
Identity attack surface visibility: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9271
Topic starter  

TL;DR: Enterprises now have identity attack surfaces that extend far beyond what IAM, PAM and IGA tools can see, because shadow SaaS and AI tools are adopted outside IT control and can carry ungoverned access and data paths, according to Zluri. The central issue is not tool weakness but a visibility model built for a slower, centrally managed procurement era.

NHIMG editorial — based on content published by Zluri: All Your Identity Attack Surface Is Bigger Than Your IAM, PAM, IGA Tools Can See

By the numbers:

Questions worth separating out

Q: How should security teams reduce identity attack surface beyond SSO coverage?

A: Start by discovering all applications and access paths that exist outside the SSO catalogue, then map them to owners, data sensitivity, and offboarding status.

Q: Why do shadow SaaS and AI tools create a bigger identity risk than sanctioned apps?

A: Because they combine ungoverned identity creation with unreviewed permissions, and AI tools can also create persistent data access through OAuth grants.

Q: What breaks when identity reviews only cover managed applications?

A: Access reviews become incomplete the moment they ignore apps, accounts, or grants created outside IT workflows.

Practitioner guidance

  • Map identity scope beyond SSO coverage: Inventory SaaS, AI, and collaboration tools that employees can adopt without IT approval, then reconcile them against directory, IAM, and IGA records.
  • Treat OAuth grants as revocable access paths: Build a process to enumerate AI and SaaS OAuth connections, classify the data they can reach, and revoke dormant grants when the business need no longer exists.
  • Review entitlements inside applications, not just accounts: Focus access reviews on delegated permissions, admin roles, and stale entitlements within the application itself.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • How its discovery model identifies shadow SaaS and AI tools that never entered SSO or IGA scope
  • The mechanics of mapping unmanaged applications to user accounts, entitlements, and offboarding gaps
  • The layered identity security architecture described for closing visibility gaps across the full attack surface
  • The article's treatment of why visibility is the prerequisite for identity intelligence and remediation

👉 Read Zluri's analysis of the expanding identity attack surface →




   
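The three guidance points above (inventory beyond SSO, OAuth grants as revocable paths, entitlement review inside apps) share one mechanic: join whatever discovery produced against the directory and the SSO catalogue, then rank what falls outside governance. The following is an added example, not code from Zluri or NHIMG, showing that reconciliation over constructed data. The directory, catalogue, account list, grant inventory, the scope-to-data-class table and the 90-day dormancy threshold are all assumptions; real provider scope strings and policy thresholds will differ.

```python
"""Reconcile discovered SaaS/AI accounts and OAuth grants against the
directory and SSO catalogue, then rank the grants that need review.

Added example (not Zluri's or NHIMG's code). All data below is constructed
for illustration; the scope-to-data-class mapping and the 90-day dormancy
threshold are assumptions, not vendor or policy defaults."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed directory export: the IdP is the source of truth for who is still active.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "offboarded",   # left, but still holds an OAuth grant below
    "carol@example.com": "active",
}
# Constructed SSO catalogue: the only apps IAM/IGA actually see.
SSO_CATALOGUE = {"crm.example", "wiki.example"}

# Constructed discovery output (expense data, signup receipts, browser telemetry):
# (app, user) pairs, regardless of which source found them.
DISCOVERED_ACCOUNTS = [
    ("crm.example", "alice@example.com"),
    ("notes-ai.example", "alice@example.com"),
    ("notes-ai.example", "bob@example.com"),
    ("meeting-bot.example", "carol@example.com"),
    ("wiki.example", "dave@example.com"),   # owner unknown to the directory
]

# Assumed mapping of scope fragments to the data they reach. Placeholder:
# fill it from the identity provider's scope documentation.
SCOPE_CLASSES = {
    "mail": "mail", "drive": "files", "files": "files",
    "calendar": "calendar", "openid": "identity", "profile": "identity",
}
SENSITIVE = {"mail", "files"}

@dataclass
class Grant:
    app: str
    user: str
    scopes: list
    last_used: date

# Constructed OAuth grant inventory, e.g. from the IdP's consent/token audit.
OAUTH_GRANTS = [
    Grant("notes-ai.example", "alice@example.com",
          ["openid", "https://api.example/auth/drive.readonly"], date(2024, 5, 20)),
    Grant("notes-ai.example", "bob@example.com",
          ["openid", "https://api.example/auth/mail.readonly"], date(2024, 2, 1)),
    Grant("meeting-bot.example", "carol@example.com",
          ["openid", "calendar.read"], date(2024, 5, 30)),
    Grant("crm.example", "alice@example.com", ["openid", "profile"], date(2024, 5, 29)),
]

@dataclass
class Finding:
    grant: Grant
    reasons: list = field(default_factory=list)
    data_classes: set = field(default_factory=set)

    @property
    def score(self) -> int:
        # Each sensitive data class reached counts double; each governance gap adds one.
        return 2 * len(self.data_classes & SENSITIVE) + len(self.reasons)

def classify_scopes(scopes):
    """Map a grant's scopes to coarse data classes by substring match."""
    return {cls for scope in scopes
            for frag, cls in SCOPE_CLASSES.items() if frag in scope.lower()}

def shadow_apps(accounts=DISCOVERED_ACCOUNTS, catalogue=SSO_CATALOGUE):
    """Apps with real user accounts that never entered SSO scope."""
    return sorted({app for app, _ in accounts} - catalogue)

def orphaned_accounts(accounts=DISCOVERED_ACCOUNTS, directory=DIRECTORY):
    """Accounts whose owner is offboarded or not in the directory at all."""
    return sorted((app, user) for app, user in accounts
                  if directory.get(user) != "active")

def triage_grants(grants=OAUTH_GRANTS, as_of=date(2024, 6, 1), dormant_days=90,
                  directory=DIRECTORY, catalogue=SSO_CATALOGUE):
    """Rank grants by data reach plus governance gaps, highest score first.
    Grants that are in scope, owned by an active user and recently used are dropped."""
    findings = []
    for g in grants:
        f = Finding(g, data_classes=classify_scopes(g.scopes))
        if directory.get(g.user) != "active":
            f.reasons.append("owner not active in directory")
        if g.app not in catalogue:
            f.reasons.append("app outside SSO catalogue")
        if as_of - g.last_used > timedelta(days=dormant_days):
            f.reasons.append(f"dormant > {dormant_days}d")
        if f.reasons:
            findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)

if __name__ == "__main__":
    print("shadow apps:", shadow_apps())
    print("orphaned accounts:", orphaned_accounts())
    for f in triage_grants():
        print(f.score, f.grant.app, f.grant.user, sorted(f.data_classes), f.reasons)
```

With the constructed data, the offboarded user's mail-scoped grant on an unsanctioned AI tool ranks first (it is orphaned, outside SSO and dormant), the active user's file-scoped grant on the same tool ranks second, and the calendar-only grant ranks last; the grant on the SSO-managed CRM produces no finding at all, which is the point: a review that only walks the SSO catalogue sees nothing here.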
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8712
 

The identity attack surface is a discovery problem before it is a governance problem. IAM, PAM, and IGA all assume the organisation knows which identities and applications are in scope. That assumption fails when employees self-provision SaaS or connect AI tools outside IT oversight. The implication is that visibility must precede governance, because controls cannot manage what they never discover.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to NHI Mgmt Group research.

A question worth separating out:

Q: How do organisations govern the identity attack surface as a programme, not a one-off project?

A: Assign ownership for discovery, entitlement review, and offboarding across sanctioned and unsanctioned applications, then measure coverage continuously. The goal is to manage the full identity footprint, including shadow SaaS, shadow AI, and orphaned access, rather than treating each discovery as an isolated cleanup exercise.

👉 Read our full editorial: Identity attack surface visibility is outpacing IAM, PAM and IGA



   