The Fragmented State of Modern Enterprise Identity
Enterprise identity and access management (IAM) is nearing a critical threshold. As companies grow, identity data scatters across countless applications, independent teams, machine accounts, and automated systems.
This creates what’s known as Identity Dark Matter—identity-related actions that fall outside the oversight of centralized IAM systems and remain invisible to security teams.
Research from Orchid Security reveals that 46% of all enterprise identity activity happens beyond the reach of centralized IAM monitoring. In other words, close to half of the identity landscape may be operating without oversight. This hidden segment includes unmanaged software, local user accounts, undocumented authentication flows, and non-human identities with excessive permissions. The problem is worsened by disconnected tools, isolated ownership structures, and the rapid expansion of agentic AI.
The outcome is a growing disconnect between what security teams believe they control and the actual access that exists across the organization. That blind spot is where today’s identity risks are concentrated.
Introducing the IVIP Category: The Visibility & Observability Layer
To address these blind spots, Gartner has defined the Identity Visibility and Intelligence Platform (IVIP) as a core “System of Systems.” Within the Identity Fabric model, IVIPs function at Layer 5—Visibility and Observability—serving as an independent oversight layer positioned above access management and governance.
Under this definition, an IVIP continuously collects and consolidates IAM data and applies AI-powered analytics to deliver a unified view of identity events, identity-to-resource relationships, and overall security posture.
| Feature | Traditional IAM / IGA | IVIP / Observability |
| --- | --- | --- |
| Visibility Scope | Only applications that are integrated and governed | Full coverage: managed, unmanaged, and disconnected systems |
| Data Source | Manual documentation and owner attestations | Ongoing runtime data and application-level telemetry |
| Analysis Method | Periodic configuration reviews and "inference" | Ongoing discovery backed by concrete evidence |
| Intelligence | Simple rule-based logic | LLM-driven intent detection and behavioral analysis |
What an IVIP Must Actually Deliver
A legitimate IVIP cannot simply be another identity database. It needs to function as an active intelligence engine for the entire enterprise identity ecosystem.
First, it must enable ongoing discovery of both human and non-human identities across all relevant systems—including those never formally onboarded into IAM. Second, it must serve as an identity data platform, bringing together scattered data from directories, applications, and infrastructure into a single, reliable source of truth. Third, it must provide intelligence, applying analytics and AI to turn fragmented identity data into meaningful security insights.
From a technical perspective, this requires supporting features such as automated remediation, so posture issues can be fixed directly across the IAM stack; real-time signal sharing, using standards such as the OpenID Shared Signals Framework's Continuous Access Evaluation Profile (CAEP) to trigger immediate responses in relying systems; and intent-based intelligence, where LLMs help determine the purpose behind identity activity and distinguish routine operations from genuinely risky behavior.
This represents the evolution from simply seeing identity activity to understanding it—and ultimately, to controlling it.
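To make the CAEP signal path concrete, here is an added example (not Orchid's code and not an SSF library) of the exchange: a transmitter emits a Security Event Token (RFC 8417) carrying one CAEP session-revoked event, and a receiver verifies the signature, issuer, audience, freshness and replay state before terminating the subject's sessions. It assumes an HS256 shared secret purely so it runs offline (real SSF transmitters sign with asymmetric keys published via JWKS) and the SSF 1.0 layout with `sub_id` as a top-level claim; the issuer, audience, e-mail addresses and session records are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# CAEP event-type URI for session revocation (from the OpenID CAEP spec).
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

# Constructed shared secret for the demo; a real SSF transmitter signs with an
# asymmetric key and publishes a JWKS so receivers never hold signing material.
SHARED_SECRET = b"demo-only-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_session_revoked_set(issuer, audience, subject_email, reason, now=None):
    """Transmitter side: emit a SET (RFC 8417) carrying one CAEP session-revoked event."""
    now = int(time.time() if now is None else now)
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    claims = {
        "iss": issuer,
        "aud": audience,
        "jti": uuid.uuid4().hex,  # unique id so the receiver can detect replay
        "iat": now,
        "sub_id": {"format": "email", "email": subject_email},
        "events": {
            CAEP_SESSION_REVOKED: {
                "event_timestamp": now,
                "reason_admin": {"en": reason},
            }
        },
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def receive_set(token, expected_issuer, expected_audience, seen_jti, now=None, max_age=300):
    """Receiver side: verify signature, issuer, audience, freshness and replay
    before trusting the event. Raises ValueError on any failed check."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
        raise ValueError("unexpected header")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    iat = claims.get("iat", 0)
    if not (now - max_age <= iat <= now + 60):
        raise ValueError("stale or future-dated token")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    if not claims.get("events"):
        raise ValueError("no events claim")
    return claims


def apply_signal(claims, sessions):
    """Act on a verified SET: drop every live session of the revoked subject.
    Returns the number of sessions terminated."""
    if CAEP_SESSION_REVOKED not in claims["events"]:
        return 0
    email = claims["sub_id"]["email"]
    before = len(sessions)
    sessions[:] = [s for s in sessions if s["user"] != email]
    return before - len(sessions)


if __name__ == "__main__":
    tok = build_session_revoked_set("https://idp.example", "https://app.example",
                                    "alice@corp.example", "credential compromise suspected")
    live = [{"user": "alice@corp.example", "id": 1}, {"user": "bob@corp.example", "id": 2}]
    verified = receive_set(tok, "https://idp.example", "https://app.example", set())
    print("terminated", apply_signal(verified, live), "session(s); remaining:", live)
```

The receiver checks are the part that matters operationally: a signal that is accepted without audience, freshness and `jti` checks is itself an attack surface, since a replayed or forged revocation becomes a denial-of-service lever against any user.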
Orchid Security: Powering the IVIP Control Plane
Orchid Security brings the Identity Visibility and Intelligence Platform (IVIP) model to life by converting scattered identity signals into continuous, application-level intelligence. Instead of depending exclusively on centralized IAM integrations, Orchid builds visibility directly from the application environment, enabling organizations to discover, consolidate, and analyze identity activity across systems that conventional tools cannot reach.
1. Visibility and Data Scope: Mapping the Full Application and Identity Landscape
A fundamental IVIP requirement is continuous discovery of identities and the systems they interact with. Orchid delivers this through binary analysis and dynamic instrumentation, allowing it to examine native authentication and authorization logic embedded within applications and infrastructure—without needing APIs, source-code modifications, or complex integrations.
This method offers a significant advantage in application estate discovery. Many organizations struggle to manage identities across applications that central security teams aren’t even aware of. Orchid identifies these systems first, because you can’t assess, govern, or protect what you can’t see. By uncovering the true application estate—including custom-built apps, commercial off-the-shelf software, legacy platforms, and shadow IT—Orchid exposes the identity dark matter hidden within them, such as local accounts, undocumented authentication methods, and unmanaged machine identities.
2. Data Unification: Creating the Identity Evidence Layer
IVIP platforms must consolidate fragmented identity data into a coherent operational view. Orchid achieves this by gathering proprietary audit telemetry generated inside applications and merging it with logs and signals from centralized IAM systems.
The outcome is an evidence-based identity data layer that reflects how identities truly behave across the environment. Rather than depending on configuration assumptions or partial integrations, organizations gain a unified perspective on:
- Identities spanning applications and infrastructure
- Authentication and authorization processes
- Privilege relationships and external access routes
This consolidated evidence enables security teams to bridge the gap between documented policies and actual operational access.
3. Intelligence: Turning Telemetry into Actionable Insights
An IVIP must convert identity telemetry into practical intelligence. Orchid’s cross-estate identity audits illustrate the power of this layer when identity activity is analyzed directly at the application level.
Across enterprise environments, Orchid’s findings show that:
- 85% of applications contain accounts from legacy or external domains, with 20% using consumer email domains, posing significant data-exfiltration risks.
- 70% of applications have excessive privileges, with 60% granting broad administrative or API access to third parties.
- 40% of all accounts are orphaned, climbing to 60% in certain legacy environments.

These insights are not inferred from policy; they are observed directly from identity behavior inside applications. This moves organizations from a posture of configuration-based inference to evidence-driven identity intelligence.
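As an added illustration (not Orchid's implementation), the following computes the same classes of finding over a constructed account sample: accounts surfaced from three applications are joined against a directory of known identities and flagged for legacy, external or consumer domains, orphaned status, privileged roles held by third parties, dormancy and local (non-SSO) provenance, then rolled up into estate-level percentages. The domains, directory entries, role names and dates are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Constructed reference data: which domains count as corporate, legacy
# (acquired entities still trusted by applications), or consumer.
CORP_DOMAINS = {"corp.example"}
LEGACY_DOMAINS = {"oldco.example"}
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
PRIVILEGED_ROLES = {"admin", "owner", "api_full"}

# Constructed directory: the identities central IAM knows about and their state.
DIRECTORY = {
    "alice@corp.example": "active",
    "bob@corp.example": "active",
    "carol@corp.example": "disabled",  # leaver, still present inside apps
    "svc-backup@corp.example": "active",
}

SAMPLE_DATE = date(2024, 5, 15)  # "today" for the constructed sample


@dataclass
class Account:
    app: str
    principal: str
    roles: Set[str]
    last_login: Optional[date]  # None = never observed logging in
    source: str                 # "sso" (federated) or "local" (app-native)


# Constructed sample of what application-level telemetry surfaces from three apps.
ACCOUNTS = [
    Account("payroll", "alice@corp.example", {"user"}, date(2024, 5, 1), "sso"),
    Account("payroll", "carol@corp.example", {"admin"}, date(2023, 12, 1), "local"),
    Account("payroll", "bob.old@oldco.example", {"user"}, date(2024, 4, 20), "local"),
    Account("crm", "bob@corp.example", {"admin"}, date(2024, 5, 10), "sso"),
    Account("crm", "partner@vendor.example", {"api_full"}, date(2024, 5, 11), "local"),
    Account("crm", "dave99@gmail.com", {"user"}, date(2024, 1, 1), "local"),
    Account("wiki", "alice@corp.example", {"user"}, date(2024, 5, 12), "sso"),
    Account("wiki", "svc-backup@corp.example", {"api_full"}, None, "local"),
]


def classify(acct: Account, today: date, dormant_days: int = 90) -> Set[str]:
    """Return the set of findings for one observed account."""
    flags = set()
    domain = acct.principal.rsplit("@", 1)[-1].lower()
    if domain in CONSUMER_DOMAINS:
        flags.add("consumer-domain")
    elif domain in LEGACY_DOMAINS:
        flags.add("legacy-domain")
    elif domain not in CORP_DOMAINS:
        flags.add("external-domain")
    # Orphaned: no active owner in the directory (unknown, disabled, or leaver).
    if DIRECTORY.get(acct.principal) != "active":
        flags.add("orphaned")
    if acct.roles & PRIVILEGED_ROLES:
        flags.add("privileged")
        if domain not in CORP_DOMAINS:
            flags.add("third-party-privileged")
    if acct.last_login is None or (today - acct.last_login).days > dormant_days:
        flags.add("dormant")
    if acct.source == "local":
        flags.add("local-account")
    return flags


def audit(accounts, today: date) -> dict:
    """Roll per-account findings up into estate-level figures of the kind
    quoted in the text (share of applications or accounts affected)."""
    findings = {(a.app, a.principal): classify(a, today) for a in accounts}
    apps = {a.app for a in accounts}

    def apps_with(*flags) -> float:
        hit = {app for (app, _), f in findings.items() if set(flags) & f}
        return round(100 * len(hit) / len(apps), 1)

    def accounts_with(flag) -> float:
        n = sum(1 for f in findings.values() if flag in f)
        return round(100 * n / len(findings), 1)

    return {
        "apps_with_noncorp_accounts_pct": apps_with("legacy-domain", "external-domain", "consumer-domain"),
        "apps_with_consumer_accounts_pct": apps_with("consumer-domain"),
        "apps_with_third_party_privilege_pct": apps_with("third-party-privileged"),
        "orphaned_accounts_pct": accounts_with("orphaned"),
        "dormant_accounts_pct": accounts_with("dormant"),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS, SAMPLE_DATE)
    for key, value in report.items():
        if key != "findings":
            print(f"{key}: {value}")
    for (app, who), flags in sorted(report["findings"].items()):
        print(f"  {app:8} {who:28} {sorted(flags)}")
```

The join against the directory is what distinguishes evidence from inference: an account is orphaned because no active principal claims it, not because a reviewer attested that it should be gone. Note that a disabled directory entry (carol) still holds an application-local admin role, which is exactly the gap between documented policy and operational access.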
Extending IVIP to the Next Identity Frontier: AI Agents
Autonomous AI agents represent the next wave of identity dark matter, often operating with independent identities and permissions that fall outside traditional governance models. Orchid extends the IVIP framework to these emerging identities through its Guardian Agent architecture, enabling organizations to apply Zero Trust governance to AI-driven activity.

Secure AI-agent adoption is guided by five principles:
- Human-to-Agent Attribution: Every agent action is linked to a responsible human owner.
- Activity Audit: A complete chain of custody is recorded (Agent → Tool/API → Action → Target).
- Context-Aware Guardrails: Access decisions are evaluated dynamically based on the sensitivity of the resource and the human owner’s entitlements.
- Least Privilege: Just-in-Time access replaces persistent privileged credentials.
- Automated Remediation: Risky behavior can trigger automated responses such as credential rotation or session termination.
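The five principles above can be read as a policy decision point; the following is an added example of one (not Orchid's Guardian Agent architecture) in which every tool call is attributed to a human owner, evaluated against that owner's own entitlements and the target's sensitivity tier, granted only as a short-lived just-in-time token, recorded as an Agent → Tool/API → Action → Target audit entry, and, after repeated denials, met with automatic suspension and grant revocation. The resource tiers, entitlements, 300-second TTL and three-strike threshold are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed resource tiers and human entitlements; a real deployment would
# read these from the identity data layer and the IGA system.
SENSITIVITY = {"public-docs": 1, "crm-db": 2, "payroll-db": 3}
OWNER_ENTITLEMENTS = {
    "alice@corp.example": {"public-docs": "read", "crm-db": "read"},
    "bob@corp.example": {"public-docs": "read", "crm-db": "write", "payroll-db": "write"},
}
RANK = {"read": 1, "write": 2}
GRANT_TTL = 300   # seconds a just-in-time grant stays valid (assumed)
STRIKE_LIMIT = 3  # denials before automated remediation kicks in (assumed)


@dataclass
class Agent:
    agent_id: str
    owner: Optional[str]  # accountable human; None means unattributed
    status: str = "active"


@dataclass
class Grant:
    token: str
    agent_id: str
    action: str
    target: str
    expires_at: int


class Guardian:
    """Policy decision point sitting between an agent and the tools it calls."""

    def __init__(self):
        self.audit: List[dict] = []         # chain-of-custody records
        self.grants: Dict[str, Grant] = {}  # live JIT grants by token
        self.strikes: Dict[str, int] = {}

    def _record(self, agent, tool, action, target, decision, reason, now):
        # Agent -> Tool/API -> Action -> Target, plus the human it is attributed to.
        self.audit.append({"ts": now, "agent": agent.agent_id, "owner": agent.owner,
                           "tool": tool, "action": action, "target": target,
                           "decision": decision, "reason": reason})

    def _deny(self, agent, tool, action, target, reason, now):
        self._record(agent, tool, action, target, "deny", reason, now)
        self.strikes[agent.agent_id] = self.strikes.get(agent.agent_id, 0) + 1
        if self.strikes[agent.agent_id] >= STRIKE_LIMIT:
            self.remediate(agent, now)
        return None

    def request(self, agent: Agent, tool: str, action: str, target: str, now: int) -> Optional[Grant]:
        # 1. Attribution: no accountable owner (or a suspended agent) means no access.
        if not agent.owner or agent.status != "active":
            return self._deny(agent, tool, action, target, "unattributed or suspended agent", now)
        # 3. Context-aware guardrail: the agent may never exceed its owner's own
        #    entitlement, and writes to the most sensitive tier need a human.
        allowed = OWNER_ENTITLEMENTS.get(agent.owner, {}).get(target)
        if allowed is None or RANK[action] > RANK[allowed]:
            return self._deny(agent, tool, action, target, "exceeds owner entitlement", now)
        if SENSITIVITY[target] >= 3 and action == "write":
            return self._deny(agent, tool, action, target, "tier-3 write requires human approval", now)
        # 4. Least privilege: a short-lived grant instead of a standing credential.
        grant = Grant(secrets.token_hex(8), agent.agent_id, action, target, now + GRANT_TTL)
        self.grants[grant.token] = grant
        self._record(agent, tool, action, target, "allow", f"jit grant, expires {grant.expires_at}", now)
        return grant

    def use(self, token: str, now: int) -> bool:
        """Tool side: honour a grant only while it is live and unrevoked."""
        grant = self.grants.get(token)
        if grant is None:
            return False
        if now > grant.expires_at:
            del self.grants[token]
            return False
        return True

    def remediate(self, agent: Agent, now: int):
        # 5. Automated remediation: suspend the agent and revoke every live grant it holds.
        agent.status = "suspended"
        for tok in [t for t, g in self.grants.items() if g.agent_id == agent.agent_id]:
            del self.grants[tok]
        self.audit.append({"ts": now, "agent": agent.agent_id, "owner": agent.owner,
                           "tool": None, "action": "suspend", "target": agent.agent_id,
                           "decision": "remediate", "reason": "strike limit reached"})
```

Two design choices carry the security weight: the agent's ceiling is its owner's entitlement, so an agent can never become a path to access the human does not already hold, and the grant, not the agent, is what the tool honours, so revocation is immediate rather than waiting for a long-lived credential to expire.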
By combining application estate discovery, identity telemetry, and AI-driven intelligence, Orchid fulfills the core IVIP mission: turning invisible identity activity into a governed, observable, and controllable security surface.
Measuring Success: Outcome-Driven Metrics (ODMs) and Remediation
Identity decisions are only as good as the data behind them. CISOs must pivot from counting deployed controls to Outcome-Driven Metrics (ODMs).
- ODM Example: Instead of counting IGA licenses, measure the reduction of unused (dormant) entitlements from 70% to 10% within a fiscal quarter.
- Protection-Level Agreements (PLAs): Negotiate target outcomes with the business. A PLA might mandate the revocation of critical access within 24 hours for a leaver, significantly shrinking the attacker’s window of opportunity.
- Business ROI: By moving to continuous observability, organizations can shrink audit preparation from months to minutes through automated compliance evidence generation.
Strategic Implementation Roadmap for IAM Leaders
To reduce the attack surface, we recommend the following prioritized actions:
- Form a Cross-Disciplinary Task Force: Align IT operations, app owners, IAM owners and GRC to break down technical silos.
- Perform Risk-Quantified Gap Analysis: Begin with machine identities, as these often represent the highest risk and lowest visibility.
- Implement No-Code Remediation: Close posture drift automatically as it is discovered (for example, suspending orphaned accounts or enforcing password-complexity requirements).
- Leverage Unified Visibility for High-Stakes Events: Utilize IVIP telemetry during M&A or growth events to audit the identity posture of acquired assets before they are integrated into the primary network.
- Audit for Business Risk: Use continuous visibility to detect violations at the application level that traditional tools miss.

Final Statement
Unified visibility is no longer a secondary feature; it is the essential control plane. Organizations must move beyond the “locked front door” and implement identity observability to govern the dark matter where modern attackers hide.
Note: This article was written and contributed by Roy Katmor, CEO of Orchid Security.