Skip to main content
Cybersecurity

Identity Visibility Platforms Shrink IAM Attack Surface

Modern enterprise environment with multiple screens, laptops, and systems in use, conveying fragmentation and decentralized…

According to Orchid Security's analysis, 46% of enterprise identity activity occurs outside centralized IAM visibility.

Identity dark matter: nearly half of identity activity unseen

Orchid Security frames modern identity risk as "Identity Dark Matter" — the large body of identity activity that sits beyond the reach of centralized identity and access management (IAM). The company warns that as organizations scale, identities fragment across thousands of applications, decentralized teams, machine identities and autonomous systems. That fragmentation, amplified by disconnected tools, siloed ownership, and the rise of agentic AI, creates a widening gap between what security teams believe they control and the access that actually exists.

Gartner's IVIP (Layer 5) — the visibility and observability control plane

Gartner has positioned the Identity Visibility and Intelligence Platform (IVIP) as a "System of Systems" inside the Identity Fabric, occupying Layer 5: Visibility and Observability. By definition, an IVIP rapidly ingests and unifies IAM data and uses AI-driven analytics to provide a single window into identity events, user-resource relationships and posture. Orchid summarizes what an IVIP must do: continuous discovery of human and non-human identities; an identity data platform that consolidates directories, applications and infrastructure; and intelligence that translates scattered signals into actionable security insight.

What a working IVIP looks like in practice

An effective IVIP cannot be only another identity repository, Orchid argues. Technically, it must support automated remediation to correct posture gaps across the IAM stack; real-time signal sharing using standards like CAEP to trigger immediate security actions; and intent-based intelligence where large language models help distinguish normal operational behavior from risky patterns. The shift is designed to move organizations from visibility to understanding and, ultimately, to control.

Orchid Security's method: application-level discovery and Guardian Agent controls

Orchid operationalizes the IVIP model by building visibility from the application estate itself. The company uses binary analysis and dynamic instrumentation to inspect native authentication and authorization logic inside applications and infrastructure without requiring APIs or source-code changes. That approach seeks to surface custom apps, COTS, legacy systems and shadow IT — and the local accounts, undocumented authentication paths and unmanaged machine identities embedded within them.

Orchid combines proprietary audit telemetry from inside applications with logs from centralized IAM systems to create an evidence-based identity data layer. From cross-estate identity audits, Orchid reports several concrete observations: 85% of applications contain accounts from legacy or external domains, and 20% use consumer email domains; 70% of applications contain excessive privileges, with 60% granting broad administrative or API access to third parties; and 40% of all accounts are orphaned, rising to 60% in some legacy environments. Orchid presents these figures as telemetry observed directly inside applications rather than inferred from policy.

To address emerging agentic identities, Orchid extends IVIP with a Guardian Agent architecture. Five principles guide secure AI-agent adoption: Human-to-Agent Attribution; Activity Audit with a chain of custody; Context-Aware Guardrails; Least Privilege via just-in-time access; and Automated Remediation such as credential rotation or session termination.

Operational outcomes, remediation and a practical roadmap

Orchid urges a shift from counting deployed controls to measuring outcomes. The company proposes Outcome-Driven Metrics (ODMs) — for example, reducing unused or dormant entitlements from 70% to 10% within a fiscal quarter. Protection-Level Agreements (PLAs) are proposed as business-negotiated targets, such as revoking critical access within 24 hours for a leaver. Orchid also highlights business ROI: continuous observability can shrink audit preparation from months to minutes by automating compliance evidence generation.

For implementation, Orchid recommends a prioritized roadmap: form a cross-disciplinary task force aligning IT operations, app owners, IAM owners and GRC; begin risk-quantified gap analysis with machine identities; implement no-code remediation to close posture drift (for example, suspending orphaned accounts or weak passwords); leverage unified visibility during M&A and growth events to audit acquired assets before integration; and use continuous visibility to detect application-level violations missed by traditional tools.

What this means for IAM leaders, IT operations and CISOs

  • IAM leaders: Adopt an IVIP as an independent observability layer, prioritize ODMs over control counts, and negotiate PLAs to shrink attacker windows (for example, a 24-hour revocation SLA for leavers).
  • IT operations and app owners: Expect application-level discovery through binary analysis and instrumentation to surface unmanaged systems, local accounts and undocumented flows that traditional integrations miss; join cross-disciplinary task forces to reconcile operational access with policy.
  • CISOs and procurement/GRC: Use evidence-based identity telemetry to quantify risk (machine identities first), ask for no-code automated remediation, and demand audit-ready compliance evidence to reduce audit time from months to minutes.

Roy Katmor, CEO of Orchid Security, frames unified visibility as "the essential control plane" — a strategic move beyond the "locked front door" toward governing the dark matter where modern attackers hide. The prescriptions on offer are technical, operational and contractual: build continuous observability, measure outcomes, and automate remediation so that the invisible becomes governable.

Original story