TL;DR: Gartner’s 2025 Cool Vendor recognition of Orchid Security reflects a broader shift toward identity-first security: continuous application discovery, flow analysis, and orchestration aimed at exposing blind spots in managed and unmanaged identity paths, as described by Orchid Security and Gartner. The real issue is not tooling novelty but whether IAM programmes can see and govern identity as it is coded and as it is used across modern estates.
NHIMG editorial — based on content published by Orchid Security: Gartner Cool Vendor recognition in identity-first security
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, raising the risk of unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should IAM teams govern application identities that are hidden in code and runtime flows?
A: Start by discovering where identities actually exist inside applications, not just where they are recorded in IAM.
Q: Why do hidden application identities create risk for identity-first security programmes?
A: Because governance cannot control what it cannot see.
Q: What do security teams get wrong about identity visibility in modern environments?
A: They often treat directory completeness as the same thing as identity visibility.
Practitioner guidance
- Inventory application-generated identity paths: map secrets, service accounts, token exchanges, and embedded trust relationships that live outside the directory.
- Reconcile declared access with observed flows: compare IAM records against real authentication and authorisation behaviour in production.
- Treat hidden identity discovery as a recurring control: make coverage checks part of your governance cadence, not a one-time inventory exercise.
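The three guidance points above describe one procedure: find identities where they actually live, compare what IAM declares with what production shows, and turn the comparison into a repeatable coverage check. The script below is an added example of that reconciliation written for this page; it is not Orchid Security's code and says nothing about how their platform works. The IAM inventory, the auth log format (`principal=… action=… result=allow`), the application config, and the secret-detection regexes are all constructed assumptions chosen to make the logic runnable offline.

```python
"""Reconcile declared application identities against observed flows.

Added example for this editorial (not Orchid Security's code). All inputs
below are constructed; the log line format and regexes are assumptions.
"""
import re

# Constructed IAM inventory export: principal -> granted permissions.
IAM_INVENTORY = {
    "svc-billing": {"db:read", "db:write", "queue:publish"},
    "svc-reports": {"db:read"},
    "svc-legacy-sync": {"db:read", "db:write", "admin:*"},
}

# Constructed production auth log (format is an assumption).
AUTH_LOG = """\
2025-01-10T08:00:01Z principal=svc-billing action=db:read result=allow
2025-01-10T08:00:02Z principal=svc-billing action=queue:publish result=allow
2025-01-10T08:00:03Z principal=svc-reports action=db:read result=allow
2025-01-10T08:00:04Z principal=ci-deployer action=db:write result=allow
2025-01-10T08:00:05Z principal=ci-deployer action=db:write result=allow
2025-01-10T08:00:06Z principal=svc-billing action=db:read result=allow
"""

# Constructed application config with credentials embedded outside IAM.
APP_CONFIG = """\
db_url = postgres://svc-billing:S3cretPass@db.internal:5432/billing
api_token = tok_0123456789abcdefghijklmnopqrstuvwxyz
reports_user = svc-reports
"""

LOG_RE = re.compile(r"principal=(?P<principal>\S+)\s+action=(?P<action>\S+)\s+result=allow")
# Credentials embedded in a URL: scheme://user:secret@host
URL_CRED_RE = re.compile(r"://(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@")
# Assignments whose key name suggests a secret (illustrative pattern only).
KEY_RE = re.compile(r"^\s*(?P<key>\w*(?:token|secret|password|key)\w*)\s*=\s*(?P<value>\S+)", re.I)


def parse_auth_log(text):
    """Return {principal: set(actions actually used)} from allow events."""
    observed = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            observed.setdefault(m["principal"], set()).add(m["action"])
    return observed


def find_embedded_secrets(text):
    """Flag credentials living in config/code rather than a secrets manager."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = URL_CRED_RE.search(line)
        if m:
            findings.append({"line": n, "kind": "url-credential", "principal": m["user"], "key": None})
            continue
        m = KEY_RE.match(line)
        if m:
            findings.append({"line": n, "kind": "assigned-secret", "principal": None, "key": m["key"]})
    return findings


def reconcile(inventory, observed):
    """Compare declared access (IAM) with observed behaviour (auth log).

    unmanaged: seen in production but absent from IAM (hidden identity)
    dormant:   declared in IAM but never seen (offboarding candidate)
    excess:    granted permissions never exercised (least-privilege gap)
    coverage:  share of observed principals that IAM actually knows about
    """
    declared, seen = set(inventory), set(observed)
    excess = {p: inventory[p] - observed.get(p, set()) for p in declared}
    return {
        "unmanaged": seen - declared,
        "dormant": declared - seen,
        "excess": {p: perms for p, perms in excess.items() if perms},
        "coverage": len(seen & declared) / len(seen) if seen else 1.0,
    }


if __name__ == "__main__":
    report = reconcile(IAM_INVENTORY, parse_auth_log(AUTH_LOG))
    for k, v in report.items():
        print(f"{k}: {v}")
    for f in find_embedded_secrets(APP_CONFIG):
        print("embedded secret:", f)
```

Run as a scheduled job, the `coverage` figure is the recurring control the third guidance point asks for: it should trend toward 1.0 as `unmanaged` principals are onboarded, and any drop flags a new identity path that appeared without passing through governance.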
What's in the full analysis
Orchid Security's full blog covers the operational detail this post intentionally leaves for the source:
- How the platform continuously discovers enterprise applications and traces their authentication and authorisation flows.
- How the orchestration layer compares application behaviour against regulatory requirements and cybersecurity frameworks.
- How hidden identity paths are prioritised for remediation inside existing IAM and governance processes.
- How onboarding is simplified for teams that need to bring unmanaged application identities under control.
👉 Read Orchid Security’s perspective on identity-first security and Gartner recognition →
Identity-first security for enterprise apps: are IAM teams ready?
Explore further
Identity-dark-matter discovery is now a governance requirement, not a nice-to-have. Enterprises increasingly carry identity paths that are not represented cleanly in IAM inventories, especially inside applications, configs, and runtime integrations. That hidden layer creates blind spots in onboarding, review, and enforcement, and the result is governance based on incomplete evidence. Practitioners should treat discovery coverage as a control objective, not an observability bonus.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: How can organisations tell whether identity-first security is actually working?
A: Look for evidence that discovery feeds governance actions. If hidden accounts, embedded secrets, and application trust paths are being found but not remediated through onboarding, review, or offboarding, the programme is producing insight without control.
👉 Read our full editorial: Identity-first security for enterprise apps: what Gartner’s view means