
Broken Identity Creates Unmanaged Spaces – Managing the Dark Matter
The identity security space has been broken for years, largely because organisations overestimate how well they understand their application landscape. Gaps between perception and reality give rise to “identity dark matter”: unknown applications, orphaned accounts, and unmanaged identities operating with unclear privileges and behaviours.
These blind spots create fertile ground for risk, especially as discovery and onboarding processes can take years while exposure quietly increases.
Vulnerabilities also thrive where teams believe their environments are under control, but activity at the application layer tells a different story. Incomplete logging and unknown applications connecting to identity providers can quietly scrape data or introduce attack paths without detection. This friction between assumed visibility and actual behaviour is where attackers often gain a foothold.
At the same time, identity is no longer just an access problem; it underpins productivity, resilience, and business continuity – pressures that are only intensifying with the rise of agentic AI systems that act autonomously based on identity context.
High-profile incidents in 2025 highlighted the consequences of failing to rethink identity. Without a clearer, more accurate view, organisations will struggle to safely build, deploy, and operate modern systems. This discussion focuses on how to repair the broken identity model and equip security leaders with a more realistic and actionable understanding of identity.
In a week when it was disclosed that AI agents are driving a 76% increase in non-human identities, a discussion was held on whether the broken identity space can be repaired, or whether it is a case of finding a clearer, more grounded view of identity that better supports security leaders.
Non-Humans and Agents
In the opening comments, panellists spoke about the renewed focus on non-human identities (NHIs) and their growing importance. Matt from Orchid noted that identity is a common challenge for all organisations, and the rise of agentic systems only increases complexity.
Ben from Orchid explained that, after more than a decade in the identity space, he is now working on a platform that supports identity governance, risk, and compliance, while also helping organisations address audit challenges. He described the “death of visibility” as closely tied to identity, which is a “constantly changing” and increasingly complex domain.
The chair highlighted that organisations follow different identity journeys. Many begin with Active Directory, with non-human accounts and agents accumulating over time. This sprawl includes tools such as Copilot, where accounts may be created without central oversight. As these systems allow users significant freedom, visibility becomes extremely limited. While some tools attempt to consolidate identities, the challenge remains: how do you “control the uncontrollable,” and how do you respond once an incident has already occurred?
Time to Identify Identities
As the discussion progressed, one panellist noted that guest accounts can hold significant permissions, including access to SharePoint and other advanced capabilities, yet organisations often lack the time to properly review these risks. This creates a growing attack surface, particularly when supplier integrations are not fully understood and AI access is enabled without sufficient awareness.
On the question of controlling the uncontrollable, one attendee argued that complete visibility is unrealistic. Instead, organisations should aim for high-confidence coverage (e.g. above 95%) and rely on constant monitoring. Shadow accounts, continuous system evolution, and new products make this an ongoing challenge. A full 360-degree view of both legacy and modern applications is essential to maintaining control.
Others noted that the problem worsens as more agents are introduced, making identity management increasingly difficult. To regain control, organisations must prioritise what matters most and focus on the areas of greatest impact.
Another contributor added that while improved visibility is possible through better controls, organisations must also be able to clearly articulate gaps in control to boards and regulators – and defend their position reasonably.
Ben from Orchid agreed: you cannot control what you do not know exists. He referenced Articles 9 and 13 of the EU AI Act, which require risk management systems for high-risk AI and mandate sufficient transparency so users can interpret system outputs.
The Greatest Challenge
A recent survey highlighted identity as the top challenge among respondents. Referencing Orchid CEO Roy Katmor, one speaker suggested that identity is not broken, but incomplete. He argued that the only way to achieve true visibility is through observability, including the use of agents capable of deep analysis.
The chair posed a hypothetical question: if you could see everything, what would you do next? This shifted the conversation toward attacker priorities. Adversaries are increasingly targeting tokens rather than passwords, prompting questions around which applications are most critical, who holds domain administrator privileges, and how frequently permissions are reviewed.
Participants also discussed alerting strategies, noting the difficulty of identifying genuinely suspicious behaviour among large volumes of alerts. The key challenge is understanding which identities have excessive permissions and where they are being applied. The chair asked what meaningful alerts would look like once full visibility is achieved, particularly in scenarios where identities are at risk of takeover.
Zero Trust
The concept of zero trust prompted debate. One attendee argued that it is not a practical strategy, claiming that once an alert reaches the SIEM, “it’s already too late.” Others disagreed, suggesting that zero trust is both practical and necessary, as it introduces greater granularity and layered controls.
While defence-in-depth and behavioural detection improve security, participants acknowledged that no approach offers complete protection. Zero trust was ultimately described as a logical extension of modern security, enabling continuous verification across multiple layers.
Ben from Orchid added that data security posture management tools also require access and governance. He emphasised the importance of first achieving visibility, followed by analysis. By correlating identities with entitlements, organisations can better understand privileged and dormant accounts—what he referred to as “dark matter” and shadow IT.
Closing Comments
In closing, the chair emphasised that visibility and control are essential for managing identity effectively. Organisations must prioritise what matters most and focus on actionable insights. Even when large volumes of data are available, the ability to distil that information is key to improving governance and visibility.
A final comment from Ben from Orchid highlighted the importance of connected systems, enabling organisations to view all identities within an environment, understand their permissions, and analyse their historical activity – providing a clearer picture of how identities operate within the organisation.
Ultimately, organisations that confront identity blind spots head-on – by prioritising visibility, continuous monitoring, and realistic control frameworks – will be far better positioned to manage risk in an increasingly complex, AI-driven landscape.