SentinelOne unveils identity tools for human & AI use

SentinelOne has launched a new identity portfolio aimed at securing both human user accounts and non-human identities, such as autonomous AI agents, as security teams face a growing number of attacks that rely on legitimate access.

The strategy is built on the view that authentication and permissions checks are no longer sufficient on their own. Instead, access needs ongoing validation during activity, with the option to revoke it when behaviour suggests misuse.

Identity-led intrusions remain a persistent problem because attackers can obtain or abuse authorised credentials and then operate inside normal workflows. Once logged in, they can use approved tools and services for lateral movement and data theft while blending into routine activity.

The challenge is expanding as businesses experiment with or deploy agentic AI systems. These agents may be granted access to corporate data, applications, and infrastructure, then take actions without direct human intervention. Their ability to appear and disappear quickly-and execute tasks at high speed-changes how identity risk shows up inside an enterprise.

Beyond Authentication

SentinelOne's approach focuses on what it calls execution-based controls across the environments where identities operate, including endpoints, browsers, AI tools, and automated workloads. The framework centres on continuous validation of actions, applying behavioural controls as activity occurs.

This shifts the emphasis from deciding whether a login is valid to determining whether a sequence of actions remains appropriate after authentication. It targets a common scenario: attackers do not need to defeat authentication again after initial access because the abuse happens within sessions that appear legitimate.

Jeff Reed, SentinelOne's chief technology officer, linked the direction to the growing presence of machine identities in the workplace.

"The rise of AI as autonomous, non-human identities is expanding the attack surface and creating new governance challenges. Identity risk no longer begins and ends at authentication, and attackers are increasingly operating within authorized workflows," said Reed. "SentinelOne is uniquely positioned to lead this evolution with our AI-native platform that was built to correlate identity, endpoint, and workload signals, enabling security teams to analyze behavioral intent and autonomously contain both human and machine-driven misuse as it unfolds."

Product Components

The new portfolio centres on Singularity Identity, positioned as a source of context about who or what is acting in an environment. SentinelOne also highlighted Prompt Security, which it says identifies misuse in the browser and within AI tools. Singularity Endpoint provides the system-level component, with behaviour validation occurring on endpoints.

The portfolio sits within the broader Singularity platform, which already spans endpoint security and related detection and response tools. The identity additions signal a push toward a more unified view of activity, assessing identity and endpoint signals together rather than across separate products.

In enterprise environments, identity systems have historically focused on user accounts and fixed service accounts. SentinelOne draws a distinction between validating human identity and validating non-human intent, framing the latter as a behavioural question rather than a static permissions check. It points to the risk of AI agents deviating from defined functions or being manipulated through authorised workflows.

Market Context

The launch comes as security and identity vendors respond to a broader trend: organisations increasingly rely on software-driven identities, including service accounts, application identities, and machine-to-machine credentials. Attackers, meanwhile, have focused on identity paths because they can provide a direct route into sensitive systems without needing to exploit software vulnerabilities.

Browser activity has also become a key battleground. Many corporate workflows now run in web applications and software-as-a-service tools, creating opportunities for misuse through session hijacking, credential theft, and abuse of authorised access to cloud data. Products that can observe browser activity are becoming more common as security teams try to map user actions to data movement and policy violations.

SentinelOne's emphasis on runtime validation and access revocation reflects a broader move toward continuous assessment models in cybersecurity, including zero trust frameworks and behaviour-based detection. In practice, this approach relies on telemetry collection and analysis across endpoints and application layers, along with response mechanisms that can act quickly without disrupting legitimate work.

SentinelOne framed the identity expansion as a way to address attackers' use of sanctioned tools after obtaining valid credentials, and to reduce the time an intruder can operate before detection and response.

It expects identity risk management to extend beyond login controls to ongoing monitoring of actions by both human users and autonomous agents as automation and machine-driven activity increase.