Activity data gaps in IAM and PAM: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Identity governance tools can only make accurate decisions when they see both access state and activity state, according to Hydden. Without raw activity data, dormant, active, and compromised accounts can look identical, which weakens PAM vaulting, IGA certification, and lifecycle decisions.

NHIMG editorial — based on content published by Hydden: Your Identity Tools Are Only as Good as the Data Behind Them

Questions worth separating out

Q: How should security teams use activity data in identity governance decisions?

A: Security teams should combine activity data with entitlement records before making PAM, IGA, or lifecycle decisions.

Q: Why do identity tools struggle when they only see access state?

A: Identity tools struggle because access state shows what an account is allowed to do, not what it is doing or whether its credentials are still trustworthy.

Q: What breaks when dormant accounts are reviewed without activity context?

A: Reviewers can approve or retain dormant accounts that appear harmless but have stale or exposed credentials.

Practitioner guidance

  • Add activity telemetry to identity review inputs: Require login history, last access, and credential status to appear alongside entitlement records in certification and PAM workflows so reviewers can see present behaviour, not just assigned access.
  • Correlate breach exposure with dormant accounts: Join identity records to exposure and breach datasets so dormant privileged accounts with compromised credentials are separated from dormant accounts that remain clean.
  • Normalize activity data across source systems: Collect activity directly from each application, then map it into a unified identity dataset so the same account can be evaluated consistently across IAM, PAM, and IGA tooling.

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • How its identity data layer collects activity directly from source systems in real time
  • The enrichment and normalization approach used to correlate activity with entitlement records
  • How Agent Studio turns the unified dataset into actions across existing PAM and IGA workflows
  • Examples of decisions that change once dormant accounts and credential exposure are visible together

👉 Read Hydden's analysis of why identity tools need activity data →
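The three practitioner guidance points above, combined into one review pass. This is an added example, not code from Hydden or from the original post. The record shapes, source names, sample data, and the 90-day dormancy threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # assumed threshold, not taken from the article
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed review date

# Constructed sample data. Each source system reports activity in its own shape.
ENTITLEMENTS = [
    {"account": "svc-backup", "privileged": True},
    {"account": "svc-report", "privileged": True},
    {"account": "svc-legacy", "privileged": True},
    {"account": "jdoe", "privileged": False},
]
ACTIVITY = [
    {"source": "directory", "user": "JDOE", "ts": "2025-05-30T08:15:00Z"},
    {"source": "directory", "user": "svc-backup", "ts": "2024-11-02T01:00:00Z"},
    {"source": "db", "login": "svc-backup", "epoch": 1748563200},  # 2025-05-30 UTC
    {"source": "db", "login": "svc-report", "epoch": 1735689600},  # 2025-01-01 UTC
]
EXPOSED = {"svc-report", "jdoe"}  # accounts present in a breach/exposure dataset


def normalize(event):
    """Map a source-specific event to (lowercased account, UTC timestamp)."""
    if event["source"] == "directory":
        ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        return event["user"].lower(), ts
    if event["source"] == "db":
        return event["login"].lower(), datetime.fromtimestamp(event["epoch"], timezone.utc)
    raise ValueError(f"unknown source: {event['source']}")


def review_rows(entitlements, activity, exposed, now):
    """Join access state with activity state and exposure state per account."""
    last_seen = {}
    for account, ts in map(normalize, activity):
        last_seen[account] = max(ts, last_seen.get(account, ts))
    rows = {}
    for ent in entitlements:
        acct = ent["account"].lower()
        seen = last_seen.get(acct)  # None: no source system recorded any activity
        dormant = seen is None or now - seen > DORMANT_AFTER
        is_exposed = acct in exposed
        state = "active" if not dormant else ("dormant-exposed" if is_exposed else "dormant-clean")
        rows[acct] = {"privileged": ent["privileged"], "last_seen": seen,
                      "exposed": is_exposed, "state": state}
    return rows


if __name__ == "__main__":
    for acct, row in review_rows(ENTITLEMENTS, ACTIVITY, EXPOSED, NOW).items():
        print(acct, row["state"], "privileged" if row["privileged"] else "standard")
```

In the sample data, `svc-backup` looks dormant if only the directory source is consulted and is active once the database source is normalized in, while `svc-report` and `svc-legacy` hold the same entitlements and are both dormant but differ in exposure.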
