Investor Event Transcript
SailPoint, Inc. (SAIL)
Capital Markets Day Transcript - SAIL 2026-06-16
Scott Schmitz, Head of Investor Relations
All right. Welcome. Thank you all for coming. Really appreciate everyone's effort to get here today. Thank you for all those joining on the web. We have a great program for you today that we're really excited to tell you our story. But before that, a little bit of housekeeping. If we go to the next slide, it's our safe harbor statement. So this safe harbor will also be available in the presentation posted on the web. So now we're through that. But let me help frame what we're going to do today. So I think there's really three key themes that you're going to hear throughout today. And the first is innovation. You'll see this clearly in our advancements around AI and real-time governance, which are actively expanding our TAM. And I think you'll also notice it's not just what we're building, but it's the velocity at which we're bringing these things to market. The second theme throughout today is going to be differentiation. So this starts with our depth and breadth of identity coverage, which gives us the required context to link human and non-human identities to their human owner. And this really helps accelerate AI identity security for our enterprise customers. And then the third theme of the day is really the multiple paths to our fiscal 29 targets. So whether it's acquiring new customers, expanding within our existing install base, or developing new routes to market, we have multiple catalysts that are designed to deliver durable top-line growth as well as expanding operating and free cash flow margins. So I think you'll hear those themes prevalent throughout today, so I just wanted to kind of set the stage. The agenda for today, you know, I'm not going to drain the slide just in the interest of time so we can get into the program, but we have a comprehensive lineup of product experts, go-to-market leaders, as well as partners and customers for you today. So with that, and we have plenty of time for Q&A as well, so save your questions. We'll do those at the end of the first section and at the end of the day. So with that, it's my great pleasure to get started and introduce SailPoint's CEO and founder, Mark McClain.
Mark McClain, CEO
Well, good morning and welcome, everyone. It's so good to be with you today. You know, if you look at the daily headlines, there's a lot coming at us. Rapid AI advancements, shifting markets, macro disruptions. we're operating in a period of unprecedented change, which I would prefer to refer to as the new normal. And this new normal of constant change leads to a sense that to survive, you must adapt all day, every day. And for those of us who have navigated some pretty choppy waters before, things like COVID or the mortgage crisis or even 9-11, we know a fundamental truth. Disruptions always precede significant market redefinitions, where new winners emerge and others get left behind. In these times of deep uncertainty, the instinct for many companies is to just play it safe, to blend in, try to weather the storm. But at SailPoint, we fundamentally reject that approach. We're not in this game just to survive. We're in it to win. And to understand how we win, let's look at the evolution of our space. Let's talk about what's been changing in identity, governance, and administration or IGA, and where it's going to go from here. Just as the overall technology market is undergoing a massive structural redefinition in the age of AI, IGA is also undergoing a massive structural redefinition. And we believe there are five dimensions of IGA in which critical shifts are happening. First, timing. We're moving from periodic policy time reviews to continuous real-time security posture. Second, structure. We're abandoning static, rigid governance in favor of dynamic, adaptive security. Third, coverage. The scope of identity has aggressively expanded from humans to humans and agents, not or, and, and all the supporting non-human identity elements. And fourth, privilege. We are moving away from permanent privileged access for a few toward right-sized, democratized privilege for all. And fifth, and surrounding all of it, defense. Security operations can no longer operate in various silos. Modern security operations must encompass everything from the cloud to the network to the device with identity at the absolute center. This isn't just an evolution of IGA I'm talking about. This is the evolution of enterprise security itself. If you're proof of this evolution, let's just take a look at some math. Years ago, when we went public the first time in 2017, we defined the market opportunity as about $10 billion. By our analysts in Investor Day, the first one we did in 2021, we'd expanded that to about a $20 billion TAM. When we re-emerged as a public company in 2025, we believe that addressable market had expanded to $55 billion. And today, we can credibly claim that the TAM has now expanded to $90 billion for this marketplace. And this isn't about a growing TAM. It's about the validation of identity as the core of security. This $90 billion TAM reflects the aggressive expansion of traditional IGA to address challenges like agentic AI, next-gen privilege, data access, and threat response. And today, you see these issues represented in distinct individual markets like ITDR, identity threat detection and response, ISPM, identity security posture management, and IVIP, a newer one, identity visibility and intelligent platforms. But now we believe all of these will be converging into something we call adaptive identity. Identity has become the critical element of enterprise security. And today we're going to tell you why SailPoint is positioned to be the biggest winner in that game. And you know, when a market gets attractive, it draws a lot of attention. More companies jump into the game, the noise gets louder, and it's really loud in identity today. In fact, we'd say that the identity security market has entered a phase of message convergence, as announcements and claims are arriving at an unprecedented pace, all with a pretty similar set of messages. And with all that noise, it's tough to stand out. It's tough to separate the signal from all that noise. As Seth Godin once argued in a great book, in a crowded market, playing it safe is the riskiest strategy of all. A white cow is visible, but you stop noticing them after the first few. But a purple cow, now that gets talked about, that gets remembered, that gets sought out. And right now, the identity security market feels like it's full of a lot of white cows. Lots of vendors reacting to this shift by making the exact same announcements. But here's the reality for all of you behind all that noise. It is, as we say in Texas, all sizzle and no steak. Or as we also like to say in Texas, a lot of these competitors are big hat, no cattle. Anybody can put out a press release, talk about identity and AI. But when it comes down to it, these vendors cannot handle the deep, messy complexity of the modern enterprise as it escalates into an agentic world. At SailPoint, we deliver the steak, not just the sizzle. We deliver the substance. So, fair question, how do we deliver that substance? It really comes down to three interrelated advantages. Our breadth, our depth, and our unparalleled ability to accelerate into agentic AI. Let's start with depth. No one in this industry has our history or our granularity of control. We have 20 years of managing fine-grained human identity data by working with many of the world's largest, most complex enterprises. Today, we manage over 5 billion entitlements across those enterprises. In fact, we possess what we call the steel thread. It's the ability to trace a human identity as it utilizes various non-human identity accounts and services, agents, etc., all the way down to the deepest, most granular data levels of the enterprise. And you cannot build that overnight. And you cannot fake it. Our heritage is not a liability. It actually gives us credibility as this new world emerges. But not just depth, now there's also breadth. We are the trusted control plane for over 3,200 organizations, many of them in the Fortune 5000. And we are actively governing over 145 million identities by automating more than 35 billion SaaS account changes every year. We don't manage just some subset of those human identities. We manage all of them. We are the number one cross-platform identity provider in the world today. Whether it's Azure, AWS Bedrock, Salesforce, or even older legacy on-prem applications in our customers, our platform connects, covers them all with breadth and depth. But, as they say, since a picture is worth a thousand words, or at least a few hundred in today's economy, this two-by-two matrix should help. So on the horizontal axis, you've got breadth. In other words, how much of the identity landscape do you cover? On the vertical axis, you've got depth. How granular is your visibility and control? When you map out the core identity competitors and where they're coming from, the limitations are pretty obvious. If you look at the SSO and access management vendors, they absolutely cover breadth. They touch every employee identity or every human identity. But truthfully, they have very little depth. They're a mile wide and an inch deep. They have the ability to let you in the front door, as we've used this analogy with some of you before, but once inside, they aren't aware of. They're blind where you're going in the building. On the other axis, if you look at the heritage of the PAM and privilege market, they have lots of depth but very little breadth. They govern a tiny fraction of all the identities in the enterprise and are virtually blind to the rest of the landscape. At SailPoint, 20 years of solving hard identity problems across the entire landscape means we have the pattern recognition that the others don't. And as always, in these two-by-two charts, the place you want to be is the upper right hand, isn't it? The top right quadrant. SailPoint sits here pretty much alone in this collection of vendors. We believe no other company can viably claim that combination of breadth and depth at scale. Period. Having both breadth and depth is, in fact, a pretty massive structural mode. But here's the critical part. AI is now becoming a significant multiplier to that advantage. If you feed AI shallow data from a tool that either lacks breadth or depth, you're going to get limited or maybe even questionable outcomes. But because we possess 20 years of the deepest, broadest identity data on Earth, our AI is intelligent, very intelligent, extremely intelligent about what happens in all those complex interrelated entitlements. And we're using it to massively accelerate and extend our lead, extending it to this newest paradigm, the wild explosion of the agentic workforce. And we're not just about defending our current market share, we're aggressively capturing this new explosive TAM, And that's by focusing on, again, the wild explosion of non-human identities, or NHIs, as you've heard them refer to, and agentic AI. With that, we are establishing a powerful new growth engine, which we expect will drive over $100 million of AI-related ARR at the end of this fiscal year. Depth, breadth, and unparalleled AI acceleration. We believe SailPoint is uniquely positioned with the platform, the data, and the proven enterprise experience to get our customers where they want to go. As I said earlier, our vision to address this world is what we refer to as adaptive identity. And we believe it's the only way forward, dynamically adjusting access for all identities, human or non-human, based on real-time risk, context, and observed behavior. We're bringing this vision to life through two distinct accelerated paths. First, we're sitting at the cutting edge of securing this rapidly expanding agentic workforce, specifically in the context of the human workforce. It's not just about securing agents. It's about securing them in the context of humans, and that's why the and matters so much. You cannot secure agents in a vacuum, as some of these startups would have you believe. To govern non-human identities, they must be tethered to a human owner or a human context. To conquer this new frontier, last month, we introduced the SailPoint agentic fabric right here at NASDAQ. It places agents into the context of that human workforce, bringing them fully under control. Ultimately, it ensures that the entire human and agentic environment remains secure in real time, all the time. But we're also focused on massively accelerating how customers can get to this future nirvana state. As you know, many enterprises today are bogged down by massive technical debt. They're paralyzed by trying to rip out rigid, broken legacy systems from other vendors, or some of them even have challenges to manage and upgrade from our own on-prem solution, Identity IQ. Well, today we are radically simplifying this process to get our customers to nirvana by introducing SailPoint Egentic Acceleration, which is a methodology, but it's powered by a brand new technology we call the SailPoint Virtual Architect. The SailPoint Virtual Architect maps all that legacy structure, wherever it's coming from, leverages AI not just to do a lift and shift, but to design the most efficient solution in the new realm and then accelerates migration to that with unprecedented speed. But really simply, we're using AI to map the path to AI, defining the ultimate nirvana solution and accelerating our customers' ability to get there. And we're going to do that faster and better than anyone. We're doing all of this through relentless ongoing innovation, both organic and inorganic. In just a few minutes, you'll hear from Chandra about the capabilities we've been busy building here at SailPoint, but we continue to strategically insert acquired technologies into our roadmap to accelerate our vision. Just yesterday, as you saw, we announced our intent to acquire intro security to deepen and widen, sound familiar, our controls for non-human identities. And we'll continue to scour the landscape for cutting-edge technologies that help us bring our roadmap to life even faster. So as I wrap it up, you know, we've been a leader in IGA space for many, many years. By pairing our two-decade human identity advantage with our new agentic fabric, we believe we have the most complete adaptive identity solution in the market, bar none. And now with agentic acceleration, we can move customers to that desired destination faster than anyone else. To show you how exactly all of this is going to translate into undeniable financial execution, I'm going to steal just a little bit of Brian's thunder coming up. Today, we're going to clearly demonstrate why we expect ARR growth to accelerate as we deliver more than $2.1 billion of ARR in fiscal 29. And we expect about 40% of that revenue to be AI-generated, agentic-related. We're also getting there responsibly, as Brian likes to say. When we hit that $2.1 billion milestone, we expect to generate at least $400 million of free cash flow. As I noted, Brian's going to go into this in a lot more detail just in a few hours this morning. So, let me say it again. We expect SailPoint's growth to accelerate. The demand for enterprise-grade, multi-cloud identity governance is exploding as organizations rush to secure their AI investments and machine environments. With our specialized focus, commitment to innovation, and the rapid scaling of these agentic solutions toward our $100 million target this year, SailPoint is distinctly positioned to continue to lead in the next era of identity security. So as I close, let me turn this over to Chandra. Let me tee him up a little bit by highlighting, again, the four big challenges we are focused on for our enterprise customers around the globe. First, they're looking to us to help them secure this wild explosion of agentic workforce. in the context of their human workforce. Secondly, they need us to help them move their enterprises to real-time, adaptive identity security. Third, they need us to help them democratize privilege by ensuring dynamic, right-sized access for every identity, human or non-human. And fourth, we're going to help them bring identity in the Security Operations Center together for truly effective, truly comprehensive threat response. So with that, thanks again for joining us today. Let me now hand it over to my colleague, Chandra.
Speaker 11
by stopping malicious prompt injections and privilege escalations in real time. Visualize deep identity context and expose underlying risks through the dynamic identity graph and turn signals into immediate action with prioritized critical insights delivered in a unified view. As an agent owner, securely grant just-in-time, time-bound access to your AI agents directly from your mobile phone. And if an agent goes rogue, instantly contain the threat and disable it, all with a single click. Secure your enterprise. Govern all agents with SailPoint Agentic Fabric.
