There are now more machine identities inside the average enterprise than human ones. Bots, service accounts, API credentials, automation workloads — each a digital actor that can request access, execute commands, and move data, none of them capable of noticing if something has gone wrong. That is the security problem two French organisations decided, at VivaTech 2026 last week, to build AI to solve.
WALLIX, a European leader in identity and access management cybersecurity listed on Euronext since 2015, and Inria, France’s national research institute for digital science and technology, signed a strategic partnership on June 18, 2026 at VivaTech in Paris to accelerate the development of trusted, explainable AI for identity and access cybersecurity. The announcement marked Inria’s first framework partnership with a French SME and its first strategic collaboration in the cybersecurity sector — an institutional signal about how seriously France’s public research establishment is treating the intersection of artificial intelligence and digital sovereignty.
WALLIX chairman and CEO Jean-Noël de Galzain explicitly cited the shutdown of Anthropic’s Fable 5 and Mythos 5 models at the request of a foreign government as a concrete illustration of the European dependence on non-European technologies that the partnership is designed to address. The framing is not incidental: WALLIX has positioned itself for years as a European alternative to US cybersecurity vendors, and the VivaTech announcement connects that commercial positioning to a specific national security argument about what happens when critical AI infrastructure is controlled by companies outside European jurisdiction.
Key Developments
- WALLIX and Inria signed a strategic partnership on June 18, 2026 at VivaTech in Paris to develop trusted AI for identity and access cybersecurity — Inria’s first such framework agreement with a French SME and its first cybersecurity sector partnership.
- Focus areas: identity behavioral analytics, intelligent access governance, securing non-human identities (bots, service accounts, APIs, automation workloads), continuous compliance, and trusted/explainable/frugal AI models for sensitive environments.
- The partnership builds on the Malizen journey: a startup from Inria Rennes research that WALLIX acquired in November 2025 and is now integrating AI-driven behavioral analysis into its WALLIX One platform.
- France’s Minister Delegate for AI and Digital Affairs, Anne Le Hénanff, was present at the signing — signaling formal government endorsement of the initiative as a contribution to French digital sovereignty.
What Happened
According to WALLIX’s official press release, the partnership will be structured around research projects, technological challenges, demonstrators, and joint innovation initiatives, with five specific work streams identified: behavioral analysis of human and non-human identities to detect anomalies and weak signals of compromise; intelligent access governance and automated reduction of excessive privileges; securing non-human identities including technical accounts, APIs, services, and automation systems; continuous and automated compliance mechanisms with real-time generation of audit evidence; and developing trusted, robust, explainable, and frugal AI models adapted to sensitive or computationally constrained environments.
The French government’s presence at the signing was not ceremonial. France’s Minister Delegate for Artificial Intelligence and Digital Affairs, Anne Le Hénanff, was photographed at the announcement alongside Inria CEO Bruno Sportisse and WALLIX CEO de Galzain, signalling formal ministerial endorsement. Inria’s own announcement framed the partnership explicitly as a contribution to French and European digital sovereignty, noting that it continues the government’s Étincelles initiative, which connects innovative SMEs with public research organisations to build French digital leaders with genuine market traction.
The Mechanism: Why Non-Human Identity Is Now the Primary Attack Surface
The partnership’s technical focus on non-human identities reflects a shift in where cybersecurity risk is actually concentrating. In a traditional enterprise security model, the primary identity management challenge was governing human user access: which employee can access which systems, how access is provisioned and deprovisioned, and how authentication is enforced. Non-human identities — the service accounts, API credentials, bots, and automation workloads that modern enterprise software depends on — were managed as a subsidiary category with lighter governance.
That model no longer reflects the actual distribution of risk. As enterprises have adopted cloud-native architectures, microservices, automation platforms, and increasingly agentic AI systems, the volume of non-human identities in the average enterprise has grown faster than human headcount by several orders of magnitude. Unlike human users, non-human identities typically do not rotate credentials regularly, often have broader access permissions than any individual human would be granted, and do not generate the kind of contextual behavioral signals — unusual login hours, unexpected geographic locations, uncharacteristic access patterns — that traditional user behavior analytics systems are trained to flag. If a service account that normally queries a database every ten minutes begins exfiltrating data at high speed, the anomaly is detectable in principle but requires a behavioral baseline for that specific non-human identity, not just a generic model of what a human user looks like when compromised.
AI-driven identity behavioral analytics, which the WALLIX-Inria partnership is specifically targeting, addresses this by building per-identity baselines that can detect the subtle anomalies in how machine identities operate before they escalate to a breach. The Malizen technology WALLIX acquired in November 2025 provides a starting point for this capability, and the Inria partnership gives WALLIX access to the academic research expertise needed to extend it from a commercial product feature into a genuinely novel AI architecture designed for the specific constraints — interpretability, auditability, computational frugality — that regulated European enterprises require.
