In an interview with CRN, SailPoint CEO Mark McClain also discusses the implications of AI-powered vulnerability discovery, in the wake of Anthropic’s disclosure about Claude Mythos Preview capabilities.
The rising adoption of AI agents in the workforce is driving a massive boost in demand for identity security as organizations digest the fact that many of their core practices around identity and privileges are falling short for existing human users—issues that will only be exacerbated with the usage of agents, according to SailPoint founder and CEO Mark McClain.
Identity security powerhouse SailPoint has heard from countless customers that have recognized they are in “huge trouble” if their employees begin using agents, since those agents are typically dependent on existing identities and privileges that are not themselves secured, McClain said in an interview with CRN.
[Related: The 20 Hottest AI Cybersecurity Companies: The 2026 CRN AI 100]
Whether agents will ultimately multiply the number of identities by 10-fold or even 100-fold—the estimates vary—“it’s a lot more than the humans,” he said. “And most companies feel today they’re not very good at the humans.”
As a result, “the demand we’re feeling on this topic is amazing,” McClain said. “It certainly feels like the tailwind is picking up.”
McClain also discussed the implications of AI-powered vulnerability discovery, in the wake of Anthropic’s disclosure earlier this month about the effectiveness of its unreleased Claude Mythos Preview model. The security industry has signaled that a potentially unprecedented spike in cyberattacks from the use of similar capabilities by threat actors could be coming in the near future.
“If an AI system can try a million permutations in seconds and go, ‘Wow, I found a 19-step path here through to that code,’ that’s what [experts] are saying is so frightening,” McClain said. “It massively decreases the friction of trying all these things to figure out one of those really complex paths through the code to exploit the code.”
What follows is more of CRN’s interview with McClain.
How is the rise of agentic changing the way that identity and security are managed?
One of the things we’re articulating more and more—and it’s certainly being driven by agentic AI—is the connection or collaboration between the identity core and the traditional security core. Nobody was talking about it a lot. In some ways, these things have sort of been independent islands. You had the SOC [Security Operations Center] and it’s looking for patterns and needles in haystacks and signal from noise. One of the dark secrets was, with a whole lot of that stuff, the root cause ended up being an identity problem. And they had no visibility to identity. They’d have to get up from the desk, proverbially, and walk over to the identity group and go, “Hey, I see this thing going on. I don’t know who or what this is.” Then they do the cross-reference to figure out, “Oh, that laptop that’s acting funny is Kyle’s laptop. Why does Kyle’s laptop show that it’s in China? I know Kyle was at his desk yesterday.” That’s where you had to get the cross-referencing of the identity with all the security stuff. We now are seeing ourselves more integral to that broader security story. Therefore, working with partners who have that broader security perspective feels really smart. They’re going to come in with a level of understanding of the rest of that security ecosystem that, frankly, our guys haven’t had to deal with as much. So we’re wanting our teams to collaborate with [partner] teams like that—that really deal with the broader security problem in the customer’s mind. Because, now we see we’re going to get pulled more and more—especially in the world of agentic—to say, “You’ve got to map what you’re seeing in the network or the device or wherever with what you understand about identity.” That’s a super important integration, I think, that is really picking up steam.
What do you see as some of the biggest implications of AI-powered vulnerability discovery, in the wake of the disclosure about Claude Mythos?
[Former CISA director] Jen Easterly was commenting that one of the things she thinks will come out of this noise around Mythos is, to the effect of, we’ll finally do what we said we [would do], which was secure by design. Maybe you just shouldn’t even release software into the world that’s insecure, that has to be patched. Maybe Mythos finally forces people to say, “Wait, I can’t even put this software out there if I’m not very confident it doesn’t have a bunch of vulnerability holes that can be exploited.”
With AI technology now, we’re really going to have to get serious about [this issue]. You can’t release stuff out there that’s not fundamentally very secure. There are still going to be attempts to go around it, hack it. All of that’s about vulnerability and code, which really isn’t identity. Identity is, can I get to it? But I think that’s an interesting reaction to Mythos—this may actually force the software development community, across applications and customers, to get way more buttoned up about not releasing code that’s got vulnerabilities in it. And I’m like, that’s all great, but that still doesn’t solve this problem of identity and what we’re doing. But it just keeps pulling the topic of security into the core.
We’ve already been seeing lots of LLM usage by attackers, but it seems like the reaction to Mythos suggests we haven’t seen too much yet in terms of the amount of AI-powered vulnerability exploits out there?
Yes, I think that’s right. What’s been challenging for bad actors is, sometimes to break into a system, it was like this multi-chain, Rube Goldberg [process]. “I knock the ball over here, it falls in the cup, that causes this to roll down three dominoes.” They’re saying, for a human to figure out all those connection points—to wind their way through that—is pretty hard to do. If an AI system can try a million permutations in seconds and go, “Wow, I found a 19-step path here through to that code,” that’s what [experts] are saying is so frightening. It massively decreases the friction of trying all these things to figure out one of those really complex paths through the code to exploit the code.
