By NHI Mgmt Group Editorial TeamPublished 2026-06-16Domain: Governance & RiskSource: Linx Security

TL;DR: BlackHat 2025 exposed a visibility crisis in enterprise identity management, with security teams unable to answer basic access questions and Gartner naming Identity Visibility and Intelligence Platforms as an emerging category, according to Linx Security. Traditional IAM is no longer keeping pace with machine identity sprawl, and visibility alone is now only the starting point.


At a glance

What this is: BlackHat 2025 surfaced a broad identity visibility and intelligence gap, with security leaders unable to answer basic access questions across sprawling human, machine, and AI-driven environments.

Why it matters: This matters because IAM, NHI, and autonomous governance programmes now need inventory, context, and actionability together, not separate tools that leave blind spots between review cycles.

By the numbers:

👉 Read Linx Security's analysis of BlackHat 2025 and identity intelligence


Context

Identity visibility is the ability to discover, classify, and understand who or what has access across an environment. BlackHat 2025 showed that most programmes still cannot answer basic questions about privileged access, especially when those identities are spread across cloud accounts, service accounts, and emerging AI-driven systems.

For identity teams, the problem is no longer just password policy or directory hygiene. The challenge is maintaining a usable inventory of non-human identities, understanding relationships between identities and systems, and turning identity data into decisions before risk accumulates across IAM and lifecycle processes.


Key questions

Q: How should security teams build visibility into non-human identities across cloud and SaaS?

A: Start by normalising identity data from directories, cloud platforms, SaaS tools, and workload sources into one inventory. Then add ownership, privilege level, and usage context so you can see which accounts matter most. Without that correlation, access review becomes a manual reporting exercise instead of a control.

Q: Why do machine identities make access governance harder than human IAM?

A: Machine identities are created in large numbers, change quickly, and often lack clear owners or lifecycle discipline. That combination breaks assumptions built into periodic review models for human users. As the population grows, the main challenge becomes tracking entitlement drift and hidden privilege paths before they are abused.

Q: What breaks when organisations rely on visibility tools without identity intelligence?

A: You can see more accounts without understanding which ones are risky. Raw visibility tells you what exists, but not which identities connect to production, which are dormant, or which can be abused to move laterally. The result is a long list of objects and too little decision-quality context.

Q: Which frameworks should teams use to govern identity visibility and machine access?

A: For non-human identities, OWASP NHI, Zero Trust, and NIST CSF are the most relevant starting points. If AI-driven decisioning is involved, add AI risk governance so you can bound autonomy, trace decisions, and keep human accountability intact across access workflows.


Technical breakdown

Why identity visibility breaks down across modern environments

Traditional IAM tools were built to manage directories and provision access, not to continuously reconcile identities across cloud services, SaaS, infrastructure, and machine workloads. As the identity estate grows, data fragments across consoles, logs, and admin domains, which makes basic questions about who can do what increasingly slow to answer. The result is not merely poor reporting. It is a structural inability to see entitlement relationships, standing privilege, and dormant access in time to act.

Practical implication: build a cross-domain identity inventory that can normalise data from cloud, SaaS, and workload sources before you try to automate reviews.

What identity intelligence platforms add beyond visibility

Identity Visibility and Intelligence Platforms are designed as an intelligence layer above scattered identity data. They gather, categorise, and visualise identities across multiple domains, then add context so teams can prioritise risk rather than stare at raw inventory. The real architectural shift is that the platform must understand identity relationships, not just count accounts. Without that context, access review remains manual, slow, and easy to game by sprawl.

Practical implication: evaluate whether your tools can correlate identity, privilege, and behaviour across systems, not just produce lists of accounts.

How autonomous identity actions change the control model

The most advanced discussions at BlackHat moved from dashboards to systems that can recommend or execute identity decisions. That changes the control model because the platform is no longer just informing humans, it is participating in access governance. Once automation starts acting on identity state, the design problem shifts to guardrails, approval boundaries, and traceability for machine-made decisions. Visibility is necessary, but decision quality and auditability become the real test.

Practical implication: define which identity decisions may be automated, which must remain human-approved, and what evidence each action must leave behind.


Threat narrative

Attacker objective: The attacker objective is to exploit invisible or poorly governed identities to gain privileged access that bypasses conventional perimeter and review processes.

  1. Entry begins when attackers target identity systems directly, taking advantage of environments where organisations cannot inventory all privileged accounts and machine identities.
  2. Escalation follows when unmanaged service accounts, API keys, or dormant privileges provide a path to high-impact access that traditional perimeter controls do not constrain.
  3. Impact occurs when compromised identity pathways let attackers move through cloud, SaaS, or AI-connected systems faster than teams can detect or certify the access changes.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity visibility has become a prerequisite for governance, not a governance outcome. BlackHat 2025 made clear that many teams still treat visibility as the finish line, when in fact it is the minimum condition for any meaningful access control programme. Without a defensible inventory of human, machine, and workload identities, certification and least privilege are operating on partial truth. The implication is that governance maturity now depends on discovery quality before policy sophistication can matter.

