It’s exceptionally rare to find a company that’s been through a journey like the one SailPoint has been on over the course of 20 years. Their 2026 fiscal year was arguably their best one yet, full of major product launches and milestones — including over $1 billion of Annual Recurring Revenue (ARR).
I spoke with Matt Mills, SailPoint’s President, about a wide range of topics. We spent time reflecting on the journey to $1 billion ARR, then moved towards the future: authorization, business drivers, AI fear and progress, adaptive identity, application integrations, competition, and…mainframes?!
This was a candid discussion about what it takes to be an identity company serving the world’s largest customers as we enter the AI era. I hope you enjoy it as much as I did.
Note: This interview has been lightly edited for clarity.
The billion dollar milestone
Cole Grolmus: SailPoint just surpassed $1 billion ARR in its last fiscal year, so this discussion is coming at a perfect time. I'd love for you to reflect on that for a minute. It's such a significant milestone that's been building over the course of 20 years.
Matt Mills: If you haven't spent time in the startup world or these emerging markets, you might not fully appreciate the Mark McClain story: doing a startup, taking it from zero to $150-200 million, taking it public, taking it back private, and then taking it back out again.
When you start looking at the odds, what percent of startups actually make it to a public market? It's really, really small. Then you start asking what percent actually make it to a billion dollars, and what percent of those actually have the same founder CEO for 20 years going through all of that. It's a pretty incredible story.
Breaking down our business at a billion dollars ARR: we typically do three-year contracts, so when you look at remaining purchase obligations and the size of the business, it's probably a $3 billion business. It's a big business.
I've only been here for six and a half years, so I've been here on Mark's coattails. It's a great story.
We talked about being a billion-dollar company when I got here, but there's a ton of work by everybody that goes into it. It's a pretty nice thing for the company to rally around and celebrate. Everybody contributes because you don't get there any other way.
Authorization is having a moment
Cole Grolmus: The core thesis of an article I published recently was that authorization is about to have a moment.
As someone who's been doing this for a long time and has done several enterprise identity implementations, I think authorization (broadly) and SailPoint (specifically) are more relevant than ever, even after a 20-year run.
What evidence or anecdotes have you seen from a customer perspective that make you believe this is happening?
Matt Mills: There are a lot of things happening that are all coming together and changing the context of what SailPoint is.
If you go back even five years ago, we were still doing traditional identity governance. Having been in the business a while yourself, you understand that when you thought about governance originally, you were always thinking about compliance and audit. That was it.
With the acceleration of agentic AI, it's really accelerated the idea that governance is still important, but it's going to have to manifest itself very differently in this world.
We're moving to a real-time world. We've been authenticating and authorizing for a lot of years, but now it takes on a new meaning.
When you start talking about zero standing privilege, that's the operating model. But now we're talking about authorization in a different context: just in time, time-bound, purpose-bound. We're looking for immediate or real-time remediation. The permissions are revocable.
When companies are looking for a new solution, what's causing them to go down this path? A big chunk of it is still compliance, but a big chunk of it now is risk.
The conversation changes from "are we compliant?" to "is access justified right now?" Not just is it justified, but is it justified right now.
If you listen to our CTO Chandra Gnanasambandam talk, he talks about context: When Cole is logging on, does he have access to this?
The answer might be yes, Cole has access to that. But does he have access to it at 3:00 in the morning on an IP address I've never seen in China? I'm probably going to say no, I don't think he does right now. I'm going to poke at that and make sure he's authorized to do what he's doing, where he's doing it, when he's doing it.
Those are the things that bring this whole new perspective around authorization.
Compliance and security, not either/or
Cole Grolmus: You probably have the broadest allocation of customer discussions of anybody at SailPoint.
What percentage of customers are still coming in with regulation as a driver versus moving towards the risk and security end of the spectrum?
Matt Mills: I hate to say it, because the industry's been around this long, but there's a ton of regulation that we deal with already in regular business. Every time I turn around, there's another cottage industry coming up with their own level of certification or compliance regulations.
I think we're just on the cusp of a new set of regulations that are going to come at us from an AI perspective.
The auditors I talk with ask questions about when we are going to get to the point where AI agents are actually doing things on our behalf, making relevant and material decisions.
