and seamless Slack and Microsoft Teams collaboration workflows, allowing request submission and approval tracking.
Lifecycle entitlements governance: Tenable CIEM continuously monitors entitlements across multicloud and hybrid environments with unified visibility into human and nonhuman identities, including creation ownership, usage tracking, and federated identity provider correlation. It provides enhanced Microsoft Entra ID PIM group eligibility support, OCI dynamic group membership mapping, automated compliance assessment against regulatory frameworks, complete audit trails with SIEM integration, and continuous permission evaluation, detecting excessive privileges with automatic remediation recommendations.
Self-service access management: The solution offers context-aware self-service portals that allow users to access only pre-eligible resources based on group, resource, and user mapping, with integrated chat-based workflows via Microsoft Teams and Slack. It enforces dynamic policy-based controls, including duration limits, justification requirements, multistage approvals, selective revocation of recurring requests, automatic access expiration without manual intervention, comprehensive audit trails, and API support for custom portal integration.
Tenable is classified as an Outperformer due to monthly product enhancements, including automated SSO remediation and enhanced JIT workflows, early integration with DSPM and AI-SPM, and an aggressive roadmap to deliver AI-driven ITDR.
Opportunities
Tenable CIEM has room for improvement in a few decision criteria, including:
Cloud identity threat detection and response: The solution monitors identity systems and access patterns across AWS, Microsoft Azure, GCP, and OCI, detecting anomalous behaviors such as credential misuse, privilege escalation, and reconnaissance activity using baseline-learning algorithms. However, it lacks advanced ML models with ensemble algorithms, deep learning architectures, graph-based anomaly detection, and automated orchestrated response capabilities. Its enhanced AI-driven ITDR is explicitly on the roadmap for 2026 but is not currently available.
AI-enabled anomaly detection: Tenable CIEM generates near-real-time findings by leveraging baseline learning to detect anomalies across entitlement changes, permission escalations, and reconnaissance activities, producing alerts that combine API data and behavioral deviation identification. However, it employs rule-based heuristic approaches rather than sophisticated ML with ensemble algorithms, neural networks, or UEBA. Its AI capabilities for monitoring are listed as 2026 roadmap enhancements.
AI runtime policy enforcement: The solution provides automated least privilege policy generation, one-click remediation, and JIT access workflows with automatic revocation. It also provides continuous permission evaluation enabling deterministic policy enforcement across multicloud environments. However, it does not offer AI-driven runtime policy enforcement. According to Tenable, AI-active enforcement creates operational risk due to insufficient accuracy, with the company preferring deterministic, predictable logic for responses and enforcement.
Purchase Considerations
Tenable CIEM uses asset-based pricing that scales with deployment size, offering built-in economies of scale as volume increases. Cloud instances, containers, IaC, and identities convert at 5:1 ratios, while servers and network devices convert at 1:1, enabling predictable budgeting across hybrid environments. Customers can dynamically allocate asset capacity across different asset types as environments evolve. Pricing is not publicly available and requires custom quotes based on billable resources.
Tenable CIEM deploys as SaaS with FedRAMP authorization available for government customers, requiring no on-prem infrastructure for cloud monitoring, while supporting agent-based integration for hybrid Active Directory environments. Professional services include dedicated solution architects, weekly implementation meetings, ongoing support post-deployment, and purchasable dedicated hours for advanced training. Organizations should consider multicloud complexity, existing identity provider integrations, and planned 2026 AI-driven ITDR capabilities when evaluating timelines.
Use Cases
Tenable CIEM addresses a broad range of use cases, including automated least privilege policy generation with resource-level conditions, behavioral anomaly detection for privilege escalation and reconnaissance activity, and compliance framework mapping. It also addresses automated regulatory assessment, cross-platform JIT access provisioning with automatic revocation, data exposure correlation through integrated DSPM capabilities, lifecycle entitlements governance for human and nonhuman identities, and multicloud permission normalization. Additionally, the solution provides effective access evaluation, third-party vendor access monitoring and control, and toxic combination identification across AWS, Microsoft Azure, GCP, and OCI environments with unified visibility and remediation workflows.
Wiz: Wiz for CIEM*
Solution Overview
Founded in January 2020, Wiz specializes in agentless multicloud security across AWS, Azure, and GCP. Wiz for CIEM is integrated into Wiz’s CNAPP platform. Wiz acquired Gem Security (cloud threat detection) in March 2024 and launched Wiz Defend in December 2024. Google announced its acquisition of Wiz in March 2025, with a pending 2026 closing.
Wiz for CIEM uses a graph-based architecture powered by AWS Neptune's Security Graph to correlate identities, permissions, vulnerabilities, and data exposure across multicloud environments. Core components include the CIEM Explorer for querying entitlements, the NonHuman Identities Dashboard for service account visibility, and agentless scanners for continuous discovery. Key features include attack path analysis, automated least privilege policy generation, behavioral anomaly detection, cross-cloud effective permissions calculation, and runtime monitoring via Wiz Defend. Key differentiators include AI-driven SecOps agents for automated threat investigation, correlation with DSPM for data access governance, and unified CNAPP integration, eliminating siloed point solutions.
Wiz takes a general platform approach to CIEM, innovating with quarterly releases to add emerging features, including AI-powered SecOps agents, attack surface management, generative AI remediation, and Microsoft 365 integration.
Wiz is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the CIEM Radar.
Strengths
Wiz for CIEM scored well on a number of decision criteria, including:
Cloud identity threat detection and response: The solution continuously monitors authentication systems and access patterns using behavioral analytics. It establishes user baselines and detects anomalies, such as privilege escalation and unusual resource access. The Security Graph correlates identity events across systems with real-time threat detection, providing investigation dashboards with blast radius analysis and semiautomated response actions, including account quarantine and session termination, subject to administrator approval.
Granular policy visibility and control: Wiz for CIEM calculates effective permissions by resolving policy evaluation logic, including explicit allows, denies, permission boundaries, resource-based policies, SCPs, RCPs, and ACLs across cloud platforms. The Security Graph provides attack path analysis showing privilege escalation chains, while the CIEM Explorer enables custom entitlement queries. IaC scanning integrates with CI/CD pipelines for deployment policy validation, preventing noncompliant configurations.
Identity threat detection and response integration: The solution provides API integration with SIEM platforms (including Panther, QRadar, Splunk, and Sentinel), enabling automated event forwarding and correlation rules combining security posture with logs. It enriches CIEM findings through Wiz Defend threat detection, generates alerts combining entitlement context with security events, and supports investigation workflows presenting unified identity risk views through audit trails.
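The effective-permission calculation described under granular policy visibility above (resolving explicit allows and denies, permission boundaries, resource-based policies, and SCPs into one answer) is the core of any CIEM entitlement engine. The following is an added illustration, not Wiz's code or any vendor's algorithm: a deliberately simplified, AWS-style evaluator in which an explicit deny in any layer wins, attached SCPs and a permissions boundary must each allow the action, and an identity policy or same-account resource policy must grant it. It handles only Effect, Action, and Resource (no NotAction, conditions, or cross-account rules), and every policy and ARN in it is constructed sample data.

```python
"""Simplified effective-permission evaluator (hypothetical, AWS-style).

Decision order modelled here (a simplification of the real cloud logic):
  1. an explicit Deny in any applicable policy layer wins;
  2. if SCPs are attached, one of them must Allow;
  3. if a permissions boundary is set, it must Allow;
  4. an identity policy or a same-account resource policy must Allow;
  5. otherwise the request is implicitly denied.
Only Effect/Action/Resource are handled; NotAction, conditions and
cross-account rules are out of scope.
"""
import re


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    action_hit = any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
    resource_hit = any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit


def _layer_decision(policies: list, action: str, resource: str):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy layer."""
    allowed = False
    for doc in policies:
        for stmt in doc.get("Statement", []):
            if _statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit deny short-circuits the layer
                allowed = True
    return "Allow" if allowed else None


def effective_access(action, resource, identity_policies, resource_policy=None,
                     boundary=None, scps=None):
    """Resolve one (action, resource) pair to ('Allow' | 'Deny', reason)."""
    layers = {
        "identity": _layer_decision(identity_policies, action, resource),
        "resource": _layer_decision([resource_policy] if resource_policy else [], action, resource),
        "boundary": _layer_decision([boundary] if boundary else [], action, resource),
        "scp": _layer_decision(scps or [], action, resource),
    }
    denied_by = [name for name, decision in layers.items() if decision == "Deny"]
    if denied_by:
        return "Deny", "explicit deny in " + ", ".join(denied_by) + " policy"
    if scps and layers["scp"] != "Allow":
        return "Deny", "not allowed by any SCP"
    if boundary and layers["boundary"] != "Allow":
        return "Deny", "outside permissions boundary"
    if layers["identity"] == "Allow" or layers["resource"] == "Allow":
        source = "identity" if layers["identity"] == "Allow" else "resource"
        return "Allow", f"granted by {source} policy"
    return "Deny", "implicit deny (no matching Allow)"


def effective_permissions(candidates, **policy_layers):
    """Map each candidate (action, resource) to its decision: the effective permission set."""
    return {action: effective_access(action, resource, **policy_layers)
            for action, resource in candidates}


def demo():
    # Constructed sample policies and ARNs (not from any real account).
    identity = [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}]
    boundary = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
    scps = [{"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ]}]
    bucket_policy = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                    "Resource": "arn:aws:s3:::payroll-reports/*"}]}
    bucket, obj = "arn:aws:s3:::payroll-reports", "arn:aws:s3:::payroll-reports/q1.csv"
    candidates = [("s3:GetObject", obj), ("s3:PutObject", obj), ("s3:ListBucket", bucket),
                  ("s3:DeleteBucket", bucket), ("iam:PassRole", "arn:aws:iam::123456789012:role/deploy")]
    return effective_permissions(candidates, identity_policies=identity,
                                 resource_policy=bucket_policy, boundary=boundary, scps=scps)


if __name__ == "__main__":
    for action, (decision, reason) in demo().items():
        print(f"{action:16} {decision:5} {reason}")
```

The sample shows why a flat permission inventory misleads: the identity policy alone says `s3:*`, yet the boundary strips writes, the SCP explicitly denies bucket deletion, and only reads and lists survive as effective permissions. Real evaluators must also handle conditions, NotAction/NotResource, and cross-account trust, which this sketch omits.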
Opportunities
Wiz for CIEM has room for improvement in the following decision criteria:
AI-enabled anomaly detection: The solution implements ML models that establish individual user behavioral baselines across access patterns, geographic locations, resource utilization, and temporal patterns. It automatically detects deviations, including privilege escalations, lateral movement, and dormant account activations. However, the solution lacks ensemble ML models that combine algorithms such as neural networks or random forests, as well as dedicated UEBA for insider threats, automated baseline recalibration to distinguish behavioral drift from threats, and contextual enrichment with HR data or project assignments.
JIT access: Wiz for CIEM emphasizes JIT access principles in its security guidance and integrates with partner solutions (such as CyberArk) to implement ZSP through combined CIEM visibility and privileged access management capabilities. However, it provides no native self-service access request portals, approval workflow routing, automated time-bound credential provisioning, expiration mechanisms, or emergency break-glass procedures. It also provides no request-tracking interfaces, so JIT access functionality requires third-party integrations.
Lifecycle entitlements governance: The solution continuously monitors dormant accounts that show no activity beyond defined periods, detects orphaned permissions when accounts are deleted while resources remain accessible, and maintains comprehensive audit trails that link identity changes to business context. However, it lacks automated provisioning workflows, account creation with role-based permissions, HR system integration that triggers deprovisioning upon termination, periodic access review campaigns for manager certification, and automated role-based entitlement adjustments during organizational changes.
Purchase Considerations
Wiz for CIEM uses consumption-based pricing calculated by workload counts across cloud environments, with tiered service levels, including Essential and Advanced offerings, providing different feature sets. Pricing is available through AWS Marketplace, with custom enterprise agreements requiring direct vendor contact for detailed quotes. Organizations should budget for the full CNAPP platform, as CIEM is integrated rather than standalone, with costs scaling based on total cloud workloads monitored rather than through per-identity licensing models used by traditional identity governance solutions.
Wiz deploys as an agentless SaaS solution that requires only cloud API connector configuration, enabling rapid deployment in minutes without agent installation or infrastructure changes. Migration complexity is minimal due to read-only cloud access, though organizations should plan Security Graph learning periods for establishing behavioral baselines. Proof-of-concept capabilities include immediate multicloud discovery with FedRAMP High availability for government requirements. With closing scheduled in 2026, customers should evaluate the pending Google acquisition's impact on the roadmap, pricing, and support structures before making long-term commitments.
Use Cases
Wiz for CIEM addresses a broad range of use cases, including attack path analysis that reveals privilege escalation chains, automated least privilege policy generation, and cloud identity threat detection with behavioral analytics. It also addresses compliance monitoring across regulatory frameworks; data access governance combining entitlements with data classification; multicloud entitlement visibility across AWS, Microsoft Azure, and GCP; and NHI security for service accounts and API keys. The solution also offers orphaned permission detection after account deletion, permission rightsizing based on actual usage patterns, and runtime threat detection through integrated Wiz Defend capabilities.
Zscaler: Zscaler Posture Control*
Solution Overview
Founded in 2007, Zscaler provides cloud security through its Zero Trust Exchange platform, specializing in SASE and zero trust access. Zscaler acquired Red Canary (managed detection and response) in August 2025 and SPLX (AI security and red teaming) in November 2025. In June 2022, the company launched Posture Control, an integrated CNAPP platform with CIEM functionality for securing cloud-native applications.
Zscaler Posture Control delivers agentless CIEM via its cloud-native CNAPP architecture, built on the Zero Trust Exchange platform, which processes 500 trillion daily security signals. Core components include CIEM for entitlement analysis, CSPM for configuration management, DSPM, IaC scanning, and workload protection across AWS, Azure, and GCP. Key features encompass AI-powered data classification spanning more than 200 categories, automated remediation workflows with rollback capabilities, cross-cloud risk correlation identifying toxic permission combinations, generative AI prompt inspection and policy enforcement, Smart Groups ML using genetic algorithms and K-means clustering, and compliance mapping to CIS, GDPR, ISO, NIST, PCI DSS, and SOC2 frameworks. Primary differentiators include pioneering AI security posture management for model discovery and governance, integrated zero trust enforcement leveraging existing platform telemetry, and comprehensive CNAPP unification, eliminating siloed security tools through unified data models and policy engines.
Zscaler takes a general platform approach to CIEM, innovating to add emerging features such as AI-SPM, AI-powered data classification, generative AI protections, and integrated CNAPP capabilities across cloud-native workloads and serverless environments.
Zscaler is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the CIEM Radar chart.
Strengths
Zscaler Posture Control scored well on a number of decision criteria, including:
Automated least privilege: The solution implements continuous usage pattern analysis, tracking actual permission utilization at the individual action level. This is done through Smart Groups technology that learns organizational infrastructure and permission patterns based on hundreds of parameters using genetic algorithms and K-means clustering. It provides semiautomated remediation workflows in which administrators approve suggested changes implemented via cloud provider APIs. Its IaC integration enables policy adjustments across AWS, Microsoft Azure, and GCP environments while maintaining rollback capabilities.
Lifecycle entitlements governance: Zscaler Posture Control provides basic entitlement lifecycle management through continuous monitoring that detects dormant accounts with no activity beyond configurable thresholds. It also identifies orphaned permissions that lack proper ownership after account deletions. The solution maintains comprehensive audit trails that capture permission changes and policy modifications with contextual information. However, it requires manual access review processes and lacks automated HR system integration for provisioning, deprovisioning, and scheduled certification campaigns that would enable systematic governance throughout identity lifecycles.
Granular policy visibility and control: The solution delivers real-time visibility into access policies across AWS, Microsoft Azure, and GCP with permission-level granularity, calculating effective permissions by analyzing evaluation logic, including resource policies and roles to uncover risky access paths. It enables custom security policy creation using template builders with more than 400 configurable policies and provides continuous compliance monitoring against CIS, GDPR, ISO, NIST, PCI DSS, and SOC2 frameworks. It also implements risk-scored findings prioritizing violations while offering interactive graphical views of infrastructure relationships.
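The lifecycle governance checks that recur across the capsules above (dormant accounts with no activity beyond a threshold, orphaned permissions lacking an accountable owner, and identity drift relative to a role baseline, as described for Segura, Wiz, and Zscaler) reduce to a small audit loop over an identity inventory. The block below is an added example, not any vendor's implementation; the identity records, role baselines, HR directory, and timestamps are all constructed sample data, and the 90-day dormancy window is an assumed default.

```python
"""Entitlement lifecycle hygiene checks (hypothetical example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Identity:
    name: str
    kind: str                        # "human", "service_account" or "access_key"
    owner: Optional[str]             # accountable person; None if nobody is recorded
    role: str                        # job/function role that selects the baseline
    entitlements: Set[str]           # currently granted actions
    last_used: Optional[datetime]    # None: never observed in activity logs


@dataclass
class Finding:
    identity: str
    category: str                    # "dormant", "orphaned" or "drift"
    detail: str


def audit_entitlements(identities: List[Identity], hr_active: Set[str],
                       baselines: Dict[str, Set[str]], now: datetime,
                       dormant_days: int = 90) -> List[Finding]:
    """Run the three lifecycle checks over an inventory and return findings."""
    findings: List[Finding] = []
    threshold = now - timedelta(days=dormant_days)
    for ident in identities:
        # Dormant: no observed use inside the window; never-used credentials count too.
        if ident.last_used is None or ident.last_used < threshold:
            age = ("never used" if ident.last_used is None
                   else f"last used {(now - ident.last_used).days} days ago")
            findings.append(Finding(ident.name, "dormant", age))
        # Orphaned: no recorded owner, or the owner is no longer active in HR.
        if ident.owner is None or ident.owner not in hr_active:
            findings.append(Finding(ident.name, "orphaned", f"owner={ident.owner!r} not active"))
        # Drift: anything granted beyond the role baseline is a rightsizing candidate.
        extra = sorted(ident.entitlements - baselines.get(ident.role, set()))
        if extra:
            findings.append(Finding(ident.name, "drift", "beyond baseline: " + ", ".join(extra)))
    return findings


def demo() -> List[Finding]:
    # Constructed inventory: two employees, one CI service account, one stray access key.
    now = datetime(2026, 2, 25, tzinfo=timezone.utc)
    baselines = {
        "developer": {"s3:GetObject", "ec2:DescribeInstances"},
        "deployer": {"ecs:UpdateService", "ecr:GetDownloadUrlForLayer"},
    }
    hr_active = {"alice", "bob"}          # "carol" has left the organization
    identities = [
        Identity("alice", "human", "alice", "developer",
                 {"s3:GetObject", "ec2:DescribeInstances", "iam:CreateUser"},
                 now - timedelta(days=5)),
        Identity("bob", "human", "bob", "developer", {"s3:GetObject"}, now - timedelta(days=1)),
        Identity("ci-deployer", "service_account", "carol", "deployer",
                 set(baselines["deployer"]), now - timedelta(days=147)),
        Identity("legacy-key", "access_key", None, "deployer", {"ecs:UpdateService"}, None),
    ]
    return audit_entitlements(identities, hr_active, baselines, now)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.identity:12} {f.category:9} {f.detail}")
```

Run against the constructed inventory, the loop flags alice's out-of-baseline `iam:CreateUser` as drift, the CI service account as both dormant and orphaned once its owner leaves, and the never-used access key on both counts, while bob produces no findings. Feeding real data means joining cloud-provider last-used metadata with an HR feed, which is exactly the integration the capsules single out as a differentiator.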
Opportunities
Zscaler Posture Control has room for improvement in a few decision criteria, including:
JIT access: The solution provides Security Assertion Markup Language (SAML)-based JIT user provisioning for platform authentication, automatically creating accounts when users authenticate through identity provider integration. However, it lacks dedicated JIT capabilities for temporary cloud resource permissions, including self-service portals, automated approval workflows, time-bound expiration mechanisms, session monitoring, and ticketing integration. It also lacks audit trails linking temporary access grants to business justifications and compliance requirements.
Automated remediation and rightsizing: Zscaler Posture Control provides continuous monitoring and detects over-provisioned permissions. It generates contextualized recommendations with guided workflows and supports semiautomated remediation, allowing administrators to approve corrections implemented via APIs or IaC with rollback capabilities. Nevertheless, it requires manual approval for most actions rather than automated, risk-based remediation. The solution lacks ML-optimized remediation timing and provides only limited proactive CI/CD policy injection to prevent overprovisioning at deployment.
Compliance and identity governance: The solution implements continuous monitoring, automatically assessing compliance against CIS, GDPR, ISO, NIST, PCI DSS, and SOC2 frameworks. It generates scheduled reports and maintains comprehensive audit trails that capture permission changes. However, it lacks automated evidence collection for regulatory audits, predictive analytics, or ML-enhanced assessments, and it cannot prevent noncompliant configurations at predeployment gates.
Purchase Considerations
Zscaler Posture Control operates on a per-user, per-year subscription model with pricing determined through sales negotiations based on user count, selected products, contract length, and volume discounts. It offers a 30-day free trial with limited functionality. Premium support tiers are available at an additional cost, and technical account manager coverage is strongly recommended for medium- to large-scale deployments. Pricing details are not publicly available, requiring an extensive sales engagement to obtain accurate cost estimates specific to deployment requirements.
Zscaler Posture Control deploys exclusively as SaaS, using agentless API connections to AWS, Azure, and GCP environments, eliminating infrastructure installation but requiring cloud security expertise to maximize value. Migration involves connecting cloud accounts via provider APIs without disrupting workloads. The platform integrates with the broader Zero Trust Exchange, potentially requiring additional Zscaler products for comprehensive functionality. Customer reviews indicate variable performance with occasional slowdowns, suggesting PoC evaluation before commitment to validate scalability for specific organizational requirements and workload characteristics.
Use Cases
Zscaler Posture Control addresses a broad range of use cases, including AI security posture management for model governance and cloud security posture management across AWS, Azure, and GCP. It also addresses compliance monitoring against CIS, GDPR, ISO, NIST, PCI DSS, and SOC2 frameworks; container and Kubernetes security with agentless scanning; data security posture management with AI-powered classification; generative AI prompt inspection and policy enforcement; and IaC security validation in CI/CD pipelines. It provides multicloud entitlement visibility and correlation, permission rightsizing through usage analysis, serverless function security, and zero trust architecture integration.
6. Analyst’s Outlook
The CIEM market is experiencing exponential growth as organizations manage identities and permissions across multicloud environments. The market is shifting decisively toward integrated cloud-native application protection platforms (CNAPP) that combine CIEM with CSPM, CWPP, and CDR, and away from standalone solutions. Major themes include AI-driven automation, identity threat detection and response (ITDR), zero trust enforcement, and self-service access management.
Market Evolution
Organizations recognize that standalone CIEM solutions lack the contextual visibility required for modern cloud security. Mature CNAPP platforms now integrate CIEM with API security, DSPM, AI-SPM, and attack path visualization. The market shows accelerated demand for agentic AI capabilities for autonomous remediation, Kubernetes identity management (KIEM), and identity security controls for AI workloads.
Understanding the Buyer Journey
The CIEM buyer journey involves multiple stakeholders and requires evaluation of organizational maturity and cloud security architecture:
Awareness: Identify gaps in cloud access governance and quantify risks posed by overprivileged identities and toxic permission combinations.
Discovery: Map identity management challenges and research integrated CNAPP versus standalone CIEM approaches.
Learning: Evaluate AI-driven analytics, Kubernetes support, self-service portals, and integration capabilities.
Selection: Conduct PoC testing focused on automated remediation, attack-path visualization, and TCO.
Implementation: Execute phased rollouts with metrics to reduce privileges and improve compliance.
Making the Right Choice: Standalone vs. Integrated
Organizations must consider several critical factors when choosing between standalone CIEM and integrated platforms. The decision should be based on:
Cloud security maturity: Assess whether you need comprehensive cloud-native protection or targeted identity governance, as CNAPPs provide unified visibility across configuration, workload, identity, and runtime risks.
Scale and complexity: Evaluate your multicloud footprint, including AWS, Azure, GCP, Oracle Cloud, regional providers, Kubernetes clusters, and AI infrastructure.
Identity ecosystem: Determine coverage requirements for human identities, machine identities, service accounts, NHIs, and federated access.
Compliance needs: Evaluate support for SOC 2, NIST, CIS Benchmarks, GDPR, and industry-specific regulations with automated reporting.
Essential Capabilities and Features
To ensure a CIEM solution meets organizational needs, security teams should focus on specific capabilities and features that align with their security objectives. These include:
Comprehensive cloud coverage: Support for major CSPs, Kubernetes, containers, and unified policy management
AI-driven threat detection: ML-powered anomaly detection, identity behavioral analysis, toxic combination identification, and ITDR capabilities
Automated remediation: Automated workflows for privilege rightsizing, self-service portals for JIT access, and policy enforcement with governance guardrails
Attack path visualization: Graphical representation of effective permissions, multi-hop access paths, and contextualized risk scoring
Integration ecosystem: Native connectivity with IAM platforms, SIEM/SOAR tools, ticketing systems, and collaboration platforms
Emerging capabilities: Kubernetes RBAC management, AI workload identity security, NHI governance, and agentic AI for autonomous operations
Call to Action
As cloud environments become increasingly complex and identity-based threats evolve, implementing a robust CIEM solution, whether standalone or integrated within a CNAPP, is essential. Act now to gain visibility into cloud entitlements, automate least privilege enforcement, and ensure continuous compliance. The choice between standalone and integrated CIEM solutions will significantly impact your security posture, operational efficiency, and ability to scale. As such, the decision should be approached strategically.
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Ivan McPhee
Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.
An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2026 "GigaOm Radar for Cloud Infrastructure Entitlement Management (CIEM)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.