Why identity belongs at the center of preemptive exposure management
Gartner April 2026 research on top-funded preemptive exposure management startups highlights a decisive shift toward autonomous validation and mobilization, away from passive exposure discovery, fundamentally disrupting established exposure management approaches.
The exposure management market just redrew its own map
For the better part of a decade, exposure management meant one thing: find more stuff, faster. Scanners proliferated, dashboards multiplied, and security teams ended up drowning in findings they could see but couldn't act on. The gap between knowing a risk existed and neutralizing it became the defining failure mode of the category.
That era is ending.
In April 2026, Gartner published Emerging Tech: Top Funded Startups for Preemptive Exposure Management, an examination of 148 startups that collectively attracted roughly $4.19 billion in venture funding between March 2023 and March 2026. The research lays out a clear thesis: preemptive exposure management (PEM) is shifting toward autonomous validation and mobilization, away from passive exposure discovery, fundamentally disrupting established exposure management approaches.
At Oleria, we read this as a confirmation of where identity security is going, and why we built the company the way we did.
Four profiles, one direction of travel
Gartner segments the funded startup landscape into four technology profiles:
- Preemptive Exposure Assessment (PEA): Technologies that continuously discover and map attack surfaces and prioritize findings by enriching them with deep business context.
- Preemptive Exposure Validation (PEV): Technologies that perform automated or autonomous penetration testing, active attack simulations, or predictive validation capabilities (such as intelligent simulation, attack path validation or modeling) to technically or functionally confirm the exploitability of an exposure.
- Unified Exposure Management Platforms (UEMP): Solutions that unify the functions of discovery and contextual prioritization (exposure assessment), adversarial or predictive validation (exposure validation), and automated or orchestrated risk mitigation (mobilization action) within a single platform.
- Domain Specialized Exposure Management (DSEM): Platforms that provide deep, context-rich discovery, validation, and mobilization within a focused area such as AI security, nonhuman identities (NHI), cloud infrastructure, or software supply chains.
DSEM is the largest funded segment by capital, with the 69 vendors Gartner examined raising approximately $2.1 billion. That concentration of capital is not an accident. Generalist platforms, however well-instrumented, cannot encode the domain logic required to reason about probabilistic AI behavior, machine-to-machine identity sprawl, or reachability in modern software supply chains. The risks are different in kind, not just in degree.
Gartner identifies critical trends shaping where capital is flowing within this rapidly evolving sector:
- The shift from observation to action: Investment trends reveal a decisive shift from passive visibility toward active mobilization. While foundational assessment remains essential, capital is increasingly directed toward solutions that close the loop on remediation or mitigation of exposures to significantly reduce the critical window between identifying an exposure and neutralizing the risk.
- The rise of agentic AI: A significant share of funding is now concentrated on exposure management technologies that incorporate “agentic AI” systems capable of reasoning and autonomously executing complex tasks without human intervention. This trend spans all technology profiles but is most pronounced in validation and mobilization capabilities, where AI agents are leveraged to simulate attack scenarios or emulate adversaries (e.g., autonomous penetration testing) or to automatically plan and implement neutralization actions. This marks a tangible step toward the “agentic breakthrough” phase of the autonomous cyber-immune system roadmap.

Why identity is a DSEM category, not a UEMP feature
The most consequential argument in the Gartner research, from where we sit, is the case for treating identity as a domain‑specialized problem rather than a checkbox inside a broader exposure platform.
The reasoning is structural. Machine identities such as API keys, tokens, service accounts, and now AI agents have exploded in volume, and the relationships between them form a graph, not a list. Generalist IAM tools and broad‑scope exposure platforms tend to treat identities as inventory: enumerate them, attach a risk score, route a ticket. That model breaks down the moment you ask the question that actually matters in a breach: if this token is compromised, where can it reach, and what can it touch?
Answering that question requires graph‑based validation of access paths, not a flat table of permissions. Gartner recognizes Oleria as a vendor for DSEM platforms. We’re proud to be mentioned in the report, and the work we’ve done on activity‑aware access validation is precisely the kind of capability that we believe the research argues is missing from generalist tools.
The distinction Oleria makes is between theoretical entitlements and exploitable over‑privilege. Most identity governance systems can tell you what an identity could do. The harder, more useful question is what an identity actually does and what unused privilege is sitting there as latent blast radius. That activity‑grounded view is what turns identity from a compliance artifact into a preemptive control.
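The difference between a flat permission table and a graph view, and between theoretical entitlements and exercised access, can be shown with a small model. This is an added illustration, not Oleria's code or anything described in the Gartner research; the identity names, the grant edges, and the activity records are constructed sample data.

```python
from collections import deque

# Constructed sample data (hypothetical names, not from the original post).
# GRANTS: edges an identity or role is entitled to traverse.
GRANTS = {
    "token:ci-deploy": {"sa:build-runner"},
    "sa:build-runner": {"role:artifact-writer", "role:prod-admin"},
    "role:artifact-writer": {"res:artifact-bucket"},
    "role:prod-admin": {"res:prod-db", "res:secrets-vault"},
    "agent:copilot": {"role:artifact-writer"},
}
# ACTIVITY: grant edges actually exercised in the observation window,
# as they might be derived from audit logs.
ACTIVITY = {
    ("token:ci-deploy", "sa:build-runner"),
    ("sa:build-runner", "role:artifact-writer"),
    ("role:artifact-writer", "res:artifact-bucket"),
}

def reachable(start, edges):
    """Breadth-first search; returns {node: shortest path from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(edges.get(node, ())):
            if nxt not in paths:  # also guards against cycles in the graph
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def exercised_graph(grants, activity):
    """Keep only the grant edges that appear in observed activity."""
    return {src: {dst for dst in dsts if (src, dst) in activity}
            for src, dsts in grants.items()}

def resources(paths):
    return {node for node in paths if node.startswith("res:")}

def blast_radius(identity, grants, activity):
    """Answer: if this identity is compromised, what can it reach, and how
    much of that reach is unused privilege (latent blast radius)?"""
    theoretical = reachable(identity, grants)
    exercised = reachable(identity, exercised_graph(grants, activity))
    latent = resources(theoretical) - resources(exercised)
    return {
        "reachable": sorted(resources(theoretical)),
        "exercised": sorted(resources(exercised)),
        # Each latent resource comes with the access path that exposes it.
        "latent": {res: theoretical[res] for res in sorted(latent)},
    }
```

The `latent` paths are the candidates for removal: revoking an edge that has no recorded activity shrinks the blast radius without touching access that is in use.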
What product and security leaders should take from this research
A few implications stand out for anyone building or buying in this space.
If your exposure strategy depends on a single broad platform, you are likely under‑covered in the domains where attackers are now spending most of their effort: AI systems, machine identity, and the software supply chain. DSEM tools are not optional add‑ons; they are becoming the layer where the actual risk reduction happens.
If you are evaluating identity tooling, the question to ask is not “can it inventory my service accounts?” but “can it model reachability across human, nonhuman, and AI identities, and can it act on what it finds without breaking production?” Inventory without graph context is a 2020 product. Graph context without autonomous mitigation is a 2023 product. The bar in 2026 is closed‑loop neutralization with the safety guarantees to actually deploy it.
If you are a product leader at a security vendor, we believe the research is unambiguous about where capital is flowing: toward platforms that validate exploitability and trigger mitigation, not platforms that surface alerts.
Read the full Gartner research
We're making the full Gartner report available as a complimentary download. It includes the complete vendor analysis across all four PEM categories, the underlying capability model, and the Gartner strategic planning assumptions for how the market will evolve through 2030.


