Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity visibility, observability and remediation: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Gartner says disconnected tools and isolated silos create an unmonitored IAM attack surface, and predicts that by 2028, 70% of CISOs will use an identity visibility and intelligence platform to reduce risks including credential compromise, ATOs, session compromise, and unauthorized access. The governance problem is no longer discovery alone, but whether visibility can drive timely remediation across human, machine, and emerging AI identities.

NHIMG editorial — based on content published by Zluri: Zluri named in the Gartner report on reducing IAM attack surface using visibility, observability, and remediation

By the numbers:

Questions worth separating out

Q: How should security teams reduce IAM attack surface in fragmented environments?

A: Security teams should start by unifying identity, application, and access data so they can see where privilege persists outside normal control paths.

Q: Why do disconnected identity tools increase access risk?

A: Disconnected tools create blind spots across ownership, entitlement, and usage data, which means stale or excessive access can remain active unnoticed.

Q: How do organisations know whether identity visibility is actually working?

A: A working identity visibility programme shortens the time between finding a risky identity and removing or correcting the access.

Practitioner guidance

  • Map identity data sources end to end Inventory every system that contributes to identity state, including directories, SaaS platforms, cloud IAM, PAM, and application-level access stores.
  • Prioritise identities with the highest unobserved blast radius Focus first on dormant, orphaned, and overprivileged accounts because these are the identities most likely to persist outside normal review cycles.
  • Connect observability to enforced remediation Do not stop at dashboards or alerting.

What's in the full analysis

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Gartner report excerpts on the data sources that make up the IAM attack surface
  • The report context behind visibility, observability, and remediation as a control sequence
  • Zluri's product mapping for unified identity visibility across connected and disconnected systems
  • The specific recommendations IAM leaders can use when comparing identity visibility approaches

👉 Read Zluri's summary of Gartner's IAM attack surface guidance →

Identity visibility, observability and remediation: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Identity visibility is now a control prerequisite, not a reporting feature. Gartner’s framing reinforces what IAM teams already see in practice: if identity data is fragmented, risk decisions are delayed or wrong. An unmonitored attack surface is what emerges when ownership, entitlement, and activity data cannot be reconciled fast enough. The implication is that identity governance must be judged by decision speed, not by inventory volume.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.

A question worth separating out:

Q: What is the difference between identity visibility and remediation?

A: Identity visibility identifies who and what is in scope, while remediation changes the actual access state. Both are needed, but they are not interchangeable. A programme that sees risk but cannot remove it still leaves the attack surface exposed, especially where access ownership is unclear or review cycles are slow.

👉 Read our full editorial: IAM attack surface visibility is now an operational requirement



   
ReplyQuote
Share: