TL;DR: Identity governance tools can only make accurate decisions when they see both access state and activity state, according to Hydden. Without raw activity data, dormant, active, and compromised accounts can look identical, which weakens PAM vaulting, IGA certification, and lifecycle decisions.
NHIMG editorial — based on content published by Hydden: Your Identity Tools Are Only as Good as the Data Behind Them
Questions worth separating out
Q: How should security teams use activity data in identity governance decisions?
A: Security teams should combine activity data with entitlement records before making PAM, IGA, or lifecycle decisions.
Q: Why do identity tools struggle when they only see access state?
A: Identity tools struggle because access state shows what an account is allowed to do, not what it is doing or whether its credentials are still trustworthy.
Q: What breaks when dormant accounts are reviewed without activity context?
A: Reviewers can approve or retain dormant accounts that appear harmless but have stale or exposed credentials.
Practitioner guidance
- Add activity telemetry to identity review inputs Require login history, last access, and credential status to appear alongside entitlement records in certification and PAM workflows so reviewers can see present behaviour, not just assigned access.
- Correlate breach exposure with dormant accounts Join identity records to exposure and breach datasets so dormant privileged accounts with compromised credentials are separated from dormant accounts that remain clean.
- Normalize activity data across source systems Collect activity directly from each application, then map it into a unified identity dataset so the same account can be evaluated consistently across IAM, PAM, and IGA tooling.
What's in the full article
Hydden's full article covers the operational detail this post intentionally leaves for the source:
- How its identity data layer collects activity directly from source systems in real time
- The enrichment and normalization approach used to correlate activity with entitlement records
- How Agent Studio turns the unified dataset into actions across existing PAM and IGA workflows
- Examples of decisions that change once dormant accounts and credential exposure are visible together
👉 Read Hydden's analysis of why identity tools need activity data →
Activity data gaps in IAM and PAM: what teams are missing?
Explore further
Identity security fails when tools are forced to decide from state alone. Snapshot data can show entitlements, group membership, and policy status, but it cannot show whether an identity is active, dormant, or compromised. That creates a structural blind spot in PAM and IGA because the same state can conceal very different risk conditions. The practical conclusion is that access governance is only as reliable as the evidence feeding it.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, which shows how quickly identity data becomes fragmented across systems.
A question worth separating out:
Q: How do teams know if their identity data layer is working?
A: A working identity data layer produces fewer ambiguous reviews, cleaner privileged access decisions, and better alignment between entitlement state and actual use. If PAM and IGA outputs change materially once activity telemetry is added, the data layer is doing useful governance work instead of just collecting logs.
👉 Read our full editorial: Identity tools fail when activity data is missing