TL;DR: Average confidence in knowing every self-hosted or disconnected app was 2.2 out of 5, while nearly 80% of participants said they do not know what they do not know, underscoring how unmanaged apps, orphaned tokens, and drifting service accounts are outrunning visibility, according to Orchid Security. The real issue is not more automation, but governance that can see and contextualise identity behaviour before drift becomes systemic.
At a glance
What this is: Orchid Security’s CAB session argues that identity dark matter is the fastest-growing governance blind spot, driven by unmanaged apps, orphaned tokens, and service accounts outside IAM oversight.
Why it matters: This matters because IAM, NHI, and identity lifecycle programmes cannot govern what they cannot see, and visibility gaps now affect apps, workloads, and machine identities as much as human accounts.
By the numbers:
- The average confidence score in knowing every self-hosted or disconnected app was just 2.2 out of 5.
- Nearly 80% admitted they don't know what they don't know.
- 62% said they would most want to detect identity drift and misconfigurations.
- App onboarding can cost $12-15K per app, not including the time spent documenting authentication paths.
👉 Read Orchid Security's CAB discussion on identity dark matter and visibility gaps
Context
Identity dark matter is the unmanaged part of the identity estate: applications, tokens, service accounts, and integrations that sit outside normal IAM visibility. The article argues that this hidden layer is growing faster than the controls built to manage it, which leaves organisations governing only the visible half of identity.
For IAM and NHI programmes, the problem is not merely discovery. It is that identity governance is being asked to absorb hybrid app sprawl, machine identity complexity, and drift between audits without enough telemetry to make decisions. That makes visibility the prerequisite for lifecycle control, privilege analysis, and access review.
The article's starting position is typical for modern enterprise environments rather than an edge case. Most identity teams now face some version of this gap, only the naming differs from one programme to the next.
Key questions
Q: What should IAM teams do about identity dark matter in hybrid environments?
A: They should start by discovering identities that sit outside normal IAM visibility, including self-hosted apps, disconnected workloads, service accounts, and orphaned tokens. The goal is not a perfect inventory on day one. It is to identify the highest-risk identities first, then anchor onboarding, review, and remediation to live authentication evidence rather than assumptions.
Q: Why does unmanaged identity sprawl increase risk even when access reviews exist?
A: Access reviews only work for identities that are already visible, current, and mapped to an accountable owner. Unmanaged sprawl creates identities that never enter the review cycle, so drift, excess privilege, and stale tokens can persist indefinitely. That is why governance must be tied to discovery, not to periodic certification alone.
Q: How can security teams decide which identities to onboard first?
A: Prioritise identities with active authentication paths, external exposure, and unclear ownership. Those are the identities most likely to create hidden blast radius if they drift or are compromised. Onboarding should begin with the systems that can already do the most damage, not with the ones that are easiest to document.
Q: What is the difference between identity drift and normal change?
A: Normal change is intentional and recorded. Identity drift is the unplanned divergence between intended access and actual behaviour, such as a token persisting too long or a service account gaining reach outside its original use case. Drift matters because it turns small inconsistencies into lasting governance gaps.
Technical breakdown
Identity dark matter and application-layer visibility
Identity dark matter is the set of identities and integrations that are present in the environment but absent from central governance records. In practice, that includes self-hosted apps, disconnected systems, unmanaged service accounts, and authentication paths created outside formal onboarding. Application-layer telemetry matters because it shows how an app authenticates, what it touches, and whether its behaviour matches the record the IAM team thinks it has. Without that evidence, discovery becomes an annual project instead of a continuous control.
Practical implication: build discovery from live authentication and access telemetry, not from inventories that assume the environment is static.
Identity drift, misconfiguration, and privilege context
Drift is the gradual divergence between intended identity state and operational reality. A token that survives too long, a service account that gains extra reach, or an app integration that changes without review can all turn into silent control failures. The article's key point is that privilege must be judged by impact potential, not by role title or permission count. That is a useful framing for NHI governance because machine identities often carry more reach than their labels suggest.
Practical implication: measure privilege by reachable systems and blast radius, then review drift as a control failure rather than as a housekeeping issue.
App onboarding and contextual governance
App onboarding is often treated as a documentation task, but the article shows that the real cost is understanding how the application actually authenticates and authorises. Contextual governance means linking identity behaviour to business and technical exposure so teams can prioritise what matters first. That approach is especially relevant in NHI programmes, where onboarding should establish the identity pattern before a connector or policy is approved. The aim is not more records, but better decision quality.
Practical implication: prioritise onboarding by exposure and authentication complexity, then use that evidence to drive policy and review order.
NHI Mgmt Group analysis
Identity dark matter is a governance failure, not a visibility bug: the programme assumption that all meaningful identities pass through central IAM is breaking down. Self-hosted apps, disconnected workloads, and orphaned tokens operate outside the review path, so the control model only governs what was already known. The implication is that identity architecture must be judged by how much of the estate remains governable, not by how polished the visible half looks.
