TL;DR: Identity security vendors collectively address governance, privilege, detection, and authentication, but their coverage is only as complete as the applications already discovered and integrated, according to Zluri. Mid-market environments are especially exposed because shadow IT and unmanaged SaaS sit outside the control plane, making visibility the real prerequisite.
NHIMG editorial — based on content published by Zluri: All The Identity Security Industry Has Built a $25 Billion Market on a Faulty Assumption
By the numbers:
- The actual application landscape is typically 30 to 50 percent larger than the IT-maintained list, and growing.
- The directory shows 80 integrated applications.
- 180 applications are in active use.
Questions worth separating out
Q: How should security teams evaluate identity security coverage in a fragmented environment?
A: They should compare the platform’s connected scope with the actual application and identity estate, including SaaS, admin accounts, service accounts, and API integrations.
Q: Why do identity governance tools fail when discovery is incomplete?
A: They fail because governance tools only work on systems they can see and integrate.
Q: What breaks when SaaS admin accounts and service accounts sit outside IAM scope?
A: What breaks is the assumption that central identity controls cover the whole environment.
Practitioner guidance
- Measure identity coverage before control coverage: Compare the IT-maintained application inventory with actual SaaS usage, admin accounts, service accounts, and API integrations.
- Build continuous discovery into the identity programme: Use discovery processes that update as new applications, shadow tools, and machine identities appear, rather than relying on quarterly reviews.
- Re-scope IGA and PAM against the real estate: Identify which applications, privileged accounts, and non-human identities are outside current integrations, then prioritise bringing those systems into the governance boundary.
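One way to turn the first and third points into a repeatable measurement, as an added example that is not from Zluri's article or any vendor tool: it compares an integrated-application list with discovered usage and ranks the out-of-scope applications for onboarding. The application names, identities, identity-type labels and weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the source article).
INTEGRATED = {"okta-sso", "salesforce", "github"}  # apps wired into IGA/PAM
# (app, identity, identity_type) rows as a discovery source might report
# them, e.g. OAuth grants or expense records. All values are hypothetical.
OBSERVED = [
    ("salesforce", "alice@example.com", "user"),
    ("github", "ci-deploy-bot", "service_account"),
    ("notion", "bob@example.com", "user"),
    ("notion", "notion-admin@example.com", "admin"),
    ("airtable", "sync-token-01", "api_integration"),
    ("airtable", "carol@example.com", "user"),
    ("GitHub ", "alice@example.com", "admin"),  # same app, messy spelling
]
# Assumed weighting: privileged and non-human identities rank first.
WEIGHT = {"admin": 3, "service_account": 3, "api_integration": 2, "user": 1}


def normalise(app):
    """Fold case and whitespace so one app is not counted twice."""
    return app.strip().lower()


def coverage_report(integrated, observed):
    integrated = {normalise(a) for a in integrated}
    apps = {normalise(a) for a, _, _ in observed}
    by_type = defaultdict(lambda: [0, 0])  # type -> [in scope, total]
    risk = defaultdict(int)                # out-of-scope app -> weighted score
    for app, _identity, kind in observed:
        app = normalise(app)
        by_type[kind][1] += 1
        if app in integrated:
            by_type[kind][0] += 1
        else:
            risk[app] += WEIGHT.get(kind, 1)
    return {
        # Share of the observed application estate inside the boundary.
        "app_coverage": len(apps & integrated) / max(len(apps), 1),
        # Same ratio per identity type, so a gap in admins or service
        # accounts is not hidden by good coverage of ordinary users.
        "identity_coverage": {k: v[0] / v[1] for k, v in by_type.items()},
        "onboarding_priority": sorted(risk, key=lambda a: (-risk[a], a)),
        "integrated_not_observed": sorted(integrated - apps),
    }


if __name__ == "__main__":
    for key, value in coverage_report(INTEGRATED, OBSERVED).items():
        print(f"{key}: {value}")
```

Re-running the same report on each discovery refresh, rather than quarterly, gives the trend the second point asks for.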
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The five-category breakdown of identity security tooling and how each category depends on upstream discovery
- The mid-market deployment pattern showing why integrated scope is often smaller than the real application estate
- The architecture behind Zluri's IVIP, Unified Data Fabric, and IRIS layers
- The full FAQ section on coverage gaps, SSO limits, and visibility-first identity security
Identity security’s discovery gap: what IAM teams are missing?
Explore further
Identity security has a prerequisite problem, not just a tooling problem. The market has optimised downstream controls for authentication, governance, privilege, and detection, but those controls only work on identities and applications already in scope. That means a platform can be technically correct and operationally incomplete at the same time. The practitioner conclusion is that scope completeness must be evaluated before control maturity.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
A question worth separating out:
Q: How can organisations keep zero trust aligned with actual identity scope?
A: They need authoritative discovery as a standing input to policy design, not a one-time project. Zero trust depends on knowing which users, systems, and non-human identities actually exist, where they connect, and which are still outside governance. Without that, least privilege and continuous verification are only partially enforceable.