Speaker 9
Good morning and welcome again. Mark really set the stage. What I'm going to do is really get into innovation, talk about customer outcomes, and really talk about how we are using AI. So, if nothing, I would like you to walk away with three things today. One is there are two big rock, big mega growth innovations that we are going to be working on for the next two years. One is agentic. Second one is we are moving governance of human beings, which we have done for 20 years, from static to real time. Number two, we fundamentally believe, just given the security world today, it's time to move all of our customers to a minimum of least privilege and zero standing privilege, and ultimately to our vision of autonomous identity, which is really think of it as the way more of the identity world. It's a self-correcting, self-healing platform. And third, we are quite excited about the three different ways in which we are using AI, and we are incredibly proud of the product velocity. We have really, you know, our product velocity has gone up by two and a half times, two and a half times in the last 18 months, and it's continuing to accelerate. So before I dive into this, I want to set the stage for what we believe is a new normal in the world of threat and security. And the way to think about this is the time it takes to go from finding a vulnerability, when you actually find a vulnerability, to actually a bad actor being able to exploit it. About three, four years ago, it used to about take a year, right? So when a large corporation found a vulnerability, they will actually issue a CVE, and it took the bad actors roughly about a year to get to it. As long as you patch it with them, that you're good. Today, that one year has come down to a day, and it's trending more towards an hour. And just think of that change, where from the moment you find a vulnerability to when it could be exploited, it's trending towards one hour. And it's largely driven by advanced models like METOs and GPT-55. It's organized cybercrime activity, dev environments being overly permissive. It's a combination of it. But it's a stratospheric change in the world of security. And it's really against this backdrop that we are shifting from just securing and governing humans to securing and governing human plus AI. And when I say AI here, I mean broadly, Mark really referred to them as agents. It could be agents, non-human identity, credentials, bots, all of it, all of it inclusive. We at SailPoint think of all of it collectively. And this whole human And it's not just human plus AI It's actually the ratio The ratio matters We are beginning to Well, we are at roughly about 1 to 100 Across all of our customer base And it's trending more towards 1 to 1,000 So for every human We are going to find about 1,000 AI identities Or non-human identities At that scale architecturally, you have to really shift to more of a real-time architecture as well as what we call security in line, meaning when you have the ratio of 1 to 1,000, literally a global thousand will have millions, if not tens of millions of these non-human identities that can do things autonomously. So the only way you can actually manage and be secure is the ability to respond to a threat in real time with deep identity context. That's really what we are building here. Now, this human plus AI has actually introduced two fundamentally new identity security problems today. So what I want to do is frame those problems conceptually before I go deep into it. So I'm going to just illustrate it with some very conceptual basic use cases, right? The first one is really about a human or an AI, developer writing code and putting that code in a GitHub repo or an agent or a human accessing an API. That itself is not new. The fact that the GitHub repo and the API, they have credentials, which are really machine-readable credentials, tokens and keys. That is also not new. What is new is the fact that these have been largely unmanaged and ungoverned. A lot of them, by the way, they would not be rotated for years and years. You can no longer afford it. If you leave a key now that is not rotated frequently, the chances are it's going to get hacked into, and your code could be stolen. That is new. The second one is really the autonomous AI use case, which is you have a big agent calling smaller agents, right? and the smaller agents or the sub-agents accessing application and data. This flow is very, very new, and this whole chain needs to be governed. They need to be discovered. You have to make sure they are authorized to only access the data they are supposed to on behalf of the human they are acting. These two conceptual use cases is what we refer to as the agentic security and governance problem. Now, on the human side, the question is what's changed, because humans have always had access to application and data. What has changed is the fact that the bad actor now can use these advanced models, advanced tech, to really hack into these application and data in no time. And this is why the time to exploit a vulnerability going down to an hour, it really matters. In that world, you can no longer rely on these applications and data being fully secure. You have to fundamentally re-imagine how humans access this application and data. That's why static governance, static privilege is dead. You can't afford it. It's grossly insufficient. You have to move, you have to really risk evaluate every access a human or an agent has to the application and data. That's what we mean by shifting human governance from static to real time. These are the two problems we are fundamentally committed to solving. And our big growth innovations that I talked about, agentic, real-time human governance, are about solving those two problems. And we launched our agentic fabric, which is our fabric to solve end-to-end agentic here at the NASDAQ last month. It'll be GA in the next two months. In less than two months, real-time human governance. It's really, you know, all of you are familiar with our identity security cloud, you know, IOC. This is an upgrade to IOC. We are really delivering next-generation human governance or real-time human governance through next-generation ISC. And Atlas is the engine. It's a shared services layer. It's the engine that powers both of these innovations. Now, here is what we're excited about, which is solving the agentic problem. There is a new role in every large corporation today. It could be described as a head of AI in some places. It's actually a committee and so on. But that's a new role. And the real-time human governance is no longer in the realm of just the identity department. It's the CISO and the entire CISO's office that's really responsible for it. So we are becoming strategically more relevant as well as the wallet size. The wallet size goes up when you go solve these two problems with those two executive buyers. This is why we are quite excited about where we are innovating. Now, the solution to this, the SailPoint solution to this for both agentic as well as real-time human governance has three pillars. Discover, govern, and protect. Now, for the last 20 years, right, we have talked a lot about discover and govern, right? You know, that's really what a great IGA platform does. We are now innovating on that for this new identity type called agents and machines, right? But protect is new. This is new. This is why SailPoint is no longer your old legacy IGA. It's not even your grandmother's identity platform or your parents' identity platform. This is a new SailPoint, and we are really innovating on Protect. I'll talk about what I mean by that. And when Mark talked about how our TAM has really expanded, even since we went IPO from $55 to $90 billion, A good chunk of it is driven by the fact that we are governing a net new identity type called agents. It's also because both for agents and for humans, we are now not just in the discover and govern, sorry, in the governance game. We are also in the protect game. With that, let me just dive in, right, and, you know, talk about what we are doing in both agentic as well as real-time human governance. And I'm going to really focus on what's new and what makes us very, very unique in solving these problems. So, starting with discovery, look, we are super thrilled about the acquisition of Entro, which I think is very, very complementary to what we do. So, with that, we have the most robust, I can confidently say we have the most robust discovery mechanism of any agent, non-human identity type. You know, Entro covers more than 1,200 non-human identity types. And so we have the most robust mechanisms to discover agents and machines and credentials from any platform in the world. But what makes us really special is the fact that we will be the registry, right? You know, which means the moment an agent or a non-human is discovered, it gets... So think of us as the inventory or the warehouse where all of it is stored. We automatically correlate it to the deep human context that Mark talked about, right? And so let's take this persona, Bob. You know, Bob has a coding agent, right? So it's not just correlating the fact that the coding agent, plot code coding agent belongs to Bob. It's also all of the fine-grained context that is associated with Bob, right? So we do that automatically in our registry. The second one, we are getting into posture. We are going to be introducing the SailPoint risk score, which is a mechanism to really evaluate risk at an individual identity level, both for humans and agents. And it's a configurable mechanism, because what risk means changes from one company to another. So we will give our customers the ability to configure how they calculate the risk score. But because in a world where you have millions, tens of millions of agents inside a corporation, you've got to have real-time visibility into what the risk is, right? And so that's really what the SavePoint risk score will provide. That's really on Discover. On Govern, what's net new here or what's special is really? We will be the first to market with our agent audit product in less than two months. So, look, human access has been audited and has been regulated for a long time. The same thing is coming for agents. It's going to be a lot more complicated, a lot more complicated. Already there are about a dozen frameworks. You know, every country seems to have its own framework for auditing agents. Lots of industries like health care and others, banking, have their own frameworks for it. But we are an audit company. We know this. This is in our wheelhouse. So what we have done is consolidate all that into 10 controls. We are going to be launching that very soon, right? And we are working with all the big four audit firms, actually, quite frankly, to make sure when we really come to market, it's very, very pragmatic. On the protect side, there are a few things I would love to highlight. One is just-in-time, real-time authorization. Look, the hundreds of trillions of dollars that is getting spent in the world of AI and in the world of Agentech, it all boils down to the fact that enterprises will have to use them to automate business processes to change the way they work. Doing so requires, which means a bank will automate loan origination and an insurance company will automate claims processing. Doing so requires these agents access application and data. That is where just-in-time and real-time authorization comes in. And having the human context matters because when a multi-agent network is authorizing a loan, it's acting on behalf of an underwriter. And you don't want this agent to access anything that the underwriter does not have permission to. That's why mapping the agent context to the human context during authorization is the only way to do it. This is where we are highly differentiated. Second thing is prompt security. Like every one of you here, I'm sure you are all prompting in some foundation model 20, 30 times a day. You know, one of the biggest threat vectors is that prompt being poisoned, the prompt being hijacked. It's a huge security issue. And our prompt security, because we have a browser architecture now, we have a plugin in the browser, we can intercept these prompts in real time. We are using machine learning to classify the prompts into high risk to low risk. And if we see something, let's say an employee is trying to upload some confidential data into ChatGPT to do some analysis, that's not safe and we'll block it. So we will be doing things like that. And the third one is really response remediation. In a world when you have tens of millions of agents running around, you have to assume breach at all times. Anything else, you're really kidding yourself. There is some breach of some agent or some machine at any given moment in every corporation. And so in that world, the only thing, you know, you can and should do is have the ability to respond to it in real time. So what we are doing, we are launching this product in the next few weeks called response remediation, where any time there is a breach, we have receivers that are really, you know, listening to events. And so we have built a whole event mechanism using the SSF protocol, which is an industry standard. And we are creating what we call a SOC package with deep identity context. So if, let's say, one of you has an agent that gets hacked, we will create a package on what critical data that agent has access to and what the blast radius is and send it to the SOC so that a SOC analyst who is analyzing the breach can actually use that to be surgical in the response. Doing these things is a game changer. Now, as you will see, we also believe from an outcome perspective, the minimum in the world of agents is actually zero standing privilege. Not even least privileged. Certainly not static. And our fabric automatically delivers that. That's our promise. Now, before I get into real-time human governance, I want to just mention a word on intro. So we are quite excited. Entro is a market leader in non-human identities. A simple way to think about this is the world of secrets and tokens and API keys and JWT tokens and certificates and so on, right? They're world-class in managing, not just discovering, governing, and protecting them, right? And so once we close, which should be soon, we are going to be very aggressive in integrating all of Entro into the SailPoint agentic fabric. And so you should hear more from us on it. We have publicly announced a Q3 close maybe earlier. But I think we are going to be super aggressive in terms of integration. More to come on that. Now, real-time human governance, right? Let me just demystify real-time human governance a bit because there is a lot said about static, real-time. What the hell does it mean, right? So governance has always been about who has access to what, right? Now, what has changed is who has access to what, where, when, and why. Answering the where, when, and why is really what the security folks like to call risk context. You know, when you really hear the word, that's really what it is, right? So I'm just going to bring it to life with this persona called Bob. Let's say Bob is an analyst at a large corporation. it's really questions like should Bob have access to financial data 24-7 or should Bob only have access to the data a week before earnings, a week after earnings and no more should Bob have access to Salesforce data inside Salesforce.com when Bob's on vacation on a public Wi-Fi Bob has access to an SCC folder inside the corporation should Bob have access to it at all times or only during a confidential M&A project In all of those situations, there is some condition based on which Bob has access. That's really the essence of real-time human governance. So you don't assume that Bob has access to everything all the time. You are gaining Bob's access. That is simply the world of real-time human governance applied to both agents and for humans. Now, doing so requires a few things, which is what we have completely built here. Doing so requires the ability to classify the application and data that Bob's accessing, which is what we call privilege classification, you will see here, right? Now, you've got to be able to apply that to not just Bob. An average Fortune 500 corporation has 60,000 employees, 60,000. Everyone should be privileged, not just 3% or 4%, which is really today. Everyone should be privileged. It doesn't mean every access they have, everything will go through just in time, but at least you are risk evaluating their access. That's what we mean by democratizing privilege. We are bringing privilege everywhere. Doing so requires classifying applications and data, which is what we are doing now. Once you do that, you've got to have the mechanism to do just-in-time authorization, right? Like I talked about, you only have access. Bob only has access a week before, a week after earnings, and so on. So that means you're doing just-in-time authorization. Bob doesn't, you know, it's not really static access. That is to the right, just-in-time and real-time authorization. Now, there should be policies, right? Every role based on context will have policies based on which their access should be governed. That's what in the middle we mean by governance being driven by policy and intent, not just roles. It's not just, well, Bob's role is that he can have access. No, there should be policy that will govern conditions based on which Bob will have access or not. That should be done for all roles. Hopefully, that sort of demystified real-time human governance. We are delivering, so we have a big launch event in early August in Black Hat. That's when we are formally launching real-time governance or human governance. It's really an upgrade to ISCR. President Matt Mills likes to talk about it as it's not a migration. It's an upgrade, just like how you would walk into an Apple store and upgrade your iPhone from one version to another. That's exactly what we are doing here. It's not a migration. So that's why we are confident as our customers move to our agentic suites, which will have real-time human governance, they will automatically go through the journey of moving to least privilege and zero-standing privilege. That's our promise. Let me spend a minute on this notion of autonomous identity because I said that's our end state. Think of, look, scale is important, right? The context is, you know, why do we need autonomous? Because of scale, right? When you have tens of millions of identity, today, you know, corporations are used to, like I said, the average Fortune 500, 60,000 employees. So you have 60,000 identities. In the future, or like, sorry, not even in the future, today, the ratio is at least one to 10. So, you know, or one to 100. So you're talking about six million identities. One to 1,000, you're talking about six billion identities, right? Sorry, 600 million. So these are like massive numbers. And the only way, so you can't have a human in the loop all the time, looking at what's happening with 6 million, 60 million, 600 million non-human identities all the time. So what we are doing is building a fleet of agents. These are called guardian agents that are autonomously looking at everything that's happening with the identities inside a corporation and looking at whether they are acting inside the policy, outside the policy. Any time they see drift, it will automatically take some action based on policy, meaning with a small drift, it will actually stop it. If it's a major drift, it will alert the SOC or it will alert the human owner. This is our vision for autonomous identity. You should really expect us to be delivering some of the early capabilities in this early next year. But we are working on it, and it's quite exciting. So I talked about Atlas being the engine that powers all of this. And we launched Atlas about, I think, three, four years ago. And there has been a ton of innovation in it. The one I would like to highlight is all the things we are doing to really get into protect. Remember I talked about discover, govern, protect, and protect is new. So we are building a risk engine. a policy engine, an intent engine. As we move to just-in-time and real-time authorization, we're moving a provisioning model from static provisioning to dynamic provisioning. All of this is getting built into Atlas. And so when we launch the next generation ISC with a new brand, the next generation of Atlas will go with that new brand as well. So please stay tuned on that. We are also very, very excited about extending Atlas, right? So we have our ecosystem of partners that build on Atlas today. They use our APIs, workflows, and so on. What we are doing is really building, you know, we will be giving them the ability to extend Atlas. So if you're an ecosystem partner, you can configure your UI, you can configure your workflows, you can potentially extend the data model we have, and so on, right? This is quite exciting, which we believe will in, and Matt will formally announce a new monetization model for how we are going to monetize the ecosystem and give them access to our platform. This is going to enable that. Let me send a, you know, Mark at a very high level talked about the breadth and the depth, right? And I want to link it to the next level of how our product is differentiated. And I think the best way to understand is using a building metaphor, right? You know, because we are very bullish and confident that we are the most differentiated platform to govern and secure both agents and humans in real time. And it comes from the fact that we have a foundation, which is what Mark referred to as a red thread. The ability to connect a human to a non-human context, it's not just that. It's the full depth of that context, which is what application, what data, what accounts, right? And now, imagine the ability to do it across thousands of platforms. The agent here could be in AWS. The machine could be in Google. The application could be Salesforce. The data could be in Snowflake, and so on and so forth. Imagine the ability to do that across all platforms, which is what we have. We have the most robust connectivity infrastructure in the whole world. And so this is really the foundation. On that foundation, we have built an authorization layer. We are the authorization last mile. We are the authorization execution layer. We are an authorization company. We are just moving it to real time. We are moving it to the world of agents. And all of these capabilities here are required to do authorization really well. Look, authorization requires data. You can't authorize if you don't know who should have access to what and when, which is what the foundation provides. This is a sale point differentiation, right? You know, this is, so we have, you know, the strength we have built over the last 20 years, we are now adding to it with all the agent context. And this is the complex engineering we have done, already done, and this is what is getting released now. Now, on top of these two is the second floor, which is all of the customer innovation I talked about. You know, discover, govern, protect, All of it is on the second floor. Now, the startups of the world are starting on the second floor. They don't have the foundation. They don't have floor one. And what happens to a building if you try building a second floor without the foundation, right? That's why it's shaky. And our big platform competitors, you know, look, you know, CrowdStrike and Palo Alto and ServiceNow, they're all co-operators because we partner with them as well. But even they have, you know, strands of identity context nowhere near the – none of them are identity companies. They're all trying to get into the identity world, right? And so that's why we feel very, very bullish about the durable differentiation we have. Now, those were all the customer-facing innovations. There is a ton we are doing on the operational innovation side as well. So I'm just going to highlight a few. Architecture. there are two fundamental shifts that we are really rewiring for one is moving to real time two is building for age and scale like I talked about 1 to 1000 it's a different game altogether and we're doing it through people you might be wondering you've been building static for 20 years how did you just do it so my own leadership team Fuad, Levin, Mitra they've really come from places like Microsoft, Okta, Salesforce Force, Sentinel One. And the next level leadership is where we have also hired some fantastic leaders from CrowdStrike, Salesforce, Palo Alto Networks, who have been there, done that. And so they are being complemented with our existing talent. And SailPoint has always been distinctive in terms of domain expertise for identity. That combination is really the magic. That's how we are driving the architecture shift. User experience, we, you know, hired Mahan, who's our head of design that is really leading our excellent design team, which we have had for a long time. And Mahan sort of believes in this notion of, you know, design should follow a user's emotion. And so you should really expect to see a lot more reimagination. We are fundamentally reimagining the SailPoint user experience. You will actually hear more from us on it. And it'll start with our agentic fabric launch in less than two months. You will say, and Levent will show it, by the way, he's going to do a demo. You will start seeing glimpses of the new SailPoint user experience. Security, this is a big deal for us, right? I talked about the new normal, right? We are, you know, we are religious about it, quite frankly. So, you know, we are using all of the advanced tech. It's more than that. We are also rewiring how we build products. And it's a fundamental cultural Now, the world is less global. It's gotten more complicated. There are lots of sovereign needs. That's why we will soon be announcing our support for five different sovereign needs, including FedRAMPi here in the U.S., as well as things like PCI for the payment industry, EU Sovereign Cloud, availability in South Korea locally, and GXP for the life sciences industry. and there are a few more coming. Expect us to formally announce these things, but I want to give you a sense of where we are headed because without these, it's hard to do business on a global basis, but doing these will give us a real competitive differentiation. Now, I call this the AI triple play. We are using AI. Sorry, we are protecting our customers' AI. That's a sale point for AI. AI for SailPoint, which is all about how we are using AI. And we are using it to build our products, which is really tripling our velocity. Now, we're also an open ecosystem. And, you know, so one of the things that I want to, you know, highlight is Chet Kapoor runs security at AWS, which is one of our deepest partners. And Chet, you know, apologizes for not being able to be here in person. but he wanted to represent his views on our, you know, partnership through me, which is we are a deep partner, right? And so we are one of the very few identity, large identity players in their security hub plus, which is a second-party marketplace they have, as well as we participate early with them on a number of innovations, right? And so there are other partners like Snowflake and CrowdStrike and so on. So we are really an open architecture. Now, I want to take it back to where I started. Two big rock innovations, two big customer outcomes, and AI triple play. Thank you for listening. And with that, I would like to show you things now for which I'm going to invite my good friend and colleague, Levin Pesik.
