Palo Alto links identities across cloud
- Palo Alto Networks on May 11 introduced “Unified Human Identities” in Cortex Cloud, linking one person’s cloud, SaaS, directory, and contractor accounts.
- The system uses email as a primary correlation key, then rolls scattered accounts into one virtual identity to expose combined privileges and risky access paths.
- That shifts identity security from cleaning up single accounts to modeling person-level risk across fragmented enterprise systems.
Identity security has a data-model problem. One employee can have an Okta login, a Microsoft directory account, three cloud roles, a handful of SaaS seats, and maybe a contractor credential that never got cleaned up. Security teams usually see those as separate objects. Palo Alto Networks is pushing a different idea — treat them as one person first, then analyze the risk. On May 11, the company rolled out “Unified Human Identities” for Cortex Cloud, making that person-level view a product feature.

### What is Palo Alto actually adding?

It’s adding a virtual identity layer that groups scattered accounts into a single human record. Palo Alto says the feature pulls identity data from cloud platforms, SaaS apps, and on-prem directories, then presents one umbrella asset for that person’s total exposure instead of a pile of unrelated accounts. That means the analyst is looking at “Jane Doe” rather than separately inspecting AWS, Azure, Google Cloud, Okta, and Active Directory entries. (paloaltonetworks.com)

### Why was the old view broken?

Because attackers do not care which console owns the credential. They care about the path. A low-drama SaaS account plus an over-permissioned cloud role plus a stale directory group can add up to real privilege, but those pieces often live in different tools and different teams. When risk is scored account by account, the dangerous combination can stay invisible even if every single account looks only moderately bad on its own. That is the gap Palo Alto is trying to close. (paloaltonetworks.com)

### How does the linking work?

The key detail is simple: Palo Alto’s documentation says Cortex Cloud Identity Security uses user email as the primary identifier for correlation. From there, the platform creates and maintains a Unified Human Identity asset automatically when it detects a human identity in the Cortex Data Lake. In plain English, it is building an identity graph with the email address as the anchor point. That will not solve every edge case, but it gives the system a practical way to collapse fragmented records into one object. (paloaltonetworks.com)

### What does the analyst get from that?

A combined view of metadata, source systems, and risk insights. Palo Alto’s docs describe identity metadata like title, department, and employment type, plus a list of providers feeding the record — things like Okta, Active Directory, or specific cloud platforms. More important, the unified record carries “identity insights,” meaning posture and behavior analytics tied to the person’s full footprint. Basically, the product is trying to answer one question faster: who is this human, and what can they really do right now? (docs-cortex.paloaltonetworks.com)

### Why does “human” matter so much?

Because cloud identity has been drifting toward entitlement sprawl for years. One person picks up access in stages — a project role here, a temporary admin grant there, a contractor conversion that leaves old access behind. Seen separately, those are cleanup tasks. Seen together, they become a privilege-risk story. That is why Palo Alto frames the feature around “the person behind every account” rather than around another account inventory screen. (docs-cortex.paloaltonetworks.com)

### Where does this sit in Palo Alto’s product stack?

Right now Palo Alto is positioning unified human identity security as part of Cortex Cloud 2.1, a release it announced on May 7 around expanded visibility, unified governance, and automated remediation. The identity feature also appears in product docs spanning Cortex Cloud Identity Security, Cortex ITDR, and Cortex SaaS Security, which tells you this is meant to be a shared identity layer, not a one-off dashboard. (paloaltonetworks.com)

### What is the bigger shift here?

IAM used to be framed mostly as provisioning, deprovisioning, and least-privilege hygiene. That still matters, but the center of gravity is moving. The harder problem now is correlation — figuring out which accounts belong to the same human and what dangerous combinations emerge only after you connect them. Think of it like switching from a spreadsheet of usernames to a map of relationships. The rows mattered before. The edges matter now. (paloaltonetworks.com)

### Bottom line?

Palo Alto is betting that identity risk is no longer an account-level problem. It is a graph problem — and the graph starts with the human. (paloaltonetworks.com)
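To make the email-anchored correlation and the person-level risk view concrete, here is an added illustration (not Palo Alto code, and not how Cortex Cloud is implemented): a small Python pass that groups constructed account records from several providers by a normalised email key and then derives findings that only appear once the accounts are combined. The record fields, the provider names in the sample data, and the set of "privileged" entitlements are all assumptions made for the example.

```python
# Added example, not Palo Alto code: correlate accounts on a normalised email
# key into one unified human identity, then inspect the combined privilege set
# for risky combinations that no single account reveals on its own.
from collections import defaultdict
# Constructed sample inventory, one record per account as each provider's
# connector might export it; field names and values are assumptions.
ACCOUNTS = [
    {"provider": "Okta", "email": "Jane.Doe@example.com", "roles": ["employee"], "type": "employee"},
    {"provider": "ActiveDirectory", "email": "jane.doe@EXAMPLE.com", "roles": ["Legacy-Admins"], "type": "employee", "stale": True},
    {"provider": "AWS", "email": "jane.doe@example.com", "roles": ["AdministratorAccess"], "type": "employee"},
    {"provider": "GCP", "email": " jane.doe@example.com", "roles": ["roles/viewer"], "type": "contractor"},
    {"provider": "Okta", "email": "bob.smith@example.com", "roles": ["employee"], "type": "employee"},
    {"provider": "AWS", "email": "bob.smith@example.com", "roles": ["ReadOnlyAccess"], "type": "employee"},
    {"provider": "Jira", "email": "", "roles": ["admin"], "type": "service"},  # no email: never becomes a human identity
]
# Constructed set of entitlements treated as privileged for this example.
PRIVILEGED = {"AdministratorAccess", "Legacy-Admins", "Domain Admins", "roles/owner"}

def normalize_email(email):
    """Primary correlation key: case-folded and trimmed; None when the account has no email."""
    key = (email or "").strip().lower()
    return key or None

def build_unified_identities(accounts):
    """Group accounts by normalised email; accounts without one stay unlinked."""
    people, unlinked = defaultdict(list), []
    for acct in accounts:
        key = normalize_email(acct.get("email"))
        (people[key] if key else unlinked).append(acct)  # link on email, else park it
    return dict(people), unlinked

def identity_insights(accounts):
    """Person-level findings that only appear once the accounts are combined."""
    privileges = sorted({r for a in accounts for r in a["roles"] if r in PRIVILEGED})
    kinds = {a["type"] for a in accounts}
    findings = []
    if len(privileges) > 1:
        findings.append("privileged in more than one system: " + ", ".join(privileges))
    if privileges and any(a.get("stale") for a in accounts):
        findings.append("a stale account still carries privilege")
    if {"employee", "contractor"} <= kinds:
        findings.append("contractor credential coexists with employee accounts")
    return {"providers": sorted({a["provider"] for a in accounts}), "privileges": privileges, "findings": findings}

if __name__ == "__main__":
    people, unlinked = build_unified_identities(ACCOUNTS)
    for email, accts in people.items():
        print(email, identity_insights(accts))
    print(len(unlinked), "account(s) without an email were left unlinked")
```

Run as-is, the script reports two human identities, flags Jane Doe for three combined-risk findings that no single account would trigger, and leaves the email-less service account unlinked.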