NewCore raises $66M for AI agent IDs

Show Notes

AI agents are rapidly becoming first-class actors inside enterprise environments, and identity systems are struggling to keep up. This episode looks at NewCore's $66 million bet on rebuilding identity for a world where agents outnumber employees, and why that shift is already underway. For security and IT leaders, this is not just a tooling change. It is a shift in what identity means. Unmanaged AI agents introduce invisible access, persistent permissions, and new attack paths. At the same time, moves like 1Password acquiring Apono show that the market is pivoting toward real-time access governance, not just credential storage. We also cover a critical Splunk vulnerability that demands immediate patching, and a major phishing network takedown that highlights how industrialized fraud now operates. Learn more at https://crestvale.io

Transcript

SPEAKER_00 0:00

AI agents are starting to outnumber employees, and your identity system is not built for that. The risk is not theoretical anymore. It is unmanaged access, multiplying faster than your controls can keep up. This is the Crestvale Newsroom Daily Podcast. The identity model most companies rely on is breaking under pressure from AI agents. A new company called Newcore just raised $66 million to rebuild identity infrastructure around that reality. Their core idea is simple but uncomfortable. AI agents should be treated like employees, not hidden inside service accounts. That sounds obvious. It is not how most environments are set up today. Right now, agents often inherit credentials, reuse tokens, or sit behind shared access paths. That works when you have a handful. It fails when you have thousands. And that scale is already here. One large enterprise is running 25,000 AI agents alongside 60,000 human employees. That is not edge usage. That is workforce-level identity. Nucor is betting that legacy IAM vendors cannot adapt fast enough. Their approach gives each agent its own life cycle. Creation, permissions, rotation, and revocation are all handled as first-class identity events. The architecture matters here. They are using split key credentials and hardware-bound authentication to remove single points of failure. That is a direct response to identity becoming the primary attack surface. Because that is what this really is. Identity is no longer about users logging in. It is about controlling what thousands of autonomous systems are allowed to do at any given moment across your environment. Here is why this matters. If your team is deploying AI agents without bringing them into your identity model, you are creating access you cannot see, cannot audit, and cannot reliably revoke. That becomes your largest risk surface very quickly. The shift here is not optional. Agent identity is becoming the dominant identity problem. Now, that shift shows up clearly in how vendors are moving. One password just acquired Ipono for an estimated $250 to $300 million. This is not about passwords. It is about access control. Ipono focuses on just in-time access. Instead of standing permissions, access is granted when needed and removed immediately after. That model is becoming the default expectation in cloud environments, because standing access is now the liability. What one password is really doing here is repositioning itself. It is moving from credential storage into active access governance. That puts it in competition with players like CyberArc and Wiz, not just traditional identity providers. Opono also brings deep integrations across cloud platforms and enterprise tools. That matters because access decisions now span AWS, Azure, Kubernetes, and data systems all at once. And again, AI agents accelerate this problem. Non-human identities do not log out. They do not forget access. They accumulate it. So the control point shifts from storing secrets to governing access in real time. If your strategy is still centered on vaults, you are missing where the market is going. Meanwhile, there is a more immediate issue that cannot wait. A critical vulnerability in Splunk Enterprise is now public, and it is as serious as it sounds. This is an unauthenticated remote code execution path. An external attacker can take control of your CIM without credentials. That means the system you rely on to detect threats can be turned against you. Researchers showed that exposed database recovery endpoints can be abused to write arbitrary files and execute code. No login required. Splunk has released patches. But anything unpatched and exposed is now a target, and this will get weaponized quickly. The impact is not just initial access, it is visibility. An attacker inside Splunk can tamper with logs, disable detections, and erase evidence. If you are running affected versions and have not patched, you should assume active scanning at minimum. This is one of those cases where delay is not neutral, it increases risk by the hour. Meanwhile, law enforcement took down a major phishing operation, and it tells you a lot about how attacks are scaling. The Federal Bureau of Investigation and Google disrupted a network called Outsider Enterprise. This was phishing as a service at industrial scale. Millions of victims, billions in losses, millions of messages sent in weeks. This was not a loose group of attackers. It was an organized supply chain. Kits, infrastructure, distribution channels, all packaged and sold. The takedown matters, but the model survives. These operations are designed to regenerate. Thousands of domains and sites can be recreated quickly, which means the defensive lesson stays the same. Blocking domains is not enough. Users remain the primary attack surface. Controls that reduce user decision making, like phishing resistant authentication, matter more than ever. Here is what else is worth knowing today. SailPoint acquired intro security, doubling down on non-human identity. API keys and tokens are now a central battleground. Microsoft had a certificate expire on a key Microsoft 365 domain. It caused a limited outage, but it highlights how fragile certificate lifecycle management still is. The UK government used advanced AI systems to uncover more than 400 vulnerabilities across departments. That is a real signal that AI-assisted discovery is delivering measurable results. Epomni launched Autonomous Response for SaaS security. The bet is that no human team can keep up with the number of applications in a typical environment. Novo Nordisk disclosed a breach involving clinical trial systems. Even pseudonymized data carries downstream identity and regulatory risk when exposed. Before we close out, here is a quick look at where markets landed. Equities finished higher, with both SPY and QQ moving up together, pointing to a broadly positive close. The 10-year yield moved lower, easing slightly from recent levels. In alternative assets, Bitcoin and gold both pushed higher. Oil moved down on the session, breaking from that trend. Here is the takeaway: if AI agents are not treated as identities with strict lifecycle control, they will become your fastest growing and least visible source of risk. Tomorrow we are watching how identity platforms respond as non human access becomes the dominant security problem. If this was useful, follow the Crestvale Newsroom Daily Podcast so you don't miss it. Thanks for listening.