Context has become the deciding factor in privilege management: titles and raw permission counts no longer describe risk well enough. A forgotten API key can create more exposure than a formally privileged human account, which is why contextual privilege scoring is emerging as a more realistic control lens. Practitioners should read this as a signal that identity risk is now determined by reach, behaviour, and persistence.
App onboarding is now a discovery and evidence problem: programmes that wait for app owners to self-report how systems authenticate will continue to overpay in time and undercount risk. The article's pricing anecdote is less important than the structural point that onboarding depends on understanding the authentication path first. That makes onboarding a governance function, not a ticket queue.
Machine identity complexity is now inseparable from human IAM outcomes: the same visibility gap that hides service accounts also weakens access review, recertification, and offboarding discipline. Once identity sprawl crosses human and non-human boundaries, lifecycle controls stop being category-specific and become programme-wide. The implication is that IAM and NHI governance now rise or fall together.
Identity dark matter: this is the hidden layer of unmanaged identities, integrations, and access paths that exist outside central control records. It matters because it shifts the security question from who is approved to who is actually operating in the environment, which is the real baseline for governance.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- For the broader trend line, review Ultimate Guide to NHIs , 2025 Outlook and Predictions for how NHI governance pressure is expected to evolve.
What this signals
Identity programmes should expect the next governance failure to come from what they do not catalogue, not from what they already review. Identity dark matter is the practical shorthand for that hidden layer, and it is a sign that discovery, onboarding, and entitlement governance now need to be connected as one control loop. The scale of the issue is already visible in our research, where 97% of NHIs carry excessive privileges, showing that hidden access is rarely benign.
This is where NHI governance and IAM stop being separate workstreams. If service accounts and application identities are not discoverable, then lifecycle controls, recertification, and privilege reduction all operate on partial truth. Teams should treat visibility as a programme dependency, not a reporting feature.
Forward-looking programmes will move from periodic inventory to continuous identity observation. That shift aligns with modern zero-trust expectations and with the practical direction described in the Ultimate Guide to NHIs , 2025 Outlook and Predictions, where identity control depends on maintaining evidence, not just recording ownership.
For practitioners
- Map the hidden identity estate Inventory self-hosted apps, disconnected systems, service accounts, and tokens that are not represented in your core IAM records. Prioritise the assets with active authentication paths and external reach first.
- Base onboarding on live authentication evidence Require application-layer telemetry before approving onboarding or policy assignment. Capture how the app authenticates, which credentials it uses, and which systems it can reach.
- Reframe privilege around blast radius Score identities by reachable systems, data exposure, and persistence rather than by role names alone. Use that score to determine review order and escalation thresholds.
- Treat drift as an identity control failure Track changes in tokens, access paths, and service account behaviour between audits, then route the findings into governance workflows instead of alert queues.
Key takeaways
- Identity dark matter is the hidden set of apps, service accounts, tokens, and integrations that fall outside central IAM visibility.
- The article shows that confidence in knowing the full identity estate is low, which turns drift and excess privilege into structural governance problems.
- Practitioners need discovery, contextual privilege analysis, and evidence-based onboarding before lifecycle controls can work reliably.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Drift and excessive privilege are central to the article's NHI governance gap. |
| NIST CSF 2.0 | PR.AC-4 | The article centres on access governance across visible and hidden identities. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Visibility and continuous verification are necessary for identity dark matter control. |
Apply continuous verification to every identity that can reach sensitive systems, not just humans.
Key terms
- Identity dark matter: The portion of an organisation's identity estate that exists outside normal governance visibility. It includes unmanaged applications, orphaned tokens, service accounts, and disconnected integrations that can still authenticate and act, even though they are missing from central records and review workflows.
- Identity drift: The gradual divergence between intended identity state and operational reality. It happens when privileges, tokens, ownership, or authentication paths change without the governance process keeping pace, leaving the environment harder to review and more exposed to silent risk.
- Contextual privilege scoring: A way of judging privilege by what an identity can reach, how it behaves, and how much damage it could cause if compromised. It shifts the focus away from role titles and raw permission counts, which often understate the real blast radius of machine identities.
- Application-layer telemetry: Telemetry collected from the application itself rather than only from perimeter or directory systems. It shows how an app authenticates, authorises, and behaves in practice, which makes it useful for discovering hidden identities and validating whether onboarding records are accurate.
What's in the full article
Orchid Security's full post covers the operational detail this post intentionally leaves for the source:
- Live CAB poll findings on identity confidence, visibility, and friction across hybrid environments
- Orchid Security's App DNA method for mapping authentication and authorisation paths at the application layer
- Specific examples of how identity drift appears between audits and how the vendor correlates telemetry to surface it
- The discussion notes and participant framing behind contextual privilege scoring and onboarding priorities
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-11-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org