Analyst(s): Fernando Montenegro
Publication Date: May 27, 2026
Zscaler’s acquisition of Symmetry Systems adds an access graph to the Zero Trust Exchange, providing the identity and data visibility needed to govern AI agent communication at scale. Directory-based models built for human users cannot keep pace with autonomous agents, and every major security platform vendor is now racing to fill that gap.
What is Covered in This Article:
- Zscaler announces intent to acquire Symmetry Systems, adding access graph technology to its Zero Trust Exchange to govern AI agent communication at scale.
- Directory-based identity governance models built for human users cannot scale to autonomous AI agents, creating a critical visibility gap across most enterprises.
- Symmetry’s access graph provides continuous identity and data lineage, giving Zscaler the context needed to enforce meaningful least-privilege policies for AI agents.
- The acquisition is Zscaler’s fourth in under a year, reflecting a deliberate strategy to extend Zero Trust coverage across the full enterprise AI security stack.
- The agentic identity governance space is now openly contested, with Palo Alto Networks, CrowdStrike, Okta, SailPoint, and Microsoft all staking positions.
The News: Zscaler (NASDAQ: ZS) announced its intent to acquire Symmetry Systems, Inc., a San Mateo, CA-based data and AI security startup. Financial terms were not disclosed. The transaction is expected to close within days. Founded in 2019 as a spinout from the DARPA-funded Spark Research Lab at the University of Texas at Austin, Symmetry raised approximately $36M across three funding rounds and employs roughly 20–50 people. Symmetry’s access graph technology maps how human and non-human identities connect to applications and data across the enterprise, forming the visibility layer Zscaler plans to use to govern AI agent communication at scale within its Zero Trust Exchange platform.
Can Zscaler Own the AI Agent Control Plane?
Analyst Take: Zscaler’s acquisition of Symmetry Systems is a targeted move to fill a specific gap, one that has become harder to ignore as enterprises accelerate AI agent deployments. The Zero Trust Exchange is a mature enforcement platform. What it has not had, until now, is the relational visibility layer needed to tell that platform what to enforce when the identity in question is an autonomous agent rather than a person. That is what this deal is about.
The Access Governance Model Wasn’t Built for This
Enterprise identity governance was designed around a relatively simple premise: organize people into groups, map those groups to the applications and data they need, and enforce the boundaries. It worked, mostly, because human identities are stable. They have job titles, managers, and defined roles that change slowly enough for policy to keep up.
AI agents break those assumptions. They operate with ephemeral credentials, frequently inherit permissions from whatever human or service account deployed them, and move across systems without a predictable access footprint. There is no natural role for an agent that queries a CRM, calls a financial API, and writes to a data lake within a single workflow. The industry broadly accepts that non-human identities already vastly outnumber human ones in the enterprise, and autonomous agents are accelerating that ratio further. Trying to govern them through directory-based models built for users is not a scaling challenge. It is a category error.
Visibility First, Policy Second
Zscaler has never lacked enforcement capability. The Zero Trust Exchange is built to intercept traffic, apply policy, and act. What has been missing is the relational context that makes that enforcement meaningful when the actor is an AI agent rather than a person logging in from a known device.
Symmetry’s access graph addresses that gap directly. It ingests access logs across SaaS applications, cloud services, data stores, and AI systems, then correlates them into a continuous map of which identities are touching which data and how. That lineage is what makes least-privilege policies for agents tractable. Without it, security teams are left writing broad, permissive rules because they cannot see what an agent actually needs access to versus what it has inherited. With it, the Zero Trust Exchange will be able to enforce policy based on observed behavior and defined relationships rather than approximations.
This is worth distinguishing from existing tooling. CIEM and DSPM products have made real progress on data and entitlement visibility, but they largely produce point-in-time snapshots. An agent mid-workflow does not wait for a scheduled scan. The access graph is designed to be continuous, which changes what kinds of policy enforcement are possible at runtime.
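To make the idea of a continuously updated access graph concrete, here is an added sketch (not Symmetry's or Zscaler's code) that ingests access-log events one at a time and, at any moment, separates the entitlements an agent has exercised from those it merely inherited. The identity name, resources, event format, and the `AccessGraph` class are all hypothetical and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data: entitlements each identity holds, including those
# an agent inherited from the service account that deployed it.
GRANTS = {
    "agent:invoice-bot": {
        ("crm", "read"), ("crm", "write"), ("finance-api", "read"),
        ("finance-api", "write"), ("data-lake", "write"), ("hr-db", "read"),
    },
}
# Constructed access-log events as (timestamp, identity, resource, action).
EVENTS = [
    (100, "agent:invoice-bot", "crm", "read"),
    (101, "agent:invoice-bot", "finance-api", "read"),
    (102, "agent:invoice-bot", "data-lake", "write"),
    (103, "agent:invoice-bot", "payroll-db", "read"),  # no matching grant
]


class AccessGraph:
    """Identity -> (resource, action) edges, updated one log event at a time."""

    def __init__(self, grants):
        self.grants = grants
        self.edges = defaultdict(dict)  # identity -> {(resource, action): last_seen}

    def ingest(self, event):
        """Add one event; return False if the access has no matching grant."""
        ts, identity, resource, action = event
        self.edges[identity][(resource, action)] = ts
        return (resource, action) in self.grants.get(identity, set())

    def observed(self, identity):
        return set(self.edges[identity])

    def unused_grants(self, identity):
        """Entitlements held but never exercised: candidates for removal."""
        return self.grants.get(identity, set()) - self.observed(identity)

    def least_privilege(self, identity):
        """Granted entitlements the identity has actually been seen using."""
        return self.grants.get(identity, set()) & self.observed(identity)


def replay(events, grants):
    """Feed events through the graph; collect accesses with no matching grant."""
    graph = AccessGraph(grants)
    ungranted = [e for e in events if not graph.ingest(e)]
    return graph, ungranted
```

Because the graph is updated per event rather than per scan, `unused_grants` reflects what the agent has done up to the most recent log line, which is the difference from a point-in-time snapshot that the paragraph above describes.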
A Platform Being Assembled at Pace
Symmetry is the fourth Zscaler acquisition in less than a year. Red Canary brought a mature managed detection and response capability into the platform, adding operational SOC depth. SplxAI contributed shift-left AI asset discovery and automated red teaming. SquareX, closed in February 2026, extended Zero Trust enforcement into the browser for users on unmanaged devices. Symmetry now adds the identity and data visibility layer needed to govern AI agents. Taken individually, each deal fills a specific gap. Taken together, they trace a deliberate effort to build a platform capable of securing the full enterprise AI stack, from the browser to the agent to the data it touches.
The integration challenge varies by acquisition type. Red Canary brings not just technology but an established customer base, operational processes, and a large team that will need to find its place inside a larger organization. The smaller, research-oriented acquisitions like SplxAI, SquareX, and Symmetry carry different risks: retaining the technical talent and preserving the depth that made them worth acquiring in the first place. A pace of four deals in under a year sets expectations. The market will be watching whether the whole proves greater than the sum of its parts.
A Crowded Race With Powerful Incumbents
Zscaler is not the only platform vendor moving aggressively here. Palo Alto Networks completed its roughly $25 billion acquisition of CyberArk on February 11, 2026, making identity security a named pillar of its platformization strategy. CrowdStrike acquired SGNL for approximately $740 million in January 2026, targeting continuous dynamic authorization for human, non-human, and AI agent identities. Both deals signal that the major security platform vendors have concluded the same thing: whoever controls the identity and data control plane in an agentic enterprise controls a significant portion of the security stack.
The competition does not stop there. Traditional identity vendors are extending their governance platforms directly into agentic territory. Okta made its AI Agents offering generally available in April 2026. SailPoint launched its Agentic Fabric and, in March 2026, signed a strategic collaboration with AWS to establish a unified governance layer for AI workloads. These are not peripheral moves. Identity governance is the core business for both companies, and AI agents are the next major surface they need to cover to remain relevant.
Then there are the hyperscalers themselves. Microsoft’s Entra Agent ID is the most immediately consequential, given how deeply Microsoft’s identity infrastructure is embedded in enterprise environments. Zscaler itself is an early adopter of Entra Agent ID, which is both a validation and a reminder of the leverage the hyperscalers hold in this space. Google and AWS are pursuing comparable positions. Infrastructure vendors like Cisco are also framing agentic identity as a natural extension of their security portfolios.
Zscaler’s angle is distinct. It is approaching agent governance from the network enforcement layer outward, using the access graph to inform policy rather than starting from the identity provider inward. Whether that architectural difference translates into a durable competitive advantage or becomes one input among many in a market that consolidates around a handful of platforms remains an open question.
Integration and Ecosystem Questions Remain
Symmetry is a small, research-oriented team being absorbed into a large platform organization. The access graph technology has real depth, rooted in DARPA-funded work at UT Austin, and that kind of focused expertise can be difficult to preserve through an acquisition transition. Roadmap continuity and talent retention are worth watching.
Equally relevant for prospective buyers is the question of ecosystem reach. Symmetry currently ingests logs across cloud environments, SaaS applications, and data stores, independent of whether Zscaler sits in the traffic path. How that broad connectivity evolves after integration will matter to enterprises running multi-vendor security stacks. Those currently evaluating DSPM or NHI governance tools should factor the change in ownership into their assessment.
What to Watch:
- Will the access graph stay open? How Symmetry’s cross-environment connector coverage evolves post-acquisition will signal whether Zscaler is building a broadly compatible visibility layer or a platform-native feature.
- How will identity vendors respond? Okta, SailPoint, and Palo Alto Networks/CyberArk are all moving into agentic governance. Their next product moves will clarify where the primary enterprise control point lands.
- Does the Microsoft partnership hold? Zscaler is already an Entra Agent ID early adoption partner. Whether that relationship stays complementary as both companies deepen their agentic security offerings is worth watching.
- When do agent deployments hit real scale? Most enterprises are still early in production AI agent rollouts. The access graph’s true test comes when agent volumes are large enough to stress-test policy enforcement in practice.
- Can Zscaler absorb four acquisitions at once? Red Canary, SplxAI, SquareX, and Symmetry all closed within a year. Talent retention and roadmap coherence across all four will determine whether the platform strategy delivers.
See the press release on the Zscaler website.
Disclosure: Futurum is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum as a whole.
Author Information
Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity & Resilience at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.
Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.
Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.
