Quest Software, the identity and security platform backed by Clearlake Capital, has acquired Anetac, a Danish cybersecurity firm specializing in machine identity management. The deal — terms undisclosed — lands as enterprises confront a new security problem: autonomous AI agents are flooding corporate networks with non-human accounts that traditional identity tools weren't built to handle.

Anetac's platform discovers, catalogs, and governs service accounts, API keys, and other non-human credentials that AI agents use to execute tasks across cloud infrastructure. Quest will fold the technology into its One Identity suite, which already manages privileged access for more than 15,000 enterprise customers.

The timing isn't coincidental. Gartner estimates that by 2028, at least 15% of day-to-day work decisions will be made autonomously by agentic AI — up from zero today. Each agent spins up its own service accounts, API tokens, and machine credentials to interact with databases, SaaS platforms, and internal systems. Most organizations have no inventory of these accounts, let alone policies governing them.

"Identity infrastructure is about to break," said Darrell Long, president of Quest's One Identity division, in a statement. "The volume of non-human identities is already outpacing human users in most enterprises, and AI agents are accelerating that gap exponentially. Traditional PAM tools were designed for people logging into servers — not for autonomous systems provisioning their own credentials at scale."

The Non-Human Identity Problem Goes Mainstream

Machine identities — service accounts, SSH keys, API tokens, certificates — have long been the neglected stepchild of enterprise security. Unlike human employees, they don't get onboarding, offboarding, or regular access reviews. They multiply silently, often outliving the engineers who created them.

Security teams have tolerated this sloppiness because machine accounts historically changed slowly. But AI agents flip that assumption. When a sales AI provisions its own Salesforce API key to pull lead data, or a procurement agent generates AWS credentials to check inventory across multiple accounts, these identities materialize without IT involvement — and often without logging.

CyberArk reported in December that non-human identities now outnumber human identities 45-to-1 in the average cloud environment. That ratio climbs to over 100-to-1 in organizations running heavy automation. The problem compounds when those credentials go stale: Anetac's telemetry from its customer base shows that roughly 30% of service accounts haven't been rotated in over a year, and 12% belong to applications or services that no longer exist.

Attackers know this. The 2024 Verizon Data Breach Investigations Report found that compromised credentials — not vulnerabilities — were the entry point in 49% of breaches. Machine credentials are particularly valuable because they're rarely monitored, often over-privileged, and almost never expire.

How Anetac Fits Into Quest's Platform Play

Quest's One Identity platform already handles privileged access management, identity governance, and Active Directory management for enterprises including Goldman Sachs, Boeing, and the U.S. Department of Defense. The Anetac acquisition plugs a gap: Quest could secure human access to privileged systems, but had limited visibility into the service accounts and API keys those systems themselves used.

Anetac's core product, launched in 2021, crawls cloud infrastructure — AWS, Azure, GCP, Kubernetes clusters, SaaS APIs — to discover every service account, bot credential, and machine identity in use. It then maps those identities to their associated workloads, ownership, and access patterns. The platform flags dormant accounts, over-privileged tokens, and credentials shared across multiple applications.

More importantly for Quest, Anetac automates remediation. When it detects a service account with admin rights that hasn't been used in six months, it can revoke access, rotate the credential, or trigger a workflow for human review — depending on policy. That's the piece Quest customers have been requesting: not just visibility, but automated governance at machine speed.

| Company | Founded | HQ | Focus Area | Valuation/Exit |
|---|---|---|---|---|
| Anetac | 2021 | Copenhagen, Denmark | Machine identity governance | Undisclosed (acquired 2025) |
| CyberArk | 1999 | Petah Tikva, Israel | Privileged access (public) | $13.2B market cap |
| Entro Security | 2021 | Tel Aviv, Israel | Secrets management | $18M Series A (2023) |
| Akeyless | 2019 | Tel Aviv, Israel | Secrets vaulting & rotation | $65M Series B (2022) |

The Anetac team — roughly 35 employees, per LinkedIn data — will remain in Copenhagen and integrate into Quest's product engineering organization. Founder and CEO Martin Kjaersgaard will stay on in an advisory role through the integration period, expected to last through Q2 2025.

Clearlake's Bigger Bet on Identity Infrastructure

This marks Clearlake's fifth add-on acquisition for Quest since buying the company from Francisco Partners and Elliott Management in 2021 for an undisclosed sum. Quest itself was originally part of Dell, which spun out its software division in 2016. Under Clearlake's ownership, Quest has pursued a buy-and-build strategy focused on stitching together a full-stack identity platform.

The Agentic AI Security Gap Nobody Saw Coming

AI agents differ from traditional automation in one critical way: they make decisions. An RPA bot follows a script. An AI agent interprets instructions, plans multi-step workflows, and adjusts tactics based on outcomes. That autonomy requires broader access — and creates messier identity footprints.

Consider a customer support AI agent tasked with resolving billing disputes. To do its job, it needs read/write access to the CRM, payment gateway APIs, internal ticketing systems, and possibly ERP databases. Each integration requires credentials. If the agent is part of a vendor-hosted service, those credentials might live outside the company's environment entirely.

Compound that across dozens of agents handling procurement, HR workflows, legal contract review, and financial reconciliation, and the credential sprawl becomes unmanageable. Worse, most enterprises can't answer basic questions: Which agents have production database access? Which credentials can be revoked without breaking critical workflows? Which third-party AI services are authenticating into our environment?

Quest's pitch is that Anetac solves this before it metastasizes into a compliance crisis. Its discovery engine doesn't require agents to install; it queries cloud provider APIs, SIEM logs, and IAM systems to reverse-engineer the identity graph. That matters because most AI agents aren't deployed by IT — they're shadow AI, spun up by business units who aren't thinking about credential lifecycle management.

But there's a harder problem lurking beneath the technical one. AI agents blur the lines of accountability. When a human misconfigures access, you revoke their credentials and retrain them. When an AI agent over-provisions itself, who's responsible? The engineer who deployed it? The business owner who requested it? The vendor who built it? Identity governance frameworks assume humans are in the loop. Agentic AI breaks that model.

What Regulators Are Starting to Say

The regulatory pressure is already building. The SEC's updated Cybersecurity Risk Management rules, effective since December 2023, require public companies to disclose material cybersecurity incidents and describe their risk management processes. Identity sprawl driven by ungoverned AI agents could easily trigger disclosure obligations if it leads to a breach.

Europe is moving faster. The EU's AI Act, which enters into force in stages through 2026, classifies certain AI systems as "high-risk" and mandates human oversight, logging, and accountability measures. If an AI agent operates with privileged access to sensitive data, it likely falls under those requirements — and companies need auditable records of what credentials it used and why.

How the Identity Market Is Reacting

Quest isn't the only player chasing this problem. CyberArk, the publicly traded leader in privileged access management, launched its Secrets Hub platform in 2023 to address machine credential sprawl. The product integrates with CI/CD pipelines and cloud environments to rotate secrets automatically — positioning it as infrastructure-layer security rather than a bolt-on governance tool.

Startups are swarming the space. Entro Security raised $18 million in Series A funding in 2023 to build secrets discovery and remediation specifically for non-human identities. Akeyless, which vaulted $65 million in Series B in 2022, offers a secrets management platform designed for dynamic cloud environments where credentials need sub-minute rotation cycles. Oasis Security, still in stealth, is reportedly building an identity threat detection platform focused on API abuse and machine account compromise.

The common thread: these companies are betting that non-human identity will become the dominant attack surface in the next three years, and that incumbents like Okta and Ping Identity — built for human SSO and MFA — aren't architected to handle it. Quest's acquisition of Anetac is a signal that thesis is gaining traction among PE-backed platforms with the capital to consolidate early movers.

What's less clear is whether enterprises will treat this as an urgent security gap or as technical debt they'll address eventually. Breaches tend to concentrate attention. If a high-profile incident traces back to a compromised AI agent credential in 2025, expect a procurement surge. Until then, adoption will likely cluster among financial services, healthcare, and defense contractors — sectors where regulatory pressure forces the issue.

What Quest Gets — and What It Still Needs to Figure Out

The Anetac deal gives Quest immediate credibility in the machine identity space and a technical foundation to build on. But it also exposes how fragmented the identity stack has become. Quest now has privileged access management, identity governance, Active Directory management, and machine identity — each originally built by different companies for different use cases.

The challenge isn't just product integration. It's philosophical. Human identity governance is built around lifecycle events: hire, transfer, terminate. Machine identities don't have lifecycles — they have dependencies. A service account doesn't "retire." It becomes obsolete when the application it served gets decommissioned, but only if someone notices and cleans it up. That requires a fundamentally different governance model.

| Challenge | Traditional PAM Approach | Agentic AI Requirement |
|---|---|---|
| Credential Lifecycle | Tied to employee onboarding/offboarding | Tied to workload dependencies, ephemeral |
| Access Reviews | Quarterly manual reviews by managers | Continuous automated policy enforcement |
| Accountability | Credentials owned by individual humans | Credentials owned by applications, teams unclear |
| Privilege Creep | Slow accumulation over job changes | Instantaneous over-provisioning by agents |
| Incident Response | Disable user, investigate access history | Trace credential to workload, assess blast radius across integrated systems |

Quest will also need to navigate the AI trust problem. Enterprises are wary of AI tools that operate with privileged access — especially when those tools come from vendors who might be training models on customer data. Anetac's telemetry engine collects metadata about credentials, access patterns, and usage frequency. Quest will need to make ironclad guarantees about data residency, model training boundaries, and audit logging if it wants to land regulated industries.

Then there's the sales motion. Quest's One Identity platform typically sells into IT operations and security teams through six- to nine-month enterprise cycles. Machine identity governance, by contrast, is increasingly a DevOps purchase — driven by engineering teams managing cloud infrastructure and CI/CD pipelines. Quest will need to either build new go-to-market muscle or risk watching startups win the developer-first buyers while Quest grinds through procurement with CISOs.

The Broader Platform Consolidation Wave

This deal fits a larger pattern. Over the past 18 months, PE-backed cybersecurity platforms have been aggressively buying point solutions to assemble full-stack offerings. Thoma Bravo's Everbridge acquired Nixle and Konexus to stitch together a crisis communications platform. Francisco Partners' Fortra absorbed Cobalt Strike, Beyond Security, and Digital Defense to build an offensive security suite. Insight Partners' Rapid7 bought IntSights and Velociraptor to expand from vulnerability management into threat intelligence and EDR.

The logic is consistent: enterprises are tired of managing 40-tool security stacks with overlapping capabilities and integration headaches. They'll pay a premium for consolidated platforms — even if individual components aren't best-of-breed — because operational simplicity has value. That's especially true in identity, where fragmentation creates security gaps. If your PAM tool doesn't talk to your IGA system, and neither integrates with your secrets vault, you're managing three different credential inventories. Attackers only need to compromise one.

Clearlake is betting Quest can be the identity platform that wins that consolidation race. The firm has deployed over $85 billion across 600+ investments since inception, with a heavy tilt toward software and tech-enabled services. Its playbook is operational: buy mature software companies with sticky customer bases, bolt on complementary acquisitions, streamline the product portfolio, and either take the company public or sell to a strategic at a meaningful multiple.

Quest fits the archetype. It has 15,000+ enterprise customers, many locked in through Active Directory integrations that would be painful to rip out. The One Identity brand has name recognition among Fortune 500 CISOs. And it generates recurring revenue through maintenance contracts and SaaS subscriptions. Anetac adds a high-growth category — machine identity — while leveraging Quest's existing sales relationships.

What This Means for Enterprises Deploying AI Agents

If you're a CISO or IT leader watching this deal, the subtext matters more than the press release. The fact that a PE-backed incumbent like Quest felt compelled to acquire machine identity capabilities — rather than build them in-house — signals that the problem is both urgent and technically non-trivial.

It also suggests that the identity tools you already own probably aren't equipped for what's coming. If your PAM platform was deployed before 2020, it almost certainly doesn't handle ephemeral credentials, API token rotation, or agent-to-agent authentication gracefully. If your IGA system can't auto-discover service accounts across cloud environments, you're flying blind.

The immediate playbook: start with visibility. Before you govern machine identities, you need to know they exist. Run discovery across your AWS, Azure, and GCP environments. Query your CI/CD systems for secrets in environment variables. Check SaaS admin consoles for API keys and service accounts you didn't know were provisioned. Most organizations find 3-5x more machine credentials than they expected.

Next, implement basic hygiene. Rotate long-lived credentials. Deactivate unused service accounts. Enforce least-privilege policies for API tokens — if a service only needs read access to S3, don't give it admin rights to EC2. These aren't novel recommendations, but they're rarely enforced for non-human identities because there's no easy tooling to do it at scale. That's the gap tools like Anetac (now Quest) are filling.
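The hygiene pass described above can be sketched as a triage over a credential inventory. This is an added example, not code from Anetac or Quest: the record fields, the sample inventory and the action names are assumptions, and the two thresholds reuse figures quoted earlier in the article (one year without rotation, six months of unused admin rights).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from figures quoted in the article; tune to your own policy.
ROTATION_MAX_AGE = timedelta(days=365)   # "haven't been rotated in over a year"
DORMANT_ADMIN_AGE = timedelta(days=180)  # admin rights unused "in six months"

@dataclass
class MachineCredential:
    # Hypothetical inventory record; the field names are assumptions.
    name: str
    owner_workload: Optional[str]  # None: the owning app/service no longer exists
    is_admin: bool
    last_rotated: date
    last_used: Optional[date]      # None: never observed in use

def triage(cred: MachineCredential, today: date):
    """Return (action, reasons); precedence is revoke > review > rotate > ok."""
    reasons = []
    if cred.owner_workload is None:
        reasons.append("orphaned")
    dormant = cred.last_used is None or today - cred.last_used > DORMANT_ADMIN_AGE
    if cred.is_admin and dormant:
        reasons.append("dormant-admin")
    if today - cred.last_rotated > ROTATION_MAX_AGE:
        reasons.append("stale-rotation")

    if "orphaned" in reasons:
        action = "revoke"   # the owning workload is gone
    elif "dormant-admin" in reasons:
        action = "review"   # a human confirms before privileged access is pulled
    elif "stale-rotation" in reasons:
        action = "rotate"
    else:
        action = "ok"
    return action, reasons

TODAY = date(2025, 1, 15)  # fixed so the sample run is reproducible
# Constructed sample inventory, not real data.
INVENTORY = [
    MachineCredential("svc-billing-export", "billing", False, date(2024, 11, 1), date(2025, 1, 10)),
    MachineCredential("ci-deploy-token", "ci-pipeline", False, date(2023, 6, 1), date(2025, 1, 14)),
    MachineCredential("legacy-etl-admin", "etl", True, date(2024, 10, 1), date(2024, 5, 1)),
    MachineCredential("old-crm-sync", None, False, date(2022, 1, 1), None),
]

def report(inventory, today):
    """Map each credential name to its (action, reasons) pair."""
    return {c.name: triage(c, today) for c in inventory}

if __name__ == "__main__":
    for name, (action, reasons) in report(INVENTORY, TODAY).items():
        print(f"{name:20} {action:7} {', '.join(reasons) or '-'}")
```

Routing dormant admin accounts to review rather than straight to revocation reflects the article's point that teams often cannot tell which credentials can be pulled without breaking a workflow.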

The Questions This Deal Doesn't Answer

What happens when AI agents start provisioning their own sub-agents? Current identity models assume a mostly static topology — users, applications, infrastructure. Agentic AI introduces recursive delegation: an HR agent spawns a compliance sub-agent, which spawns a document parsing sub-agent, each with its own credentials and access requirements. Existing IAM systems don't model that kind of dynamic, hierarchical identity.

And what's the policy framework when an agent acts on ambiguous instructions? If a procurement AI interprets "expedite this order" as justification to approve an invoice that bypasses dual controls, who's liable — the employee who gave the instruction, the developer who trained the model, or the company that deployed it? Identity governance has always been about enforcement, but enforcement assumes clarity. Autonomous systems introduce ambiguity that traditional access controls weren't designed to handle.

Quest and Anetac are solving the immediate problem: discovering and governing the machine credentials that already exist. But the harder problem — how to architect identity systems for a world where most workers are autonomous software — is still unsolved. That's not a criticism of this deal. It's a reminder that the first wave of solutions in any new security category addresses the symptoms, not the root cause. The real innovation will come from whoever figures out how to build identity infrastructure natively for agents, not retrofitted from human models.
