You’ve probably been in touch with one Lumos team member and that’s how you got here. For those of you who are new, I am Andrej, CEO and co-founder of Lumos, and I like to send out thoughts, updates & surprises to amazing people (that’s you!).
Today’s post is all about the agentic movement in software. We just relaunched www.lumos.com to reflect our vision: identity governed the Agentic Way.
If you want to build real, enterprise-grade agents, this is your place. Lumos is the first AI-native identity company. We apply autonomous software to one of the hardest problems in cybersecurity.
The last few months have been exciting. I wrote this to show how autonomy will change software, what we are building, and how you can plug in. Hope you enjoy it!
About Cybersecurity and Identity
Let’s start with the market. Cybersecurity is growing because crime is moving online. Thieves no longer need to break into a building. They infiltrate your digital systems. The spammy texts that ask you for gift cards are the cartoon version. The real danger is attackers getting access to corporate accounts that open the doors to a company’s most valuable data.
And the numbers back it up. In Q2 2025, the 18 largest cybersecurity vendors grew 14.6%, outpacing overall IT spend at 8% and GDP at 2%. Cyber matters. Boards know it, and data shows it.
Within cybersecurity you have several markets: email security, network security, endpoint security, … Identity is one of its core markets. Identity makes sure people and services can access software and data successfully. It gives people the access they need for productivity, while keeping it to the minimum for security. And because identity is the key, it’s also where most modern attacks begin.
Take the MGM breach last year. Attackers impersonated an employee, called the help desk, and got a reset. With those credentials they signed in to SSO, escalated to high-privilege access, and spread across systems. MGM later told regulators the incident would cost about $100 million. More than 70% of breaches use identity techniques! That’s why identity protection matters.
Identity protection is one of the biggest opportunities in cybersecurity. Among those top 18 cyber vendors, three companies are focused on identity: Okta, SailPoint, and CyberArk. Each now generates over $1B in ARR, focused on different jobs:
Okta (Access Management): Helping users log in - like the key to your hotel room.
SailPoint (Identity Governance): Controlling who gets which permissions across apps - like the front desk deciding which keys to hand out.
CyberArk (Privileged Access Management): Securing the most sensitive resources, like secrets and API keys - the in-room safe and all-access keys.
These companies built serious products. They all were founded in the 2000s, in a world with fewer apps, fewer identities, slower change, and no AI. That is why identity is so interesting right now. It has become far more critical, and the incumbents weren’t designed for this new reality.
What’s the Problem in Identity?
Identity has many problems, but the one Lumos is tackling first is governance: deciding who gets access to what, and for how long. The demand for stronger governance began with the SaaS revolution, when teams started buying their own tools and “shadow IT” spread across companies. Suddenly, every app came with its own identities and permissions. Now the AI wave has made it worse: it’s not just humans who need access anymore, but bots, agents, and service accounts. The access surface didn’t just grow, it has 10x’d.
However, IT and Security did not grow at the same pace. IT is still drowning in access tickets. New hires need accounts. Developers need short-term access to sensitive AWS permissions. ServiceNow and Jira queues are always full.
Security faces a different fire. Every quarter they review who has access to which accounts and permissions. They try to spot the dangerous ones like broad admin rights, then remove them. Auditors ask for proof with screenshots and logs while everything keeps changing.
So, organizations turned to Identity Governance. On paper, it promised order. Control over who gets access, why, and for how long. In practice though, it added overhead. Identity Governance projects became some of the most complex and costly identity initiatives for companies to implement. The proof is that even Gartner issued a “do not attempt without significant support” warning.
The root challenge is simple. Most platforms still expect humans to do the heavy lifting. A tiny team of one or two people must decide who should have access to what across thousands of employees and contractors. This same team must then review tens of thousands of accounts to ensure compliance and that no one is over-privileged. It’s fascinating how they do it. Rules in spreadsheets. Manual updates. Emails to chase approvals. Screenshots to support audits. A decade ago that was hard but possible. Today the scale and speed make it impossible to brute force.
Identity needs to shift. It needs to move from manual routing to intelligent control. From tickets and spreadsheets to autonomy.
How Do Agents Change the Future of Software Beyond Cyber?
Cybersecurity challenges are growing faster than traditional solutions can keep up. While I could go on forever about the opportunity in Cybersecurity and Identity - let’s talk about today’s hot topic: Agents. Nearly every week, another major player announces their own. To understand why this matters, we need to look at how we got here and what this shift means for the future of software as a whole.
The LLM wave started for most people in 2022 with ChatGPT. The next real shift arrived in September 2024 when OpenAI introduced o1, a model built to reason through problems instead of guessing the next word. This unlocked a new class of software that can plan, evaluate its own steps, and improve with feedback. In short, agentic software.
Unlike cloud software that digitized work people were already doing, the agentic transition is different. It moves tasks people once owned end-to-end into flows that software can now fully handle on its own. Think about today’s e-commerce support. An AI agent greets the customer, verifies identity, pulls the last order, checks warranty and policy, asks a clarifying question, triggers the refund through the payments API, and sends a confirmation email. No handoffs. The loop closes itself.