Levent Besik, Other
Good morning, everyone. Thank you. I should probably plug my laptop in. Are we getting the perfect? All right. Good morning, everyone. I'm Levant Besik, the Chief Product Officer here at CellPoint. As Mark and Chandra mentioned earlier, we're on the frontiers of innovation to provide best-in-class identity security for humans and non-human workforce and enterprise. Today, I'd like to show you some key innovations that we've been working on and we've built for our customers. And all of these are either available today to our customers or will be very soon. I'll first start with SailPoint Agentic Fabric, which is our end-to-end solution to discover, govern, audit, and real-time protect AI and non-human identities. I will then showcase our AI-driven privilege classification and just-in-time authorization capabilities as part of our real-time human governance. So let's start with our agentic fabric. Today, the fastest-growing, most highly privileged workforce inside any global company is non-human identities, which of course includes service accounts and machine secrets and now autonomous AI. Some of our customers see over 100 times more non-human identities than humans. So visibility and a unified inventory, as Chandra said, with human and data context is the first step and supercritical for our customers to secure this new non-human workforce. After all, if you cannot see them, you cannot govern them. If you cannot govern them, you cannot secure them. So let's bring down the lights and take a look. All right, welcome to the unified AI and non-human identity dashboard powered by SailPoint Agentic Fabric. So right from the single pane of glass, an identity admin gets an immediate comprehensive health check of their entire non-human and AI ecosystem. With our AI-enhanced connectors that can virtually connect to all enterprise platforms, as well as our sensors now that are deployed actually on the browsers and on endpoint clients, we provide one of the most complete views of non-human identities and their human context in one place. There are multiple dimensions of insights here that I want to go through that really reveal your security posture very quickly. So, for instance, right here you can see the total number of non-human identities you can see the number of total active agents across your entire enterprise many of our customers for the first time ever see this realize how large their AI and non-human identities are and you can see all the exposed secrets you can click in each of these and and go and drill down and we also show you not just managed agents but the shadow agents that obviously the administrators may not know about. And, of course, the non-human high-risk agents and the abnormal behaviors that they might be utilizing, right, or they might be displaying. So this is a critical security insight that many of our customers, as I said, don't completely realize until they use our fabric for the first time. But let's dig in to non-human identities in a little more detail. So here you see all of our non-human identities. in this case the tokens that you can you know an admin can look through slice and dice and you know look at the securities severity and different aspects of it let's just focus on the high-risk ones for instance but this is you know shows you this shows you all of the critical factors and admin makes right to understand the security posture but let's dig in into one of these to see what we actually see so here in this case this is a it's a token you can see there's a critical issue here so let's understand what's going on here very quickly we see the owner we see the last time it was rotated clearly that's flagged as a risk factor and you know it's it's a production system of some source but here's a unique differentiator as as mark and Chanda told us our agentic fabric has a depth and breadth of human and data context so we can add this to this view and because we have that context we can do some amazing things We can create a complete lineage map. So let's go through what that looks like. So in this case, let's look at this token's lifecycle, right? This was a token owned by Dorn. It was created in a browser and used in a few places. But here's an interesting piece. This token has high administrative privileges. Okay, I mean, that's suspicious. But is it used? Yes, and it was used. It was used in a privileged production system by an AI client that probably Doran used on his laptop. And it was, furthermore, how was it used? It was used in an access management system to create a new user, right? Attach a user policy to it. And worst of it, this was all done from an untrusted location. So this is the context we talk about. It's the full lineage, not just what the token is or the metadata around it, about how it came to life, its life cycle, where it was used and everything. And here's the thing, I've seen enough that this, to judge, you know, to assess that this is dangerous, I'll just disable it. This is not an inside platform, it's an action platform. So with just one click, we just revoked that token. It mitigated the risk. All right, so this is the power of the SailPoint agentic fabric. Let's see how this works in an agentic work. So let's head over to the agent dashboard, inventory and similar to the non-human inventory this is the place to slice and dice and understand how many AI agents you have where they are who owns them again you can see similar metadata across the board you can click on each and every one of them and this is a purpose-built dashboard so you can see here again let's click on one of these to see what we see again similar experiences and non-human identities but of course we see some interesting stuff here right so this was a cursor agent again with our suspicious actor Doran sorry Doran you know interesting stuff is happening here from your machines and you know cursor agents active as interesting so let's go to the lineage map to see what Doran has been up to so again Doran has been using this agent on his MacBook Pro for cursor all right so this is where the interesting stuff comes in right this agent has multiple identities and that was used one one in Figma one in github and and let's see what this agent has been doing right this agent was doing Figma you know probably it sounds like it seems like a developer agent it was accessing the design system and a few other things that's you know thing but suddenly and I need access to github and for a developer agent, we'll see some suspicious things, like it's accessing, for instance, financial automation service, quarterly reports, customer data. Well, that's not right. Right? That doesn't seem right. So, again, with a single click, I just disabled that agent on its platform that it came from. So, it's great that I can take these remediation actions one by one, right? But, as China said, we expect hundreds of thousands of these. So how do we create automatic, real-time access policies for agents and secrets and dictate what they can and cannot do before they're even created in the enterprise, right? Because that's what you want to do. You want to have that autonomous automatic policies, right? So this is where our security policies comes into play. And as you can see, we have a selection of these policies you can create from behavior policy to identity owner. But here, what I want to create is a policy around, you know, in this case, you know, since we just looked at a GitHub agent, let's configure an agentic access policy to deny cloud agents from accessing GitHub for product team. Now, why? This is actually a very common risk vector that recently we hear quite a bit from our customer base. they see a lot of these benign coding agents drift from their original purpose and they in some cases then you know do destructive events like deleting the code base so you know and then they use their excessive privileges so what we want to go do is want to create a policy to block that so we're going to give it a name let's give it a name block out github access now again I can choose a variety of platforms here I'm going to use cloud and again I can do a variety of targets in this case I want to block github access I'm going to select that you can deny and allow policies there's a prolifer of options here of customization but I'm going to select a specific team here because I want my engineers to innovate with agents and I can't create a separate policy for them but for product even I'm just gonna deny that so I'm gonna create a policy and then see how would this oops sorry and see what happens okay great so let's check now we create a policy let's see if this works so we're gonna try to read the file from github I'm part member of the product team so let's see oh hopefully it's gonna work it's gonna think I hope it works there you go request blocked by our policy now this right here is huge business value right here for our customers because this capability allows our customers to create guardrails and to adopt AI innovation securely across the organization all right so let's pivot from a genetic identity back to human element. You know, as Chandra and Mark said, we also have a lot of innovation happening on real-time human governance. Specifically, let's see how we are using AI to radically modernize real-time human governance. So I'm going to go to entitlements here. Now, to achieve true zero trust, an organization must understand exactly what access entitlements they are governing and then classify them accurately in order to apply appropriate security policies but across the enterprise landscape we face a massive data quality problem 64% of our application entitlements are missing descriptions or written in cryptic jargon so you know we're not also talking about a few hundred here some customers have millions of these entitlements that they need to manage and with such sheer volume if a manager or an auditor doesn't understand what an entitlement actually does they often misclassify it and that is a massive security gap a massive compliance cost so this is where we innovated with AI and created AI recommended descriptions which makes this traditionally laborious and critical security task abilities and let me show you how so in this case we have a ton of entitlements here a lot of them don't have any descriptions so let's see what happens with our AI generated recommendations so we click there and And instantly, you can see, we have created some really, you know, detailed descriptions of what this is. In this case, for instance, it's a super user group for Workday. And we came up with like a very good description here. And but here's the best part. Building on those descriptions, the AI then automatically classified the exact risk level for each of entitlements. So we now flagged which ones provide highly privileged access. And you know, you know, we can approve and deny a few of these, but it turns out our accuracy is also pretty good 98 percent of the time 95 percent of the time our customers accept and approve all these classifications so with that confidence you can just go ahead and bulk approve right these things and you can also obviously you know go in and edit them if you wanted to right and you know you can adjust risk to this but we cannot bulk approve these and what used to now take teams of security analysts months of manual work is fully automated thanks to AI we're slashing our customers total cost of ownership we're accelerating their deployment we're laying the robust foundation required to enforce real-time dynamic access policies okay so now that I discovered and classified what is privileged I want to focus on the privileges that represent the greatest risk to the organization so that I can enable zero standing privilege we do that with just-in-time policies I'm gonna go to just-in-time console here and what happens here is that with just in time a privilege is only provisioned when a user needs it and deprovisioned or disabled once they're done and you can do this for all types of entitlements to achieve zero standing privileges and that's what we recommend but for the most sensitive ones you can add additional verification at the time of activation too if you wanted to so let's walk through how an administrator would create an activation policy so that when a user wants to activate workday for super user privilege for instance he will be asked for additional setup authentication right so let's go to an activation policy here I'm gonna create a policy and I'm gonna create an activation work to a super user there's some you know information here I can add It's going to be individual policy ownership. And again, you know, we give great flexibility here. You can create this policy to match attributes and do a whole bunch of other flexible things to fit your needs. But here's the best part. So first there's the why do you need this policy, you know, questionnaire that I can create. But even better, since this is such a privileged entitlement, entitlements, a super user access to Workday, right? I want people to really make sure that, you know, they are authenticated, re-authenticated with multi-factor, right? This is where our integration with identity partners comes to play. In this case, I will require authentication, and I will also create an identity policy for that multi-factor authentication, right? So I'm going to do that. I have the policy set. I'm going to finish. And now let me switch to the user mode. all right so this is now our administrator right david which is one of our administrators so you know when he activates the workday super user policy let's see what happens all right so i'm going to go ahead and activate this again it's time limited i'm going to give it a reason you know okay great great sure and then let me get a service ticket as we because it was set up policy let's enter something there okay great and then here's the most important part right We're going to begin a re-authentication ritual here. So we're going to go ahead and, on the phone, simulate it. We're going to approve a multi-factor authentication backed by biometrics. So we do that. We do biometrics requests. It's approved. And David got his entitlements. And that's how we create zero standing privilege for this entitlements. And hopefully, he can deactivate it. Or if he forgets, it's time bound. It will be disabled after he's done. So please bring the lights back up. that's a quick overview of our SailPoint agentic fabric and our real-time policy so quick recap we got a complete view of all of our non-human and agentic footprint in our enterprise with critical human data context we were able to quickly assess and improve our security posture and create policies we then saw a single control plane on a unified platform with automated governance and real-time protection we now saw how our AI driven capabilities deliver real business and security value by eliminating painful manual work. And finally, we saw how our real-time authorization helped our customers create a zero-standing privilege posture and protect them from privilege, misused, and insider threats. We are incredibly excited to bring these capabilities to market and partner with our customers on their AI and real-time human journey. Thank you. Really appreciate it. And now I'd love to have our president, Matt Mills, to stage on go-to-market.
