TL;DR: Discovery tools built into many PAM and IGA programmes still miss additions, removals, and permission changes between scans, leaving identity blind spots across cloud, on-premises, and hybrid estates, according to Hydden. Real-time identity visibility now sits at the centre of governance, because unmanaged accounts and stale privileges erode both control and compliance.
NHIMG editorial — based on content published by Hydden: Identity discovery in PAM and IGA
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, raising the risk of unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams implement continuous identity discovery across hybrid environments?
A: Start by combining API-based inventory, log parsing, and event-driven collection so identity state changes are captured as they happen rather than at review time.
Q: Why do periodic access reviews miss real identity risk in modern estates?
A: Because the underlying identity data is often stale by the time the review happens: accounts created, removed, or granted new permissions between scans never appear on the list being recertified, so the review signs off a state that no longer exists.
Q: What do security teams get wrong about shadow accounts and unmanaged identities?
A: They often treat them as isolated exceptions when they are usually evidence of a broader visibility problem.
Practitioner guidance
- Build continuous identity discovery coverage: Map every system that can create or hold identities, including cloud services, on-premises platforms, identity providers, and applications.
- Prioritise privileged accounts with the highest exposure: Use discovery data to rank accounts by privilege level, system criticality, and change frequency before feeding them into PAM and review workflows.
- Tie discovery to access review decisions: Do not let recertification rely on stale account lists.
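The following is an added example, not code from Hydden or from the original post. It illustrates both the continuous-discovery answer above (combining scan inventory with event-driven collection) and the ranking guidance: two constructed discovery scans are compared the way a periodic review would compare them, then a constructed audit-event stream from the interval between the scans is replayed over the first scan. An identity that was created, granted administrator rights and deleted between the two scans is invisible to the scan diff but visible in the replay; the replayed end state is also checked against the second scan as a completeness test. The event field names, privilege weights, system criticality values, and the identity-to-system map are all assumptions chosen for this example.

```python
"""Continuous identity discovery versus scan-to-scan comparison (added example).

Replays a constructed audit-event stream between two discovery scans,
reports the identity changes a snapshot diff alone cannot see, and ranks
the discovered accounts by privilege, system criticality and churn.
"""
import json
from collections import Counter

# Constructed discovery scans: identity -> set of privileges held at scan time.
SCAN_T0 = {"alice": {"ReadOnly"}, "svc-backup": {"BackupOperator"}}
SCAN_T1 = {"alice": {"ReadOnly"}, "svc-backup": {"BackupOperator", "AdministratorAccess"}}

# Assumed identity -> hosting system map and scoring weights for this example.
SYSTEM_OF = {"alice": "dev-cloud", "svc-backup": "prod-cloud", "bob": "prod-cloud"}
SYSTEM_CRITICALITY = {"prod-cloud": 3, "dev-cloud": 1}
PRIVILEGE_WEIGHT = {"AdministratorAccess": 10, "BackupOperator": 4, "ReadOnly": 1}

# Constructed, simplified audit events emitted between the two scans.
# The field names are an assumption for this example, not any vendor's schema.
EVENT_LOG = "\n".join([
    '{"time": "2024-05-01T10:00:00Z", "action": "CreateIdentity", "identity": "bob"}',
    '{"time": "2024-05-01T10:01:00Z", "action": "GrantPrivilege", "identity": "bob", "privilege": "AdministratorAccess"}',
    '{"time": "2024-05-01T11:30:00Z", "action": "GrantPrivilege", "identity": "svc-backup", "privilege": "AdministratorAccess"}',
    '{"time": "2024-05-01T12:00:00Z", "action": "DeleteIdentity", "identity": "bob"}',
])


def parse_events(log_text):
    """Parse newline-delimited JSON events and order them by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["time"])


def snapshot_diff(t0, t1):
    """What a scan-to-scan comparison can see: additions, removals and permission changes."""
    added = sorted(set(t1) - set(t0))
    removed = sorted(set(t0) - set(t1))
    changed = {i: sorted(t1[i] ^ t0[i]) for i in set(t0) & set(t1) if t0[i] != t1[i]}
    return {"added": added, "removed": removed, "changed": changed}


def replay_events(t0, events):
    """Fold events into the T0 state; also record every identity and grant seen, even transient ones."""
    state = {i: set(p) for i, p in t0.items()}
    seen_identities = set(state)
    grants = []                      # (identity, privilege) for every grant observed
    change_count = Counter()         # events per identity, used as change frequency
    for e in events:
        ident = e["identity"]
        change_count[ident] += 1
        if e["action"] == "CreateIdentity":
            state.setdefault(ident, set())
            seen_identities.add(ident)
        elif e["action"] == "GrantPrivilege":
            state.setdefault(ident, set()).add(e["privilege"])
            grants.append((ident, e["privilege"]))
        elif e["action"] == "RevokePrivilege":
            state.get(ident, set()).discard(e["privilege"])
        elif e["action"] == "DeleteIdentity":
            state.pop(ident, None)
    return state, seen_identities, grants, change_count


def missed_by_scans(t0, t1, events):
    """Identities and grants visible in the event replay but invisible to the scan diff."""
    diff = snapshot_diff(t0, t1)
    _, seen, grants, _ = replay_events(t0, events)
    ephemeral = sorted(seen - set(t0) - set(t1))   # created and deleted between scans
    scan_visible = set(diff["added"]) | set(diff["changed"])
    unseen_grants = [g for g in grants if g[0] not in scan_visible]
    return {"ephemeral_identities": ephemeral, "grants_missed": unseen_grants}


def rank_accounts(state, change_count):
    """Rank live identities: max privilege weight * hosting-system criticality + change frequency."""
    scored = []
    for ident, privs in state.items():
        priv = max((PRIVILEGE_WEIGHT.get(p, 0) for p in privs), default=0)
        crit = SYSTEM_CRITICALITY.get(SYSTEM_OF.get(ident), 1)
        scored.append((ident, priv * crit + change_count.get(ident, 0)))
    return sorted(scored, key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    events = parse_events(EVENT_LOG)
    state, _, _, counts = replay_events(SCAN_T0, events)
    print("scan diff sees:   ", snapshot_diff(SCAN_T0, SCAN_T1))
    print("scan diff misses: ", missed_by_scans(SCAN_T0, SCAN_T1, events))
    print("replay matches T1:", state == SCAN_T1)
    print("ranked accounts:  ", rank_accounts(state, counts))
```

The scan diff reports only the new AdministratorAccess grant on svc-backup; the replay additionally surfaces bob, a privileged identity that existed for two hours and never appeared in any scan. Checking that the replayed end state equals the second scan is the practical control: when it does not match, either events are being dropped or a system is creating identities outside the monitored feed, which is exactly the coverage gap the guidance above asks teams to map.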
What's in the full article
Hydden's full blog post covers the operational detail this post intentionally leaves for the source:
- How its discovery pipeline queries APIs, parses logs, and ingests events across identity systems
- The specific PAM and IGA use cases that benefit from discovered identity data in day-to-day operations
- How organisations can use identity visibility to identify privileged accounts, shadow accounts, and risky misconfigurations
- The product demo path for teams that want to see the discovery workflow in practice
👉 Read Hydden's analysis of why identity discovery is now central to PAM and IGA →
Identity discovery and visibility: the governance gap teams miss?