TL;DR: ISPM and ITDR addressed real enterprise identity problems, but according to Hydden they struggled to scale because most large organisations lacked a complete, reliable identity inventory across AD, cloud, SaaS, and service accounts. The core lesson is that posture scoring and detection cannot fix fragmented ground truth: incomplete identity data turns better analytics into better wrong answers.
NHIMG editorial, based on content published by Hydden: an analysis of why ISPM and ITDR struggled to scale
Questions worth separating out
Q: What breaks when identity posture tools rely on incomplete inventories?
A: They still surface real misconfigurations in the identities they ingest, but they cannot score or prove risk for identities they never see. A posture percentage is only as good as its denominator, and an identity created in a cloud console or SaaS admin panel that never reached central IAM is simply absent from it.
Q: Why do fragmented identity systems make ITDR less effective?
A: ITDR depends on knowing which identity authenticated, what privilege it held, and whether the behaviour is abnormal. When the same person or workload exists separately in AD, a cloud account, and a SaaS tenant with no reliable link between them, that context is missing or contradictory, so baselines are built on the wrong population and alerts either fire on normal activity or miss an attacker using an identity nobody catalogued.
Q: How can security teams know whether identity security data is trustworthy?
A: They should test whether every privileged identity is catalogued, owned, and tied to a lifecycle state that is updated continuously, and then reconcile that inventory against what actually authenticates: an identity that shows up in authentication logs but not in the inventory, or that is marked disabled yet still signs in, is direct evidence the data is not trustworthy.
Practitioner guidance
- Build a continuously updated identity inventory: map every human account, service account, cloud role, SaaS grant, and automation credential into one governed inventory with named ownership and lifecycle state.
- Tie each finding to an accountable remediation owner: define who can revoke, rotate, disable, or recertify access for each identity class before deploying posture or detection tooling.
- Validate detection coverage against uncatalogued identities: test whether your monitoring, baselines, and alerts still work when the identity was created outside central IAM, such as in a cloud console or SaaS admin panel.
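The three steps above amount to one reconciliation loop: normalise principals from each source into a canonical id, join them against the inventory, and report what the inventory does not explain. The script below is an added example written for this post, not code from Hydden or NHIMG. The inventory records, the authentication log lines and the field names (`source`, `principal`, `privileged`) are all constructed for illustration and do not follow any vendor schema; the canonicalisation rules for AD, AWS ARNs and SaaS e-mail addresses are the author's assumptions. It also shows the denominator effect directly: the same "privileged identities with an owner" metric computed over the inventory alone versus over every identity that actually performed a privileged action.

```python
"""Reconcile an identity inventory against authentication events (added example).

All inventory records and log lines below are constructed; field names are
assumptions, not a vendor schema.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Constructed inventory. Canonical ids are "<source>:<principal>" so the same
# person in AD and a SaaS tenant stays distinct until explicitly linked.
INVENTORY = [
    {"id": "ad:svc-backup", "kind": "service", "privileged": True,
     "owner": "platform-team", "lifecycle": "active", "last_reviewed": "2024-05-10"},
    {"id": "ad:jdoe", "kind": "human", "privileged": False,
     "owner": "jdoe", "lifecycle": "active", "last_reviewed": "2024-05-20"},
    {"id": "aws:role/TerraformApply", "kind": "cloud-role", "privileged": True,
     "owner": None, "lifecycle": "active", "last_reviewed": "2023-11-01"},
    {"id": "saas:admin@example.com", "kind": "saas-admin", "privileged": True,
     "owner": "it-ops", "lifecycle": "disabled", "last_reviewed": "2024-04-01"},
    {"id": "ad:svc-legacy", "kind": "service", "privileged": True,
     "owner": "app-team", "lifecycle": "active", "last_reviewed": "2024-06-01"},
]

# Constructed authentication events, one JSON object per line (SIEM-export style).
AUTH_LOG = r"""
{"ts": "2024-06-10T08:00:00Z", "source": "ad", "principal": "CORP\\svc-backup", "privileged": true}
{"ts": "2024-06-10T08:05:00Z", "source": "ad", "principal": "CORP\\jdoe", "privileged": false}
{"ts": "2024-06-10T09:00:00Z", "source": "aws", "principal": "arn:aws:sts::123456789012:assumed-role/TerraformApply/session1", "privileged": true}
{"ts": "2024-06-10T09:30:00Z", "source": "aws", "principal": "arn:aws:iam::123456789012:user/ci-deploy", "privileged": true}
{"ts": "2024-06-10T10:00:00Z", "source": "saas", "principal": "Admin@Example.com", "privileged": true}
{"ts": "2024-06-10T10:15:00Z", "source": "saas", "principal": "contractor42@example.com", "privileged": false}
{"ts": "2024-06-11T02:00:00Z", "source": "aws", "principal": "arn:aws:iam::123456789012:user/ci-deploy", "privileged": true}
"""


def canonical_id(source: str, principal: str) -> str:
    """Map a raw principal from one source onto the inventory's canonical id (assumed rules)."""
    if source == "ad":
        # "CORP\svc-backup" -> "svc-backup"; sAMAccountNames are case-insensitive.
        return "ad:" + principal.split("\\")[-1].lower()
    if source == "aws":
        # arn:partition:service:region:account:resource. Keep the role/user name and
        # fold STS assumed-role session ARNs onto the underlying role.
        resource = principal.split(":", 5)[5]
        kind, name = resource.split("/")[:2]
        return f"aws:{'role' if kind == 'assumed-role' else kind}/{name}"
    if source == "saas":
        return "saas:" + principal.lower()
    raise ValueError(f"unknown identity source: {source}")


def parse_events(log_text: str) -> list:
    """Parse JSON lines and attach the canonical id to each event."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["id"] = canonical_id(rec["source"], rec["principal"])
        events.append(rec)
    return events


def reconcile(inventory: list, events: list, now: datetime, review_max_age_days: int = 90) -> dict:
    """Report every way the inventory fails to explain what actually authenticated."""
    by_id = {r["id"]: r for r in inventory}
    seen = Counter(e["id"] for e in events)
    privileged_seen = {e["id"] for e in events if e.get("privileged")}
    cutoff = now - timedelta(days=review_max_age_days)
    uncatalogued = {i: n for i, n in seen.items() if i not in by_id}
    return {
        "uncatalogued": uncatalogued,
        "uncatalogued_privileged": sorted(i for i in uncatalogued if i in privileged_seen),
        "unowned_privileged": sorted(r["id"] for r in inventory if r["privileged"] and not r["owner"]),
        "stale_review": sorted(r["id"] for r in inventory
                               if datetime.fromisoformat(r["last_reviewed"]).replace(tzinfo=timezone.utc) < cutoff),
        "disabled_but_active": sorted(r["id"] for r in inventory if r["lifecycle"] == "disabled" and r["id"] in seen),
        "privileged_unseen": sorted(r["id"] for r in inventory if r["privileged"] and r["id"] not in seen),
        # share of authenticating identities the inventory knows about at all
        "catalogued_share": sum(1 for i in seen if i in by_id) / len(seen) if seen else 1.0,
    }


def owned_privileged_ratio(inventory: list, events=None) -> float:
    """Share of privileged identities with an accountable owner.

    With events=None the denominator is the inventory alone, which is what a posture
    tool fed only by the inventory reports. With events, every identity that performed
    a privileged action joins the denominator; uncatalogued ones have no owner.
    """
    by_id = {r["id"]: r for r in inventory}
    privileged = {r["id"] for r in inventory if r["privileged"]}
    if events is not None:
        privileged |= {e["id"] for e in events if e.get("privileged")}
    owned = sum(1 for i in privileged if i in by_id and by_id[i]["owner"])
    return owned / len(privileged) if privileged else 1.0


def run_report(now: datetime = datetime(2024, 6, 12, tzinfo=timezone.utc)) -> dict:
    """Run the reconciliation over the constructed data at a constructed 'now'."""
    return reconcile(INVENTORY, parse_events(AUTH_LOG), now)


if __name__ == "__main__":
    print(json.dumps(run_report(), indent=2))
    print("owned privileged ratio, inventory only:", owned_privileged_ratio(INVENTORY))
    print("owned privileged ratio, observed ids  :", owned_privileged_ratio(INVENTORY, parse_events(AUTH_LOG)))
```

On the constructed data the inventory-only ratio is 0.75, while counting the uncatalogued `ci-deploy` user that performed privileged actions drops it to 0.6; the report also flags the disabled SaaS admin that is still signing in and the privileged `svc-legacy` service account with no activity at all. The second number is the one remediation owners should be held to, and the `disabled_but_active` and `uncatalogued_privileged` lists are the inputs a detection team should use to check whether its baselines cover identities created outside central IAM.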
What's in the full article
Hydden's full article covers the operational detail this post intentionally leaves for the source:
- The article's longer breakdown of how ISPM and ITDR were positioned against fragmented enterprise identity estates.
- The discussion of ownership friction across AD, PAM, IGA, cloud platform teams, and SaaS administrators.
- The denominator problem analysis showing why incomplete identity inventories distort posture and detection outcomes.
- The consulting and remediation backlog dynamics that determine whether these categories change operations or only reporting.
👉 Read Hydden's analysis of why ISPM and ITDR struggled in fragmented identity environments →