The enterprise security industry received a significant signal this week as Cisco announced its acquisition of Astrix Security, a specialist in securing AI agents and application-to-application connections. The move is not just a product expansion — it is an acknowledgment from one of the world’s largest networking companies that non-human identity (NHI) security has become a board-level priority.
The Problem Cisco Is Buying Its Way Into
Modern enterprises run on integrations. OAuth tokens, API keys, service accounts, and AI agent credentials are stitched together across thousands of applications — and almost none of them are managed with the same rigour as human user identities. Astrix Security built its reputation on providing visibility into exactly this attack surface: which non-human identities exist, what they can access, and whether those permissions are still justified.
As AI agents increasingly operate autonomously — reading data, making API calls, and triggering workflows without human intervention — the volume of machine credentials has exploded. Security teams are discovering that an AI agent granted broad API access in a development environment has a nasty habit of retaining that access in production. Astrix Security’s technology addresses this directly, mapping the full lifecycle of NHI credentials and flagging over-privileged or stale connections before they become breach vectors.
Why Cisco and Why Now
Cisco’s acquisition strategy has consistently targeted security gaps in the network-to-application layer. With its existing portfolio spanning network access control, SASE, and identity through Duo, adding Astrix fills a critical blind spot: the connections between applications and AI systems that traverse those networks.
The timing reflects broader market pressure. The NHI security market is projected to exceed 8 billion by 2030, driven by regulatory pressure around credential hygiene, the proliferation of SaaS integrations, and — increasingly — enterprise adoption of agentic AI workflows. Cisco cannot credibly offer a Zero Trust architecture while leaving machine identity security to point solutions.
For IAM practitioners, the acquisition carries a practical implication: NHI security is no longer a niche product category. When Cisco commits to acquiring a specialist in this space, procurement conversations change, vendor evaluations accelerate, and enterprise security budgets follow.
What Security Leaders Should Take Away
The Astrix acquisition reinforces three principles that CISOs should already be acting on. First, every AI agent deployed in your environment is a non-human identity that needs to be inventoried, governed, and rotated on a lifecycle cadence. Second, the OAuth and API key sprawl accumulated over years of SaaS adoption represents a material risk that traditional PAM tools were not designed to address. Third, machine identity attack surface is now a mainstream security category — the window for treating it as a future consideration has closed.
Organisations waiting for their incumbent identity vendor to solve this problem should note that Cisco’s move was an acquisition, not an organic feature build. The market is consolidating around specialists, and the companies with existing NHI programmes will be better positioned to evaluate and absorb those capabilities as they integrate into larger platforms. The Astrix deal is a signal: NHI security and machine identity governance are now enterprise-grade priorities, and the competitive landscape is moving fast.