By NHI Mgmt Group Editorial Team
Published 2026-06-24
Domain: Governance & Risk
Source: Zluri

TL;DR: Identity security vendors collectively address governance, privilege, detection, and authentication, but their coverage is only as complete as the applications already discovered and integrated, according to Zluri. Mid-market environments are especially exposed because shadow IT and unmanaged SaaS sit outside the control plane, making visibility the real prerequisite.


At a glance

What this is: This is an argument that identity security platforms only govern what has already been discovered and integrated, leaving a large upstream visibility gap.

Why it matters: It matters because IAM, NHI, and PAM programmes can look complete on paper while still missing shadow IT, SaaS admin access, and unmanaged non-human identities in practice.



Context

Identity security depends on knowing what is in scope before access, governance, or monitoring tools can do useful work. This article argues that the upstream problem is application visibility: mid-market environments often run far more software and identity activity than the IT-maintained inventory shows, which leaves identity governance controls covering only a partial estate.

That matters for NHI, human IAM, and PAM programmes alike because the control plane is only as complete as the inventory beneath it. If shadow SaaS, direct-auth applications, service accounts, and API integrations are missing from discovery, downstream tools can certify, vault, or detect only the connected portion of the environment.


Key questions

Q: How should security teams evaluate identity security coverage in a fragmented environment?

A: They should compare the platform’s connected scope with the actual application and identity estate, including SaaS, admin accounts, service accounts, and API integrations. If the real environment is larger than the integrated one, governance is partial even if reporting looks complete. Coverage has to be measured before controls can be trusted.

Q: Why do identity governance tools fail when discovery is incomplete?

A: They fail because governance tools only work on systems they can see and integrate. If applications sit outside the inventory, access reviews, provisioning, and compliance reporting certify an incomplete picture. The issue is not that the controls are broken, but that their input data is missing the live estate.

Q: What breaks when SaaS admin accounts and service accounts sit outside IAM scope?

A: What breaks is the assumption that central identity controls cover the whole environment. Unmanaged admin accounts and service accounts can retain high-risk access without appearing in certification, vaulting, or detection workflows. That leaves privileged paths open even when the organisation believes it has full governance in place.

Q: How can organisations keep zero trust aligned with actual identity scope?

A: They need authoritative discovery as a standing input to policy design, not a one-time project. Zero trust depends on knowing which users, systems, and non-human identities actually exist, where they connect, and which are still outside governance. Without that, least privilege and continuous verification are only partially enforceable.


Technical breakdown

Why identity security coverage stops at the integration boundary

Most identity security platforms are coverage-bound systems. MFA, IGA, PAM, ITDR, and IdP products all depend on applications, accounts, and permissions being connected to the platform before they can govern them. That means their effective scope is not the enterprise, but the enterprise that has already been discovered, integrated, and normalised. In a fragmented environment, the product may be functioning correctly while the governance outcome is still incomplete. This is the core sequencing problem in the article: the tools are downstream controls, but the prerequisite is upstream visibility.

Practical implication: measure coverage before you measure control effectiveness, because undiscovered systems are outside every downstream control.

Shadow IT, SaaS admin rights, and service account sprawl

The article distinguishes between what IT approves and what employees actually use. Direct SaaS sign-ups, unmanaged admin accounts, and non-human identities such as service accounts and API integrations expand the real identity surface far beyond the official directory. That creates a visibility mismatch, where access reviews and privileged controls can appear complete while substantial risk sits outside the enumerated scope. For practitioners, the architectural issue is not just lack of policy, but lack of authoritative discovery across human and machine identities.

Practical implication: build continuous discovery for SaaS, privileged admin accounts, and non-human identities before relying on certification or vaulting.

Identity visibility as the control plane for zero trust and NHI governance

The article’s central claim is that identity security tools cannot compensate for an incomplete picture of applications and identities. Zero trust, least privilege, and lifecycle governance all depend on knowing what exists, who or what can access it, and which systems are connected. Without that baseline, the organisation is operating with partial trust assumptions and partial enforcement. In practice, the visibility layer is not an extra feature. It is the foundation that determines whether governance, detection, and compliance are aligned to reality or to an outdated inventory.

Practical implication: treat discovery and normalisation as the first control in the identity stack, not an add-on to existing tooling.


NHI Mgmt Group analysis

Identity security has a prerequisite problem, not just a tooling problem. The market has optimised downstream controls for authentication, governance, privilege, and detection, but those controls only work on identities and applications already in scope. That means a platform can be technically correct and operationally incomplete at the same time. The practitioner conclusion is that scope completeness must be evaluated before control maturity.

