TL;DR: Traditional PAM and IGA tools provide only partial identity coverage in hybrid-cloud environments, leaving blind spots for dormant, shadow, ephemeral, and cross-domain accounts while attacker paths remain hidden, according to Hydden. Complete visibility has become mission-critical because remediation decisions are only as good as the map they are based on.
At a glance
What this is: This is an analysis of why PAM and IGA leave identity blind spots and how identity attack surface visibility changes the security model.
Why it matters: It matters because IAM, PAM, IGA, NHI, and human identity teams all depend on complete identity context to reduce privilege drift, hidden access paths, and remediation lag.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Hydden’s analysis of identity visibility gaps in PAM and IGA
Context
PAM and IGA are still built around partial visibility, periodic review, and static policy assumptions. That works poorly in hybrid-cloud environments where identities span AD, cloud platforms, CI/CD systems, serverless workloads, and legacy applications, creating identity visibility gaps that attackers can exploit before defenders even know the path exists.
Identity attack surface management addresses the missing layer: continuous discovery, relationship mapping, and behavioural context across both human and machine identities. The core problem is not that PAM and IGA are useless, but that they were designed for a narrower map than the one practitioners now have to defend.
When identity data is fragmented across tools, remediation becomes guesswork. Teams can see one account, one session, or one privilege set, but not the full attack path or blast radius, which is why the starting point for most mature programmes is incomplete rather than broken.
Key questions
Q: How should security teams reduce identity blind spots across hybrid environments?
A: Security teams should centralise identity discovery across directories, cloud platforms, CI/CD tools, SaaS, and legacy systems, then enrich that inventory with ownership, privilege, and relationship data. The goal is not just coverage, but a live view of how identities connect and where remediation will reduce real exposure fastest.
Q: Why do service accounts and other non-human identities create hidden risk in IAM programmes?
A: Service accounts create hidden risk because they are often outside the review cadence used for human access, yet they can hold persistent privilege and connect multiple systems. When those identities are not fully inventoried or lifecycle-managed, they become the shortest path to lateral movement and data exposure.
Q: What do security teams get wrong about access reviews in identity governance?
A: Teams often treat access reviews as a complete control, when they are really a delayed verification step. If identity state changes faster than the review cycle, the programme certifies stale access instead of governing current risk. Continuous telemetry is needed to make reviews actionable.
Q: Which frameworks are most relevant when building identity visibility and blast-radius controls?
A: NIST Cybersecurity Framework 2.0 and Zero Trust Architecture are the most useful starting points because both emphasise continuous identification, protection, and verification across systems. For non-human identities, the OWASP Non-Human Identity Top 10 adds control detail around visibility, secrets, and privilege.
Technical breakdown
Why periodic scans miss identity attack paths
Periodic discovery creates a time lag between when an identity appears, changes privilege, or becomes orphaned and when a control notices it. In hybrid environments, that lag is enough for short-lived workloads, temporary grants, and shadow accounts to slip outside the review window. Static policy checks also assume the identity landscape is stable, but cloud and CI/CD environments change continuously. The result is not just delayed visibility, but incorrect risk prioritisation because the attacker’s route is often more important than the account itself.
Practical implication: move from scheduled reviews to continuous discovery for all identity stores and execution environments.
How identity relationship graphs expose hidden blast radius
A unified identity relationship graph links accounts, roles, groups, entitlements, workloads, and trust relationships across systems. That matters because the security issue is rarely a single credential in isolation. It is the chain of effective permissions that turns one compromised identity into lateral movement. By visualising transitive access and toxic combinations, the graph shows how privilege in one platform can unlock access in another. This is where traditional IGA and PAM views usually fall short, because they are optimised for local control, not cross-domain exposure.
Practical implication: map transitive permissions and cross-system trust paths before deciding what to revoke or retain.
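An identity relationship graph of the kind described above, as an added worked example (this is not Hydden's or NHIMG's code): a constructed inventory of directory, cloud-IAM and CI/CD relationships is walked breadth-first to recover each identity's transitive reach, flag admin privilege that exists only through role chaining, and rank identities by the systems they can reach. The identity names, edge labels, and the crown-jewel and admin-role tags are assumptions.

```python
"""Identity relationship graph: transitive reach, hidden admin paths, blast radius.

Added worked example; this is not Hydden's or NHIMG's code. The inventory,
identity names, systems and edge labels are constructed assumptions.
"""
from collections import deque

# Constructed inventory of (source, relationship, target) across an assumed
# hybrid estate: AD accounts and groups, cloud IAM roles, CI/CD credentials.
EDGES = [
    ("svc-build", "member_of", "grp-ci-deployers"),        # AD service account
    ("grp-ci-deployers", "assumes", "role-cloud-deploy"),   # directory group -> cloud role
    ("role-cloud-deploy", "can_access", "s3-prod-artifacts"),
    ("role-cloud-deploy", "assumes", "role-cloud-admin"),   # role chaining, rarely visible in IGA
    ("role-cloud-admin", "can_access", "kms-prod-keys"),
    ("role-cloud-admin", "can_access", "rds-customer-db"),
    ("alice", "member_of", "grp-finance-readers"),
    ("grp-finance-readers", "can_access", "erp-reports"),
    ("api-key-legacy", "can_access", "erp-reports"),        # unmanaged legacy credential
    ("api-key-legacy", "can_access", "legacy-fileshare"),
]

# Systems are the targets of can_access edges; crown jewels and admin roles are
# assumed practitioner tags, not something derived from the graph.
SYSTEMS = {dst for _, rel, dst in EDGES if rel == "can_access"}
CROWN_JEWELS = {"kms-prod-keys", "rds-customer-db"}
ADMIN_ROLES = {"role-cloud-admin"}


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def transitive_reach(graph, identity):
    """Breadth-first walk from `identity`; returns node -> path that first reached it,
    so the route is kept, not just the set of reachable nodes."""
    paths = {identity: [identity]}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [f"-{rel}->", nxt]
                queue.append(nxt)
    del paths[identity]
    return paths


def blast_radius(graph, identity):
    """Systems reachable directly or through groups, roles and trust links."""
    return {n for n in transitive_reach(graph, identity) if n in SYSTEMS}


def hidden_admin_paths(graph, identity):
    """Paths to an admin role that take more than one hop, i.e. privilege an
    account-level review would not show as a direct grant."""
    return [p for n, p in transitive_reach(graph, identity).items()
            if n in ADMIN_ROLES and len(p) > 3]  # path [a, edge, b] is one hop


def rank_by_blast_radius(graph, identities):
    """Order identities by crown-jewel reach, then by total reachable systems."""
    rows = []
    for ident in identities:
        reach = blast_radius(graph, ident)
        rows.append((ident, len(reach & CROWN_JEWELS), len(reach), sorted(reach)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    g = build_graph(EDGES)
    for ident, jewels, total, reach in rank_by_blast_radius(g, ["alice", "svc-build", "api-key-legacy"]):
        print(f"{ident:15} crown_jewels={jewels} systems={total} {reach}")
    for path in hidden_admin_paths(g, "svc-build"):
        print("hidden admin path:", " ".join(path))
```

In this constructed estate the CI service account never holds admin rights directly; it reaches the admin role only through a group membership and two role assumptions, which is exactly the cross-domain chain an account-centric PAM or IGA view does not show. Ranking by crown-jewel reach puts that account ahead of the legacy API key even though the key has the same number of direct grants.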
Why privilege drift turns reviews into stale maps
Privilege drift happens when access remains in place after the business need has changed, even if the original grant was valid at the time. Manual recertification often confirms what was true weeks earlier, not what is true now. That creates a governance gap where elevated access can persist long enough to be abused, especially in legacy applications and unmanaged service contexts. In practice, the issue is not the existence of access review, but the delay between privilege change and governance action.
Practical implication: pair recertification with live telemetry so stale entitlements can be identified before the next review cycle.
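Pairing recertification with live telemetry, as an added example that also illustrates the review-lag point in the periodic-scan section above (example code, not Hydden's or NHIMG's): a constructed entitlement register from the IGA side is checked against a directory/HR feed and usage log lines, and each entitlement is tagged with why it has drifted, including the case where the last review certified access that telemetry already showed as dormant. The records, identity names, the 90-day inactivity window and the assessment date are all assumptions.

```python
"""Privilege-drift detection: recertification records checked against live telemetry.

Added worked example; this is not Hydden's or NHIMG's code. Every record and log
line is constructed, and the field names, identity names, 90-day inactivity
window and assessment date are assumptions.
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_WINDOW = timedelta(days=90)  # assumed policy: unused this long counts as dormant
ASSESSMENT_DATE = datetime(2026, 2, 18, tzinfo=timezone.utc)  # assumed "now"

# Constructed entitlement register from the IGA side: grant date, last access
# review sign-off, and the owner's role when the grant was made.
ENTITLEMENTS = [
    {"identity": "alice", "entitlement": "erp-reports:read",
     "granted": "2025-06-01", "certified": "2026-01-15", "role_at_grant": "finance"},
    {"identity": "svc-build", "entitlement": "role-cloud-admin:assume",
     "granted": "2025-03-10", "certified": "2026-01-15", "role_at_grant": "ci"},
    {"identity": "api-key-legacy", "entitlement": "legacy-fileshare:write",
     "granted": "2023-11-20", "certified": "2026-01-15", "role_at_grant": "batch"},
    {"identity": "bob", "entitlement": "rds-customer-db:read",
     "granted": "2025-09-01", "certified": "2026-01-15", "role_at_grant": "support"},
]

# Constructed directory / HR state at the assessment date.
IDENTITY_STATE = {
    "alice": {"role": "marketing", "status": "active"},   # changed team after the grant
    "svc-build": {"role": "ci", "status": "active"},
    "api-key-legacy": {"role": "batch", "status": "active"},
    "bob": {"role": "support", "status": "disabled"},     # offboarded, entitlement still certified
}

# Constructed usage telemetry: "<timestamp> <identity> <entitlement> <action>".
USAGE_LOG = """\
2026-02-10T08:12:33Z svc-build role-cloud-admin:assume assume
2026-02-16T17:40:02Z alice erp-reports:read read
2025-10-02T03:00:11Z api-key-legacy legacy-fileshare:write write
"""


def parse_usage(log):
    """Most recent observed use per (identity, entitlement)."""
    last_used = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ident, ent, _action = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = (ident, ent)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when
    return last_used


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def assess_drift(entitlements, state, last_used, now):
    """Return {(identity, entitlement): [reasons]} for entitlements that have drifted
    from the state the last review certified. Reasons are emitted in a fixed order."""
    findings = {}
    for e in entitlements:
        key = (e["identity"], e["entitlement"])
        owner = state.get(e["identity"], {})
        used = last_used.get(key)
        certified = _day(e["certified"])
        reasons = []
        if owner.get("status") != "active":
            reasons.append("owner_not_active")
        if owner.get("role") != e["role_at_grant"]:
            reasons.append("role_changed_since_grant")
        if used is None:
            reasons.append("never_used_in_telemetry")
        elif now - used > INACTIVITY_WINDOW:
            reasons.append("unused_beyond_window")
            # The review signed off an entitlement that telemetry already showed as dormant.
            if certified - used > INACTIVITY_WINDOW:
                reasons.append("certified_while_dormant")
        if reasons:
            findings[key] = reasons
    return findings


def run():
    """Assess the constructed register at the assumed assessment date."""
    return assess_drift(ENTITLEMENTS, IDENTITY_STATE, parse_usage(USAGE_LOG), ASSESSMENT_DATE)


if __name__ == "__main__":
    for (ident, ent), reasons in run().items():
        print(f"{ident}:{ent} -> {', '.join(reasons)}")
```

All four entitlements were certified in the same January review, yet only the CI service account's grant still matches live state: one owner changed role after the grant, one has been disabled without the entitlement being withdrawn, and the legacy key's write access was already more than 90 days idle when the reviewer signed it off. None of those would surface again until the next review cycle without the telemetry join.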
Threat narrative
Attacker objective: The attacker’s objective is to move through identity gaps that defenders cannot see and convert hidden access into broad operational reach.
- Entry occurs through unmapped identities such as shadow workloads, temporary grants, or dormant accounts that standard tools never fully inventory.
- Escalation follows when attackers exploit cross-domain trust, excessive privilege, or hardcoded credentials to move from one identity context into another.
- Impact occurs when the attacker uses the hidden route to expand access, increase blast radius, and reach systems that the original control stack did not map.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity visibility, not control count, is now the real governance boundary. PAM and IGA can only enforce what they can see, and the article is correct that fragmented data creates a false sense of coverage. When identity state is spread across directories, clouds, pipelines, and legacy systems, the programme can be compliant in one domain and blind in another. The practitioner conclusion is straightforward: governance needs a complete identity map before it can claim control.
Blast radius has become the more useful unit of analysis than account status. A stale account matters less than the set of systems it can reach, directly or indirectly. This is why cross-domain relationship mapping is now central to identity security, especially where privileged entitlements and machine accounts overlap. The practitioner implication is that remediation priority should follow exposure pathways, not just individual account hygiene.
Identity attack surface management fills the gap between policy and reality. Traditional IAM tools answer who should have access, but they do not reliably answer how that access propagates through connected systems. That gap is exactly where attackers operate, especially in hybrid environments with legacy systems and ephemeral identities. The practitioner conclusion is that identity governance now needs an always-on inventory layer, not just point-in-time certification.
Hybrid identity programmes fail when human and machine identities are managed as separate maps. The article’s central insight is that the same visibility problem affects employees, service accounts, API keys, and workload identities. Once those domains are separated operationally, attackers only need the weakest and least visible route. The practitioner implication is that identity governance should be designed around relationships and reach, not only identity type.
Privilege drift is a map maintenance problem, not just an access review problem. Access reviews validate yesterday’s assumptions; drift changes today’s risk. That means the control failure is not simply that reviews happen too slowly, but that they are disconnected from live identity state. The practitioner conclusion is that recertification must be treated as one input to governance, not the whole governance model.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how far visibility still lags behind governance intent.
- The NHI Lifecycle Management Guide helps teams move from static inventory to lifecycle control, including provisioning, rotation, and offboarding discipline.
What this signals
Identity visibility will become a board-level governance metric, not just an IAM operational metric. As hybrid estates expand, teams that cannot answer where identities exist, who owns them, and what they can reach will keep discovering risk through incidents rather than controls. That shift makes continuous inventory and relationship mapping the new baseline for programme maturity.
The strongest programmes will stop treating human and machine identities as separate governance islands. Once service accounts, API keys, workloads, and user entitlements are analysed together, remediation can target the actual attack path instead of individual symptoms.
Blast-radius analysis is emerging as the practical control outcome. The question is no longer whether an account is privileged in isolation, but how far compromise can travel across connected systems. Teams that can quantify that reach will be better placed to prioritise remediation, recertification, and segmentation.
For practitioners
- Build a continuous identity inventory: collect identities from AD, cloud IAM, CI/CD systems, SaaS, and legacy applications into one operating view so the programme can see dormant, shadow, and orphaned accounts before attackers do.
- Map transitive access and trust paths: document how roles, groups, workloads, and service accounts connect across systems, then use that graph to identify toxic combinations and hidden lateral movement routes.
- Prioritise remediation by blast radius: rank exposures by the systems they can reach, not just by the identity type or privilege label, so limited resources go first to the paths with the widest downstream impact.
- Treat machine identities as first-class governance objects: apply the same visibility, ownership, and lifecycle discipline to service accounts, API keys, and workload identities that you already expect for human accounts.
Key takeaways
- PAM and IGA still matter, but they do not provide complete identity visibility across modern hybrid environments.
- Attackers benefit most from fragmented identity data because it hides dormant accounts, transitive trust, and privilege drift.
- Identity attack surface management changes the control model by connecting discovery, relationship mapping, and blast-radius analysis.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The article focuses on undiscovered identities and unmanaged secrets. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Cross-domain access paths are central to the article’s risk model. |
| NIST CSF 2.0 | ID.AM-1 | The post is fundamentally about incomplete identity asset visibility. |
Inventory all non-human identities continuously and tie each to ownership and lifecycle state.
Key terms
- Identity Attack Surface Management: Identity Attack Surface Management is the practice of continuously discovering identities, relationships, and exposures across connected systems. It extends beyond static inventories by showing how accounts, privileges, and trust paths create real attack routes, especially in hybrid environments.
- Privilege Drift: Privilege drift is the gradual mismatch between an identity’s current access and the access it actually needs. It often appears after role changes, project completion, or system sprawl, and it becomes dangerous when reviews lag behind operational reality.
- Identity Relationship Graph: An identity relationship graph is a connected model of accounts, roles, groups, workloads, and trust links across systems. It helps practitioners understand transitive access and downstream blast radius, which are often invisible in isolated IAM or PAM views.
- Blast Radius: Blast radius is the scope of systems, data, and privileges an attacker can reach after compromising a single identity. For identity governance, it is often more useful than raw privilege labels because it translates access into operational impact.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
This post draws on content published by Hydden: identity visibility gaps in PAM and IGA. Read the original.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org