By NHI Mgmt Group Editorial Team | Published 2026-04-01 | Domain: Governance & Risk | Source: Hydden

TL;DR: ISPM and ITDR solved real enterprise identity problems, but they struggled because most large organisations lacked complete, reliable identity inventories across AD, cloud, SaaS, and service accounts, according to Hydden. The core lesson is that posture and detection cannot fix fragmented ground truth, because incomplete identity data turns better analytics into better wrong answers.


At a glance

What this is: An analysis of why identity security categories such as ISPM and ITDR struggled to scale in fragmented enterprise environments.

Why it matters: IAM, NHI, and security teams still cannot govern what they cannot inventory, and posture or detection layers fail when ownership and data are split across systems.



Context

Identity posture and threat detection break down when enterprises do not have a continuous, reliable view of who and what holds access. In large environments, the identity estate spans human accounts, service identities, cloud roles, SaaS grants, and shadow privileges that live outside any single control plane.

The article's core point is not that ISPM or ITDR were pointless. It is that they were layered onto fragmented identity governance, so the tools could expose problems but could not resolve the ownership, lifecycle, and data-quality gaps that created those problems in the first place.

For IAM and NHI teams, the real question is whether the identity inventory is trustworthy enough to support posture, detection, recertification, and least-privilege decisions. Without that foundation, every downstream control inherits the same blind spots.


Key questions

Q: What breaks when identity posture tools rely on incomplete inventories?

A: They surface real misconfigurations, but they cannot prove risk across identities they never see. Incomplete inventories create false confidence, because dormant accounts, shadow admins, service principals, and SaaS grants outside the dataset remain unassessed. The result is better reporting on a partial environment, not reliable governance.

Q: Why do fragmented identity systems make ITDR less effective?

A: ITDR depends on knowing which identity authenticated, what privilege it held, and whether the behaviour is abnormal. Fragmentation breaks that chain by scattering logs, ownership, and baselines across teams and platforms. When the identity estate is incomplete, the detection model is incomplete too, especially for short-lived or poorly catalogued identities.

Q: How can security teams know whether identity security data is trustworthy?

A: They should test whether every privileged identity is catalogued, owned, and tied to a lifecycle state that is updated continuously. If cloud roles, service accounts, and SaaS access are reconciled only in spreadsheets or quarterly exports, the dataset is not trustworthy enough for posture scoring or behavioural detection.

Q: Who should own remediation when posture findings cross AD, cloud, and SaaS?

A: Each identity class needs an accountable owner who can actually change the access state, but governance should sit above the platform teams. If no group is authorised to coordinate revocation, rotation, and recertification across systems, the findings will stall in review meetings and never reduce exposure.


Technical breakdown

Why identity posture management stalls on fragmented inventories

Identity Security Posture Management works by connecting to identity systems and surfacing misconfigurations such as stale accounts, dormant admin rights, orphaned service accounts, and excessive OAuth grants. The technical limitation is not the finding engine. It is data completeness. If the tool only sees a subset of AD, cloud IAM, SaaS, and automation credentials, its results reflect partial ground truth. That makes posture scoring useful for triage, but weak as a governance baseline when teams rely on disconnected exports and manual reconciliation.

Practical implication: establish a continuously updated identity inventory before treating posture findings as authoritative.
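To make the completeness point concrete, here is an added Python example (written for this post, not code from Hydden or from the original article) that reconciles three constructed identity exports into one inventory, runs two ISPM-style checks over it, and compares the findings a posture tool would produce when it is wired only to the AD feed against the findings over the full estate. All identity names, owners, dates and the 90-day dormancy threshold are constructed assumptions, not data from any real environment.

```python
"""Added example (not from the Hydden article or NHIMG): reconcile identity
records from several sources into one inventory and show why posture scoring
over a partial feed understates risk. All records and names are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

TODAY = date(2026, 4, 1)        # fixed reference date so results are reproducible
DORMANT_DAYS = 90               # assumed dormancy threshold


@dataclass
class Identity:
    key: str                    # source-qualified id, e.g. "ad:svc-backup"
    kind: str                   # human | service | cloud_role | saas_grant
    privileged: bool
    owner: str | None
    last_used: date | None
    source: str


# Constructed exports. Only the "ad" feed is connected to the posture tool;
# the cloud IAM and SaaS feeds exist but never reach it.
AD_EXPORT = [
    ("alice", "human", False, "alice", date(2026, 3, 30)),
    ("svc-backup", "service", True, None, date(2025, 11, 2)),        # orphaned + dormant
    ("da-bob", "human", True, "bob", date(2026, 3, 28)),
]
CLOUD_IAM = [
    ("role/ci-deployer", "cloud_role", True, "platform-team", date(2026, 3, 31)),
    ("role/legacy-admin", "cloud_role", True, None, date(2025, 6, 14)),  # orphaned + dormant
]
SAAS_GRANTS = [
    ("oauth/reporting-bot", "saas_grant", True, None, date(2026, 3, 29)),  # admin scope, no owner
]


def load(source: str, rows) -> list[Identity]:
    """Turn one feed's rows into Identity records tagged with their source."""
    return [Identity(f"{source}:{name}", kind, priv, owner, used, source)
            for name, kind, priv, owner, used in rows]


def build_inventory(feeds: dict[str, list]) -> dict[str, Identity]:
    """Merge every feed into one inventory keyed by source-qualified id."""
    inventory: dict[str, Identity] = {}
    for source, rows in feeds.items():
        for ident in load(source, rows):
            inventory[ident.key] = ident
    return inventory


def posture_findings(inventory: dict[str, Identity]) -> list[tuple[str, str]]:
    """ISPM-style checks: privileged identity with no owner, and dormancy."""
    findings = []
    for ident in inventory.values():
        if ident.privileged and ident.owner is None:
            findings.append((ident.key, "privileged_no_owner"))
        if ident.last_used is not None and (TODAY - ident.last_used).days > DORMANT_DAYS:
            findings.append((ident.key, "dormant"))
    return findings


def privileged_without_findings(inventory, findings) -> list[str]:
    """Privileged identities the checks did not flag: what a dashboard calls 'clean'."""
    flagged = {key for key, _ in findings}
    return sorted(k for k, i in inventory.items() if i.privileged and k not in flagged)


def coverage_report(full, partial) -> dict:
    """Compare what the posture tool sees (partial) against the full estate."""
    full_findings = posture_findings(full)
    partial_findings = posture_findings(partial)
    unseen_privileged = [k for k, i in full.items() if i.privileged and k not in partial]
    return {
        "identities_seen": len(partial), "identities_total": len(full),
        "findings_seen": len(partial_findings), "findings_total": len(full_findings),
        "unseen_privileged": sorted(unseen_privileged),
    }


FULL = build_inventory({"ad": AD_EXPORT, "cloud": CLOUD_IAM, "saas": SAAS_GRANTS})
PARTIAL = build_inventory({"ad": AD_EXPORT})
REPORT = coverage_report(FULL, PARTIAL)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
    print("privileged but unflagged in partial view:",
          privileged_without_findings(PARTIAL, posture_findings(PARTIAL)))
```

With only the AD feed connected, the tool reports two findings on three identities and shows one privileged account as clean; over the merged inventory there are five findings on six identities, and three privileged identities (two orphaned cloud roles and an unowned SaaS grant) were never assessed at all. The check a practitioner should run is the one in `coverage_report`: how many privileged identities exist outside the data the posture tool consumes, since that number bounds how much the posture score can be trusted.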

How identity threat detection inherits the same visibility gap

ITDR depends on behavioural baselines built from authentication and privilege context. A 3 AM login is only useful if the system knows which identity logged in, what privileges it held, and whether the access pattern is normal. In fragmented estates, many identities never enter the baseline at all, especially short-lived cloud roles, service principals, and local admin access created outside central governance. That means detections can be precise for known identities while remaining blind to the most exposed ones.

Practical implication: baseline only works when every privileged identity is catalogued and tied to an owner.
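The same gap on the detection side, as an added Python example (written for this post, not Hydden's or NHIMG's code, and not taken from any real ITDR product): a per-identity baseline of (hour, host) pairs is built from a constructed authentication log, then later events are scored. An identity that was created outside central IAM and never entered the inventory cannot be scored as normal or abnormal, so the code returns a distinct "unbaselined" verdict and a separate coverage check lists such identities. The inventory, log lines, hostnames and the one-hour tolerance in the baseline are all constructed assumptions; a real baseline would use far more context than hour and host.

```python
"""Added example (not from the article): build per-identity authentication
baselines from a constructed log and show that events from identities the
inventory never catalogued cannot be scored, only reported as unbaselined.
Identity names, hosts, owners and log lines are all constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed inventory: identities central IAM knows about, mapped to owner.
# svc-backup is catalogued but has no owner; role/legacy-admin is absent.
INVENTORY = {"alice": "alice", "svc-backup": None, "role/ci-deployer": "platform-team"}

# Constructed auth log. role/legacy-admin was created in a cloud console and
# never entered the inventory. Format: ts|identity|host|result
AUTH_LOG = """\
2026-03-24T09:02:11|alice|jump-01|success
2026-03-25T08:58:40|alice|jump-01|success
2026-03-26T09:05:02|alice|jump-01|success
2026-03-24T01:00:03|svc-backup|db-02|success
2026-03-25T01:00:04|svc-backup|db-02|success
2026-03-26T01:00:02|svc-backup|db-02|success
2026-03-27T10:15:09|role/ci-deployer|build-07|success
2026-03-28T03:12:44|alice|db-02|success
2026-03-28T03:20:10|role/legacy-admin|db-02|success
"""

CUTOFF = datetime(2026, 3, 28)  # events before this build the baseline, after it are scored


def parse(log: str) -> list[dict]:
    """Parse the pipe-delimited constructed log into event dicts."""
    events = []
    for line in log.splitlines():
        ts, identity, host, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "identity": identity,
                       "host": host, "result": result})
    return events


def build_baseline(events: list[dict], cutoff: datetime) -> dict[str, set]:
    """Per-identity set of (hour-of-day, host) pairs seen before cutoff.
    Only inventoried identities get a baseline; nothing else has a record to attach it to."""
    baseline: dict[str, set] = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["identity"] in INVENTORY:
            baseline[e["identity"]].add((e["ts"].hour, e["host"]))
    return baseline


def classify(event: dict, baseline: dict[str, set]) -> str:
    """Return 'normal', 'anomalous' or 'unbaselined'."""
    identity = event["identity"]
    if identity not in INVENTORY:
        return "unbaselined"   # no record, no owner, nothing to compare against
    seen = baseline.get(identity, set())
    hour, host = event["ts"].hour, event["host"]
    # Assumed toy rule: same host and within one hour of a previously seen login.
    if any(abs(h - hour) <= 1 and seen_host == host for h, seen_host in seen):
        return "normal"
    return "anomalous"


def inventory_gaps(events: list[dict]) -> list[str]:
    """Identities that authenticate but never entered the inventory: the
    coverage check to run before trusting the detection model at all."""
    return sorted({e["identity"] for e in events} - set(INVENTORY))


def run(log: str, cutoff: datetime) -> list[tuple]:
    """Score every event at or after cutoff; each result carries the owner the
    alert would be routed to, which is None for unowned or unknown identities."""
    events = parse(log)
    baseline = build_baseline(events, cutoff)
    return [(e["identity"], e["ts"].isoformat(), classify(e, baseline), INVENTORY.get(e["identity"]))
            for e in events if e["ts"] >= cutoff]


RESULTS = run(AUTH_LOG, CUTOFF)

if __name__ == "__main__":
    for row in RESULTS:
        print(row)
    print("identities seen in auth log but missing from inventory:", inventory_gaps(parse(AUTH_LOG)))
```

The 3 AM login by alice to db-02 is correctly anomalous because alice has a baseline and an owner to route the alert to. The 3 AM login by role/legacy-admin to the same host is the more dangerous event, and the only honest verdict the detector can give is that it has no baseline; a platform that silently treats unknown identities as low-risk background would report it as nothing at all. Running `inventory_gaps` over the authentication feed is the practical test from the "Key questions" section above: any identity that authenticates but is not in the inventory is a detection blind spot by construction.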

Why analytics cannot repair incomplete identity ground truth

The deeper issue is architectural. ISPM and ITDR were asked to solve governance problems with analytics, but analytics cannot invent missing identity records, ownership, or lifecycle state. If a service account was never catalogued, no posture engine can assess its risk and no detection platform can model its behaviour. The enterprise ends up with more sophisticated reporting over the same incomplete substrate. That is why identity governance has to precede posture and detection, not follow them.

Practical implication: move from dashboard-first security to inventory-first governance.


Threat narrative

Attacker objective: The attacker wants to exploit invisible identities and incomplete governance to gain durable access without triggering reliable detection.

  1. Entry occurs through identity sprawl, where orphaned accounts, shadow administrators, or uncatalogued service identities exist outside central visibility.
  2. Escalation follows when the attacker uses that unseen identity's standing rights or weakly monitored privileges to reach higher-value systems.
  3. Impact lands as lateral movement, persistence, or unauthorised access that posture and detection tools may miss because the identity never had a trustworthy baseline.
Related incidents:
  • Cisco DevHub NHI breach: IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach: customer environments at Ticketmaster, Santander and others were compromised through cloud credential abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

ISPM and ITDR failed as standalone categories because they were built on the assumption that enterprise identity data was already complete. That assumption held in environments where identity records could be exported, reconciled, and trusted at reporting time. It fails in fragmented estates because the real identity surface includes cloud roles, SaaS grants, automation credentials, and local privileges that never enter the same inventory. The implication is that identity security cannot be organised around outputs from incomplete data feeds.

Identity governance is the missing control plane, not another dashboard. Posture and detection can surface symptoms, but they do not create ownership, lifecycle authority, or a single source of truth. In practice, the issue is not that teams lacked alerts, but that no operating model could absorb findings across AD, cloud, SaaS, and service accounts quickly enough to change risk. Practitioners should read this as a governance failure, not a tooling shortfall.

Continuous identity inventory is the named concept this category collapse exposes. A continuously updated view of every identity, entitlement, and service principal was the condition ISPM and ITDR quietly depended on. Once that inventory is incomplete, posture becomes descriptive and detection becomes partial. The practitioner takeaway is that inventory accuracy is the prerequisite control, not an afterthought.

Fragmented ownership is what turns technically correct findings into operational inertia. The article shows that AD teams, PAM teams, IGA teams, cloud platform groups, and SaaS owners each hold pieces of the problem, but none hold the full remediation mandate. That means identity security maturity is limited less by visibility tools than by who is authorised to act on them. Practitioners should treat accountability design as part of the control surface.

The market is moving from identity analytics toward identity ground truth. As posture and detection categories mature, buyers will need to ask whether a product improves decision quality or merely reports on bad data faster. The strategic shift is toward platforms and operating models that unify identity state before layering governance. Practitioners should evaluate every identity security investment against that sequencing problem.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • Read Ultimate Guide to NHIs for the identity inventory and governance model that posture tools assume exists.

What this signals

When identity programmes cannot maintain a continuous view of every account, entitlement, and service principal, posture and threat detection become downstream analytics rather than control foundations. That is why identity ground truth, not dashboard count, is becoming the real maturity marker for IAM and NHI teams.

Continuous identity inventory: the next programme differentiator is not who has the best alerting stack, but who can keep identity state current across AD, cloud, SaaS, and automation. Without that baseline, recertification, PAM, and least-privilege decisions are all arguing over different versions of reality.

With 45% of organisations citing lack of credential rotation as the top cause of NHI-related attacks, according to The State of Non-Human Identity Security, visibility alone is not enough. Teams need lifecycle control and accountable ownership to turn discovery into risk reduction.


For practitioners

  • Build a continuously updated identity inventory: map every human account, service account, cloud role, SaaS grant, and automation credential into one governed inventory with named ownership and lifecycle state.
  • Tie each finding to an accountable remediation owner: define who can revoke, rotate, disable, or recertify access for each identity class before deploying posture or detection tooling.
  • Validate detection coverage against uncatalogued identities: test whether your monitoring, baselines, and alerts still work when the identity was created outside central IAM, such as in a cloud console or SaaS admin panel.
  • Use posture results as remediation inputs, not governance proof: treat ISPM-style findings as a prioritisation layer only after inventory quality, ownership, and lifecycle data have been validated.

Key takeaways

  • ISPM and ITDR were technically useful, but they failed to solve the governance problem underneath fragmented identity estates.
  • The limiting factor is incomplete identity ground truth, not a shortage of alerts or posture scores.
  • IAM teams should prioritise inventory accuracy, accountable ownership, and lifecycle state before relying on analytics-driven identity security.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Identity posture depends on credential state and rotation discipline across machine identities.
NIST CSF 2.0 | PR.AA-01 (identity and credential management; listed as PR.AC-1 in CSF 1.1) | Access governance fails when identity ownership and entitlement state are fragmented.
NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1), dynamic authentication and authorisation | Zero Trust requires continuous verification against a current identity baseline; the PR.AC-4 identifier sometimes cited here is a CSF 1.1 subcategory, not an SP 800-207 reference.

Validate every privileged identity against continuous verification and current state, not periodic snapshots.


Key terms

  • Identity Security Posture Management: A control approach that continuously inspects identity systems for misconfiguration, excess privilege, dormant access, and policy drift. Its value depends on complete inventory coverage, because posture findings are only as trustworthy as the identities, entitlements, and ownership data feeding them.
  • Identity Threat Detection and Response: A detection discipline that looks for abnormal authentication, privilege use, and access behaviour across identity systems. It works best when every privileged identity has a baseline and an owner, otherwise the platform can only detect anomalies in the subset of access it can already see.
  • Identity ground truth: The continuously current record of which identities exist, what they can access, who owns them, and what lifecycle state they are in. In practice, it is the reference layer that posture, detection, recertification, and least-privilege decisions all depend on, and it is often the part enterprises have not fully built.
  • Shadow administrator: An administrative identity that has effective privileged access but is not properly governed, owned, or visible in the central identity programme. Shadow administrators are dangerous because they can persist outside normal review cycles and create attack paths that monitoring and recertification processes never fully capture.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.

This post draws on content published by Hydden: the analysis of why ISPM and ITDR struggled to scale. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org