If you're going to secure your enterprise, I don't think you can do it through human hands on a keyboard. You cannot keep up.
At some point, somebody's going to have to make a call: do we trust what's happening here? Can we put the right constructs in place that allow us to have some level of confidence? Is there enough transparency?
The bad guys don't have to deal with that. They just use the technology and wreak havoc.
There's a balance we're going to have to get to. As providers of these solutions, we're going to have to be transparent. It's going to have to be auditable. I think that's coming. It’s not that far away.
Cole Grolmus: It sounds like an "and" not an "or." The reality is we're living in a world that's more regulated and there are more risks driving security. It's actually the combination of both things that's going to be a factor.
Matt Mills: I think so. There's a little bit of a fear factor that companies are dealing with. They don't want to go too far down this path until they understand exactly what they're dealing with — not only from a regulation perspective but from a security perspective.
I don't believe applications as we know them today are going to act and behave like they did five years ago. You're going to have embedded agents in virtually every off-the-shelf software product available.
Companies are going to say, "I don't have a choice. I'm going to have to somehow certify and regulate these agents to make sure they're doing things like they're supposed to do and not causing problems with security or having access to the wrong data."
Having your foot on the gas and the brake simultaneously
Cole Grolmus: I covered this topic in my interview with Mark McClain, and he had an interesting take on it. He described it as: “I’ve never seen this many customers with their foot on both the gas and the brake at the same time.”
There is so much upside with both AI and agents, and it gets more incredible by the week. But once you realize what's possible, you also become way more afraid. How do you reconcile that?
Matt Mills: He says it well. He and I sit on a number of investor calls, and we get a ton of questions because the investors and analysts want to understand how fast this is going to go.
At the end of the day, it's hard to understand how quickly the uptake will be on these technologies. You're seeing C-suite executives saying, "We need to take advantage of these efficiencies. We need to start being able to get the benefits of this in our business."
Meanwhile, the practitioners and security experts are saying this scares the heck out of them. It scares them that we're going to have the ability to build human-like digital agents that are going to go out and work under my guidance with permissions that maybe a human is going to pass through to them.
You hear these cornerstone cases that people repeat, like the story about so-and-so who had forty-six agents running in their business that nobody knew anything about.
I've heard that story over and over. The numbers change, but it’s the same story. Nobody knew, then it did something bad, and everybody got in trouble. I hear a ton of those stories, and they scare the living daylights out of people.
I don't think you hear enough about how people are actually using this effectively today in very pointed solutions and starting to get those benefits. People will get more comfortable with AI and agents eventually.
One of the big accelerators for companies like us is when we can get our product out and start getting people comfortable with the level of security and transparency we can provide around agents. Then you're going to see some acceleration.
The big next step is what we call the "base agents." Those are the vendor agents that come from the Salesforces and the Workdays of the world, delivered in the products. If you can govern those — discover them, categorize them, assign ownership to them, certify them — then you can start making progress. It's the autonomous agents that give people pause.
Are security teams ready for adaptive identity?
Cole Grolmus: Another question I asked Mark was whether security teams are ready for adaptive identity.
The reason I asked with some consternation is that, if I put my implementer hat back on and consider what an operational identity program is like most of the time, the median implementation is just trying to keep its head above water.
There's a lot to integrate, a lot to roll out. It's hard enough to manage human identities…and then we're talking about adding agents on top of that?!
Mark's answer, which I agree with, was: "Look, I get it, but I don't think we have a choice. It's going to happen whether we want it to or not. Better to get ready for it, and better to use tools like SailPoint to enable it instead of trying to make it stop."
Matt Mills: I'm with you 100%. We acquired Savvy to help with this, which is now our Accelerated Application Management solution. It's probably our fastest-scaling product. The pipeline is going through the roof because people are now starting to understand what it does.
It's not just about discovering all your apps. It's also being able to tell you that apps use embedded agents.
When companies realize "I have 1,000 apps, and 900 of them are using agents," it's not like you can just disable them. They are probably running your business. You can't just turn them all off.
So what do you do? You discover them. You categorize them. You assign ownership to them. You give them human owners and certify them just like any other kind of identity. That's significant.
