TL;DR: Most identity programs govern what should happen, but very few can prove what actually happened inside applications, according to Orchid Security’s recap of its Identiverse session. The execution gap now matters more than certification cadence, because access reviews document intent while real risk lives in live identity behavior.
NHIMG editorial — based on content published by Orchid Security: Identity observability gap is widening beyond access reviews
Questions worth separating out
Q: How should security teams prove what identities are actually doing inside applications?
A: They should combine identity governance records with application-layer telemetry, then validate live actions against policy instead of relying on certification alone.
Q: Why do access reviews often fail to reflect real identity risk?
A: Access reviews document intended access, but they rarely capture whether an identity actually executed privileged actions, reused a token, or bypassed controls inside the application.
Q: What do security teams get wrong about non-human identity governance?
A: They often treat inventory, policy, and certification as if they cover the whole identity surface.
Practitioner guidance
- Correlate governance data with application telemetry Compare access review results, MFA state, and entitlement records with live application activity so you can see whether identity behavior matches policy in practice.
- Inventory execution-capable non-human identities separately Build a dedicated inventory for service accounts, tokens, local accounts, and application users so hidden identities do not disappear inside the human IAM workflow.
- Require action-level chain of custody Track who acted, what tool was used, what action occurred, and which target was touched for every high-risk workflow involving human users, service accounts, or agents.
What's in the full article
Orchid Security's full blog post covers the session framing and examples this analysis intentionally leaves out, including the live poll reactions and the rhetorical setup around identity observability.
- The exact Slido prompts and audience responses that illustrate how identity teams think about accountability and runtime visibility.
- Tal Herman's full framing of Identity Dark Matter and the role it plays in machine identity sprawl.
- The detailed observe, understand, govern model with the author’s explanation of how execution-layer telemetry changes identity operations.
- The session recap and slide context for practitioners who want the presentation narrative, not just the editorial interpretation.
👉 Read Orchid Security's recap of identity observability and execution risk →
Identity observability gap: are IAM controls proving execution or intent?
Explore further
Identity observability is now the missing control plane between IAM intent and application reality. IAM is still essential, but it proves what should be true, not what is actually happening at runtime. That distinction becomes decisive when identities can execute inside applications outside the cadence of access reviews. Practitioners should treat observability as the evidence layer that validates governance.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
A: They should define a chain of custody that links each action to an owner, a tool, and a target. Without that, accountability becomes ambiguous once multiple actor types can trigger the same application outcome, and no one can prove which identity actually performed the action.
👉 Read our full editorial: Identity observability gap is widening beyond access reviews