Speaker 16
In our go-to-market session, we're going to take an opportunity and introduce you to really the broad, deep bench that we've built over the years. And so you'll hear shortly from our chief commercial officer, Gary Nafis. You'll hear from our chief customer officer, Meredith Blanchard, our chief marketing officer, Wendy Wu. You're going to hear from our Head of Revenue Operations, Steve Caldwell, and the gentleman that manages and leads our global solution engineering and specialty sales, Jeff Hickman. So the depth of their collective experience is extraordinary, and you'll see that for yourselves, and you'll see the deep bench that we've been able to build here. With that, let me just get started. The physicist David Dewish once noted that humanity is always at the beginning of infinity. With AI, that infinite future is deriving faster than anything we've ever seen in technology history. We are seeing an unlimited growth of knowledge, but crucially for our business, we are seeing an infinite proliferation of AI agents and non-human identities. Last September, if you'll recall, we launched agent identity security. At that time, it was arguably the first solution of its kind. We made a bold prediction that governing autonomous agents would quickly eclipse human identity management as the most critical governance and security challenge of the decade. We were right. We declared 2026 the year of the agent because we saw a fundamental truth that the entire AI wave from co-pilots to autonomous workflows requires one absolute foundation, robust, unified identity and access control. The market urgently needs a vendor-agnostic control plane to govern the connection between humans, agents, machines, and data spanning across all platforms. For instance, Salesforce, Amazon, Microsoft, and Google. And because as the global regulators begin to draw strict lines around AI accountability, proving what an autonomous agent is doing with your data is no longer just an IT issue. It is a massive compliance mandate. And today, that explosion, it's not a forecast any longer. This is the reality we're dealing with. Board mandates are clear. Massive budgets are activated. The AI is undeniably the engine of the modern enterprise. With this rapid AI adoption comes a rapidly growing security problem. We've been saying this now for some time, that identity is the number one breach vector, and most companies have experienced identity-related incidents up to now. Now, take a minute, add autonomous agents. The attack service isn't just growing, it's multiplying exponentially. Agents are being created everywhere, largely outside the purview of IT. They're spawning sub-agents, connecting to critical SaaS apps, massive data lakes, and being granted broad, sweeping privilege across the enterprise. As a result, the fastest-growing form of agent governance right now is no agent's governance at all. With a control plane, the trend of rapid vibe coding quickly devolves into, get this, vulnerability as a service. So let me give you a real-world example. Imagine one of your analysts deploys a Claude agent to build a financial model, granting it broad access to your firm's data lakes. Does the agent know what it is allowed to access? Does it understand an ethical wall? Can it tell the difference between useful data and restricted data? Is it violating SOX controls or creating a toxic access combination a threat actor could potentially hijack? In most enterprises today, the answer is unclear, and that's a big problem. You cannot govern what you cannot see. You cannot secure access that you cannot trace, and you cannot manage risk when agents, machine, and data are operating outside the identity control plane. Now, we are already seeing this in the headlines, an explosion of shadow AI-related breaches, all fundamentally rooted in identity failures. The broader market, and more importantly, the regulatory landscape, is waking up to this reality at a breakneck speed. Around the world, AI governance is moving from policy discussion to operating requirements. We're seeing this across the U.S. Treasury AI Risk Framework, the EU AI Act, DORA, NIST-2. In Asia, you've got MAS and APRA. And the common theme is clear. Enterprise must prove control, accountability, and data lineage across all AI-driven activity. And none of that works without identity. Consider this. 60% of the 230 control objectives in the financial services AI risk management framework depend entirely on foundational identity security to be able to achieve that compliance. 60%. So, simple math, that's 138 of those 230 control objects, right? That's a lot. It's something that cannot be ignored, and it's going to be a big problem. Here's another one, the Monetary Authority of Singapore. This was the MAS I mentioned. Strict demands for data lineage, human accountability of governance, and it states in the regulation organizations must, not should, must deploy robust identity and access management systems. So this is a powerful signal. AI compliance is no longer just about the model governance, right? It's about knowing who or what has access, what they are doing, and who is accountable, right? This is what Chandra went through. Furthermore, tech luminaries who once really just touted the limitless power of AI have kind of changed their tune, right? Leadership at NVIDIA, Google, Box, and Anthropic, now they're really urgently calling out for governance. I don't know if you saw it a few days ago. Anthropic called for a pause in AI development because of this growing concern. Anthropic also recently announced, published a zero-trust framework for AI agents, reinforcing the autonomous agents require identity, task scope permissions, observability and controls designed for AI-driven activity. So all of this together really serves as a powerful third-party validation, I think, of what we're really driving here and what we're sharing with you all today, and that is the proliferation of autonomous AI cannot be secured by traditional network perimeters or firewalls. In short, agents must be secured at the identity layer. So when you step back, there are really three market forces here that are coming together. The threat landscape, it's expanding. Non-human identities, AI agents are creating really this invisible attack surface. The regulatory requirements that I just went through, they're increasing. And compliance has shifted from a basic checkbox to the alternative of severe revenue risk. And finally, technology leadership is voicing the importance of identity, where identity has officially become the new enterprise control plane. And we are seeing additional signals of momentum building in the market. I don't know if you follow Cisco, right? Cisco's acquisition of Asterix. I mean, it's a proof point that large security platforms are moving quickly into non-human identity security. New entrants into the market are shining a light on shadow AI and unmatched agents. And CISOs and CIOs, well, they're increasingly recognizing that their ungoverned AI is not a future problem, right? It is already emerging inside their organizations. And when you bring this together with market sentiment, the technology leadership, you throw in the auditors, what are they saying or all agree on? That identity security is a critical infrastructure and necessary to effectively govern AI. So let me leave you with this to noodle on, all right? Identity is the central control plane for enterprise security. It's not just about securing the agents, but it is about the platform to secure your enterprise. It is the common fabric that brings the endpoints, networks, applications, and data all together so you can properly govern and secure your enterprise. All of these create a powerful tailwind for SailPoint and accelerate our go-to-market opportunity. So with that, let me now invite our chief commercial officer, Gary Nathis, to dive into more details on our go-to-market strategy.
Gary Nafis, Other
What are we going to do? Let me just give it one minute. Oh, it seems like we're good. Just look. Good morning, everyone. SailPoint is attacking this $90 billion TAM that you've heard about this morning with a ton of momentum. We're attacking this with a maniacal focus on customer success and time to value. So as we scale, we are taking significant market share from the incumbents. Over just the past two years, we have expanded our leadership position by nearly five points to capture 23.2% of the market, while the rest of our competitive set has either stagnated or actively regressed. According to Gartner, the IGA market grew 15% last year. SalePoint alone captured nearly 38% of that total market growth. And most importantly, our unit economics and our customer health metrics are stronger than they've ever been. But the best metrics that support the momentum in our sales are the leading indicators such as pipeline. Our pipeline for these advanced capabilities of AI have doubled every quarter since we launched our product. To maintain this growth trajectory and capture our disproportionate share of that $90 billion TAM, we're aggressively executing on three strategic go-to-market priorities. Capturing new logos. Spoke too soon. All clear. All clear. Okay, good. Capturing new logos, accelerating our multi-product platform adoption. One more time. Perfect. Perfect. It's an agent. Yeah, that is an agent. Unsecured, I'll tell you. The third is modernizing our customer base. and so here's what gets me really excited we're innovating within our go-to-market strategy leveraging ai internally to unlock significant acceleration in our sales cycles our customer time to value and our product expansion we're going to show you a demo here shortly of some these capabilities. Okay, moving on to land and expand. So we have, SailPoint has an unmatched opportunity to land and expand. We are looking at a vast, largely untapped market that is reacting to a ton of market pressures. There is an urgent now board-driven mandate to modernize these fragile legacy identity stacks. This imperative is backed by agentic first budgets enforcing the need for access governance. These are budgets that SailPoint has typically not accessed. These are outside of identity, outside of the CIO office, all new budget pools that are now addressable by SailPoint. And we're making it super easy for and seamless for our customers to modernize their solutions with limited risk. These are push-button-like upgrades that just didn't exist six months ago. We have brought new deal constructs like flex modernization to streamline our customers' upgrades, and this is fueling the fastest acquisition growth for SailPoint, which is to liberate the legacy IGA market. There sits out there $3.2 billion in legacy run rate just sitting in these legacy solutions. These foundational IGA programs can't meet the modern demands that enterprises need, and when we upgrade them to our Agentix suite, we see a 3x-plus expansion opportunity put in play. By solving today's immediate identity pressures while building on the realities of agent identities for the future, we are not only protecting their business, but we're accelerating ours. We effectively turn that $3 billion legacy target into a $10 billion expansion opportunity for SailPoint. And today with SailPoint agentic fabric, Rick, we have these new selling paths to engage into this opportunity. We have 4X the number of ways that we can land new logos just in the past six months. We can land human, we can land agentic, we can land both, or we can have a wedge strategy. We've 2X our selling motions via our agentic specialty sales teams, which now allows us to engage these new market buying personas and these new budgets. This market is quickly realizing that competitive architectures cannot survive in this AI era And competitive displacement has become our fastest growing acquisition channel Which is part of the reason why we see that two-thirds of our new logos come from failed competitive deployments This opportunity is massive and we are primed to own this Let me hand it to Steve to take you through some of the platform growth opportunities that we have. Thanks, Steve.
Speaker 4
Thanks, Gary. As Gary had mentioned, we have more ways to land than ever before, whether that's landing agentic, landing human, landing with the platform advantage, that wedge strategy, landing up against the competitors. But just like we have new ways to land, we have more routes to market for the way we can land, whether that's through direct sales, our indirect sales team, our MSP channel, our marketplaces, and more. And we have more ways once we do land in terms of how we can actually expand to create deep, compounding platform stickiness. And when a customer lands with us, they quickly realize that identity is that central nervous system of their enterprise. They don't just stay for core governance. You heard that from Chandra. They see the vision. They rapidly expand to manage other identity populations, whether that's non-employee, maybe non-human identities, and also agents. And then with the success of the SpaceX IPO, maybe non-humans in space too, but customers mature from this static governance to real-time and then being able to eventually get to that end stake, which is autonomous governance, the agentic governance, utilizing more and more of the platform. They govern all identities, obviously under one unified platform. They secure more use cases, whether that's data access governance, GRC, and just-in-time authorization. They'll leverage the extensibility of the platform to integrate with the SOC, create workflows via shared signals, and allow for real-time remediation. And as a result, we're seeing a record number of customers standardized on three or more modules. And this platform expansion, which we're really excited about, massively will be accelerated by our recent announcement of Entro security. If you think about Entro today, their agentic capabilities give us deep software lifecycle management expertise, allowing us to secure not just the agents themselves, but the actual secrets, the tokens, the credentials, all those things that make up the workload of what an agent does. And by bringing agent governance with deep technical secrets protection, we are providing the customers, our customers, with the most robust unified security solution on the market while decisively widening our competitive moat against the agent security solutions, those point solutions out there. We do feel like that market itself is actually commoditizing, in some cases now consolidating as well. And our product adoption strategy is really simple. It's provide quick time to value. really drive that blueprint so our customers are successful over the long term and then more importantly just be there all along the way and just speaking about being there all along the way here's a quick illustration of one of our customers in oil and gas and their expansion journey with us over time. When customers move from Identity IQ like this customer to Identity Security Cloud they are not just upgrading their technology they are making this multi-year commitment to modernize their Identity Security program and effectively readying themselves for the future. In this age of AI agents, this customer knew early. They knew real early that you cannot just manage agents in isolation. You just can't manage humans in isolation. They have to come together to see the full context. That's why in this case, you saw the identity team come together with the AI team to make this decision and leverage budget actually from the AI group. They understood that every AI agent, every automated process, Every bot needs the identity and criticality of a unified control plane. And every security leader, especially at this example, they could not see a fragmented landscape with fragmented tools. They knew that they needed a unified control plane as the tool of choice, and it was the basic starting point for modern security. They knew the connection between the human, the agent, the agent to the machine, the machine to the data, and then a unified policy around that. And our platform delivered that for this customer end-to-end, and it led to a 20x increase in AR, and most recently a 50% increase in AR when they enabled the agentic fabric to govern agents and non-humans via that unified governance model. So, and finally, we have significant opportunity to modernize our base. It's exciting. You'll hear from Brian later that we have about $350 million that still sits with our Identity IQ customers, which represents about a billion dollar or more opportunity for SailPoint. But much like the example that I just shared and the technology shifts that we're seeing in the market, the tailwinds that you heard from Matt, there's more reason than ever to extend beyond just human governance. And SailPoint has created glide paths for these customers to the agentic suites that de-risks, de-risks the move to the cloud. And it starts with commercial constructs. Through our flex modernization program, we co-invest with our customers to remove any financial friction and allow them to adopt the platform as they mature. And from a technology standpoint, we have moved from a migration to an upgrade. This is a technological paradigm shift. Transitioning to the cloud is no longer this high-risk, heavy-lift migration. is a seamless platform upgrade. And we have eliminated the biggest barrier to modernization that drastically reducing the professional services burden by almost 80 to 90%. And we have moved to what we call internally a proof-based methodology, which leverages forward-deployed engineers and virtual agent architects that is truly game-changing. These architects are our IP, our institutional honor, our best of the best in terms of talent in the business, effectively becoming a digital twin to help migrate our customers to our cloud solution. So with that, let's have Jeff Hickman, our SVP of Solution Engineering, join us on stage.