When we look at Tier 1, Tier 2, Tier 3 connectors, the Tier 3s are probably 15-20% of your total applications. The Tier 2s were always at 20-25%. It's quite possible the Tier 2s may end up being 80-90% of all your applications now because they're all using agents.
To Mark's point, I don't think agent adoption is going to go backwards. Agents are coming down the tracks. You're going to have to deal with it as a company because agents are not going away.
Your other choice is to not manage them, not assign ownership, leave them orphaned and therefore not certified and not governed. We'd all agree this is a really bad idea.
The under-appreciated shift to managing every app
Cole Grolmus: Let's go to the topic of integrations — or in SailPoint terms, accelerated application management. This is a major product strategy shift, which I believe is underappreciated.
Some historical context: SailPoint has historically focused on helping customers manage regulated and high-risk applications. That’s an important slice, but still only a slice of the application portfolio.
With Savvy and accelerated application management, we're headed towards a place where customers can manage every app at some degree of depth.
Tell me more about the shift from your point of view.
Matt Mills: It's hugely underappreciated. One of the biggest challenges we have is that identity governance has gone from a back-office solution stuck somewhere down in IT operations to showing up front and center on the threat vector. Especially over the last five years, it turns out identity is the path where 80-90% of all these breaches are actually occurring. We've got to think about this differently.
We always get criticized because "these guys are only governing 10-15%, like 100 applications out of 5,000." Nobody's doing anything with the other 4,900. That's why we went out and acquired Savvy.
I think of Savvy as a bit of posture management. It's the discovery component saying, "I'm going to go out and not only identify the applications, but keep the pulse on them — ones coming in, ones going out, and changes to them."
When you start looking at the complexity of what we're trying to solve in Tier 2 and Tier 3 apps, this is where we get a little high and mighty. Our competitors say they can do this, but they don't have the depth.
We always say they don't have the ability to handle this complexity, and people say, "Well, what's the complexity?"
You've got thousands of identities: humans, machines, services. You've got millions of access relationships. You've got roles, groups, permissions. All of this adds complexity, especially in a large company.
We'll go down to 30 or 40 levels deep of nested entitlements. That's not abnormal for our world. We go over 250 levels deep sometimes.
People hear that and they're like, "That's got to be one in a million." It's not. There's a lot of complexity out there. If you don't have those levels of capability to handle the complexity in a Tier 3 fully governed auto-provisioning environment, you have no hope.
I've said this a hundred times to analysts: people can't handle the complexity that we handle. That's why we do well in the 5,000+ employee segment. Nobody there says, "Explain the complexity." They just don't.
If somebody says, "Well, it's because of your fine-grained entitlements" — of course, but nobody wants to get under the hood because if they did, they'd really start to understand the differentiation between us and the others.
You'll hear Mark try to be humble about the Veza (ServiceNow), Zilla (CyberArk), even Okta (Identity Governance) that say, "We're coming up to enterprise." They’re really not. It's going to take more than just newer technology or newer architecture. I'm not suggesting there's not a place for them. There is. It's just not up here. Not today. Maybe down the road.
One of our customers has 50 million entitlements. My reaction when I heard that was somebody ought to get fired over there. But then we find out we've got a bunch of customers out there with 10, 20, and 30 million entitlements. It's just a fact of life in enterprises. We can sit here and debate if that's smart or not, but it's there.
This is where we get a little indignant when you've got 200+ companies out there today saying, "We do identity security." If you go to the Gartner event, if there are 200 vendor suites, they all say identity security on them. "We do identity security. We do agent security."
Maybe there are cursory-level things they can do. But to secure an agent, you've got to secure the data. You've got to take identity context, tie it with the data, and drive it into the entitlement level all the way down. It gets pretty hard.
Competitive dynamics
Cole Grolmus: Give me some thoughts on the competitive dynamics in the identity market today. Obviously there's been a lot of market activity, probably in some ways starting with SailPoint going private a few years ago. Even if you look at the last few months, it was one of the most interesting periods in the history of the identity market.
You've got a billion-dollar acquisition with ServiceNow and Veza, Saviynt raising $700 million, Palo Alto Networks closing the acquisition of CyberArk…plus all of the major product announcements and earlier stage startups raising capital.
