One of the most common ways into a company today is the front door, opened with something that looks valid: a password, token, session, or key.

Attackers buy credentials, phish them, pull them from infostealer malware, and wait out multi-factor prompts until someone taps approve. Once inside with a real identity, they look less like an intruder and more like an employee.

The perimeter that security spent years hardening is no longer where the fight is. The fight is over identities: the accounts, sessions, tokens, keys, and permissions attached to them.

The problem has grown in two directions at once. There are more people to account for, working from more places and devices than ever. Then come machine identities: the non-human accounts, keys, tokens, and AI agents that software uses to reach other software.

They are not people, but they still get access, and that makes them targets. Security teams can usually name their employees. Machine identities are harder. They multiply quietly, often with more access than anyone remembers granting.

That is the frame for this year's identity winners: not just who gets access, but what happens when that access is stolen, abused, or left lying around long after the job ended.

Start with access sprawl: too many accounts, too many apps, and too many permissions nobody has cleaned up. Some apps were never built for basic modern controls like single sign-on, MFA, or central access rules.

Cerby won for bringing identity control to exactly those holdouts. Teleport handles the infrastructure side, controlling how engineers and machines prove who they are before reaching servers, databases, and other critical systems. Oasis Security checks whether access matches the actual task, not an old rule nobody updated.

Unixi extends that control across apps and cuts back access when it no longer matches the job. Saviynt, named one of the year's Most Innovative companies, brings that governance problem to enterprise scale.

Not all access is equal. The privileged accounts attackers want most are admin accounts, cloud roles, and service accounts that can change systems or reach sensitive data, so locking them down is its own category. Britive won for granting that powerful access only when it is needed and cutting it off when the work is done.

Xage Security covers privileged access across both IT and the operational technology behind physical systems like factories and power grids, where a stolen login reaches the real world. AutoElevate by CyberFOX brings privileged access management to managed-service providers, the outside teams that run security for thousands of smaller companies.

Access control only decides who gets in. Detection has to catch what happens after. Permiso Security won in Identity Threat Detection and Response for spotting identity abuse as it happens: accounts doing things they normally would not. Push Security catches identity attacks in the browser, where users enter credentials and phishing pages do their work. That also earned it an award for AI-powered threat detection.

The old model treated identity as an admin task: create the account, enforce MFA, move on. That does not hold when attackers can buy a password, steal a token, or abuse a service account nobody owns.

Identity now has to be watched like infrastructure. Attackers use it to move, change systems, and reach data. In many breaches, it is the infrastructure. The login is the new breach.

The complete list of 2026 Cybersecurity Stars Awards winners is live at awards.thehackernews.com/winners/2026.