IAM Spending Jumped 24% in January as CISOs Prioritize Non-Human Identity Control
Enterprise IAM budgets accelerated 24% year-over-year in January 2026, outpacing broader cybersecurity growth as organizations shift from workforce MFA to governance of AI agents and machine identities.
Enterprise IAM Budgets Surge on Non-Human Identity Risk
Identity and access management spending grew 24% year-over-year in January 2026, nearly triple the 7.5% growth rate for European cybersecurity overall in 2025, according to Context analysts. The acceleration reflects a strategic shift: CISOs now treat identity as the primary security control plane rather than a compliance checkbox, driven by the explosion of machine identities from AI agents and by credential-based attacks that have not slowed despite two decades of password management investment.
The driver is volume. Enterprises now manage an average of 80 machine accounts per employee — API keys, service accounts, bot credentials, AI agent permissions — compared to roughly one human identity per worker. Attackers exploit the governance gap. While workforce MFA adoption exceeds 70% in regulated industries, fewer than 30% of organizations apply equivalent controls to non-human identities, creating an attack surface that scales faster than security teams can audit. The result: IAM budgets are expanding 10-20% beyond workforce tooling to cover secrets management, privileged access for machines, and governance across hybrid cloud environments.
Saviynt's $700 million funding round in early 2026 signals where the market is moving. The company's converged platform handles identity governance and privileged access management for human, AI, and machine identities in a single control plane, positioning it against fragmented tooling from specialists like SailPoint or Ping Identity. Palo Alto Networks' $25 billion acquisition of CyberArk in 2025 — the largest of $96-102 billion in cybersecurity M&A that year — consolidated the IGA and PAM leaders under one vendor, accelerating the shift from point products to platforms. Microsoft Entra ID, Okta, and IBM collectively hold 25-30% market share, but converged challengers are capturing budget from organizations tired of stitching together separate tools for workforce SSO, privileged access, and machine identity governance.
eIDAS 2.0 Forces Architectural Decisions for EU Buyers
The European Union Digital Identity Wallet rollout under eIDAS 2.0 is creating a second pressure point. Regulations now require organizations acting as relying parties to verify user identities via cryptographic proofs from government-issued wallets, minimizing the personal data they store under the EU Data Act. This decentralized architecture competes directly with centralized IAM models from US vendors like Okta and Microsoft, where identity data flows through the provider's infrastructure.
For multinational enterprises, the compliance cost is immediate. Integrating EUDI Wallet verification adds 5-10% to IAM implementation budgets, but the alternative — storing and protecting PII under GDPR with inadequate controls — carries fines reaching 4% of global revenue. RFPs in regulated EU sectors now explicitly favor vendors with EUDI-ready capabilities, shifting competitive dynamics toward European providers or US vendors willing to build sovereign data residency into their platforms. The long-term liability reduction justifies the upfront cost, particularly for financial services and healthcare organizations facing regular audits.
What This Means for Buyers
The 24% spending increase is not hype. It reflects two concrete shifts: the operational reality of managing non-human identities at scale, and the regulatory cost of operating in jurisdictions that reject centralized identity architectures. For North American enterprises, the decision is whether to extend workforce IAM tools to cover machine identities or adopt a converged platform that handles both. The converged approach costs more upfront but eliminates the integration tax of connecting separate IGA, PAM, and secrets management tools.
For EU-based organizations, eIDAS 2.0 compliance is not optional. The question is whether to retrofit existing IAM infrastructure for decentralized verification or replace it with EUDI-native platforms. Early movers are choosing replacement to avoid technical debt, particularly in sectors where identity verification occurs at high volume — banking, telecom, public services.
The funding and M&A activity confirms vendor confidence that IAM growth will continue outpacing broader cybersecurity spending. Enterprises should expect pricing pressure as platforms add AI-native governance features and decentralized architecture support. Budget accordingly: if your IAM spend has been flat for three years, you are likely underinvesting relative to your actual identity attack surface.