This is why “AI-powered” is not the same as agentic. Most AI in products today is either ML or a copilot. In cybersecurity, this might look like flagging anomalies, assigning a risk score, or answering questions in text. Useful, but still requires a human to act. Agentic software on the other hand completes the action. It understands context, learns from feedback, and adapts when reality changes. It runs a workflow from intent to outcome. That’s the difference. A generic LLM wrapped around an MCP server will not do that. You need a domain brain that knows the goal, the tools it can call, and the rules it must follow. That is how you move from an answer in chat to a finished outcome.
I find the evolution of automobiles to be a helpful mental model. Over the past century, what we can expect from your standard car has evolved steadily. We’ve gone from manual shifting to automatic transmission. Added lane centering and self-parking. Then supervised highway driving. And now, fully driverless rides in geo-fenced zones. Each step handed more of the task to the system, with clearer rules and stronger safety checks. Software will follow the same path. More sensing. Better planning. Less human routing. More human judgment where it matters.
This is the path Lumos is taking in Identity. We started with assist. Have already graduated to autonomy in low-risk cases, like approving or denying whether a user needs a certain permission. And will expand into real time dynamic decisions as our technology learns a given customer’s patterns and objectives. The destination is Autonomous Identity. We are building the platform to continuously manage access so teams can focus on building.
Let’s talk Lumos - The First Autonomous Identity Company
From the beginning, Lumos applied machine learning to identity. When Agents became a reality, we evolved. Enter Albus, the world’s first Identity AI Agent. Albus supports IT and Security leaders in reasoning through tough access decisions and then taking action with confidence. With Albus, we brought agency to identity.
We’re building toward end-to-end agentic workflows. Most “AI-powered” tools today are just a thin chat layer on top of data. Helpful, but they stop at a recommendation. Agentic software goes further by delivering outcomes.
To do that, you need an architecture built for autonomy. The incumbents from the 2000s, and even many “next-gen” SaaS vendors, were not designed that way. Lumos was built AI first, which makes the platform flexible enough to layer in reasoning, actions, and feedback loops. So when a user has risky access, Albus checks the user’s background, tests it against company policy, calls the right APIs, logs the evidence, and learns from the outcome.
Customers across industries, from Grow Therapy in healthcare to Cava in food & hospitality to Pinterest in tech, are all leaning into this new way of building.
To bring this to life, let’s look at a common use case: Role-Based Access Control (RBAC).
As a reminder, the goal of Identity Governance is simple: give people the right access at the right time. Most companies try to do this through RBAC, where 1-3 person IAM teams write “rules” that define what access someone with certain HR attributes should get by default. On paper, it sounds straightforward. In practice, it’s slow, expensive, and always a step behind. Teams hire consultants, interview business partners, and map access by hand. Months pass, the business changes, and the rules already reflect the reality of six months ago.
Large enterprises can spend seven figures a year just maintaining RBAC, while smaller ones struggle to absorb the cost. Take Netskope, one of our customers with ~3,000 employees (who recently filed their S1!). How should a team of one or two engineers decide what hundreds of teams should get by default?
That’s where Albus comes in. It analyzes usage patterns, understands the purpose of app permissions, and learns from admin feedback to propose role definitions. Admins edit, Albus learns, and the result is a living rulebook that stays current.
The result is scale + speed. We worked with a large tech company and built their full role architecture in under three weeks. Their team told us it would have taken twelve months without Lumos, and by then it would already be stale. Albus helped them move fast, saved millions, and gave every employee a better first day. And, RBAC is but one of many agentic workflows for identity use cases.
To celebrate the new launch of lumos.com, our design team also gave Albus its own brand. Albus isn’t just “the Lumos Agent.” It has its own name, identity and even a logo that evolves from the Lumos logo. Why? Because Albus is more than a set of features. It’s truly a teammate. I’ll make sure the design team does a longer post on how they built the Albus brand.
Join the Autonomous Movement
It’s a privilege to be building right now. We are living through a new software moment, and we get to help shape it. When it comes to agents, there is no handbook. The smartest people are still debating single agent versus multi agent, how to evaluate them, and what “good” looks like in production. It is truly Day 1.
Every platform shift creates new leaders. Salesforce replaced Siebel. Workday replaced PeopleSoft. The next wave of autonomous software is already coming. Teams like Sierra and Decagon are rethinking support. Gong is reshaping sales. Cursor and Cognition are redefining how developers build. And, Lumos is doing the same for Cybersecurity. We want to prove that autonomous systems can secure a world that grows more complex every day.
Someone asked me yesterday why I’m so fired up. Of course, the opportunity is massive. The cloud era created dozens of billion dollar companies by moving work to a better model. The agentic era has started and it will do the same. Building in cybersecurity is meaningful work and the stakes are real. You protect from crime and keep businesses running. But the truth is bigger than opportunity or security. Henry David Thoreau once said that humans became tools of their tools. I feel that every time I open Instagram or Twitter. Agents give us a chance to flip that script. With agents, software finally seems to be serving us, not the other way around.
This is a rare window. Be part of it! We are hiring across product, platform, and AI. If you want to build autonomous software with us, check out our new careers page or send me a note on LinkedIn. Welcome to Lumos.