SailPoint buys Entro to secure the credentials behind machine identities across cloud

SailPoint just moved again in the race to secure non-human identities. The identity-security giant based in Austin said it plans to buy Entro, a Tel Aviv startup that finds and protects the credentials, keys, and machine accounts that now swarm through cloud environments. And in what is becoming its own kind of market tell, the companies did not disclose a price.

That missing number matters less than what the purchase itself represents. Non-human identities are the accounts and trust relationships that power automation: systems talking to systems, services authenticating to other services, workloads accessing data, and applications using cryptographic keys. Those credentials and keys are often scattered across cloud consoles, CI/CD pipelines, secrets stores, and infrastructure tooling. If you cannot locate what you have, you cannot reliably govern what you are exposing. By aiming its acquisition at exactly that inventory-and-protection layer, SailPoint is essentially choosing the problem that shows up after breaches, audits, and outages, not the one that lives neatly in an access request form.

This deal also lands in the middle of a broader identity scramble that is no longer just about humans logging in. Traditional identity and access management has spent years centering users: authentication, authorization, lifecycle controls, and the stuff that auditors can point at. But as enterprises adopt more cloud services, more automation, and more inter-service communication, the “who” expands. Every machine identity becomes a potential authorization path. If a credential leaks, if a key is over-privileged, or if a machine account persists long after it should be retired, it can turn an otherwise well-run environment into an attacker’s playground.

Entro’s framing is telling because it is not centered on end-user behavior. The company is described as finding and protecting credentials, keys, and machine accounts. In practical terms, that suggests an approach aimed at discovery and safeguarding, which is the foundation for things like reducing blast radius, tightening access policies, rotating and managing secrets, and keeping inventory aligned with reality. When the target is “credentials, keys and machine accounts,” the security job shifts from “approve the user” to “control the trust artifacts that never sleep.”

For SailPoint, the acquisition also fits a strategic pattern that identity-security buyers tend to follow: expand from identity governance to broader coverage of access pathways. Even if the source does not spell out the integration plan, deals like this typically aim to close gaps between policy, enforcement, and visibility. If your governance tooling is strong but your organization cannot accurately map non-human credentials and keys to what is actually running, you end up with governance theater. An acquisition built around discovery and protection can turn that theater into an enforcement system, or at least set the stage for one.

Then there is the capital markets and deal-timing angle. The reporting notes this was the companies’ “second deal of the day,” which signals how fast identity security is consolidating around non-human access. These are not just incremental features anymore. They are category moves. When multiple deals land in the same day, boards and founders notice. It tells them buyers are prioritizing capabilities, not just roadmaps. And when prices stay undisclosed, it often leaves room for cautious speculation, while still confirming that the strategic appetite is real.

Regulatory and compliance pressures also play into why non-human identity security is rising. While the source does not mention any regulator by name, the broader compliance logic is consistent: audits increasingly ask for evidence of least privilege, credential hygiene, and controlled access paths across systems. Machine identities complicate that evidence because the number of credentials and service-to-service interactions can grow faster than manual processes. Buying a company explicitly focused on those assets can be a way to compress the time between “we know what should be controlled” and “we can prove what is controlled.”

Second-order implications for competitors are immediate. If SailPoint can integrate Entro’s capability to discover and protect machine credentials, it can make non-human identity coverage part of the core identity security pitch rather than a bolt-on workflow. That raises expectations for the category overall. Other identity and security vendors will face pressure to match visibility and protection for keys and machine accounts, not just user identities. In this market, the winner is often the vendor that can connect the dots fast enough for both engineers and auditors, without turning every incident into a scavenger hunt.