Zscaler's SquareX Acquisition Targets 40% of Identities Traditional IAM Can't Reach
Zscaler bought browser security firm SquareX to detect identity attacks on unmanaged devices. The move pressures Okta and Microsoft to add endpoint analytics or lose 10-15% share in hybrid work.
Zscaler Forces IAM Vendors to Follow Into the Browser
Zscaler acquired SquareX in February 2026, adding browser-native identity threat detection to its Zero Trust Exchange platform. The target: the 40% of enterprise identities running on BYOD and unmanaged endpoints where traditional IAM platforms from Okta and Microsoft Entra ID have no visibility. SquareX's technology inspects browser sessions in real time, intercepting credential theft and session hijacking attacks before they reach corporate authentication layers.
This creates a problem for pure-play IAM vendors. Traditional multifactor authentication and single sign-on assume control over the device. When employees authenticate from personal laptops or contractor-owned machines, those tools see the login event but miss what happens inside the browser session itself — where attackers increasingly operate. Zscaler now closes that gap by embedding detection at the session layer, independent of device management.
The timing pressures incumbents. Palo Alto Networks acquired CyberArk for $25 billion in 2025, merging privileged access management with network security. CrowdStrike already converged endpoint detection with identity protection. Zscaler's SquareX deal shifts the battleground again — this time to runtime browser behavior. Vendors without browser-layer analytics now face 10-15% market share erosion in hybrid work deployments, where unmanaged devices represent the majority of remote access.
Buyers Get Coverage Without Requiring Device Enrollment
For enterprise buyers, the acquisition solves a deployment problem. Requiring BYOD users to install endpoint agents or enroll devices in mobile device management creates friction, compliance risk, and support costs. Browser-based detection runs without installation, covering contractors, third-party vendors, and employees on personal devices who refuse or cannot enroll.
The cost case: non-human identities — service accounts, API keys, machine credentials — grew 40% year-over-year as of January 2026, now outnumbering human users in most enterprises. Traditional IAM budgets allocate 60-70% to human identity workflows like MFA and provisioning. Zscaler's integrated approach justifies reallocating 15-20% of IAM spend from legacy authentication tools to Zero Trust platforms that cover both human and non-human identities across managed and unmanaged surfaces. That reallocation accelerates as the IAM market grows 24% annually, reaching buyers who previously siloed endpoint, network, and identity budgets.
Delinea Counters with Just-in-Time Access for Machine Identities
Delinea announced plans in March 2026 to acquire StrongDM, a universal access management vendor focused on just-in-time access for DevOps workflows and AI agents. StrongDM replaces static credentials with runtime authorization, granting access only when needed and revoking it immediately after use. The technology addresses the 80+ machine accounts per employee common in cloud-native enterprises, where service accounts proliferate faster than security teams can inventory them.
This move positions Delinea against Saviynt, which raised $700 million to scale its converged identity governance and privileged access platform for AI-era workloads. It also competes with CyberArk under Palo Alto's ownership and passwordless vendors like Beyond Identity, which raised $205 million. The difference: StrongDM eliminates the credential entirely rather than replacing passwords with biometrics or hardware tokens. For machine identities, which cannot use biometrics, just-in-time access reduces breach risk by 30-50% by removing persistent credentials attackers can steal.
The buyer implication centers on compliance. Europe's eIDAS 2.0 regulations mandate data minimization, which just-in-time access satisfies by limiting credential exposure windows to minutes instead of months. European IAM spending rose 10.8% in 2025, driven partly by regulatory preparation. Buyers in regulated industries can justify Delinea-StrongDM deployments on compliance grounds, then extend them to reduce governance overhead for AI agents and DevOps toolchains.
Microsoft Tightens Its Ecosystem Lock with Delinea Partnership
Microsoft added Delinea to the Microsoft Security Store in October 2025, integrating AI-driven governance and machine identity management into Entra Suite. The partnership deepens Microsoft's 25-30% share of the IAM market, offering buyers a single-vendor path for hybrid identity management across on-premises Active Directory and cloud Entra ID environments.
The competitive effect: standalone IAM vendors like Optimal IdM face budget consolidation pressure. When buyers can purchase privileged access, governance, and machine identity controls through existing Microsoft Enterprise Agreements, they avoid multi-vendor contract negotiations and integration projects. This consolidation accelerates in a year when IAM mergers and acquisitions reached $96 billion, reshaping vendor viability. Non-human identities are now the top attack vector according to Context analysts, making machine identity management table stakes rather than a differentiated feature.
What to Watch: Browser Security Becomes the New IAM Battleground
Buyers should evaluate whether existing IAM vendors can add browser-layer detection or if they require a separate Zero Trust platform. The SquareX acquisition signals that identity security extends beyond authentication into session behavior — a capability traditional IAM architectures were not designed to provide. Vendors without browser analytics will either acquire that capability, partner for it, or lose hybrid work deployments to converged platforms.
The Delinea-StrongDM deal indicates just-in-time access will become standard for machine identities, not optional. Buyers managing AI agents or DevOps pipelines should audit how many persistent credentials exist in their environments and calculate the risk reduction from eliminating them. The compliance case strengthens in 2026 as eIDAS 2.0 enforcement begins and US regulators increase scrutiny of data breach notifications involving compromised service accounts.
Microsoft's Delinea partnership shows the midmarket will consolidate IAM spend into existing enterprise agreements when possible. Buyers should model whether single-vendor simplicity offsets best-of-breed functionality gaps, particularly for organizations already committed to Microsoft security tooling.