It’s super problematic, and therefore [is] a big exposure that we’re all going to need to get focused on closing as an industry. But I would also say, [that’s] not necessarily solving the set of problems we’ve been focused on. That’s why security has always been so complex. There are so many different aspects to it. This is the aspect of, you’ve got to have secure code so you don’t have problems because you weren’t patched. You can be fully patched and still have an identity problem. These are independent but related concepts.
So with all the increased focus on vulnerabilities and exposure management, you’re saying we shouldn’t be taking the eye of the ball on identity and modernizing our approach there?
Defense in depth is still a very good metaphor. At your home, you have a deadbolt. You probably have a camera. You might have a dog. You might have a safe closet or a safe room. There have always been these layers of defense. Nobody thinks, “I’ve got one solid defense mechanism, I’m good.” Most people think, “No, I want to stop different types of problems.” That metaphor is all we’re talking about. You want to write good code. You want to make sure identities are well governed. You want to make sure your device isn’t compromised. Nobody should think that we’re saying in the identity security landscape, “You no longer need network defense or device defense. What we’re saying is, we’ve had that stuff a long time, and it’s not sufficient to stop all the problems. There’s this other dimension we haven’t really been watching, called identity.”
And now agentic is just [increasing] the focus on, “Oh wow, I’ve really got to understand that.” That’s what’s happening. People are recognizing, “I was pretty bad at managing my humans. I’m in huge trouble to manage the multiples of humans that are coming”—whether that’s 10X, 100X, whatever the number is. It’s a lot more than the humans. And most companies feel today they’re not very good at the humans.
What have you seen so far in terms of the demand for helping to secure agents?
Agentic is so top of mind for people. [They] are thinking, there’s so much promise, so much opportunity here with this technology-and very, very clear that there are risks, some of which are not even that well understood yet. Everybody is like, “Wow, this stuff is powerful. Wow, this stuff is scary.” And I think everybody is scrambling to try to match the sense of momentum coming from the business to use this stuff, and [their ability to] counterbalance that. We’re back to the old metaphor of brakes and race cars. I’ve got to have good brakes. People want to go really fast right now. I better have some good brakes. The demand we’re feeling on this topic is amazing. I don’t even know how fast some of this shows up in revenue. I think it’s going to help us over time, for sure. We can’t predict the slope of that curve. But it’s very clear this has become the topic du jour, and people think SailPoint has a voice on this. And we’re getting pulled into a lot of conversations about it. So certainly there’s a sense that with the tailwind we’ve been describing, it feels like it’s showing up. This is going to drive a lot of possible demand. It’s our job to turn it into actual demand and then go capitalize on it. But it certainly feels like the tailwind is picking up.
Once a company starts looking into doing this with you, is it often the case that they’re going to find a lot of the foundational identity work needs to be taken care of?
I think that’s one of the really interesting things that’s evolving right now. There is this sense that people want to go “straight to agentic security.” There’s this concept that there are agents that are attached very clearly to [a user], and there are other agents that will be more autonomous. Today, that’s got some of the most interesting promise—the autonomous idea. [It will be] very slow and careful adoption, because people understand that’s a risk. This is where people are the most cautious. Therefore, we think some of the early wave is going to be more [around] agentic technologies tied to humans. So to your point, we’re telling customers, “Look, we can go straight to agents—but the early agents you use are likely going to be tied to the humans. So you need to understand the human’s access privileges to map that onto the agents acting on their behalf.” Not that that will be the only thing happening in agents. And I think over time we’ll see more of the scary, ephemeral, autonomous “agents of agents” and all the stuff people are talking about. But in the near term, most of the agents are going to be [in the realm of] Cursor and Copilot and ServiceNow and Salesforce agents—which are very clearly adding to my work as an individual person. I’m doing my work, and this agent is supplementing and augmenting my work. That’s why you’re going to have to be able to map that to the human to get the protection of that agent, because it’s going to be tied to that person. It won’t be the only agentic thing we’re doing security for—but in the near term, I think it’s going to be the predominant one.
What would be your message to partners about the challenges and opportunities here?
In the world we’re living in, customers are confused. There’s a lot of noise. There are a lot of claims. So I think partners have the potential to show up as that trusted advisor, to say, “I’ve done the work to understand this part of the landscape. Let me guide you to what I think is needed here and now.” It’s a time when customers, with so much change and confusion, are looking for guides. I think it’s an opportunity for the partner community to figure out who are the vendors they want to get aligned with—that they think are good technology providers and good companies to work with. That’s always important in the world of partnering. These are trusted partners. You want people you can trust in a partnering world. I think that’s the opportunity, for those partners and the vendors they work with coming to customers with guidance—“Let me help you navigate this very confusing, rapidly evolving landscape.”