Machine identity sprawl has turned access review into a scale problem. The combination of cloud services, service accounts, API keys, and AI-driven workflows creates an access estate that grows faster than human review cycles can absorb. That is why programmes built around periodic recertification keep falling behind: the population changes between reviews. Security teams need to stop treating review cadence as the primary control signal and start treating identity churn as a risk indicator.

Identity intelligence platforms are the category answer to cross-domain identity fragmentation. Gartner's IVIP label reflects a real market need, but the important change is not the acronym. It is the recognition that identity data must be correlated across directories, SaaS, cloud, and workload contexts before it becomes actionable. Practitioners should expect buying decisions to shift from point controls toward platforms that can support continuous understanding across identity domains.

Identity blast radius is now the more useful metric than account count. A programme can have thousands of identities and still be manageable if privilege, lifecycle, and telemetry are tightly bounded. It becomes dangerous when a small number of over-privileged accounts can bridge into production or data platforms. That is the named concept BlackHat surfaced in practice: the challenge is not identity volume alone, but how far one identity can reach before controls notice.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap is why practitioners should also review Ultimate Guide to NHIs for the governance baseline and Top 10 NHI Issues for the failure patterns driving programme urgency.

What this signals

Identity visibility is becoming the entry condition for any serious NHI programme. If teams cannot correlate who owns an account, what it can access, and whether it is still in use, they are already behind. The practical shift is toward inventory quality, ownership clarity, and entitlement context before any discussion of automation or optimisation.

Identity blast radius: this is the concept that will increasingly shape NHI prioritisation. The question is not how many identities exist, but how far a single compromised account can reach across production, data, and automation layers. That framing pushes teams toward control boundaries and access containment rather than account counting.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, third-party identity exposure is still being underestimated, according to The State of Non-Human Identity Security. Teams should prepare for lifecycle control and access review to become board-level topics as identity sprawl and AI adoption continue to converge.


For practitioners

  • Rebuild your identity inventory around actual privilege paths Map where administrative and machine identities really exist across cloud, SaaS, and infrastructure. Prioritise the identities that can reach production or data systems, not just the ones that are easiest to enumerate.
  • Treat service accounts and API keys as governed identities Bring non-human identities into the same lifecycle discipline as human access, including ownership, review, and offboarding. If an account or key has no accountable owner, it is already outside governance.
  • Add correlation before automation Do not automate access decisions until your tooling can correlate identity, entitlement, and behaviour across domains. Otherwise, automation simply accelerates bad decisions with better packaging.
  • Define human approval boundaries for autonomous actions If AI-driven systems are allowed to make or revoke access decisions, document exactly which decisions are eligible for machine handling and which require human review. Preserve evidence for every change in access state.

Key takeaways

  • BlackHat 2025 showed that the core identity problem is visibility plus context, not just provisioning volume.
  • The scale signal is clear: machine identities, AI-driven accounts, and fragmented access estates are outpacing manual review models.
  • Practitioners should move toward correlated identity intelligence and tighter lifecycle governance before automation compounds the blind spots.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01The article centers on visibility gaps across non-human identities.
NIST CSF 2.0PR.AC-1Identity governance depends on knowing who or what has access.
NIST Zero Trust (SP 800-207)SP 800-207Zero Trust assumes continuous verification across distributed identity estates.

Map identity data across environments and enforce access boundaries with continuous review.


Key terms

  • Identity Visibility and Intelligence Platform: A platform category that collects, correlates, and presents identity data across multiple systems so security teams can understand access in context. It goes beyond inventory by linking identities, entitlements, and behaviour into something usable for governance and investigation.
  • Machine Identity: A non-human identity used by software, workloads, services, or automation to authenticate and access resources. These identities often outnumber people and can become difficult to govern because they are created in bulk, change frequently, and are often weakly owned.
  • Identity Blast Radius: The amount of access or downstream reach a single identity can expose if it is compromised or misused. In practice, it is a measure of how far privilege can propagate through cloud, SaaS, and workload systems before controls limit the damage.
  • Identity Intelligence: The use of correlated identity data to support access decisions, risk prioritisation, and governance actions. It combines discovery, context, and analytics so teams can move from static reporting to decisions that reflect real access relationships and current behaviour.

What's in the full article

Linx Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • How Linx positions its conversational query workflow for identity investigations and access review tasks
  • The specific platform behaviours it describes for autonomous governance and predictive risk assessment
  • Examples of how the vendor frames identity intelligence as a replacement for fragmented reporting
  • The product-led narrative around identity lifecycle unification and access control automation

👉 Linx Security's full post covers the vendor's identity intelligence framing, capability descriptions, and market interpretation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org