Everyone is buying the agent access graph
Zscaler bought Symmetry, Snowflake bought Natoma, Microsoft priced Agent 365. In five weeks, three infrastructure giants targeted one layer: the map of which agent touches which data.
Holding·reviewed8 Jun 2026·next+89dBottom line. In five weeks, three infrastructure giants bought or shipped the same capability: Zscaler agreed to acquire Symmetry Systems (21 May), Snowflake agreed to acquire Natoma (27 May), and Microsoft shipped Agent 365 to general availability (1 May, $15 per user per month). The common target is the layer that governs which AI agent can access which data, which means the contested ground in enterprise AI security has moved from the network to the agent-to-data access graph.
The clearest statement of the move came from Zscaler. On 21 May 2026 it agreed to acquire Symmetry Systems, whose access graph ingests access logs across SaaS, cloud, data stores and AI systems and correlates them into a map of which identities touch which data.
“As enterprises rapidly adopt AI, the old playbook for governing access built around users and directories cannot scale to millions of AI agents. With Symmetry Systems, we are adding the access graph that maps how every identity, application, and data source connects across the enterprise.”
— Jay Chaudhry, Chairman and CEO, Zscaler, on the 21 May 2026 acquisition.
Six days later, Snowflake agreed to acquire Natoma, an enterprise Model Context Protocol gateway that checks identity, policy and audit before an agent makes a tool call. Snowflake’s framing rhymed with Zscaler’s: intelligence without governance creates risk. And three weeks before either deal, Microsoft had brought Agent 365 to general availability at $15 per user per month, an agent control plane with a unified registry and shadow-agent detection that spans agents from Copilot Studio, AWS Bedrock and Google Vertex AI.
| Move (2026) | Vendor | Capability acquired or shipped |
|---|---|---|
| 1 May | Microsoft | Agent 365 control plane ($15 per user / month) |
| 21 May | Zscaler | Symmetry Systems, the agent access graph |
| 27 May | Snowflake | Natoma, an MCP identity-and-policy gateway |
Sources: Microsoft, Zscaler, Snowflake.
Three vendors, one layer
The observable pattern is that the network is no longer where AI security is decided. A network vendor, a data-cloud vendor and a productivity-suite vendor, each starting from a different edge of the enterprise, all converged on the same destination in the same month: the ability to see and govern what an agent touches, not just where its traffic flows. When three companies with that little in common make the same bet at once, the bet is about where the market is going, not about any one product roadmap.
What they are buying is the answer to a question agents make urgent and directories cannot answer: which identity reached which data, by what path, and was it allowed. This is the problem the non-human identity governance vacuum read frames from the identity side; the access graph is the artifact that makes it auditable.
What the buyer should evaluate
For a CIO or CISO, the signal is a change in the evaluation question. The thing to test a platform on is not whether it blocks traffic but whether it can produce the access graph for a real agent: which data it reached, by which route, and whether that was permitted. A platform that governs agents only at the network edge cannot answer the data-access question that incidents and audits turn on, and that question is the one regulators under regimes such as the EU AI Act and sector security rules will increasingly demand evidence for.
The vendor-comparison version of this sits in the Okta-versus-specialist NHI vendors read; the point here is narrower, that the capability itself, the graph, is now the deciding feature.
The consolidation has a lock-in cost
The catch is the one consolidation always carries. Buying the access graph from your data platform, your network vendor or your productivity suite each pulls agent governance toward that vendor’s gravity, and the graph is most valuable when it spans the whole estate rather than one vendor’s slice of it. That is the same lock-in calculus the Anthropic valuation read applies to the model layer and the Big Four model-concentration read applies to delivery: evaluate on portability and breadth of ingestion, not only on whether the vendor has a graph to show you.
Holding-up note
The primary claim of this piece (that the May 2026 wave of AI-security acquisitions signals the contested layer in enterprise AI security has moved from the network to the agent-to-data access graph, and that buyers should evaluate platforms on whether they can map agent data-access topology) is on a 90-day review cadence. Three kinds of evidence would move the verdict: the announced deals failing to close or failing to integrate the access-graph capability; a competing layer (for example, runtime network controls) proving to be the one incidents and audits actually turn on; or the access graph becoming a commodity feature, which would weaken its value as a deciding factor. The Holding-up record for AM-206 captures what changes, dated. Figures are from Zscaler, Snowflake and Microsoft as of 8 Jun 2026.
Cite this article
Pick a citation format. Click to copy.
Spotted an error? See corrections policy →
Reasoned disagreement is a first-class signal here. Every review cycle weighs documented dissent; material dissent becomes part of the article's change history. This is not a corrections form — use /corrections/ for factual errors.
Vendor trajectory →
Where the major agentic-AI platform vendors are heading — strategy, pricing-model shifts, and what their trajectory means for a multi-year procurement commitment. 11 other pieces in this pillar.