TL;DR: Average confidence in knowing every self-hosted or disconnected app was 2.2 out of 5, while nearly 80% of participants said they do not know what they do not know, underscoring how unmanaged apps, orphaned tokens, and drifting service accounts are outrunning visibility, according to Orchid Security. The real issue is not more automation, but governance that can see and contextualise identity behaviour before drift becomes systemic.
NHIMG editorial — based on content published by Orchid Security: a Customer Advisory Board discussion of identity dark matter, visibility gaps, and drift
By the numbers:
- The average confidence score in knowing every self-hosted or disconnected app was just 2.2 out of 5.
- Nearly 80% admitted they don't know what they don't know.
- 62% said they would most want to detect identity drift and misconfigurations.
Questions worth separating out
Q: What should IAM teams do about identity dark matter in hybrid environments?
A: They should start by discovering identities that sit outside normal IAM visibility, including self-hosted apps, disconnected workloads, service accounts, and orphaned tokens.
Q: Why does unmanaged identity sprawl increase risk even when access reviews exist?
A: Access reviews only work for identities that are already visible, current, and mapped to an accountable owner.
Q: How can security teams decide which identities to onboard first?
A: Prioritise identities with active authentication paths, external exposure, and unclear ownership.
Practitioner guidance
- Map the hidden identity estate Inventory self-hosted apps, disconnected systems, service accounts, and tokens that are not represented in your core IAM records.
- Base onboarding on live authentication evidence Require application-layer telemetry before approving onboarding or policy assignment.
- Reframe privilege around blast radius Score identities by reachable systems, data exposure, and persistence rather than by role names alone.
What's in the full article
Orchid Security's full post covers the operational detail this post intentionally leaves for the source:
- Live CAB poll findings on identity confidence, visibility, and friction across hybrid environments
- Orchid Security's App DNA method for mapping authentication and authorisation paths at the application layer
- Specific examples of how identity drift appears between audits and how the vendor correlates telemetry to surface it
- The discussion notes and participant framing behind contextual privilege scoring and onboarding priorities
👉 Read Orchid Security's CAB discussion on identity dark matter and visibility gaps →
Identity dark matter: what IAM teams are missing right now?
Explore further
Identity dark matter is a governance failure, not a visibility bug: the programme assumption that all meaningful identities pass through central IAM is breaking down. Self-hosted apps, disconnected workloads, and orphaned tokens operate outside the review path, so the control model only governs what was already known. The implication is that identity architecture must be judged by how much of the estate remains governable, not by how polished the visible half looks.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: What is the difference between identity drift and normal change?
A: Normal change is intentional and recorded. Identity drift is the unplanned divergence between intended access and actual behaviour, such as a token persisting too long or a service account gaining reach outside its original use case. Drift matters because it turns small inconsistencies into lasting governance gaps.
👉 Read our full editorial: Identity dark matter is outpacing visibility in enterprise programs