
Identity visibility gaps in PAM and IGA: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7644
Topic starter  

TL;DR: Traditional PAM and IGA tools provide only partial identity coverage in hybrid-cloud environments, leaving blind spots for dormant, shadow, ephemeral, and cross-domain accounts while attacker paths remain hidden, according to Hydden. Complete visibility has become mission-critical because remediation decisions are only as good as the map they are based on.

NHIMG editorial — based on content published by Hydden: identity visibility gaps in PAM and IGA

By the numbers:

Questions worth separating out

Q: How should security teams reduce identity blind spots across hybrid environments?

A: Security teams should centralise identity discovery across directories, cloud platforms, CI/CD tools, SaaS, and legacy systems, then enrich that inventory with ownership, privilege, and relationship data.

Q: Why do service accounts and other non-human identities create hidden risk in IAM programmes?

A: Service accounts create hidden risk because they are often outside the review cadence used for human access, yet they can hold persistent privilege and connect multiple systems.

Q: What do security teams get wrong about access reviews in identity governance?

A: Teams often treat access reviews as a complete control, when they are really a delayed verification step.

Practitioner guidance

  • Build a continuous identity inventory: Collect identities from AD, cloud IAM, CI/CD systems, SaaS, and legacy applications into one operating view so the programme can see dormant, shadow, and orphaned accounts before attackers do.
  • Map transitive access and trust paths: Document how roles, groups, workloads, and service accounts connect across systems, then use that graph to identify toxic combinations and hidden lateral movement routes.
  • Prioritise remediation by blast radius: Rank exposures by the systems they can reach, not just by the identity type or privilege label, so limited resources go first to the paths with the widest downstream impact.
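As an added example (not code from Hydden or from the NHIMG post), the following Python sketch walks through the three guidance steps above, and the centralised-discovery-plus-enrichment answer in the Q&A, on a constructed inventory: per-source records are merged into one view, classified into dormant, orphaned and shadow accounts, joined into a relationship graph, and then ranked by blast radius (the number of systems an identity can transitively reach). The source names, identity names, edges and the 90-day dormancy threshold are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed sample data (assumption for this example, not a real inventory).
# Each record is what one source connector would return after normalisation.
TODAY = date(2024, 6, 1)
DIRECTORY_SOURCES = {"ad"}  # sources treated as the sanctioned directory

IDENTITIES = [
    {"source": "ad",   "id": "svc-backup",    "kind": "service", "owner": None,            "last_used": date(2023, 11, 2)},
    {"source": "ad",   "id": "alice",         "kind": "human",   "owner": "alice",         "last_used": date(2024, 5, 30)},
    {"source": "aws",  "id": "ci-deployer",   "kind": "service", "owner": "platform-team", "last_used": date(2024, 5, 31)},
    {"source": "ci",   "id": "ci-deployer",   "kind": "service", "owner": "platform-team", "last_used": date(2024, 5, 31)},
    {"source": "saas", "id": "legacy-export", "kind": "service", "owner": None,            "last_used": date(2022, 1, 15)},
]

# Constructed directed edges: identity -> group/role -> system, plus a
# system -> system hop where a workload on one system can reach another.
EDGES = [
    ("svc-backup", "group:backup-operators"),
    ("group:backup-operators", "system:file-server"),
    ("group:backup-operators", "system:domain-controller"),
    ("alice", "group:developers"),
    ("group:developers", "system:git"),
    ("ci-deployer", "role:deploy"),
    ("role:deploy", "system:prod-k8s"),
    ("system:prod-k8s", "system:prod-db"),
    ("legacy-export", "system:crm"),
]


def merge_inventory(records):
    """Fold per-source records into one operating view keyed by identity name."""
    inv = {}
    for r in records:
        entry = inv.setdefault(r["id"], {"sources": set(), "kind": r["kind"],
                                         "owner": None, "last_used": None})
        entry["sources"].add(r["source"])
        entry["owner"] = entry["owner"] or r["owner"]  # enrich with ownership
        if entry["last_used"] is None or r["last_used"] > entry["last_used"]:
            entry["last_used"] = r["last_used"]  # keep the most recent use
    return inv


def find_gaps(inv, today=TODAY, dormant_days=90):
    """Classify identities into the blind-spot categories the post names."""
    cutoff = today - timedelta(days=dormant_days)
    return {
        "dormant": sorted(i for i, e in inv.items() if e["last_used"] < cutoff),
        "orphaned": sorted(i for i, e in inv.items() if e["owner"] is None),
        # shadow: exists only outside the sanctioned directory
        "shadow": sorted(i for i, e in inv.items() if not (e["sources"] & DIRECTORY_SOURCES)),
    }


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def reachable_systems(graph, start):
    """BFS over the relationship graph; every system node reachable from start."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {n for n in seen if n.startswith("system:")}


def prioritise(inv, edges, today=TODAY):
    """Rank identities by blast radius first, then by how many gap flags they carry."""
    graph = build_graph(edges)
    gaps = find_gaps(inv, today)
    rows = []
    for ident in inv:
        reach = reachable_systems(graph, ident)
        flags = sorted(k for k, members in gaps.items() if ident in members)
        rows.append({"id": ident, "blast_radius": len(reach),
                     "systems": sorted(reach), "flags": flags})
    return sorted(rows, key=lambda r: (-r["blast_radius"], -len(r["flags"]), r["id"]))


if __name__ == "__main__":
    inventory = merge_inventory(IDENTITIES)
    for row in prioritise(inventory, EDGES):
        print(row["id"], row["blast_radius"], row["systems"], row["flags"])
```

On the constructed data the dormant, ownerless `svc-backup` ranks above the recently used `ci-deployer` although both reach two systems, and the single-system `legacy-export` still outranks the human account `alice` because it is dormant, orphaned and shadow at once; that is the point of ranking by reach plus gap flags rather than by identity type alone.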

What's in the full article

Hydden's full post covers the operational detail this post intentionally leaves for the source:

  • The IASM discovery model for finding identities across SaaS, cloud, CI/CD, and legacy systems.
  • The unified identity relationship graph used to map hidden routes and effective permissions.
  • The practical differences between privileged access observability and ordinary access review.
  • The article’s examples of unmapped territory, hidden highways, and forgotten legacy systems.

👉 Read Hydden’s analysis of identity visibility gaps in PAM and IGA →