The Backstory
The WALLIX-Inria partnership has an unusually transparent origin story. Malizen, the startup at the heart of the collaboration’s prior work, was founded by Christopher Humphries, a Inria Centre at the University of Rennes researcher who built cybersecurity behavioral analytics as his doctoral research topic in partnership with the French defence procurement agency (DGA). Inria Startup Studio supported Humphries in commercialising that research as Malizen, which WALLIX then acquired in November 2025. The VivaTech partnership formalises the relationship between WALLIX and the Inria ecosystem that produced the technology WALLIX already owns, expanding it from a one-time acquisition into an ongoing research and development collaboration that both organisations expect to produce new intellectual property beyond what Malizen brought to the table.
The broader context the VivaTech announcement speaks to is the one de Galzain made explicit in the press release: the episode in which the US government’s export control directive forced Anthropic to suspend worldwide access to Claude Fable 5 and Mythos 5 provided European cybersecurity leaders with a concrete, recent illustration of the systemic risk of depending on AI infrastructure controlled by non-European entities operating under non-European law. That episode was cited by de Galzain not as a criticism of Anthropic but as evidence of a structural reality: when critical AI capabilities are concentrated in companies subject to a single foreign government’s jurisdiction, the organisations that depend on those capabilities have no control over whether access continues. The WALLIX-Inria collaboration is presented as one component of the European response to that reality.
Reactions
Inria CEO Bruno Sportisse described the partnership as “perfectly illustrating Inria’s mission: transforming scientific excellence into innovations with strong economic and societal impact,” and said it brings together public research and industrial expertise “at the crossroads of artificial intelligence and cybersecurity” in direct service of French and European digital sovereignty. De Galzain framed WALLIX’s position as a security company at the sovereignty-and-independence nexus explicitly: “Digital freedom rests on two inseparable pillars: security and independence.” That framing connects the practical business of identity and access management to the larger European political project of building technology infrastructure not governed by US or Chinese companies.
The Dispute: Research Partnership vs Deployed Product
The honest assessment of what the WALLIX-Inria partnership produces in the near term is research projects, technological challenges, demonstrators, and joint innovation initiatives rather than commercial products available to enterprise customers. The partnership announcement at VivaTech was made before any of the five work streams have produced deployable results, and Inria research collaborations, while capable of generating significant innovation, operate on academic timelines that are measured in years rather than product-release quarters. WALLIX’s existing WALLIX One platform already incorporates the Malizen behavioral analytics acquired in November 2025, which means the most immediately commercially relevant AI capability is already in the company’s product rather than in the pipeline from the new partnership.
There is also a competitive reality that the sovereign-AI framing can obscure. WALLIX’s main cybersecurity competitors in the IAM and PAM space include CyberArk, BeyondTrust, and Delinea, all US companies with significantly larger market capitalisations and broader enterprise customer bases. Whether a trusted-AI and sovereignty positioning creates a decisive commercial advantage with large European regulated-industry customers — banks, utilities, defence contractors — or whether those customers continue to select US vendors for their feature depth and global support infrastructure, is a market test the WALLIX-Inria partnership will take several years to produce evidence on. Attacks like the Miasma supply chain worm that targeted AI coding tools across Microsoft’s GitHub repositories underscored how urgently AI-driven identity threats are arriving in production environments — which shortens the timeline for WALLIX to convert its research partnership into deployable product improvements that can compete on feature parity, not just on sovereignty narrative.
What Happens Next
WALLIX has indicated that AI-driven behavioral analytics built on the Malizen foundation will be rolling out as part of the WALLIX One platform through 2026, with the Inria partnership expected to deepen the academic and scientific basis of that work rather than replace it. The research timelines for the five announced work streams are not publicly disclosed, but Inria collaborations typically produce demonstrators and publishable results on two-to-four-year cycles, meaning the partnership’s most significant outputs will likely mature around 2028-2029. The near-term signal to watch is whether WALLIX wins new enterprise customers in the regulated European sectors — financial services, defence supply chain, critical infrastructure — where sovereignty framing has the strongest purchasing decision leverage, and whether those wins can be attributed to the AI capabilities built on the Malizen-Inria foundation rather than WALLIX’s existing PAM product strengths.
Why It Matters
The WALLIX-Inria partnership matters at two levels simultaneously. At the product level, it targets a genuine and growing cybersecurity problem — the explosion of non-human machine identities that existing IAM governance frameworks were not designed to handle — with a research collaboration capable of producing novel AI approaches rather than simply repackaging existing commercial tools. At the policy level, it is one of the more concrete examples of France’s Étincelles initiative producing a partnership that directly connects the European digital sovereignty agenda to commercial cybersecurity infrastructure, rather than treating sovereignty as purely a government procurement or regulation question. Whether the combination — Inria’s scientific depth, WALLIX’s operational scale, and the French government’s explicit endorsement — produces tools capable of competing with US market leaders on the feature dimensions that actually drive enterprise purchasing decisions is the commercial question the next two to three years will answer. The AI Office of Ireland’s establishment as the EU’s most significant enforcement body for AI and the WALLIX-Inria partnership represent two different approaches to the same underlying European anxiety about AI sovereignty — one regulatory, one commercial — and the interaction between them will shape how European organisations think about AI-enabled cybersecurity for the rest of the decade.
Sources
WALLIX (wallix.com); Inria (inria.fr); Actusnews Wire; WebDisclosure; LinkedIn (Jean-Noël de Galzain).