What are your thoughts on the competitive landscape as it stands in 2026?
Matt Mills: We're all competitive, and I think it's in our nature. If you've ever heard Mark, he talks about being humble, hungry, and proud. We try to stay humble. It's not our nature to sling mud.
When I look at this market, I segment it between what I'll call the broader market (3,000-4,000 employees and under) and the enterprise. That broader space is really noisy. That's where everybody is at. You've got Zilla, Veza, Lumos, Oasis, and others. That's where Okta lives. That's where a lot of Microsoft Entra’s customers are, too.
They bang heads down there. We're not down there much. We've done a good job of understanding where we're differentiated and trying to stay there.
When you look at the progress we've made over the last number of years, we now own 50% of the Fortune 500 and 26-27% of the Global 2000. We live off this thing we call our target account list. We've got a bunch of companies we've done our first line of qualifying on. They look like SailPoint customers, and we've only converted about 15% of those so far. We've got a ton of runway ahead of us.
I fight this battle all the time about people wanting to go down-market. Over time, that happens naturally. Gravity gets a hold of your company. If you don't stay up and stay relevant and continue to innovate, you get sucked into it.
Down-market is competitive, noisy, with less sophisticated buyers. When everybody says they do everything, I think it's a terrible place to be if you're trying to buy something because it's really confusing.
When you get up into the market where we really live, it's not that noisy. We see Saviynt the most. They show up everywhere because nobody wants to run a process with a single source. They want to see multiple players.
We'll get the occasional deal where somebody on the board says, "We own Microsoft, why aren't we using those guys?" and we'll get into a little bake-off with them. It doesn't really end well for them because they can't execute with the level of complexity that we can.
When we stay in our 5,000+ employee segment, we win 82-83% of the time. We have a rigorous methodology and good products that solve the problems and handle the complexity.
We'll lose some to Saviynt, to be fair. They're pretty good marketers. They realize our goal is to get high and get strategic. Their goal is the battle down in the trenches. In the trenches they can say, "I can make this do whatever you want to do." It's literally a bespoke solution — they say it's not, but that's what it is.
Time and time again, I'll read our win-loss reports and they'll say, "Oh, we lost on price." I'm like, we didn't lose on price. We lost because we ran a subpar sales campaign and got sucked into their methodology. It'll happen on occasion with Okta where somebody maybe hasn't gotten the value out of our stuff.
We just did a deal with a large enterprise customer. On an investor call, they said they heard about several big companies, including that one, who are now Okta customers. We responded and said, “We just did a deal with them. Where does this come from?”
Okta actually does their access management, but not identity governance. If I was sitting here trying to make sense of it, they probably threw in all their other stuff in the renewal. That happens quite a bit.
What many of our competitors are continuing to do is salt the renewal with other products to keep it from going negative. They can say "hey, we just did a pretty big deal with this product" even if it’s not being used.
We compete and get challenged every day by competitors. There are things they do well. But when you look at things holistically, we continue to beat them pretty handsomely.
Cole Grolmus: A couple quick things to tidy up that thought:
First, I'd bet your ideal accounts that aren’t SailPoint customers yet are probably running legacy identity systems, right? Most of them aren’t using your current competitors. They're using Oracle, IBM, or something really old.
That's a completely different animal from a competition standpoint. It’s not like you’ve lost those accounts — it’s that nobody has won them yet.
Also, the entitlement depth and variety of connectors is a major factor that gets an aspiring competitor out of the downmarket group and into SailPoint’s enterprise-level group.
That's why there isn't much competition at the enterprise level. It's way different to manage a bunch of cloud apps than it is to manage my gnarly mainframe.
Matt Mills: 100%. That's something Mark always goes to. You're not going to find a Fortune 100 company that doesn't have a bunch of 40-year-old IBM stuff in it. It's not a cloud app. It's something far more sophisticated to build a connector for and manage and govern.
There's way more of that out there than you would ever imagine. There are still tens of millions of lines of COBOL.
Believe it or not, I was an old COBOL programmer. When I hear that, it makes me smile because I potentially could have another gig in semi-retirement.
Cole Grolmus: If AI doesn't take your job first. I haven't tried writing any COBOL with Claude Code yet, so your semi-retirement gig might be safe!