Identity coverage is being overestimated wherever discovery is fragmented. The article describes a common mid-market pattern in which the approved application list is materially smaller than actual usage. That creates a false sense of governance because access reviews, SSO enforcement, and authorization graphs all inherit the same incomplete inventory. The implication is that incomplete discovery is not an edge case; it is a structural blind spot.

Continuous visibility is the named concept this market keeps skipping. Identity security only becomes reliable when discovery is continuous rather than periodic, because SaaS adoption, shadow tools, and non-human identities change faster than quarterly governance cycles. Static inventory models were designed for a slower environment and now fail to capture the live estate. The implication is that practitioners should stop treating visibility as a one-time project and start treating it as a standing control.

Zero trust cannot be operationalised against identities you have not found. The article’s sequence is explicit: find the full environment first, then govern it. That is the right order because least privilege, lifecycle management, and privileged access controls all depend on the same authoritative scope. The practitioner conclusion is that zero trust programmes should be judged by discovery completeness as much as by policy design.

Machine identities inherit the same visibility problem as human identities, but at higher speed. Service accounts, API integrations, and AI agents multiply the number of identities that can sit outside governance when discovery is incomplete. That widens the gap between policy intent and enforceable reality. The implication is that IAM, NHI, and PAM teams need a shared scope model rather than separate inventories that disagree.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
  • For the broader governance baseline, read the NHI Lifecycle Management Guide for lifecycle, offboarding, and rotation controls.

What this signals

Continuous visibility is becoming the dividing line between identity programmes that can prove coverage and those that can only report on integrated systems. The operational question is no longer whether tools exist, but whether they are being fed a complete, current estate.

A growing number of identity teams will find that their biggest gap is not policy design but inventory drift. As shadow SaaS and machine identities accumulate, governance, PAM, and IGA all inherit the same blind spot unless discovery is treated as a standing control.

That is why the maturity conversation is shifting from point-in-time certification to live scope management. Practitioners who can connect discovery, access control, and lifecycle governance into one operating model will have a more defensible programme than teams relying on disconnected tool coverage.


For practitioners

  • Measure identity coverage before control coverage. Compare the IT-maintained application inventory with actual SaaS usage, admin accounts, service accounts, and API integrations. Do not treat a successful tool deployment as proof of complete governance until you can show what percentage of the live environment is connected.
  • Build continuous discovery into the identity programme. Use discovery processes that update as new applications, shadow tools, and machine identities appear, rather than relying on quarterly reviews. This is the only way to keep access reviews, PAM scope, and governance reporting aligned to the real environment.
  • Re-scope IGA and PAM against the real estate. Identify which applications, privileged accounts, and non-human identities are outside current integrations, then prioritise bringing those systems into the governance boundary. The goal is to remove the gap between what the platform can see and what the business actually uses.
  • Align zero trust with authoritative discovery. Use the discovery layer as the input to least-privilege design, access certification, and anomaly detection. If the inventory is stale, every downstream policy inherits that staleness and zero trust becomes an assertion rather than an operating model.

Key takeaways

  • Identity security fails fastest when the inventory is incomplete, because downstream controls can only govern what discovery has surfaced.
  • Mid-market environments often have materially more applications and identity activity than their IT lists show, which makes coverage claims look stronger than they are.
  • Practitioners should treat continuous discovery as the first control in the identity stack, then measure governance against the real estate rather than the approved one.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework / Control or reference / Relevance

  • OWASP Non-Human Identity Top 10 / NHI-01 / The article centers on undiscovered NHIs and incomplete scope.
  • NIST CSF 2.0 / ID.AM / Asset management is the prerequisite the article says identity tools assume.
  • NIST Zero Trust (SP 800-207) / (no specific control cited) / Zero Trust depends on verified scope and continuous assessment.

Maintain an authoritative identity and application inventory before enforcing governance or detection controls.


Key terms

  • Application visibility: The ability to know which applications, accounts, and integrations actually exist and are in use across the environment. In identity security, visibility is the prerequisite for governance because controls cannot protect systems they have not discovered.
  • Identity coverage: The portion of the live identity estate that a control platform can actually see, manage, or monitor. Coverage is often smaller than the approved inventory, especially where shadow IT, unmanaged SaaS, and machine identities sit outside integrations.
  • Non-human identity: A non-human identity is any digital identity used by software or systems, such as service accounts, API keys, tokens, certificates, bots, or AI agents. These identities often have broad access and move faster than manual governance cycles can track.
  • Continuous discovery: A persistent process for finding new applications, identities, and integrations as they appear rather than relying on periodic audits. For modern identity programmes, continuous discovery is what keeps governance aligned to the real estate instead of last quarter’s inventory.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: The Identity Security Industry Has Built a $25 Billion Market on a Faulty Assumption.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org