Speaker 14
Nice up. All right, get the demo set up here. All right, before we jump into the demo, a couple slides as they get that queued up. So good afternoon, good morning, everybody. We're very excited to showcase this innovation. It's been talked about a couple times throughout the day. And if flex modernization was the license unlock, what we're talking about now is another unlock. And that's really the unlock of the cost and time of modernizing. And it's driven by the SailPoint agentic acceleration methodology, which is powered by the virtual architect or the set of agents that Steve mentioned. And this is an AI-powered capability that automates and accelerates the transition today from an on-prem IAQ environment to the cloud or the ISC environment. And one of the hardest things about doing these modernizations is really untangling years of custom code, custom workflows. And if you think about it, dozens of people, if not hundreds, of people and partners probably have touched these legacy systems. And it creates a complex environment and a complex code base with very little documentation of what's really under the hood. So unlocking that legacy stack used to take months of, frankly, human analysis and consulting. And so the solution now is a no-cost, AI-powered, virtual architect trained with over 20 years of SailPoint IP and the know-how that completes a production-ready ISC instance in a matter of hours and days, not months. And in many cases, modernization becomes just as easy, if not easier, than a standard version upgrade. The virtual architect has de-risked this transition and creates value day one. This is really the game changer when we talk about that billion-dollar unlock of our greatest asset, which is our existing customer base. So one key point as we move to the next slide, I want to emphasize here that this virtual architect, this is not a translation we're not transposing code we're not copying pasting code from one environment to the other this is truly a virtual architect that requires and is built on intelligent transformation and this is the magic is we've ingested or input 20 years of knowledge into this architect and there's insights from all of our top our top human architects into this to create a skills database that trains this virtual architect. And this SAA methodology combines deterministic engineering with non-deterministic LLM-based models, all informed by these architect's curated skills. And so the virtual architect transforms your legacy investment into a modern, scalable cloud environment ready for rapid innovation. So let's quickly review how this works. So what you see on the slide is just the macro process. First, we ingest a customer's IIQ configs, and the virtual architect gets to work. The virtual architect automates the analysis, the planning, the building, and the deploy to create that functional ISC environment. The virtual architect performs the heavy lifting, which, you know, parsing that IIQ environment, mapping the dependencies, and it does it within a matter of minutes, really and from there it moves to the plan build and actually deploy and crucially is I want to highlight here there's still a human in the loop here and and a human along the journey the entire way because they validate the build they validate that everything is working if there's things that need to be adjusted or fixed they jump in and they can do that and what's interesting is that starts to create a self-learning self-healing capability because everything that we find that we haven't seen before, we then build a new skill for that architect. So this is the flow that we'll walk through. You'll kind of see this represented in our virtual agent here in a second. So let's just dive into that. If you want to switch to my screen here, locally we'll walk through what this starts to look So if we can switch to my laptop. I'm sorry? Two seconds. So one of the things you're going to see as we get into this, unplug and replay the The old tried and true. Okay, here we go. Now we're working. Cooking with gas. All right, so what we're going to see here, I was going to say under the covers. We talked about this being our virtual architect. This is really a multi-agent architecture under the covers. So we have six orchestrator agents with 36 agents working under them with 137 sub-agents working under there, all trained and working on these skills that we talked about. translated from our humans. So this is why we talk about the virtual architect. This is a complex multi-agent system that we have built ourselves. And so as we say, we ingested what you're looking at here. We've already ingested a customer's IAQ instance. This is actually a working or this is a real customer. We've anonymized it. Normally the customer's name would appear here and we land on a report card. This is what you're looking at. And so this is our full blueprint of what the agent has discovered within that analysis of the IIQ environment. And I'm going to jump into or just highlight a few things. First, I'm going to key in on 79%. The agent and the architect has said in this environment, let's effectively round up to 80, 80% of it can be automated through what the architect knows how to do. That only leaves 20% that the humans have to intervene. So if it was a 1,000-hour project, it becomes a 200-hour project. Another thing that I want to highlight as we think about this environment, we talk about sources here, 748, so 750 sources. These are applications that are connected. This is a complex environment. What you're seeing here for this customer is not just a vanilla, easy layup, if you will. This is a very robust, there's two authoritative sources in here, human capital management systems, and then 746 connected applications through this environment. We've discovered, or the agent has, the architect has discovered 19 core use cases across the system. And so now we've got a view of what do we see in that IAQ environment. And as we scroll down, you can see our, effectively, our pipeline that we saw on the slide previous. This is the analyze, plan, build, deploy. These are all the stats and activities that we're underpinning at each of those steps, you can see that those steps are complete. We have run this through the entire process. As we scroll down further, we have some more report card stats in this case, highlighting we've got 6,000 hours effectively remediated. That 80% in this case translated to about 6,000 hours of human work that did not need to take place at this point. Scrolling down further, I want to highlight a couple things. And so life cycle events for folks that aren't steeped in identity like some of the folks in the room here from SailPoint, I want to highlight life cycle events here. And this is kind of a simple process. These are bread and butter use cases for identity. And we're going to jump into the new hire process. So think about this. Everybody, when you guys got hired at your jobs, you walked in day one and there's an email waiting there that says, welcome Jeff, we're super excited to have you here. Here's how you access your systems. Here's all the things you can go do. Well, that email is a complex orchestration under the covers of a lot of things going on. And that is very, as nice as it is for you walking in day one, knowing you can, you know, get ready and start to work. You know, there was a ton of work, and IIQ or ISC helps make that simple and automated. So this is the new hire process we're into, and I want to highlight a couple things here. One is right up here, which says, in IIQ, we had nine artifacts. I think the artifacts is a workflow or a set of rules. We had nine discrete artifacts that are now being translated into five. I mentioned this is transformation, not transposing. We're not copying and pasting. It's not nine to nine. It's nine to five. And what's interesting in this, and I'll zoom this a little bit so we can kind of see, what the agent is telling us is, hey, a lot of these things are going to collapse just into standard configuration items in ISC. We don't need them. We don't need to copy-paste it over. But there is one thing it kind of called out, which is this send welcome email. We need to have one custom cloud workflow that we're going to go build out of this. And so I'm highlighting this. Remember this SAA joiner send welcome email workflow because the agent had to go build that in ISC. That's what it's telling us here as it's going through its work. And so we'll close that off, but you can start to see, as I close that out, take a look at the numbers here. 30 to 4, 7 to 3, 7 to 3. You start to see the consolidation or the mapping of what used to be complex, and in ISC it's all code. You're coding all of these workflows, lines of code living in IIQ, sorry. And when it goes to ISC, it needs to map into a SaaS environment, which is largely configuration or declarative-based. So the architect knows and knows how to do that and makes that intelligent decision. If we highlight here, overall, if you think about all of those boxes of reductions, what we're saying is the virtual architect has figured out how to reduce complexity by 55% moving from IIQ to ISC. That's a 55% reduction in technical debt, things that people have to manage and maintain at a code level. It all becomes much more of a declarative instance. So this is the overview. A ton of great insights. That's at the macro view of what the virtual architect has discovered. Let's go to the micro. In the micro side, this architect has actually already built all of the documentation for us automatically. We have our requirements and our solution design document. Think of this as what you would hand to of the 20% that I was talking about before that still needs to be created. we now hand those humans the blueprint for what they need to go create. And it sits inside the design documentations. We've got a full upgrade plan. We've got our report cards. If we can dive into these, we don't need to go through them. It's a lot of text, but it's a lot of insights. And so for customers, as we go in and explain what's happening and what the process and what this blueprint looks like, we can give them all this information. We can show them in detail what we're mapping from one environment to the next. And that's kind of static, right? Those are reports and things we've already created, but this is actually a live, we can talk to our agent. And we have the ability through an inference window here to start asking questions. So I wanted to, I'll give it a softball question, just how many workflows are going to be in ISC? And as it is chewing on this, it's actually using, we're bringing a language model into the world of, effectively iiq if you think about it we're taking a look at that environment and now the agent is coming back with insights we have 87 workflows and effectively you can just have a conversation with this architect and you can start to understand what's inside that tangled web of years and years in iiq of the build i actually did something i was thinking about this on the plane last night. I asked it another question, which was, and this took a little bit longer, so I had it queued up here, but I said, do you have any concerns or, you know, are there any security concerns, any vulnerability concerns with your current IIQ environment? You know, I'm not saying anything about moving to the modern platform, but you can see here, the number one security concern for this customer came back that said, holy smokes, you've got hard-coded credentials and API IAQs inside your coat. So if you listened to the presentation before, that is the opposite of zero standing privilege. It's the complete opposite of that. And so we can go, and we actually had this conversation with the CISO of this customer, and we were able to come in and say, look what we discovered within just your IAQ environment. There's a lot of items in here to be remediated. And it opened their eyes to not only how do I protect by moving forward. And oh, by the way, there's a recommendation in here, if we can see this, which says, hey, by the way, if we do migrate to ISC, when you do that, there's standard configuration items that are capabilities within ISC that would remediate this automatically and prevent it from happening. It is a way of moving into a best practice posture when you move to ISC. And so not only are we helping them with the vulnerability they've got today, But we're mapping to the future of how do you remediate that going forward in ISC. So pretty powerful to not only have a macro report card, a capability of full documentation, a way to interact with that agent in a real-time basis. But if you recall, the last step in our pipeline as we went through was build deploy. And so this agent has, an architect has gone in and said, you know what, let us just get going and we'll build that ISE environment for you. So what you're seeing is a live demo environment that was created by the virtual agent. You can see here on our homepage, this certification campaigns. These were configured in items that were within their IAQ. There are six certification campaigns that are in here. They came over, they're already working. We can demo those certification campaigns straight away out of the box. All of that data came with us, and all of those workflows came over, transposed, from the IAQ environment. So I want to jump in. Remember that workflow we talked about as far as the new hire goes? Well, if I jump in, here's our SAA welcome email. So again, this is the welcome email. This is the description of what that email is. But if I want to really go see what that looks like, remember what I said? This was code, right? This was a set of workflows and rules, effectively, that were coded into IAQ. And now all of a sudden, the agent has built that, and it's come to life in a declarative form within ISC. And now what's amazing about this is it doesn't require a developer like you used to have in the IAQ environment where you had to go manipulate code. Now you're an administrator that can use declarative tool sets to make changes into this workflow. And you can see it's quite complex and quite robust. This customer did not want to change what this workflow was. It was, you know, they liked the workflow. They wanted it replicated. And the agent and architect have built that over here in ISC. Quite powerful. And so what's, this provides a platform, right? What else can we go do with this? And so what I've just shown you is how do we move IIQ to ISC in a kind of similar like-for-like feature function kind of way. You have to do the translation, but it is the like-for-like. But what happens if I want to start layering in all that innovation that Shonda was talking about? Discovery of agents, the power of the platform getting in and using the power of the Atlas platform. Well, one of those capabilities that lives within our platform today is our identity graph, right? And so this is a great way to visualize these identities. Dawn Oliver was an employee that lived in IAQ. Now she's living in ISC. We've brought her to life here. You can see her access profiles, her roles. All of her entitlements came over. And I want to blow out her entitlements real quick. And so what you're seeing here is all of her entitlements. We can see those. There's one line in here, which is yellow, if you can actually see that right here. And this thing, this entitlement is actually to an agent. Well, we didn't have agents in IAQ. Now that we're running an ISE, we can start to layer in, in a demo fashion, all of the amazing innovation to bring to life for a customer when we're demoing this. Hey, look, now you're on a platform that you can start to ingest all of this amazing stuff. And so if I go look at this agent that we had discovered. This is a payment history agent. It has four entitlements itself. And I'm going to go into the details here. And, you know, I can see a lot about this agent. But what's interesting is, right, the source says AWS SaaS. This was discovered. We connected this to a Bedrock environment. We pulled back and brought this agent, discovered the agents that were living in Bedrock, brought them back in. We've already discovered them, visualized. But what's amazing here is I've just we've assigned the owner. And so now what we're showing is we've moved from Discover Visualize to govern and protect, right? We're able to start showing that path, and we can demonstrate that. Even though this was an IIQ environment and we walked in to do an IIQ demo, now all of our folks and our sales engineers can say, hey, here's what else you can start to go do. Here's why this is an acceleration path, and it unlocks all of the other capabilities of SailPoint for these customers, and we can visualize that walking in day one. So this becomes an amazing platform to jump off. If you think about this from a go-to-market perspective, what we are able to do now is as we walk into a customer's environment, we can not only show them the blueprints, show them what we discovered or show them what we've analyzed within their IQ environment, but we can show them what it looks like working, their workflows, their data with our new innovation working alongside that And all of a sudden, the light bulbs start to go off as far as what the future looks like in a much faster way. As we think about innovation here and thinking about that go-to-market posture, this engine effectively is a paradigm shifter for us because what our virtual architect knows how to do very well is speak ISC. It can build ISC from a set of artifacts. And the artifact in this case was an IAQ config. We are working on other artifacts. Imagine a world where we have RFIs or RFPs that come in with outline basic use cases. Well, we know what those use cases kind of look like when a customer says, hey, I need a new hire workflow use case. Well, we know what that kind of looks like. Our agent can go stand that up for you. And so instead of coming into a customer's environment and PowerPointing them, we can come in and say, here it is. Here is what it looks like working. And so that goes for new logos like Gary was talking about. It goes for the unlock of legacy platforms as we start to teach our architect how to speak other legacy platforms. This is a true unlock across not just our customer base, but a paradigm shift across our go-to-market here. So with that, I want to come back to get one more slide to present as we wrap up. So if we go to the next slide, come back to the PowerPoint here. Okay, perfect. so as we wrap this up as we just saw we're investing in no cost to our customers to use our virtual agents our goal is to accelerate our customers journey to the cloud preparing them to take advantage as I said of all this new innovation driven by this non-human explosion and if you think about this massive shift like I said in that very first meeting we can sit down with the customer show them their blueprint as well as their live data working within a live environment with their data, their workflows. We can eliminate hours of collection of information, analysis, demo creation, PowerPoint theory. And if you step back, it means we're moving to a world where we can sell and almost simultaneously deploy. And that is kind of the true north of where we want to go. So perhaps most importantly, the virtual architect allows us to leverage our customers' investment that they've already made. That investment in IIQ is no longer a sunk cost. It is an accelerant into this world. Their ISC environment has stood up much more intelligently because of that past investment they've made in IIQ. It brings the customer's identity IP, as effectively if you think about it that way, into the cloud quickly and at a much lower cost, enabling the ability to rapidly adopt our latest innovations here that we saw this morning. So this is a good segue. This all sets the stage for kind of this next bit of discussions. If we've won, we're starting to unlock this blocking and tackling of IIQ to ISC. And how do we use, you know, it starts to free up human time. And so how do we use that time and mind space freed up from those lower level tasks to do much more strategic things? And so I think that's a great segue to bring up my friend Rex Thexton. He's our senior managing director from Accenture. to give his perspective of what he's seeing in the landscape.
Speaker 15
At Accenture, you have a front row seat,
Speaker 14
a catbird seat to boardrooms and C-suites. And we've been telling investors today that this explosion of AI and agents is really creating a massive inflection point for customers and for us, frankly, about how you rethink security and strategies. So from your vantage point in this agentic shift, what are the frameworks or why are the frameworks that are built for human-centric governance probably not sufficient in this new world?
Rex Thexton, Other
Yeah, no, I think it's a great question. So just more background, I'm our global CTO for our cybersecurity business as well. And, you know, I think over the last 30, I don't know how long it's been, three or four weeks, we had this thing called the mythos moment, right? Everybody was concerned about vulnerabilities and all these different aspects. And what it fundamentally taught people is nobody is prepared for what the frontier models can unlock from a security perspective. And then if you look at where identity sits in that big picture, but all these agents can do and drive that, identity is the control plane for people to be able to unlock agentic identity in their environments. If you don't know what the agent has access to, how it has access, and what it can do, you are in big trouble. And I will give you an example. The reason I brought up this Mythos Bulmer Frontier model, when we started looking and running tests, one of the things was it can find vulnerabilities, right? That's step one. Step two is it can find novel attack paths. When we found these novel attack paths, you know what the funny thing was? 80 percent of the way to break the attack path was either was to do an intervention with an identity capability being able to go in and and and limit or or or revoke an identity or token or something they're all a lot of them were that related versus this patching this cve will break the chain a lot of the minimum cut paths were identity related which i found somewhat surprising from that perspective just initially but that was just fact-based data as we went out and and mine these attack paths with you know some of the latest frontier models and so that that is super important from from an unlock perspective I think if you look at you know what what clients struggle with and this is what we see every day is hey I've got this human identity infrastructure first they try and adopt it and use that for non-human and they struggle pretty pretty adamantly with their legacy tech solutions so one of the things that we've been very focused on and I think you know we talked about this last summer is about getting our clients to modernize at little or to no cost. And the funny story about that was one of my favorite consulting stories. A few years ago, there was a multi-conglomerate that wanted to, you know, break away and had to take their identity system. And I remember one of our lead consultants at the time, the client, he said, yeah, so we're going to go, man, we're going to configure this infrastructure, we're going to do all this stuff. And the client says, so what do I get? And he goes, nothing. That's it. And I thought that was funny because, you know, that's what we're getting rid of right we're able to get them so they can start unlocking you know the value of a genetic identity and I think there's this other aspect you know if you watch some of the Sequoia talks you know they talk about this concept of diffusion clients can't unlock they can't keep up with the frontier models from being able to unlock the power of AI and part of that is they all sit there every conversation we have is how do we do this securely how do we how do we how do we how do we do this securely and being able to leverage agentic AI and And so there's, you know, the first answer is non-human identity and being able to make sure that you know what your agents have access to, what they can do, and the context in which they have it. That's step one. If they don't do step one, what they end up getting is, and I was at a client the other day, and they ran a shadow AI discovery. They found 1,000 agents running on their network, tokens everywhere. And that is a big problem, and that's happening no matter what. So they either cut it all off or they get identity under control, and then they can adopt from that perspective. If that makes sense.
