TL;DR: Fragmented vendor stacks, hidden user activity and inconsistent security controls create blind spots that slow access management and increase breach exposure, according to JumpCloud’s analysis. Unified identity and access governance is becoming a baseline requirement for teams managing human, machine and emerging autonomous access patterns.
At a glance
What this is: An analysis of how vendor sprawl, unseen user activity and fragmented controls weaken identity governance and raise security risk.
Why it matters: IAM teams need a unified view across human identities, NHI and automation to enforce access policy, detect misuse and de-provision cleanly.
By the numbers:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Context
Identity sprawl is what happens when access, devices and telemetry are spread across too many point solutions for anyone to see the full picture. In that environment, identity governance breaks first because the organisation cannot reliably trace who or what has access, where policy is enforced, or when access should be removed.
JumpCloud frames the problem as a combined operational and security gap: hidden user activity makes reporting weak, while fragmented controls make deprovisioning and oversight harder. For IAM, NHI and lifecycle programmes, the issue is not simply tool count. It is the loss of a coherent control plane across identities, secrets and access decisions.
Key questions
Q: How should security teams reduce identity sprawl across multiple platforms?
A: Start by identifying where identity, access and audit data are fragmented across the stack, then decide which system is authoritative for provisioning, review and deprovisioning. The goal is not fewer tools for its own sake. The goal is a single control plane that can support consistent policy and faster revocation.
Q: Why does hidden user activity create security risk for IAM programmes?
A: Because access decisions depend on evidence. When user activity is split across SaaS apps, devices and local admin paths, teams cannot reliably detect unusual behaviour, validate entitlement use, or remove access at the right time. Visibility gaps become governance gaps when they break the evidence chain needed for control.
Q: What breaks when identity governance is spread across too many vendor tools?
A: Lifecycle operations become inconsistent, audit trails become incomplete and deprovisioning becomes slower. That increases the chance that access remains active after it should have been removed, which is especially dangerous for high-value accounts, service identities and users with broad delegated access.
Q: What should organisations do when users create or onboard apps outside central IT?
A: Treat self-onboarded SaaS as an identity governance issue, not just a shadow IT problem. Discover those apps, assign ownership, review access paths and bring them into the same entitlement and offboarding process used for sanctioned systems.
Technical breakdown
Why vendor sprawl fragments identity control
Vendor sprawl creates separate policy planes, audit logs and administrative models. Each platform may solve one part of access management, but the lack of a shared control layer makes it harder to correlate entitlement data, enforce consistent rules, or investigate misuse across systems. The result is not just higher overhead. It is a governance model that depends on humans stitching together incomplete information after the fact. In identity programmes, that typically means slower access decisions, weaker auditability and more room for configuration drift.
Practical implication: reduce platform fragmentation where identity, access and audit data need to be governed together.
Hidden user activity and the limits of visibility
Hidden user activity includes actions that occur across apps, devices and sanctioned tools but are not captured in a single reporting plane. Once visibility is partial, basic IAM tasks become less reliable, from spotting unused access to identifying unusual behaviour that could signal insider risk or compromise. The challenge is especially acute when shadow IT or self-onboarded SaaS use sits outside normal provisioning flows. Without consolidated telemetry, teams end up managing access from snapshots rather than from continuous evidence.
Practical implication: treat visibility gaps as an access-control problem, not only a monitoring problem.
Unified identity governance for human, NHI and automation
A unified platform matters because identity governance now spans people, service accounts and increasingly autonomous software. The same structural issue appears across all three: if access lives in disconnected systems, lifecycle controls lose precision and revocation becomes reactive. For NHI, this means secrets and service identities can linger beyond their intended use. For human identity, it means leavers and movers are harder to reconcile. The architecture needs one place where entitlement, usage and removal can be judged together.
Practical implication: design lifecycle and access review processes around a shared identity view rather than around individual tools.
Threat narrative
Attacker objective: The objective is to exploit gaps in identity visibility and control to preserve access, evade oversight and widen the organisation’s attack surface.
- Entry occurs through the accumulation of disconnected identities, SaaS sprawl and isolated access paths that are difficult to track centrally.
- Escalation follows when hidden user activity, orphaned access or inconsistent deprovisioning leaves privileges in place longer than intended.
- Impact is operational drift, slower incident response and a larger attack surface that is harder to govern or recover from.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity sprawl turns governance into reconciliation work: When access, audit and device data live in separate platforms, the organisation stops governing identity and starts reconciling fragments after the fact. That changes IAM from a control function into a cleanup function. The implication is that lifecycle and access review processes lose authority the moment the control plane is split across too many vendors.
Hidden activity is a visibility failure, not just a reporting gap: The article’s central problem is not that organisations lack dashboards. It is that important identity behaviour happens outside the unified evidence chain needed for policy enforcement. In NIST Cybersecurity Framework terms, detect and respond functions become weaker when entitlement and usage data are disconnected. Practitioners should treat this as a structural monitoring gap, not a cosmetic analytics issue.
Unified identity governance is now a cross-actor requirement: Human users, service accounts and automated workflows all fail differently when identity data is fragmented, but the governance consequence is the same: access outlives its intended context. That is why NHI governance and human lifecycle governance are converging around the same operational requirement, a single authoritative view of who or what has access and why. Practitioners need one lifecycle model that can govern all three without separate exceptions.
Identity blast radius expands when the control plane is scattered: Each additional platform creates another place where privilege can persist unseen, which increases the blast radius of mistakes and delays remediation. The named concept here is identity blast radius, the amount of access exposure created when governance is distributed across unjoined systems. The implication is that access sprawl is no longer a tooling inconvenience. It is a measurable security exposure.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- For the broader control-plane view, Ultimate Guide to NHIs, Key Challenges and Risks explains why fragmented governance creates sprawl, visibility loss and privilege creep.
What this signals
Identity sprawl is becoming a governance pattern, not just an operations nuisance: As organisations add more point solutions, the control plane fragments and policy enforcement becomes increasingly dependent on manual reconciliation. That raises the bar for identity programme maturity because access reviews, deprovisioning and audit evidence now need to work across human users, service accounts and automation.
With 7% of security leaders saying they do not know how often their AI systems make autonomous infrastructure changes, the evidence problem is already real: the same visibility gap that affects hidden user activity in traditional IAM now appears in agentic environments. Teams need a shared evidence model before autonomy, shadow automation and self-onboarded SaaS create permanent blind spots.
Organisations that need a broader control framework should anchor to the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs: the first provides the governance functions, while the second clarifies how identity sprawl turns into exposure. Together they help teams move from fragmented reporting to an identity programme built around authoritative control and continuous verification.
For practitioners
- Map the identity control plane first: Inventory where access decisions, entitlement records, audit logs and deprovisioning actions actually live, then identify the gaps created by separate vendor consoles.
- Correlate hidden activity with access reviews: Use SaaS, device and identity telemetry together so access reviews reflect actual usage, not just what each platform reports in isolation.
- Shorten deprovisioning paths across systems: Define a single offboarding sequence that removes human access, service account access and workflow access from every connected platform before closure.
- Reduce orphaned access created by self-onboarded tools: Require discovery and approval for SaaS or automation that bypasses central provisioning so hidden user activity does not become permanent access.
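One way to run the mapping, correlation and deprovisioning steps above as a single reconciliation pass, as an added example that is not JumpCloud's or NHIMG's code: the HR, IdP, SaaS, vault and activity exports are constructed sample data, and the 90-day dormancy window is an assumed policy value.

```python
"""Join fragmented identity sources into one control-plane view.
Added example, not JumpCloud's or NHIMG's code. All sources are constructed
sample exports: HR feed, IdP directory, a self-onboarded SaaS app's users,
a vault's service identities with owners, and per-platform activity logs."""
from datetime import date, timedelta

TODAY = date(2025, 7, 3)            # reconciliation date (constructed)
DORMANT_AFTER = timedelta(days=90)  # review window (assumed policy value)
HR = {"alice": "active", "bob": "terminated", "carol": "active"}
IDP = {"alice", "carol"}            # bob already removed from the IdP
SAAS = {"alice", "bob", "dave"}     # bob lingers; dave was never in HR at all
NHI = {"ci-deploy": "carol", "legacy-etl": "bob", "scanner-bot": None}
LAST_SEEN = {"alice": TODAY - timedelta(days=2), "bob": TODAY - timedelta(days=40),
             "dave": TODAY - timedelta(days=200), "ci-deploy": TODAY - timedelta(days=1),
             "legacy-etl": TODAY - timedelta(days=400)}  # scanner-bot: no log anywhere

def reconcile(hr, idp, saas, nhi, last_seen, today=TODAY):
    """Return (identity, source, reason) findings visible only once sources are joined."""
    findings = []

    def check_dormant(ident, source):
        seen = last_seen.get(ident)
        if seen is None:
            findings.append((ident, source, "no activity evidence on any platform"))
        elif today - seen > DORMANT_AFTER:
            findings.append((ident, source, f"dormant: unused for {(today - seen).days} days"))

    for user in sorted(saas):
        status = hr.get(user)
        if status is None:
            findings.append((user, "saas", "orphaned: no HR record (self-onboarded?)"))
        elif status == "terminated":
            findings.append((user, "saas", "orphaned: HR leaver still has SaaS access"))
        elif user not in idp:
            findings.append((user, "saas", "bypasses IdP: local SaaS account for active staff"))
        check_dormant(user, "saas")
    for ident, owner in sorted(nhi.items()):
        if owner is None:
            findings.append((ident, "nhi", "unowned service identity"))
        elif hr.get(owner) != "active":
            findings.append((ident, "nhi", f"owner {owner} is no longer an active employee"))
        check_dormant(ident, "nhi")
    return findings

def revocation_queue(findings):
    """Group findings per identity so offboarding runs as one cross-platform sequence."""
    queue = {}
    for ident, source, reason in findings:
        queue.setdefault(ident, []).append(f"{source}: {reason}")
    return queue
```

Each finding exists only because two sources were joined (HR status against SaaS membership, vault owner against HR, activity against entitlement), which is the evidence a single vendor console cannot produce on its own.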
Key takeaways
- Identity sprawl weakens governance because fragmented platforms break the connection between access, usage and revocation.
- Hidden user activity creates security risk when organisations cannot reconstruct who accessed what, where and why across the stack.
- Practitioners need a unified identity control plane so human, NHI and automation lifecycles can be governed from the same evidence base.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Fragmented access control weakens least privilege and review consistency. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl increases unmanaged non-human credentials and access paths. |
| NIST Zero Trust (SP 800-207) | AC-2 | Unified identity control supports continuous verification and access governance. |
Map every identity source to PR.AC-4 and consolidate access enforcement into one authoritative control plane.
Key terms
- Identity sprawl: Identity sprawl is the accumulation of disconnected access systems, accounts and governance processes across multiple platforms. It weakens assurance because no single team can easily see who or what has access, where policy is enforced, or whether access should still exist.
- Hidden user activity: Hidden user activity is identity behaviour that occurs across applications, devices or delegated tools but is not captured in one authoritative view. It matters because access reviews, anomaly detection and deprovisioning depend on complete evidence, not partial reporting from isolated systems.
- Identity control plane: The identity control plane is the operational layer where provisioning, policy, audit and revocation decisions are coordinated. When that layer is split across many vendors, governance becomes slower, less consistent and more dependent on manual reconciliation after issues are already visible.
- Identity blast radius: Identity blast radius is the amount of exposure created when access, privilege or governance failures spread across multiple systems. The bigger the blast radius, the harder it is to contain misuse, remove access cleanly, or prove that control has been restored.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by JumpCloud: Navigating the world of IT today feels less like mapping a clear path and more like finding your way through a maze. Read the original.
Published by the NHIMG editorial team on 2025-07-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org