By NHI Mgmt Group Editorial TeamPublished 2026-07-07Domain: Governance & RiskSource: Orchid Security

TL;DR: Most identity programs govern what should happen, but very few can prove what actually happened inside applications, according to Orchid Security’s recap of its Identiverse session. The execution gap now matters more than certification cadence, because access reviews document intent while real risk lives in live identity behavior.


At a glance

What this is: This is an analysis of the identity observability gap, showing that IAM programs often certify intended access without proving what identities actually do in applications.

Why it matters: It matters because IAM, IGA, PAM, and NHI teams need evidence of execution, not just policy compliance, if they want to control human, non-human, and agent activity.

👉 Read Orchid Security's recap of identity observability and execution risk


Context

Identity observability is the gap between what identity policy says should happen and what identities actually do inside applications. For IAM and NHI programmes, that gap matters because access reviews, MFA enforcement, and provisioning records do not prove live execution behavior.

The article’s core claim is that governance tools are still strongest at documenting intent, while the operational risk has shifted into application-layer execution. That creates a blind spot for service accounts, tokens, and AI agents that can act faster than review cycles can catch up.


Key questions

Q: How should security teams prove what identities are actually doing inside applications?

A: They should combine identity governance records with application-layer telemetry, then validate live actions against policy instead of relying on certification alone. The key is to observe actual execution, not just stated entitlement, so the team can confirm who acted, what they did, and whether the behavior matched current intent.

Q: Why do access reviews often fail to reflect real identity risk?

A: Access reviews document intended access, but they rarely capture whether an identity actually executed privileged actions, reused a token, or bypassed controls inside the application. That makes them useful for governance evidence, but insufficient for proving runtime security.

Q: What do security teams get wrong about non-human identity governance?

A: They often treat inventory, policy, and certification as if they cover the whole identity surface. In reality, service accounts, tokens, and local accounts can execute outside review workflows, so unmanaged machine identities become part of the live attack surface.

Q: How should organisations assign accountability when humans, service accounts, and agents share workflows?

A: They should define a chain of custody that links each action to an owner, a tool, and a target. Without that, accountability becomes ambiguous once multiple actor types can trigger the same application outcome, and no one can prove which identity actually performed the action.


Technical breakdown

Why access reviews miss execution-layer identity risk

Access reviews are designed to attest entitlement, not to observe runtime behavior. They can confirm that an account is supposed to have access, but they do not reliably show whether MFA was enforced, whether a token was reused, or whether a supposedly removed identity still executed actions inside the application. That gap becomes more serious when non-human identities and agents inherit stale privileges and hidden execution paths. The technical problem is not simply incomplete logging. It is that identity governance data and application telemetry often live in separate control planes, so the organization can certify access without seeing behavior.

Practical implication: Treat access review outputs as intent evidence only, and correlate them with application-layer activity before declaring an identity safe.

Identity Dark Matter and the hidden non-human identity layer

Identity Dark Matter is the set of identities that authenticate and execute but never fully enter governance workflows. These include dormant service accounts, legacy application users, local accounts, tokens, and unmanaged non-human identities with no clear owner. They are technically present in the execution path even when they are absent from the IGA record. That matters because AI agents do not create this inventory gap, they inherit it. When agents operate in an environment with unmanaged machine identities, the agent’s effective permissions become the sum of every overlooked credential and every untracked entitlement.

Practical implication: Inventory execution-capable non-human identities separately from human accounts so hidden credentials do not become the default starting point for automation or agents.

Chain of custody for agentic and non-human actions

For agentic systems, the minimum audit path is not just who logged in. It is who acted, what tool was used, what action was taken, and which target was touched. That chain of custody is what turns raw telemetry into accountable identity evidence. Without it, the organization cannot distinguish human use, service account execution, and autonomous action, and it cannot prove whether the action aligned with current policy. This is where identity observability extends IAM, IGA, and PAM into the application execution layer rather than replacing them.

Practical implication: Require action-level attribution for every high-risk identity, especially where human users, service accounts, and agents can all touch the same workflow.


NHI Mgmt Group analysis

Identity observability is now the missing control plane between IAM intent and application reality. IAM is still essential, but it proves what should be true, not what is actually happening at runtime. That distinction becomes decisive when identities can execute inside applications outside the cadence of access reviews. Practitioners should treat observability as the evidence layer that validates governance.