Speaker 14
Yeah, super helpful. All right, so let's talk about some execution of our massive install base that we kind of walked through. And we introduced, you know, obviously the CellPoint Agentec Excaloration here today, which is heavily automating this transition. And a natural question from really the larger community might be or probably should be or will be, you know, how will this Agentec innovation reshape the services industry, you know, from the traditional implementation as those traditional implementation models evolve and as more of this modernization becomes automated, how should we think about the potential impact on partners for that?
Rex Thexton, Other
So I think it's a different type of impact. So we've been shifting to an outcome-based model for quite some time. And where we see the value is being able to unlock. And if you look at what we're trying to do is provide the best outcomes for our clients. And a lot of times, you know, in the early days of identity, we can only cover the socks apps or the regulated apps. We can only cover a portion of the estate. That's no longer going to work. So what we're able to do now, instead of spending money on that what I call the Seinfeld phase, the nothing phase, we're able to go in and get that done and then go in and scale the estate and help our clients scale. I think there's no one better positioned than SI's in the world to be able to go in. We've been doing this for years. We've been making SAP work, we've been making the identity tools work, we've been making everything work. We have that institutional knowledge on how to best integrate and implement these capabilities from a frontier perspective. I think that's what's unique about us, and so we're shifting to what we do best versus spending time on what I would call the mundane, and we're able to go and start unlocking that high value and helping our clients deliver those outcomes that they're looking to deliver, being able to leverage this new technology. I mean, it's probably the most exciting time I've ever seen in my life. I think the biggest issue that I see out in the market is our clients aren't moving at AI speed from a procurement perspective. They're still trying to go through and evaluate. And I think, you know, one of the things that, you know, we talked about early on in our partnership was how do we help our clients unlock? Because clients don't want to buy another tool. They've had these processes for regulatory capabilities. You know, there's a huge data switching mode around just the human. And if you're going to go reimplement those in a new tool, different policies, it doesn't make a lot of sense. So they expect their vendors like CellPoint to be able to come in and be able to provide this non-human identity capability. And being able to, you know, unlock and get there faster allows them to be able to unlock the agentic future in their enterprise with that new control plan. That is super important. And that's why we've been, you know, pushing, you know, you guys pretty hard to come up with something like this so we can get in there and start doing it faster. because if the first inhibitor is cost and time, that doesn't work. And so if you take time, cost, and uncertainty out of it, because a lot of clients are afraid to migrate because they're stuck in this mode of, I don't understand what I have today, or I do it this way, and there's this, you know, what I call this fear, uncertainty, and doubt. If you're able to unlock those three things, time, money, and confidence, then they can move at pace and then unlock the future, which is this agentic world. And that's how they're able to provide outcomes to their clients and to their board and to their bottom line.
Speaker 14
You've said this before when we've been talking. The work doesn't go away. The work is just different. And I think that was really well. More of it. Awesome. Thank you so much for joining us today. This was great. I'm going to turn it back over to Mr. Steve Caldwell to take us home for the go-to-market here.
Speaker 4
That was good stuff. Our operational rigor, we talk about this quite a bit, it sets us apart, and we've been investing in AI across SailPoint. Since the inception of ChatGBT in November of 22, we've been early adopters. But we do live in this world of what we call internally institutional deepfakes and enterprise software, where you can vibe code, and you can vibe code something that seems real. You can vibe code something that can be a great POC as well. But buyers, as you heard from Jeff and Rex just moments ago, need to really change the way they evaluate enterprise software. I think profound trust and integrity becomes more essential than ever before. And we think about the market of IGA, and you think about how IGA has evolved into identity security, IGA going to the edges and governing more identities is effectively identity security. But IGA in its acronym form is more important than ever in the age of AI. Think about the acronym. Identities, there's more identities than ever before. There's more governance that's required than ever before. There's more administration that's required as well. Thus, the financial and security risks of a failed deployment are just simply too high in this world where AI is just moving so fast. There's no time to ever catch up if you get that decision wrong. So that's why we operate now internally as something we call the velocity of trust, which is a paradigm shift in the way we sell. You heard a lot about that from Jeff moments ago in terms of our capabilities in this area. It's moving from what we call a promise-based selling, where you're making a bet, and then you're going through an implementation and you're hoping it pays off, to moving to proof-based, where you know up front that you're making an investment that's going to have a return. You know you're going to be successful. And so by utilizing agentic acceleration, we absorb the risk for the clients. It's risk off the buyer, now it's risk on the vendor being SalePoint. And we have automated away the complexity that sometimes gets associated with identity governance or legacy IGA or competitive IGA. What we didn't mention was our agentic acceleration can be applied to legacy IGA. It can be applied to competitive IGA to make those transitions to SailPoint that much more effective and timely. And this allows us to simultaneously sell and deploy all at the same time. which we believe is a financial and operational motion that the competitors, the market itself cannot match. So with that, I'm going to turn it over to Wendy Wu, our chief marketing officer, to share the successes we're seeing with customers, the analysts, and then also share with you our pricing and packaging model.
Wendy Wu, Other
Thanks so much, Steve. Hi, everyone. So at SailPoint, the ultimate foundation of our business is the trust. We're not a point solution. were the definitive system of record for identity security in serving the most complex organizations on the planet. Today, we protect over half of the Fortune 500 and nearly 30% of Global 2000 from Forbes. These are organizations, they operate in the highly complex and hybrid environment under massive regulatory pressure. They chose SailPoint for one single reason. We scale and we deliver. And you can see that trust in our retention rate at 97%. And that speaks to the stability of the business and the critical role that we play for our customers. When SailPoint is deployed, we become very hard to be replaced. and were deeply embedded in our customers cyber security defense. This level of trust is validated by major independent analyst firms as you see here. In the most recent IDC market scape and Carpenter Coal leadership compass SailPoint was positioned as the undisputed leader in identity governance and we stood out for our market leadership and our vision. And most importantly, our customers have spoken. Their feedback earned us the Gartner Peer Insights Customers Choice Award for 2026. So for us, these recognitions really matter because they reinforce what we see in the market today. Customers want a platform that they can trust for mission critical identity security needs and that trust gives us a very very strong foundation to expand and evolve our solution and that allow us to capture the next wave of demand as identity expands from humans to non-humans and agents so I know you guys are wondering how do we monetize our product portfolio. Up until recently, our commercial baseline was built primarily around our identity security cloud suites, Standard, Business and Business Plus. And built on our foundational Atlas Common Services, these suites they deliver the comprehensive out-of-box governance for human identities. Customers can easily expand with the advanced add-on capabilities such as non-employee risk management and several others. But the enterprise buying behavior is shifting. Customers they want commercial investment that can perfectly align with their maturity without a rigid lock-in. That is why we created SailPoint Navigators. They're the flexible purchasing pathways that let customers buy and adopt exactly what they need, and it simplifies the procurement process, accelerate to the sales cycles, and create a frictionless pathway for future expansion. Now while securing human identities really drives our baseline the market it's moving incredibly fast and we are launching the industry's third shift into the agenda era today the most urgent operational risk is really the explosion of the unmanaged AI agents and machine identity that we've been talking all this morning so to capture this market shift we have evolved our market entry and packaging strategy. For the very first time customers do not have to start with this SailPoint human identity solution. If a net new logo or an IAQ customer they need to solve their agentic identity problems immediately, they can purchase the SailPoint agentic fabric that we just launched as a standalone solution to secure their non-human identities. What this means is it unlocks a massive new time for us it allows us to really capture the enterprise who otherwise would have turned to our competitors but as we said the ultimate security for enterprise can only be achieved through a unified control plane because you cannot secure agents in their own silos and you cannot fully govern these agents without mapping its access and its accountability back to its human owners so to solve this we have introduced our agentic business and agentic business plus suites they unify both humans and agents under one control plane for our existing customers the upgrade path is completely seamless customers can step up directly from business to agentic business or all the way up to agentic business plus as their needs mature and customers who are already on business plus they can move directly into agentic business plus and each upgrade represents a seamless journey with a corresponding price increase to cover the extra value we deliver so this is the future of our business as our platform continuously discover more unmanaged non-human identities customer naturally they will see more risks in their environment that they want to keep under control so that creates a very compelling reason for them to expand their footprint and turning the agentic fabric and agentic suites into a highly scalable growth engine for sale point now having talked about the packaging strategy how do we price for this shift let's keep it simple and predictable and really monetize the growth through a hybrid pricing model as we know legacy based pricing alone today is just not adequate anymore. It does not fully capture the reality of the modern security. AI eventually they may optimize the number of human workers but at the same time it is also causing machines and agents to explode. If we only charge per human we miss out the massive upside we have at the same time the reality with our customers is they are very very hesitant to commit to a large upfront payment because they simply don't know how many agents are there in their environment that they need to secure so our hybrid model solves this by balancing the budget predictability with value-based scaling. We land with seat and we grow with extra capacity. To make this initial landing completely frictionless, our commercial anchor remains on the predictable human identity licenses. But to remove the upfront guesswork, we include a generous baseline of non-human identities with every single human identity that you purchase. This really allows our customers to safely discover and secure their authentic identities on day one without having to worry about immediate overages. Then as their environment grows, they're likely to exceed that baseline. Now they can scale seamlessly by purchasing our modular capacity packs and this ensures that their ongoing financial investment scales in proportion with their actual platform usage such as the increase in their agent volume the API calls are making the workflow automation data retention and data refresh so here is bottom line we eliminate the initial buying friction to accelerate immediate adoption and as customers ai and automated entities multiply our revenue will scale in lock steps and we're directly monetizing the explosion of agent-driven work so to bring it all together we have the trust of the world's largest organizations we have the leading platform to secure these new identities of human and AI agents and now with our hybrid pricing model we have the commercial engine to capture the financial upside of this digital explosion as our customers environment to grow more automated and complex our revenue will scale alongside with them and we're not just securing the future of the enterprise, we're actually building a scalable and predictable growth engine to go along with it. Thanks, everyone. I'll bring it back to Scott.
Scott Schmitz, Head of Investor Relations
All right. Thank you. And thanks, Wendy. Thanks, team. That was a lot of information this morning. I hope we found it valuable. I'm going to call a little audible. We were supposed to do Q&A, but I think instead we're going to add some time to the end. And we're going to go to break, let everyone stretch their legs, get a snack, use the restroom. So we'll be back in about 10, 15 minutes and we'll start back up again so thank you all are we good all right welcome back um you know there's a lot of things that go in to an event like this and uh i gotta say there's a lot of people to thank uh to help us prepare for today the one thing i didn't have on my list was a fire alarm so i will add that to my checklist i apologize for that um but anyway uh we got a lot more content this afternoon and then we'll get into the full q a so uh with with that let me
Meredith Blanchard, Other
introduce meredith blanchard our chief customer officer hope you can join me i'll i'll introduce you um so hopefully no no fire alarm um so this morning we spent a lot of time talking about sale points technology um but the reality is is that major technological shifts like this are never just about the vendor they really require this true forward thinking partnership between the vendor, the customer, and the partners like Accenture. And what our next guest and his organization have achieved in terms of modernizing and securing their identity perimeter really does deserve to be in the forefront. And honestly, we're just incredibly proud to play a supporting role in your story. So what I want to do for this session is flip the script a little bit and instead of talking mostly about SailPoint, talk about the incredible transformation that is happening at one of our customers, the Vanguard Group. Vanguard has been a customer of SailPoints, a great customer, for 10 years, and it's been really fun to watch how they've matured. And talking about AI, they're not just starting to adopt AI, they're actually actively using it to design behavioral nudges to help over 50 million clients make better investment decisions. They've rolled out tools like Expert Insights that gives their financial advisors, think of it like superpowers, they can personalize their portfolios at scale. And then they have, it's called the Well on Your Way platform, and I actually saw a commercial about it the other night, and it was really interesting. It uses AI to analyze 35 million, 35 million data points to help employees improve their financial well-being and move closer to retirement. So with that, I want to welcome our guest, Srinath Chigalapalli, who is the global head of identity at Vanguard. So, Sreenath, thank you so much for joining us. I appreciate you taking the time out of what I'm sure is a very, very busy schedule to share your insights with us today. It's fantastic to have you.
Srinath Chigalapalli, Other
Thank you. Thank you, Meredith. Can you guys hear me? Okay, perfect. It's great to be here today.
Meredith Blanchard, Other
Okay, well, thank you. We appreciate it. So I'll set the context. You manage identity for an organization that oversees trillions in assets. And I want to learn more about your role and Vanguard in particular, And then understand with all these massive AI initiatives that are rolling out, what's the most exciting AI initiative in your world right now? And then more importantly, as global head of IAM, how do you help balance this need for massive innovation yet keep things secure?
Srinath Chigalapalli, Other
Great question. So just for everybody's benefit, like I'm sure everybody has heard of Vanguard, but Vanguard is an organization whose mission is to make sure that our clients have the best chance for investment success, right? Like you know us as a low-cost fund provider, but our goal is to provide the best products at the best price and make sure our clients are successful. So, as Meredith touched on, it's 50 million clients across the world, and we have a workforce of about 30,000 to 40,000 that provides this service at scale, right? And we're a digital-first company, so we leverage emerging technologies to provide these services at scale. Like, we don't have physical offices where people can come in and interact with us, right? So whenever we talk about a technology, and especially as an exciting technology as AI, we've kind of adopted and embraced AI in a very aggressive way, right? So what's fascinating is, you know, the definition of what a user has evolved over the last few years. When we talk about AI-driven initiatives, Vanguard, whether we talked about the expert insights or benefiting our retirement clients, we're no longer talking about just human beings logging into systems, right? Like the processes behind are pretty complex and autonomous, a combination of human systems and AI agents that act, make decisions, and execute workflows, complex workflows on behalf of our clients and advisors. So my role in IEM and broadly across security in our organization isn't just about being a gatekeeper, right? So especially when you talk about gatekeeper, I think people think of like, hey, somebody is stopping people from doing things, right? And that's not what we want to be. It's about building a robust identity-first foundation of trust so we keep our clients' assets secure, right? so we want our developers and business units to innovate at lightning speed but they need to do it within a secure framework so if we can secure the identity of these AI agents and systems from day one we give the best chance and the best confidence for our business units to innovate fast I appreciate the
Meredith Blanchard, Other
context I want to come back to that gatekeeper analogy here a little later in this session I think that's that's really interesting you know but we have crucial distinction here we're transitioning from gen ai as a passive co-pilot if you will to autonomous ai agents that are acting as like you mentioned a very large in this case digital workforce um i don't know if you're hearing kind of this this discussion or debate i certainly am especially across cso's and cios but one of the biggest organizational hurdles they have right now is structure. How do we actually govern this? There's a passionate debate around do we need a chief AI officer? Do we do this via committee? How do we keep control of this? So Vanguard's interesting. You're in one of the most highly regulated spaces in the world. So I'm curious how you're thinking about this. Are you looking at a chief AI officer? Is it a committee? And then more importantly, your team, how do they integrate or coordinate with this structure to make sure that security is moving at pace with innovation and isn't an afterthought?
