TL;DR: Continuous discovery is becoming the baseline for identity hygiene because local accounts, tokens, certificates, and app-specific repositories routinely evade traditional IAM and PAM coverage, according to Hydden. That means inventory accuracy, not just control depth, is now the limiting factor for least privilege and audit readiness.
NHIMG editorial — based on content published by Hydden: continuous identity discovery and identity hygiene in dynamic environments
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams implement continuous identity discovery across hybrid environments?
A: Start by inventorying every place identities can exist, including directories, local application stores, databases, infrastructure accounts, and secret stores.
Q: Why do unmanaged service accounts and local credentials create such a large governance gap?
A: Because they often sit outside the joiner-mover-leaver, review, and vaulting processes that govern human access.
Q: What breaks when identity discovery is only run on a schedule?
A: The environment changes between runs, so dormant accounts can become active, new repositories can appear, and permissions can drift before the next scan.
Practitioner guidance
- Map every identity repository before automating discovery Start with a manual list of all systems that can issue, store, or authenticate accounts and credentials, including local application repositories, endpoints, databases, directories, and cloud services.
- Connect discovery output to entitlement remediation Route discovered accounts, excessive permissions, and orphaned identities directly into access review, ticketing, and revocation workflows so findings are not trapped in reports.
- Treat secrets as part of identity inventory Include API keys, OAuth client credentials, refresh tokens, SSH keys, and certificates in the same governance process as user and service accounts.
What's in the full article
Hydden's full post covers the operational detail this post intentionally leaves for the source:
- How Hydden structures continuous discovery across directories, endpoints, databases, and local application repositories
- The specific analytics pipeline it describes for anomaly detection, risk scoring, and threat-intelligence correlation
- How the workflow model links discovery findings into ticketing, alerting, and PAM vaulting
- The article's practical guidance on integrating discovery with IGA and broader control environments
👉 Read Hydden's analysis of continuous identity discovery and IAM hygiene →
Continuous identity discovery: what IAM teams need to fix first?
Explore further
Continuous discovery is not a tooling preference, it is the only credible answer to identity sprawl. Local application stores, standalone credentials, and unmanaged service accounts all create identity states that traditional governance workflows do not naturally see. Once those identities exist outside the governed inventory, IGA and PAM become partial controls rather than universal ones. The practitioner conclusion is simple: identity hygiene begins with discovering what the programme has never been tracking.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- In the same research, 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who is accountable when discovery finds an over-privileged account that no one owns?
A: Accountability should sit with the system owner, the identity governance team, and the control owners for PAM and access review, because no single process fixes orphaned access on its own. If ownership cannot be established quickly, the account should be isolated, investigated, and moved into the remediation workflow before exposure expands.
👉 Read our full editorial: Continuous identity discovery is now the baseline for IAM hygiene