Post by Francis Odum
Founder @ Software Analyst Cybersecurity Research (SACR)
We're actively tracking an emerging category within identity security that solves an old problem. The concept of identity dark matter is analogous to a "CrowdStrike EDR" for the identities living inside apps.

Here are the facts. Most identity breaches don't start at SSO; they start everywhere around it. Enterprises have invested heavily in IAM infrastructure: SSO, IdP, MFA, IGA, PAM. Much of that stack is built around the policy and compliance layer, to pass audits and the like. Yet attackers are still moving laterally and escalating privileges. Why? Because, on top of all the other problems we have in identity, the risk still sits at the implementation and application layer.

In our latest research, published by Lawrence Pingree, we define Identity Security Dark Matter: the unmanaged identity artifacts and access paths that operate outside centralized IAM controls. The gaps fall around:

• Apps that are not fully onboarded to IGA systems
• Fallback and local accounts that bypass MFA
• Orphaned service accounts and API keys
• Legacy protocols such as NTLM that are still in use
• App-specific RBAC and hard-coded credentials
• Partial SSO adoption and shadow identities
• How attackers exploit the unhappy paths that IAM doesn't see, monitor, or govern

The result is a dangerous gap between intended policy and effective access, and that gap is where lateral movement lives.

We worked with Orchid Security to unpack these challenges in depth! Our firm's conclusion: traditional IAM manages policy. We need a new control plane that provides deep visibility and control over identity artifacts across apps, hosts, and runtime environments. To close this gap, security leaders must move beyond dashboards toward an identity control plane: one that delivers real-world visibility, correlates identity with runtime telemetry, surfaces bypasses, and enables audit-ready remediation.

If you're a CISO or IAM leader and this feels familiar, you're not alone.

📄 Full research: https://lnkd.in/gYtVmjXD
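As an added illustration of the "intended policy vs. effective access" gap described above (this is example code written for this page, not from the SACR report, Orchid Security, or any product): one app's local account inventory and its authentication log are reconciled against an IdP export. Every dataset, the log format, and the field names (status, kind, auth, mfa, owner) are constructed assumptions, not any vendor's schema. The script flags the dark-matter cases the post lists: credentials with no IdP owner (shadow identities), credentials whose owner was deprovisioned (orphans), local login paths that skip SSO/MFA, stale API keys, and, most importantly, any of those that runtime telemetry shows are actually being used.

```python
"""
Constructed example: reconcile app-side accounts and a runtime auth log
(effective access) against an IdP export (intended policy) to surface
identity dark matter. Nothing here is a real schema or real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so output is reproducible

# Constructed IdP export: identities central IAM knows about, with lifecycle state.
IDP_USERS = {
    "alice": "active",
    "bob": "deprovisioned",
    "svc-billing": "active",
}

# Constructed app-side inventory: what can actually authenticate to the app.
# "owner" is the IdP identity accountable for the credential, or None if unknown.
APP_ACCOUNTS = [
    {"name": "alice",          "kind": "user",    "auth": "sso",   "mfa": True,  "owner": "alice"},
    {"name": "bob",            "kind": "user",    "auth": "local", "mfa": False, "owner": "bob"},
    {"name": "admin-fallback", "kind": "user",    "auth": "local", "mfa": False, "owner": None},
    {"name": "billing-key-01", "kind": "api_key", "auth": "key",   "mfa": False, "owner": "bob"},
    {"name": "reporting-key",  "kind": "api_key", "auth": "key",   "mfa": False, "owner": None},
]

# Constructed runtime telemetry in a made-up key=value format.
AUTH_LOG = """\
2024-05-30T10:12:03Z app=billing account=bob method=local result=success
2024-05-31T02:40:19Z app=billing account=admin-fallback method=local result=success
2024-05-31T08:00:00Z app=billing account=alice method=sso result=success
2024-05-31T09:15:44Z app=billing account=billing-key-01 method=key result=success
2023-04-01T00:00:00Z app=billing account=reporting-key method=key result=success
2024-05-31T11:00:00Z app=billing account=admin-fallback method=local result=failure
"""


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    evidence: str


def parse_auth_log(text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Index successful authentications by account: {account: [(timestamp, method), ...]}."""
    seen: dict[str, list[tuple[datetime, str]]] = {}
    for line in text.splitlines():
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        if fields.get("result") != "success":
            continue  # failed attempts are not evidence of effective access
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        seen.setdefault(fields["account"], []).append((ts, fields["method"]))
    return seen


def find_dark_matter(idp_users, app_accounts, auth_log, now=NOW,
                     stale_after=timedelta(days=90)) -> list[Finding]:
    """Compare intended policy (IdP) with effective access (app inventory plus log)."""
    logins = parse_auth_log(auth_log)
    findings: list[Finding] = []
    for acct in app_accounts:
        name, owner = acct["name"], acct["owner"]
        history = logins.get(name, [])
        recent = [(ts, m) for ts, m in history if now - ts <= stale_after]
        last = max((ts for ts, _ in history), default=None)

        # 1. Shadow identity: no IdP identity is accountable for this credential.
        if owner is None or owner not in idp_users:
            findings.append(Finding(name, "no IdP identity owns this credential", f"owner={owner!r}"))
        # 2. Orphan: the owner was deprovisioned centrally, but the app still honours the credential.
        elif idp_users[owner] != "active":
            findings.append(Finding(name, "owner deprovisioned in IdP but credential still valid",
                                    f"owner={owner} status={idp_users[owner]}"))
        # 3. MFA bypass: a human account with a non-SSO login path and no MFA.
        if acct["kind"] == "user" and acct["auth"] != "sso" and not acct["mfa"]:
            findings.append(Finding(name, "local login path bypasses SSO/MFA", f"auth={acct['auth']}"))
        # 4. Long-lived secret nobody has used within the stale window.
        if acct["kind"] == "api_key" and not recent:
            findings.append(Finding(name, "stale API key", f"last_success={last}"))
        # 5. A flagged credential that is in use is live lateral-movement surface, so escalate it.
        if recent and any(f.account == name for f in findings):
            findings.append(Finding(name, "flagged credential used at runtime",
                                    f"{len(recent)} success(es) since {now - stale_after:%Y-%m-%d}"))
    return findings


if __name__ == "__main__":
    for f in find_dark_matter(IDP_USERS, APP_ACCOUNTS, AUTH_LOG):
        print(f"{f.account:16} {f.issue:55} {f.evidence}")
```

Run it and only `alice`, the SSO-backed account with an active IdP owner, produces nothing; every other account yields at least one finding, and the three that appear in the log within the window are escalated. In a real deployment the three inputs would come from an IdP API, the app's own user store or config, and its auth telemetry, which is the correlation the post argues a control plane has to do continuously rather than at audit time.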