Srinath Chigalapalli, Other
Yeah, it's a great question again. And look, I'm sure every leader in this room and everybody out there is thinking about the same question, right? So we recognized as an organization very early on that AI adoption and governance cannot live in a silo. Like, there's not one person who's going to sit and make a decision, right? So we do have an AI officer. We actually merged the AI officer with the technology officer roles now. But we have established dedicated AI leadership and cross-functional AI governance committees, right? So there's executive sponsors, and then there's governance committees and decision makers, which includes business leads because they have a very large stake in it, risk officers or legal teams, privacy teams, and technology champions. But the one I just held on to the last but not least is the security organization. So the CISO, myself, and the Security Operations Center, We're all part of that AI governance council right from day one, right? And I am in security organizations. We all have a permanent seat at the table, and we make it a non-negotiable principle that AI agent is an identity that we have to manage, right? So when our AI governance leads design the guardrails for what an AI system is allowed to do, what my team does is transfers those guardrails into actionable policies, governable policies, right? So if an AI counsel decides they're going to create an advisor-facing agent that can read portfolio data, we make sure that, hey, if you rebalance the portfolio, you're not actually executing the trade because that's not the intent of it, right? So that constraint, we enforce it at the identity layer, right? But not just in the code, but even in the identity layer. So because of this tight partnership, we ensure that as AI leadership pushes the envelope on what's possible, as a security team, we're right there with the right architecture and the dynamic
Meredith Blanchard, Other
enforcement. Yeah, so a permanent seat at the table. I think that's phenomenal. So I want to transition now and talk about agentic sprawl or this agentic wave that is coming at us or rather on top of us right now. Enterprises are rapidly deploying autonomous AI agents, and this is creating this massive new risk vector for us. These agents adapt. They learn. They take unpredictable actions, which means that legacy static controls completely ineffective completely ineffective in fact we were talking earlier right we have an intern group and I was asking one of our data scientists interns I said what's the one thing I should know about AI just tell me one thing pick it and she said you know AI agents like to please and they will tunnel through walls they will jump over buildings they will wedge their way through even the slightest crack in a door to get you an answer to the question it thinks you ask so that's what we're dealing with here we're dealing with this in its scale. And that's why dynamic, not legacy static, dynamic context-aware governance is essential, absolutely essential to secure us in this day and age. So again, Srinath, with Vanguard operating under this kind of intense regulatory scrutiny, I'm curious, how is your team thinking about the unique risks that are associated with this agentic wave? And how does it differ or does it differ from previous shifts like moving to the cloud And then secondly, how are you considering this as part of your strategy?
Srinath Chigalapalli, Other
Yeah, absolutely. So I'll address the second part of the question first, which is how do I see this different from the earlier transitions of cloud and SaaS? So we moved about 90% of our workloads to the cloud, right? So we've kind of made a huge bet into moving to the cloud. But when I look at those transitions, they were mostly IT-driven initiatives. They were not necessarily like a business saying, hey, why aren't we moving to the cloud, right? But the AI transition has been very much like a joint partnership between the business teams and the IT teams, right? So the willingness to adopt AI is coming from both sides. So when we started looking at this deeply, we realized that, like, the traditional security models of being reactive are not scalable. Like, that's not something that can fit in this, right? So this is a new reality that we all have to adapt where this adoption of technology is much faster than you can actually prevent it, right? The blast radius, as I like to say, was much smaller when we did the cloud migration or the SaaS migration. In that world, if something went wrong, like, hey, you could look at firewall logs, you go to your SIM logs, and get information about what went wrong, right? But we heard this morning, too, on the speed at which AI can cause you to identify vulnerabilities and also exploit it that quickly, right? So, AI agents act at machine speeds with human access, which is really scary, right? So, AI agents can query databases, aggregate data, take actions, talk to other agents, right? So, it's very important that you constrain the blast radius of an agent. So, especially because if an agent has a hallucination or it's given the wrong data, it can cause severe damage. So it's not just your threat is no longer an external actor coming in and causing damage. It's also a rogue agent internally, which has wrong information provided to it, right? So that's where reactive monitoring is too late. We had to realize that identity is the only viable control play, right? So if we don't have absolute real-time visibility of who created an agent, what is the intent, and what data does it have access to, and what is actually happening in real time, that creates a massive blind spot for us.
Meredith Blanchard, Other
It's a massive blind spot. And at the end of the day, you really can't secure what you can't see. And if you have an AI agent that is operating with a generic shared service account, which is honestly what we see in a lot of these legacy setups, you have zero accountability. If that agent goes rogue, you have no idea which business unit owns it. You can't even figure out how to shut it down. And by the way, if you can, you have no idea what you're breaking from a business process standpoint down the line. So I want to double-click and talk a little more about SailPoint in this portion of it, but let's talk about how we solve this. So if you look across the landscape, there are a lot of vendors out there, a lot of point solutions, and they're touting discovering visibility as really their core value. That's great, but simply discovering and finding an agent, that is table stakes, absolutely table stakes, which is why, honestly, we give discovery, we give that capability away for free. The real power isn't finding the agent. It's once you find it, what do we do? What do we do next? And that's where we do, as Chandra spoke, have a real competitive advantage here. We are the only organization that has that enterprise-wide identity context. We can link these non-deterministic agents to their human owners, and we can govern their intent. So, Sreenath, I want to understand from you how Vanguard looks at this. When you're deploying AI at scale, how important is context and intent as opposed to discovery? And then from an access governance standpoint, how is that driving your strategy?
Srinath Chigalapalli, Other
I love the free price, by the way. Discovery, right? Most people do. But I think you kind of mentioned it, which is like when it comes to AI agents, context is everything, right? So if you want to govern an agent, one, you need to find it, and two, you need to understand, hey, what is the intent that it was, right? So we typically ask three questions. is who is a human sponsor behind an agent? I think I saw the earlier presentations talking about how do you do human-based agent governance? So human sponsor is very important, right? So every agent must have a human owner who's ultimately accountable for its action. Enforcement is important. The second part is what is the intent of the agent? What's the purpose of this agent, right? So we need to kind of be, should be able to dynamically map the permissions to the specific business function and the need that the agent is created for, right? So you cannot generally give, like, the broad administrative access to every agent. That's just very over-permissive. Like, get as close to zero-stating process as possible, right? And the last but not least is what data is it touching, right? We need to know if it's interacting with public data, proprietary data, client PII, investment information that's considered confidential in our world. So all of that matter quite a bit for us when we think of managing agents, right? The other piece of it is, like, hey, look, you need, like, a single pane of glass view into your human and non-human entity. I think Chandra earlier talked about the scale of, you know, humans to machine or non-human entities being 1 to 100, 1 to 1,000. The scale of impact is huge in this world, right? So having a single system where you can see all of this in one place is very helpful. and again kind of coming back to the government aspect of it it's hey if if the owner of the agent leaves the company what's your process right lifecycle management becomes a major concern so or if the agent's behavior deviates from what its original intent is or people change the axis on it like do you have a way of flagging it and governing it and reviewing it right so I like the feature of like the certification of agents like you know we don't do that as well for service identities today but getting into the agent equal I think that's an area that we need to kind of really really get better at yeah no
Meredith Blanchard, Other
that's that's great insight and and watching and flagging that behavior that is that dynamic context that we're talking about that is so critical right now so as I'm listening to your answers it's clear that you've you've managed to find that perfect balance between security and innovation I may have you talk to other customers about that as well but we'll talk after this but you know unfortunately and back to the gatekeeper analogy you know I still have conversations where I hear from leaders that they're leveraging security as a brake pedal and they're slamming on the brakes they're saying okay we got to stop and then we'll figure out this whole AI thing and then we'll start moving quickly but to use a formula one analogy foundationally if you have good brakes you can go 200 miles an hour right out the gate and that's how fast we need to move right now so knowing Vanguard is a customer for 10 years you've got a very very strong foundation so I'm curious how has that and from a security standpoint enabled your business to innovate faster yet still stay secure I love the break
Srinath Chigalapalli, Other
pearl analogy because I've been in the security industry for about four years five years but before that I used to call security the no police so but when we kind of think of security in at Vanguard right we like yes our primary purpose is to protect clients assets and Vanguard's assets but the the second goal or the second mission statement we have is how do we need the enabler for the organization right so securing identity is our ultimate business enabler right and because we have like a robust I am and security frameworks our development teams don't come to us with with every little thing like we give generic frameworks and then they can navigate if just based take a take risk-based approaches but we don't spend months negotiating on with security and compliance and privacy and everybody else on hey whether if you want to launch a tool right so we have out-of-the-box decision frameworks that we can leverage to kind of go and implement things right they know that if they're if they want to create an agent they have to assign a human sponsor they have to request the privileges through our sale point system and they can deploy to production pretty rapidly right so that foundation of trust and control allows us to innovate safely while at the same time protecting our clients assets right so and adopting latest AI breakthroughs I mean there's so much happening every single day every single hour I'm pretty sure by the time we finish this conversation there's a new frontier model that we should be scared about but there's so much happening that you'd need to kind of have a quick decision process and easy pass lane for those of you on the East Coast that we we think of I think that
Meredith Blanchard, Other
that's so important that decision framework I hadn't really thought about that but having a way to react and respond quickly is going to further the trust between the organizations that's that's great advice so I'm gonna ask you for one other piece of advice just to close us out what what is the single biggest recommendation words of wisdom that you would give to others that are navigating their way through this agentic space yeah this is a tough question but look
Srinath Chigalapalli, Other
technologies like AI quantum you know blockchain like you name it like they're really pushing the pace of change I've been in the industry for 20 20 plus years now and the pace of just change just keeps increasing and increasing and increasing and it is exciting to see what these advances can do, whether it's healthcare industry or financial services or client service, security professionals, we as security professionals cannot be the roadblock. You use that analogy of break pearl. We cannot be the roadblock. We have to figure out how to fundamentally redesign security to be more of an enabler, like what I talked about, at the beginning of the adoption, because if you tend to be the no police, then people tend to go around you which is a much bigger risk so you want to make sure that you are staying ahead of the game or at least at the table at the beginning and designing your system so it's easy for people to create and adopt security as a service right so don't wait till you have a sprawl agent sprawl to think about identity and if you're waiting for developers to build dozens of autonomous agents before you come up with your agent security strategy it's too late Like, then you're running around to kind of grab your arms around the whole problem, right? So you'll end up with a legacy mess of unmanaged service accounts, shadow AI, and massive security gaps. So it's something that you have to be worried about. And start treating AI agents as first-class citizens, right, in your identity directory. So establish your governance frameworks, partner closely with your AI leadership teams, wherever they are in the technology domain, business domain, privacy, legal. and build an identity control plane that can scale at the speed of how the industry is moving. So start early and figure out a way to enable.
Meredith Blanchard, Other
Great, great words of advice. And you mentioned don't wait for agent sprawl. I think the reality is it's out there. It's out there. So we just assume it's there and need to tackle it. So thank you. Thank you so much for joining us, sharing your insights, and, of course, for being such a great partner along the way. We really appreciate it.
Srinath Chigalapalli, Other
Awesome. Thank you.
Meredith Blanchard, Other
And at this point, I'm going to transition to our chief people officer, Abby Payne, and our CIO, Shree Kancharlat.
