By NHI Mgmt Group Editorial Team
Published 2025-09-25
Domain: Governance & Risk
Source: SPHERE Technology Solutions

TL;DR: Zero Trust efforts still leave most organisations exposed: according to SPHERE Technology Solutions, 87% of organisations experienced multiple identity-related breaches last year, and 56% of machine identities sit outside what their security teams can see. The model fails when identity visibility, ownership, and remediation remain incomplete across human and non-human populations.


At a glance

What this is: This is an identity intelligence guide arguing that Zero Trust fails without continuous discovery, visibility, and remediation across human and machine identities.

Why it matters: It matters because IAM, PAM, IGA, and NHI programmes cannot enforce least privilege or reduce blast radius when large parts of the identity estate remain unseen.

By the numbers:

👉 Read SPHERE Technology Solutions' guide to identity intelligence and Zero Trust


Context

Identity intelligence is the practice of continuously discovering, classifying, and remediating identities so security teams know what exists, who owns it, and what it can access. The source article argues that Zero Trust identity visibility is failing because traditional IAM, PAM, and IGA controls were built for partial inventories, not for environments where service accounts, API keys, tokens, and AI agents proliferate faster than teams can review them.

That gap is especially relevant to NHI governance because unmanaged machine identities can bypass controls that were designed around human login events and stable ownership records. The practical problem is not authentication alone, but whether the organisation can maintain an accurate identity inventory, verify privilege, and remove exposure before unmanaged access becomes a breach path.


Key questions

Q: How should security teams improve Zero Trust when machine identities are mostly invisible?

A: They should start with continuous discovery, ownership validation, and entitlement mapping before trying to automate remediation. Zero Trust cannot compensate for an incomplete identity inventory, because policy enforcement only works when the organisation knows what exists and who is responsible for it. The first objective is visibility, then privilege reduction, then continuous control.

Q: Why do unmanaged non-human identities undermine Zero Trust architectures?

A: Unmanaged non-human identities undermine Zero Trust because the model assumes every identity can be verified, classified, and constrained. If service accounts, tokens, or automation credentials are missing from governance, they can bypass normal review and revocation paths. That creates an access layer defenders cannot reliably observe or control.

Q: What breaks when ownership is missing for service accounts and API keys?

A: Access review, remediation, and accountability all break when ownership is missing. Without a validated owner, security teams cannot determine whether the identity is still needed, who can approve changes, or whether revocation would disrupt production. The result is that risky identities stay active because nobody is formally responsible for them.

Q: Who should be accountable for identity intelligence in a Zero Trust programme?

A: Accountability should sit across IAM, PAM, IGA, cloud operations, and security leadership, with clear ownership for discovery, classification, and remediation. The reason is simple: identity intelligence spans multiple control planes, so no single tool or team can govern it alone. Programmes work best when ownership, escalation, and reporting are explicitly assigned.


Technical breakdown

Continuous identity discovery and why point-in-time inventories fail

Point-in-time discovery gives teams a snapshot, but identity estates change continuously. New service accounts, cloud roles, API keys, and automation credentials appear outside formal workflows, so a weekly or monthly scan is obsolete almost as soon as it finishes. Identity intelligence platforms try to close that gap with agentless, continuous discovery across directories, cloud services, databases, and infrastructure. The technical shift is from reactive inventory to live detection plus classification. Without that, downstream controls like vaulting, recertification, and least privilege are operating on stale data.

Practical implication: treat continuous discovery as a prerequisite for every other identity control, not as a reporting exercise.

Identity visibility, ownership mapping, and entitlement chains

Visibility is more than counting accounts. Security teams need to correlate identity records across systems, map ownership, and trace entitlement chains that reveal nested or inherited access. That matters because many of the most dangerous identities are not obviously privileged until their cross-platform relationships are assembled. When ownership is missing or unvalidated, access review and remediation workflows cannot safely decide whether an account should remain active. In practice, identity intelligence is the connective layer that turns isolated IAM, PAM, and IGA datasets into an operational control plane.

Practical implication: require ownership validation and cross-system entitlement mapping before trusting any remediation decision.

Automated identity hygiene and risk-based remediation

Identity hygiene automation removes stale accounts, rotates credentials, reduces excessive privilege, and updates ownership at scale. The key technical point is that remediation must be policy-driven and context-aware, because indiscriminate cleanup can break production systems. Good programmes therefore combine risk scoring with impact modelling, so the platform can prioritise the identities most likely to widen blast radius. This is where identity intelligence becomes operational rather than descriptive: it feeds corrections back into PAM, IGA, SIEM, and ITSM workflows instead of leaving risk analysis in a dashboard.

Practical implication: connect discovery to risk scoring and safe remediation workflows, not to manual cleanup queues.


Threat narrative

Attacker objective: The attacker wants to use unmanaged identity pathways to bypass Zero Trust controls and expand access before defenders can detect the compromise.

  1. Entry occurs through an identity the organisation did not fully inventory, such as a service account, API key, or cloud role that existed outside effective governance.
  2. Escalation follows when excessive privilege, unknown ownership, or stale entitlements let the attacker move from initial access to broader identity control.
  3. Impact lands in lateral movement, data exposure, or operational disruption because the organisation could not verify, contain, or revoke the compromised identity quickly enough.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity intelligence is now the control layer that determines whether Zero Trust is real or rhetorical. Zero Trust was designed for environments where the organisation could verify identities before granting access, but that assumption fails when the identity estate is incomplete. If 56% of machine identities are invisible, access decisions are being made against partial truth. The implication is that Zero Trust maturity now depends on identity completeness, not just policy language.

Identity blind spots create a governance failure, not just a detection gap. When IAM teams can only control 44% of non-human identities, the remainder sits outside normal ownership, certification, and remediation cycles. That means service accounts and automation credentials are not merely under-monitored, they are structurally under-governed. Practitioners should treat unmanaged identity as a control-plane defect that invalidates downstream assurance.

Identity hygiene is the practical expression of least privilege at enterprise scale. The article’s framework is strongest when it treats discovery, ownership, privilege mapping, and remediation as one continuous system. That aligns with NIST CSF and the NIST SP 800-207 Zero Trust architecture, but the operational lesson is sharper: if identities cannot be classified and linked to accountable owners, least privilege cannot be enforced consistently. The practitioner conclusion is that inventory quality is a security outcome, not an admin task.

Machine identity risk now overwhelms human-centric IAM assumptions. Machine identities outnumber human identities 82 to 1, so a programme that still optimises around human login events will miss the bulk of the attack surface. This is where NHI governance, PAM, and IGA must converge on continuous visibility rather than periodic certification. The practitioner conclusion is that machine identity scale changes what “complete” governance means.

Identity visibility and intelligence is a named operational gap, not a marketing category. The useful concept here is the identity visibility gap: the distance between what security tools can authenticate and what they can actually account for. Once that gap exists, remediation speed, audit readiness, and Zero Trust enforcement all degrade together. The practitioner conclusion is to measure governance by coverage and ownership quality, not by tool count.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • For a broader baseline on identity governance and breach patterns, see 52 NHI Breaches Analysis for the incidents behind the control gaps.

What this signals

Identity intelligence will become the measurement layer for Zero Trust programmes. Teams that still judge maturity by policy adoption will miss the real signal, which is whether every identity can be discovered, owned, and remediated quickly enough to matter. With 91.6% of secrets still valid five days after notification, according to Ultimate Guide to NHIs, the operational gap is not theoretical.

The next wave of governance will likely shift from periodic certification toward continuous control validation. That means IAM, PAM, and IGA teams will need shared telemetry on ownership, privilege decay, and remediation latency rather than isolated reports from separate tools.

Identity visibility gap: the difference between identities a programme can authenticate and identities it can actually govern. Once that gap exists, audit confidence, containment speed, and least privilege enforcement all weaken together.


For practitioners

  • Establish continuous identity discovery across all identity stores: scan directories, cloud platforms, databases, infrastructure, and application-layer identity sources continuously so new service accounts and secrets do not sit unnoticed between review cycles.
  • Map ownership for every non-human identity: require a validated owner for service accounts, API keys, tokens, and automation identities, then block remediation workflows from acting on unowned accounts without escalation.
  • Correlate entitlement chains before approving access changes: trace inherited and nested permissions across PAM, IGA, cloud IAM, and directory services so privilege decisions are based on the full access path rather than a single account record.
  • Automate safe remediation for stale and over-privileged identities: tie policy-based cleanup to impact modelling, then remove stale accounts, reduce excessive privilege, and rotate credentials only after validating business-critical dependencies.
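
The three steps of the Technical breakdown (continuous discovery, ownership and entitlement mapping, gated remediation) and the four practitioner items above are one loop, shown here as an added example that is not code from the SPHERE guide or from NHIMG. It merges three constructed discovery feeds into one inventory, measures the machine-identity visibility gap, walks role-assumption chains so that an account that looks harmless on its own record (alice, ci-deployer) is judged on its effective privilege, and then applies a remediation policy that never acts automatically on an unowned identity and holds a stale identity with production dependents for review. The store names, identities, permission strings, the 90-day staleness threshold, and the score weights are all assumptions made for illustration.

```python
"""Added example, not code from the SPHERE guide or the NHIMG page: one pass of the
discovery -> entitlement mapping -> gated remediation loop described above, run over
constructed data. Store names, identities, permissions and weights are all assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 25, tzinfo=timezone.utc)  # constructed "as of" time
STALE_AFTER = timedelta(days=90)                    # assumed inactivity threshold
HIGH_RISK = {"*", "iam:*", "sts:AssumeRole", "secrets:GetSecretValue"}

@dataclass
class Identity:
    name: str
    kind: str                                          # human | service | api_key | role
    owner: str | None = None
    last_used: datetime | None = None
    governed: bool = False                             # known to the IAM/IGA system of record
    grants: set[str] = field(default_factory=set)      # direct permissions
    assumes: set[str] = field(default_factory=set)     # roles it can take on
    dependents: set[str] = field(default_factory=set)  # production jobs that rely on it

def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)

# Constructed feeds: svc-backup is seen by two stores with different detail; ci-deployer
# and token-analytics are unknown to the IGA system of record.
DIRECTORY = [
    Identity("alice", "human", "alice", days_ago(1), True, {"app:read"}, {"role-devops"}),
    Identity("svc-backup", "service", "platform-team", days_ago(30), True, {"s3:GetObject"}),
    Identity("svc-legacy-etl", "service", None, days_ago(200), True, {"db:read"}, {"role-data-admin"}),
    Identity("svc-report-gen", "service", "finance-team", days_ago(120), True, {"reports:write"},
             set(), {"monthly-close-job"}),
]
CLOUD_IAM = [
    Identity("role-data-admin", "role", "data-team", days_ago(1), True, {"db:*", "secrets:GetSecretValue"}),
    Identity("role-devops", "role", "platform-team", days_ago(1), True, {"deploy:write"}, {"role-data-admin"}),
    Identity("ci-deployer", "service", "platform-team", days_ago(1), False, {"sts:AssumeRole"},
             {"role-devops"}, {"prod-pipeline"}),
    Identity("svc-backup", "service", None, days_ago(2), False, {"s3:GetObject", "s3:ListBucket"}),
]
SECRET_SCANNER = [Identity("token-analytics", "api_key", None, None, False, {"analytics:read"})]

def merge_inventory(*feeds: list[Identity]) -> dict[str, Identity]:
    """Step 1: one record per identity; sets are unioned, the newest last_used wins, and an
    identity counts as owned or governed if any store says so."""
    inv: dict[str, Identity] = {}
    for seen in (i for feed in feeds for i in feed):
        if seen.name not in inv:  # copy the sets so the feeds themselves are never mutated
            inv[seen.name] = replace(seen, grants=set(seen.grants), assumes=set(seen.assumes),
                                     dependents=set(seen.dependents))
            continue
        cur = inv[seen.name]
        cur.owner, cur.governed = cur.owner or seen.owner, cur.governed or seen.governed
        cur.grants, cur.assumes = cur.grants | seen.grants, cur.assumes | seen.assumes
        cur.dependents |= seen.dependents
        stamps = [t for t in (cur.last_used, seen.last_used) if t is not None]
        cur.last_used = max(stamps) if stamps else None
    return inv

def visibility_gap(inv: dict[str, Identity]) -> tuple[int, int]:
    # (machine identities discovered, machine identities outside governance)
    machines = [i for i in inv.values() if i.kind != "human"]
    return len(machines), sum(1 for i in machines if not i.governed)

def effective_permissions(inv: dict[str, Identity], name: str, _seen=None) -> set[str]:
    """Step 2: every permission reachable through the assumption chain; _seen ends cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in inv:
        return set()
    _seen.add(name)
    perms = set(inv[name].grants)
    for nxt in inv[name].assumes:
        perms |= effective_permissions(inv, nxt, _seen)
    return perms

def has_high_risk(inv: dict[str, Identity], name: str) -> bool:
    return any(p in HIGH_RISK or p.endswith(":*") for p in effective_permissions(inv, name))

def is_stale(ident: Identity) -> bool:
    return ident.last_used is None or NOW - ident.last_used > STALE_AFTER

def risk_score(inv: dict[str, Identity], name: str) -> int:
    # additive score over the text's factors: ownership, governance, staleness, privilege
    ident = inv[name]
    return (3 * (ident.owner is None) + 2 * (not ident.governed)
            + 2 * is_stale(ident) + 3 * has_high_risk(inv, name))

def plan_remediation(inv: dict[str, Identity], name: str) -> list[str]:
    """Step 3: policy-driven actions. Unowned identities are only ever escalated, and a
    stale identity with production dependents is held for review rather than disabled."""
    ident = inv[name]
    if ident.owner is None:
        return ["escalate_unowned"]
    actions: list[str] = []
    if is_stale(ident):
        actions.append("hold_dependency_review" if ident.dependents else "disable")
    else:
        if not ident.governed:
            actions.append("enroll_and_rotate")
        if has_high_risk(inv, name):
            actions.append("reduce_privilege")
    return actions or ["no_action"]
```

On this data, merge_inventory() reconciles the two svc-backup records into one owned, governed account with the union of its grants; visibility_gap() reports seven machine identities of which two are ungoverned; alice and ci-deployer both inherit db:* and secrets access through role-devops and role-data-admin even though neither record shows it directly; svc-legacy-etl and token-analytics score highest but are only escalated because nobody owns them; svc-report-gen is stale but is held for dependency review rather than disabled because a production job relies on it. The point of the ordering in plan_remediation() is the one the text makes: ownership validation gates everything else, and staleness is judged before privilege so that a dead identity is removed rather than trimmed.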

Key takeaways

  • Zero Trust fails when identity visibility is incomplete, because policy enforcement cannot compensate for identities that security teams cannot see or own.
  • The scale problem is already established, with machine identities vastly outnumbering human identities and many organisations leaving non-human access unmanaged.
  • Continuous discovery, validated ownership, and safe remediation are the controls that turn identity intelligence from a reporting layer into a governance capability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | (no specific section cited) | Zero Trust is the article's core architecture lens for identity verification.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Stale and unowned non-human identities that are never revoked are the failure mode the guide's discovery and ownership controls target.
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Excessive privilege and entitlement-chain mapping are central to the guide's remediation discussion.
NIST CSF 2.0 | PR.AA-05 (numbered PR.AC-4 in CSF 1.1) | Managing access permissions and entitlements under least privilege is central to the article.

Inventory every non-human identity and tie each one to an owner, privilege scope, and lifecycle record.


Key terms

  • Identity intelligence: Identity intelligence is the continuous discovery, classification, and risk analysis of identities across an environment. It goes beyond provisioning by connecting ownership, privilege, and usage data so teams can see what exists, judge what is risky, and trigger remediation before access becomes an incident.
  • Machine identity: A machine identity is any non-human credential or account used by software, infrastructure, or automation, including service accounts, API keys, tokens, and certificates. In practice, these identities are often numerous, privileged, and difficult to govern because they are created and consumed outside human login workflows.
  • Identity hygiene: Identity hygiene is the condition of an organisation’s identity estate when accounts are owned, classified, appropriately privileged, and kept current. It is not a one-time cleanup but an operating state, maintained through discovery, review, and automated remediation across human and non-human identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SPHERE Technology Solutions: Identity Intelligence and Zero Trust. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org