Security teams used to map the org chart cleanly onto identities. That assumption is quietly breaking.

Identity security was built to govern the humans in your workforce: who they are, what they can reach, when their access should be revoked. A second population has moved in alongside them. AI applications and agents now hold credentials, accumulate permissions, and act on your behalf. None of them is a person.

The market's answer was two product categories: identity security for the humans, AI security for the machines, each sold as a separate problem to a separate owner. They are not separate problems.

The real exposure is the hybrid identity: an AI agent operating with a human's delegated authority. It sits in the gap between the identity team and the AI team. Buy coverage as two products, and that gap is exactly where you have none.

A phished employee and a hijacked agent arrive at the same place: an over-permissioned identity behaving abnormally inside your environment. The attack has the same shape whether the actor has a pulse or not.

You can't pre-write a rule for every human and every agent. You can learn what normal looks like for each identity and catch the deviation.

That's what Attune does: baseline every identity, human or otherwise, and flag the action that breaks the pattern. The deviation is the signal, whether it's a human account or a service account, a phished employee or a hijacked agent.

The teams that stop treating who is acting and what is acting as separate questions are the ones that pull ahead.

See the latest from Abnormal's product and engineering teams.