Identity Dark Matter is the structural reason access governance keeps failing in practice. Service accounts, tokens, local accounts, and orphaned application identities can execute without ever being cleanly represented in review workflows. AI agents inherit that hidden inventory rather than creating a new problem from scratch. The implication is that blind spots in machine identity governance directly expand the execution surface for every other actor type.

Chain of custody, not just authentication, is the real accountability boundary. Once an identity can act through tools and application calls, the question is no longer whether it authenticated. The question is whether the organization can attribute each action to an owner, a tool, and a target. That is the minimum standard for governance across human, non-human, and agentic execution.

Execution observability: the control gap is not missing policy, it is missing proof of live behavior. Policy-based governance assumes the system of record is close enough to the system of action. In modern application environments, that assumption is fragile. Practitioners should reframe identity governance around validated runtime behavior rather than certified entitlement alone.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap points to a broader execution problem, which is why the Ultimate Guide to NHIs , The NHI Market is a useful next stop for programme planning.

What this signals

Identity programmes that still centre quarterly certification will continue to miss the layer where risk is actually expressed. The next maturity jump is not more policy, but better evidence of runtime behavior across human, non-human, and agentic identities.

Execution observability: the practical goal is to see identity action, not just identity permission. When teams can attribute each application action to a traceable actor, they can close the gap between governance intent and operational reality.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the governance problem is no longer isolated to privileged humans or service accounts. It is becoming a cross-domain identity management issue that demands shared telemetry and shared accountability.


For practitioners

  • Correlate governance data with application telemetry Compare access review results, MFA state, and entitlement records with live application activity so you can see whether identity behavior matches policy in practice.
  • Inventory execution-capable non-human identities separately Build a dedicated inventory for service accounts, tokens, local accounts, and application users so hidden identities do not disappear inside the human IAM workflow.
  • Require action-level chain of custody Track who acted, what tool was used, what action occurred, and which target was touched for every high-risk workflow involving human users, service accounts, or agents.
  • Extend PAM and IGA into the application execution layer Use runtime evidence to validate whether privileged identities still need their access, then tie enforcement to actual behavior instead of quarterly certification alone.

Key takeaways

  • The central risk is not excess access alone, but the inability to prove what identities actually did inside applications.
  • Identity Dark Matter, especially unmanaged non-human identities, creates the hidden execution layer that conventional governance misses.
  • Runtime attribution and chain of custody are becoming the practical controls that separate identity intent from identity reality.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-08The post centers on visibility and governance gaps across non-human identities.
NIST CSF 2.0DE.CM-1Continuous monitoring is central to proving identity execution, not just policy intent.
NIST SP 800-53 Rev 5AU-6Audit review and analysis are needed to turn raw logs into accountable identity evidence.
NIST Zero Trust (SP 800-207)Zero trust depends on verifying current context, which this post argues identity programs still lack.

Correlate identity events with runtime telemetry to detect activity that diverges from expected behavior.


Key terms

  • Identity Observability: Identity observability is the ability to see what identities actually do inside systems, not just what access they were given. It combines governance records with runtime telemetry so teams can validate behavior, attribute actions, and spot execution that diverges from policy.
  • Identity Dark Matter: Identity Dark Matter refers to identities that authenticate and execute but are missing from normal governance workflows. These are often service accounts, tokens, local accounts, or unmanaged application identities that can still affect production even when they are invisible to access review processes.
  • Chain Of Custody: Chain of custody is the trace that ties an action to a specific actor, tool, and target. In identity security, it is what turns application activity into evidence that can be investigated, governed, and attributed across human, non-human, and agentic workflows.

What's in the full article

Orchid Security's full blog post covers the session framing and examples this analysis intentionally leaves out, including the live poll reactions and the rhetorical setup around identity observability.

  • The exact Slido prompts and audience responses that illustrate how identity teams think about accountability and runtime visibility.
  • Tal Herman's full framing of Identity Dark Matter and the role it plays in machine identity sprawl.
  • The detailed observe, understand, govern model with the author’s explanation of how execution-layer telemetry changes identity operations.
  • The session recap and slide context for practitioners who want the presentation narrative, not just the editorial interpretation.

👉 Orchid Security's full blog post includes the live session questions, audience reactions, and complete observability framework.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org