TL;DR: Discovery tools built into many PAM and IGA programmes still miss additions, removals, and permission changes between scans, leaving identity blind spots across cloud, on-premises, and hybrid estates, according to Hydden. Real-time identity visibility now sits at the centre of governance, because unmanaged accounts and stale privileges erode both control and compliance.
NHIMG editorial — based on content published by Hydden: Identity discovery in PAM and IGA
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams implement continuous identity discovery across hybrid environments?
A: Start by combining API-based inventory, log parsing, and event-driven collection so identity state changes are captured as they happen rather than at review time.
Q: Why do periodic access reviews miss real identity risk in modern estates?
A: Because the underlying identity data is often stale by the time the review happens.
Q: What do security teams get wrong about shadow accounts and unmanaged identities?
A: They often treat them as isolated exceptions when they are usually evidence of a broader visibility problem.
Practitioner guidance
- Build continuous identity discovery coverage Map every system that can create or hold identities, including cloud services, on-premises platforms, identity providers, and applications.
- Prioritise privileged accounts with the highest exposure Use discovery data to rank accounts by privilege level, system criticality, and change frequency before feeding them into PAM and review workflows.
- Tie discovery to access review decisions Do not let recertification rely on stale account lists.
What's in the full article
Hydden's full blog post covers the operational detail this post intentionally leaves for the source:
- How its discovery pipeline queries APIs, parses logs, and ingests events across identity systems
- The specific PAM and IGA use cases that benefit from discovered identity data in day-to-day operations
- How organisations can use identity visibility to identify privileged accounts, shadow accounts, and risky misconfigurations
- The product demo path for teams that want to see the discovery workflow in practice
👉 Read Hydden's analysis of why identity discovery is now central to PAM and IGA →
Identity discovery and visibility: the governance gap teams miss?
Explore further
Identity discovery has become the prerequisite control for modern governance. PAM and IGA cannot govern what they cannot see, and discovery gaps create stale evidence across the full identity estate. The field should treat visibility freshness as a control dependency, not a convenience metric. Practitioners should judge governance quality by how quickly unseen identities become visible and actionable.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why stale identity state persists after discovery finds it.
A question worth separating out:
Q: Who is accountable when discovery gaps lead to privileged access exposure?
A: Accountability should sit with the team that owns identity governance and control coverage, not with the scan tool itself. If discovery cannot see an account in time, the organisation still owns the risk, because the governance model failed to establish current-state visibility for access decisions.
👉 Read our full editorial: Identity discovery is the missing layer in PAM and IGA control