Abby Payne, Other
Good morning or good afternoon, everybody. I'm happy to say that I am not the last presenter before lunch. Brian Carolyn gets that distinction. So we'll get through some of our internal AI initiatives together with Shree. I'm really thrilled to be here. Thank you all so much for being here. I'm also excited to share how SailPoint is driving innovation through our own internal AI transformation, improving both our employee and customer experiences while minimizing the risk that you've heard about all today. As I said, I'm joined by Sheree Kancharla, our Chief Information Officer. She keeps me kind of on the rails on the technology. I appreciate her so much. Because, look, a lot of you may look at me and go, gosh, your Chief People Officer is up here talking about AI infrastructure. and kind of IT readiness, why is the head of HR talking about this? You know, I'll tell on myself a little bit here. Last night, as I was practicing some of my remarks, I actually vibe-coded a teleprompter like the one in the back that we've all used today. My vibe-coding did not work, in fact, and so it was a lot to do for nothing. But, you know, I think when Mark asked me to do this, his vision was actually very clear that AI is not a traditional SaaS or software deployment. It's actually a fundamental shift in the way humans work together. And so that's why we decided to pair these functions together during what is an incredibly transformational time. So we've gotten really specific in order to avoid the AI sprawl that Meredith just talked about, to anchor our strategy around three specific outcomes, revenue generation, customer experience, and as I talked about, workforce transformation. And then to put even more rigor to that, we've really structured our own execution internally on four core pillars, or four things we really want to do well before we move to the next First, tooling. We have delivered a baseline productivity tool called Neptune. everything at SailPoint's nautical, if you haven't heard that today, to our entire employee base. And really, our goal there is to better enable our crew, our employees, for both job efficiency, right, we've heard a lot about job efficiency, and effectiveness. The second is integration. So we are connecting Gemini and other core LLMs directly to our big internal data systems and applications that allow our employees secure contextual answers and insights right at their fingers, sort of immediately to both augment and accelerate their work. Third, agents. We're automating high friction workflows. You've heard some of them described today by deploying highly specialized vended agents in partnership with some of our large application vendors that you ServiceNow, Workday, Salesforce. And then fourth, velocity. You heard a little bit of this from Chandra. We are really shifting IT from a centralized gatekeeper through this process to a decentralized enabler. Rather than forcing all that we do with AI through a single, sometimes time-constrained queue, we are building a secure, scalable infrastructure. I'll continue the car reference that Meredith just talked about. IT is paving this road, and the business is really driving the execution. And so to this point, our work has really bought us to two critical realization. As I said, first, true AI transformation is about human behavior change. And second, as I said, this is not a traditional technology rollout. We really want to encourage exploration all across the business, create a pull to AI, not a push. And so we're pairing our safe technical infrastructure with a strategic sort of organizational model that seamlessly integrates both top-down guidance, right, hearing from the top about what we want to do, and bottoms-up organic ideation. So top-down, we have really called on our functional leaders to take ownership of those large-scale high-friction workflows in their own corners of the company, right? We have lots of use cases, lots of those high-friction workflows that we can go address. We can't address them all through IT so that's why we're asking our other leaders to take ownership and responsibility. We're also arming them with AI toolkits, we're helping them set expectations, and we're really setting a tone with our employees across the business around the importance of impactful, innovative, and responsible use of AI in all the jobs that all of our people do. And then bottoms up, we've established a network of sort of grassroots AI, what we call AI champions and super champions across the company. Steve Caldwell, who you've heard a couple of times from today, is one of our super champions across SailPoint. They help us ideate. They help us really importantly deliver business value and priority, right? We could think of 10,000 cases to go build, but we want to build ones that actually solve problems. They help us troubleshoot, and then they really help set that tone and set best practice inside the business all across our organization. And then finally, we are reinforcing this culturally across the company. This is where the people side of my job actually comes in. We're highlighting wins in AI Digest every week. We're talking about it at all hands. We're integrating it into the fabric of how we operate inside the company. We're even doing awards. I did hear the rumors of awards being given for most tokens being used at other organizations and then huge consumption bills showing up at the end of the month. That's not the kind of awards I'm talking about. We really are just attempting to have our employees use AI as another one of their tools in their toolkit as they complete their work every day as they deliver on the value that they create for SailPoint. We really consider AI to be a next generation tool, an element that professional growth and development of our organization is really critical to bring those two things together. So as we look to the horizon, the journey is pretty clear. I like that this slide has a curve, but it is not that smooth. It actually behaves a little bit more like a step function. And SailPoint currently sits very squarely between augmentations and making our human employees faster and more effective and true end-to-end automation. We actually believe we'll get there and we'll achieve this by automating all those routine operational tasks, which frees our crew, our human beings, to elevate the judgment and the human-centered approach in all that we do, particularly because we have such a strong differentiated relationship with our customers. We never want to lose that. And that's really how we scale this business, not by adding more people to do the same tasks, but by improving the strategic impact of every person we have by removing those volume tasks that take up so much of their day. Our goal is to seamlessly integrate AI into every facet of our business. How we build our solutions, you heard about that from Chandra. How we enhance credibility with our customer, you heard that from the revenue organization. And really how we evolve the entire operational model to include a digital workforce that is running right alongside our crew members. So this next slide is a little bit of a hot topic, as I said, with the consumption bill catching some companies off guard. We really want to be really intentional about how we both measure value and manage expense related to our AI investment. And, you know, we've heard lots of different anecdotes in the market about this, but to be transparent, it is still too early for us to commit to permanent bottom line cost savings or hard reductions in future hiring targets. Instead we are really focusing on leading indicators, building a framework of those to score use cases on two fronts. One, the value they create for our business, and two, the feasibility of addressing them, of building them. So we're monitoring that AI spend on a weekly basis, particularly the consumption front. And really, one of Mark's longtime core values of this organization is innovation, and that has served us at SailPoint for so long. We have not built technology and then gone and run to find a problem to go buy it. We have first looked for a problem, identified a problem, and then built the technology. We want to apply that same rationale here. So our goal is prioritizing the use cases that we're building and investment where there's real demonstrable value, particularly to avoid the AI sprawl that you just heard from Meredith. In fact, I do want to share a little early when we've had with Neptune, which is our enterprise-wide employee efficiency tool, our engagement is already really high, like in the 80s percents, where we have employees using Neptune every day in their work. And I'm happy to share that that deployment has actually paid for itself because we've been able to cancel or consolidate various SaaS applications whose functionality is now fully covered by the tool. So not only are we helping our employees do their jobs more effectively and more efficiently, we're also reducing risk in our business by reducing the number of AI or number of SaaS tools that we have in our stack. So let's take a quick look at the set. Let's go back one maybe. Let's take a quick look at all the use cases emerging across our business. I'm not going to read this slide. I just want to share the kind of breadth and depth of what we're pursuing at SailPoint. Many of these are in various states of development or maturity, but what this really demonstrates is there is not a corner of our business where we are not thinking about how we deploy AI to make whatever role in that part of the organization more efficient and more effective. You just heard from Meredith. Actually, we flip to the next one. I'll tell you a couple of ones where we've made some really nice progress. Obviously, Meredith owns our customer support and our customer success organizations. First, in customer support, we have realized meaningful reduction in incoming support tickets from our customers, while our average time to resolution has improved by 10%. The really interesting thing here is we've seen a more than 90% increase in our knowledge base creation, meaning that our AI models are actually learning faster, which continuously improves our self-serve accuracy. And then in customer success, this is actually a really interesting one. and customer success, we're leveraging AI, all the data we have in all of our applications about our customers. So think ServiceNow, Gainsight, Salesforce, even some of our professional services tools. We use all that information to leverage AI, auto-generating customer health summaries that our account managers used to manually bring together, building comprehensive 360 account views. And that's really helpful to our account managers. One, they go into our customers armed with more insightful information. Two, they can extract action items from our client interactions to take actions on this quicker. And then three, help score those companies. And what that does is allows us to identify and potentially remediate churn months earlier than we were previously able. And this is not theoretical efficiency. We are not talking about something we think could impact our business or hopeful will We're seeing it today. It is real. It's active operational leverage that's giving hours back to our crew members every single day. With that, what we'd like to do is share the information we're learning in real time with our customers as they're on their own AI transformation journey. And Sri's going to talk a little bit about Customer Zero.
Speaker 1
Thank you, Abby. With all the AI innovation and transformation we are driving to accelerate SailPoint business, a unique part of our strategy is being Customer Zero. At SailPoint, we are proud to be the very first and undenavably the most demanding user of our own platform and its advanced AI capabilities. Chandra couldn't agree more about this fact because we trouble that team a lot, a lot of the real-time feedback. This brings us to, I want to focus on SailPoint agentic fabric. Today, we have successfully deployed some of the already existing key features which actively are protecting SailPoint as we roll out all the AI agents across our enterprise. Whether our teams are using Gemini, Cursor, Cloud, or AWS Bedrock, our guardrails are very active. Through our discovery and unified registry capabilities, we can instantly discover agents across all SaaS platforms, endpoints, and browser profiles. At the heart of this visibility is our unified identity graph, which connects the dots between human users, entitlements, machine identities, and active agents. To give a sense of our scale of customer zero, we are currently governing nearly 4,000 plus agents, almost 1,100 application machine accounts, and a couple of hundred service accounts. These capabilities allow us to aggressively mitigate shadow AI risk, steering our global force into secure Gen AI environments while completely shutting down any unauthorized access to the tools. Furthermore, our real-time governance and audit capabilities, we are establishing a new industry standard for lifecycle management, data access governance, and continuous compliance through human-in-the-loop certification. Looking ahead, I'm incredibly excited about our upcoming authorized protect and respond roadmap, which will bring the real-time, just-in-time security and the prompt-level protection, which Chandra talked this morning and then Mark was also mentioning, to the market. And we'll be the first one to test that, which is very exciting. And then we are actually working very closely with product and engineering teams around this. This internal expertise allowed us to precisely create the blueprint of our own customer zero journey and create the product odyssey by sharing our value, real world experience, along with we are helping our customers eliminate any deployment bottlenecks, accelerate the time to value, and drive faster adoption with our own ISC platform. Our leadership in this space is why we feel that we are kind of design partners working on validating all the key features, along with any incubating ideas, too. We do that. And the other thing, I think, is we are partnering with Google to see how we can connect that to ISC platform and govern Gemini AI agents, too. So we are able to do that as a design partner because of this. So thank you so much for your time today. I would like to pass it on to Abby now.
Abby Payne, Other
Anyway, thank you so much for, of course, spending some time with us today. I'm about to turn it over to Brian Carolyn, our chief financial officer, who's got lots of fun data, and then obviously before lunch. But thank you very much. Appreciate it.
Brian Carolin, CFO
Thanks, Abby, and thanks, Shree. This is what you've all been waiting for, patiently. So good afternoon, good morning. Thanks, everyone, for being here. We really appreciate you giving up your time. Hopefully you find this a very informative day. So it's a pleasure to be here to provide a detailed update on our financial strategy and the powerful momentum we're building in the business. Over the next few minutes, I'm going to walk you through our long-term vision, the clear and actionable paths we're taking to get there, and the financial discipline that underpins our entire strategy. We're incredibly excited about the future we are building, and my goal is to give you a clear view into why we are so confident. So let's start with that future view. We've set out four ambitious but achievable targets for fiscal year 2029 that serve as our North Star. First, we expect ARR growth to accelerate to over $2.1 billion by FY29. This acceleration is based off the FY27 ARR guidance we provided last week, which we are reiterating today. Secondly, we are targeting over $800 million in ARR from our AI solutions, cementing our position as an innovation leader in identity security. I'll get deeper into the definition shortly, but as Matt mentioned, we'll be landing humans and AI together. So you cannot isolate the $800 million of AI-driven ARR to drive insights into the remaining human-centric part of the business. Lastly, we are building this business for the long term with a focus on profitability and efficiency. That's why we're committed to achieving an adjusted operating margin of over 22% and generating over $400 million in free cash flow by FY29. We are focused on both growth and cash flow generation to deliver shareholder value. So how do we get there? Our strategy is straightforward and consistent with the growth algorithm that we've been executing against for the past several years, with half of our growth coming from new customers and half coming from existing customers. Within each of these go-to-market motions, we have multiple durable paths to achieving greater than $2.1 billion of ARR. With respect to new logo acquisition, there are three primary drivers. First, as Matt covered, we have a target account list of 15,000 enterprises, which includes many of the world's largest and most complex organizations. These are typically enterprises with more than 5,000 human identities and greater than $1 billion in revenue. In these accounts, we are actively displacing legacy homegrown or insufficient point solutions, and we would expect the non-human identities to far outpace human identities over time. Our SailPoint agentic fabric, also known as SAF, represents a large incremental go-to-market opportunity for us. It is designed to work everywhere to secure a customer's entire agentic footprint, even if they use a different platform for basic access management. We believe this provides an incremental avenue of growth to penetrate legacy environments without the upfront upgrade. But landing the customer is just the beginning. Our expand motion is equally powerful. We expect to grow with our customers by upgrading them to our agentic suites, migrating them from on-premise to our modern SaaS platform, and cross-selling additional capabilities and capacity to meet their evolving needs. This balanced approach gives us confidence in our ability to execute year in and year out. Looking ahead, our agentic solutions will be our primary go-to-market engine. By the time we exit fiscal 29, we expect this AI-driven motion to represent greater than $800 million of ARR. So how do we define AI ARR? This category encompasses our agentic fabric, our agentic suites, and our agentic add-on modules. Whenever we land a new logo, win a competitive displacement, or upgrade an existing customer to our new AI solutions, we will count that full annual contract value as AI-ARR. Our agentic pipeline is strong, and we expect AI-ARR to be greater than $100 million by the end of this fiscal year. One important note for your models, because this AI metric captures both human and non-human identity revenue, any remaining non-AI ARR won't give you an accurate read-through on our human-centric offerings. We chose this specific methodology because it reflects underlying customer demand and preferences. Based on this new commercial model that Wendy presented earlier, we are effectively doubling our accessible budget pool. We are moving beyond the traditional IT budgets and tapping directly into net-new AI and cloud budgets owned by chief AI officers. As it relates to winning new customers, our SaaS platform is the engine driving our growth. As you can see, the green portion of these bars is growing significantly faster than the blue as customers leverage our latest innovations. While our total customer base is growing at a healthy mid-to-high single-digit rate, our SaaS customer base is growing in the mid to high teens year over year. And these are not small customers. The average ARR for a new SaaS logo is approximately $400,000, growing 20% year over year on a trailing 12-month basis. We believe this demonstrates the strategic importance and value of the problems we solve right from the start of the relationship. Now, I also want to spend a moment on the migration opportunity that is also accelerating. To date, we've migrated approximately 15% of our on-prem install base. The remaining 85% represents approximately $350 million of ARR. We expect to migrate at least 10% of this base each year, accelerating off our recent trajectory. There are several factors fueling this acceleration, including our commitment to innovation and the rapidly growing demand for AI security. As organizations adopt AI, they are recognizing a critical need for robust governance and security across all identities, human, machine, and agentic. Our platform provides the framework to secure this new frontier, and that is driving a clear sense of urgency. And we're making this easier with things like you saw, SailPoint agentic acceleration and our flex pricing offerings, which Matt discussed earlier. Migrating customers to our platform has become significantly faster and easier, helping us unlock a billion-dollar-plus opportunity. But this is not a one-time benefit. At the time of migration, we see an immediate 2 to 3x uplift in the customer's ARR. But what is really exciting is what happens next. Once on our SaaS platform, we have the opportunity to expand that relationship even further, leading to a 3 to 4x plus multiple on their original on-prem spend over time. In fact, we are seeing this expansion in our initial cohort of customers that have modernized with our SaaS platform. Our growth model is built on a foundation of exceptional customer retention. For several years running, we've maintained a gross retention rate of 97% or higher. This speaks directly to the mission-critical value of our platform. But we just don't retain customers. We grow alongside them. Our expand strategy is fueled by our core net retention rate drivers, migrations, suite upgrades, cross-selling, and capacity expansion. Let's look specifically at the upgrade opportunity with our new agentic suites. Currently, our existing suites represent approximately half a billion dollars of ARR. As we transition our customer base to these new agentic offerings, we anticipate a powerful upgrade motion driving a 25% to 50% uplift. Ultimately, our growth is intrinsically linked to delivering compounding value to a highly successful customer base. To understand our P&L dynamics, let's look at the ARR picture again, focusing on the SAS contribution. It's clear that SAS is our primary growth driver. In FY26, our SAS mix of net new ARR was 83%. And in fiscal 27, we expect this mix to increase to 90% to 95%. By FY29, we expect that to be near 100%. The transition to SAS is fueling incredible momentum with a projected SAS ARR compound annual growth rate of over 30% between now and fiscal year 29. This will result in our SAS ARR growing to greater than $1.7 billion by FY29, forming the vast majority of our total business. This is the definition of a durable, high-growth, recurring revenue business. Now, it's important to discuss how this transition to a SAS-first model impacts our revenue recognition. This is a critical point for understanding our financial trajectory. As our SAS mix increases, it creates a temporary headwind on our recognized revenue and adjusted operating income growth. This is due to the difference between upfront or point-in-time revenue recognition for term licenses versus ratable recognition for SAS. For example, a typical three-year term deal requires 60% of the revenue to be recognized up front in the period of sale. Conversely, the ratable recognition of a SAS deal would result in over 50% less revenue.