Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity posture and threat detection: where do they fail in practice?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: ISPM and ITDR solved real enterprise identity problems, but they struggled because most large organisations lacked complete, reliable identity inventories across AD, cloud, SaaS, and service accounts, according to Hydden. The core lesson is that posture and detection cannot fix fragmented ground truth, because incomplete identity data turns better analytics into better wrong answers.

NHIMG editorial — based on content published by Hydden: the analysis of why ISPM and ITDR struggled to scale

Questions worth separating out

Q: What breaks when identity posture tools rely on incomplete inventories?

A: They surface real misconfigurations, but they cannot prove risk across identities they never see.

Q: Why do fragmented identity systems make ITDR less effective?

A: ITDR depends on knowing which identity authenticated, what privilege it held, and whether the behaviour is abnormal.

Q: How can security teams know whether identity security data is trustworthy?

A: They should test whether every privileged identity is catalogued, owned, and tied to a lifecycle state that is updated continuously.

Practitioner guidance

  • Build a continuously updated identity inventory Map every human account, service account, cloud role, SaaS grant, and automation credential into one governed inventory with named ownership and lifecycle state.
  • Tie each finding to an accountable remediation owner Define who can revoke, rotate, disable, or recertify access for each identity class before deploying posture or detection tooling.
  • Validate detection coverage against uncatalogued identities Test whether your monitoring, baselines, and alerts still work when the identity was created outside central IAM, such as in a cloud console or SaaS admin panel.

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • The article's longer breakdown of how ISPM and ITDR were positioned against fragmented enterprise identity estates.
  • The discussion of ownership friction across AD, PAM, IGA, cloud platform teams, and SaaS administrators.
  • The denominator problem analysis showing why incomplete identity inventories distort posture and detection outcomes.
  • The consulting and remediation backlog dynamics that determine whether these categories change operations or only reporting.

👉 Read Hydden's analysis of why ISPM and ITDR struggled in fragmented identity environments →

Identity posture and threat detection: where do they fail in practice?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

ISPM and ITDR failed as standalone categories because they were built on the assumption that enterprise identity data was already complete. That assumption was designed for environments where identity records could be exported, reconciled, and trusted at reporting time. It fails in fragmented estates because the real identity surface includes cloud roles, SaaS grants, automation credentials, and local privileges that never enter the same inventory. The implication is that identity security cannot be organised around outputs from incomplete data feeds.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who should own remediation when posture findings cross AD, cloud, and SaaS?

A: Each identity class needs an accountable owner who can actually change the access state, but governance should sit above the platform teams. If no group is authorised to coordinate revocation, rotation, and recertification across systems, the findings will stall in review meetings and never reduce exposure.

👉 Read our full editorial: ISPM and ITDR exposed the limits of fragmented identity governance



   
ReplyQuote
Share: