ITDR vs ISPM: what should identity teams prioritise now?

TL;DR: ITDR focuses on detecting and responding to attacks against identity infrastructure, while ISPM measures identity risk posture across user, machine, and control surfaces, according to Axiad. The split is increasingly useful, but governance teams need both threat visibility and posture quantification to manage identity attack surface effectively.

NHIMG editorial — based on content published by Axiad: ITDR vs ISPM, which identity-first product should you explore?

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.

Questions worth separating out

Q: How should security teams separate ITDR from ISPM in an identity programme?

A: Treat ITDR as the control set for detecting, containing, and recovering from attacks against identity infrastructure.

Q: Why do machine identities change the way identity risk should be measured?

A: Machine identities expand the attack surface beyond human login events because service accounts, API keys, and certificates can be overprivileged, poorly inventoried, and difficult to review.

Q: How do organisations know whether identity posture management is working?

A: Look for fewer unknown identities, better access inventory coverage, lower privileged-account concentration, and faster identification of risky exposure across the identity estate.

Practitioner guidance

• Define separate ITDR and ISPM control objectives Write one objective for active identity threat detection and another for identity posture measurement.
• Inventory machine identities and standing privilege Extend visibility beyond human accounts to service accounts, API keys, certificates, and cloud identities.
• Correlate identity telemetry with governance data Bring PAM, IGA, MFA, and cloud entitlement data into the same reporting layer as authentication and response signals.

What's in the full article

Axiad's full blog post covers the category distinctions and positioning detail this post intentionally leaves for the source:

• The article's full comparison of how analysts and vendors are defining ITDR versus ISPM in practice
• The positioning logic behind why one category is framed for SOC teams and the other for executive risk teams
• The vendor's view of how identity fabric should be interpreted across controls, permissions, and attack signals
• The forward-looking category discussion on where ISPM characteristics may be absorbed into ITDR

👉 Read Axiad's analysis of ITDR vs ISPM and identity risk posture →

ITDR vs ISPM: what should identity teams prioritise now?

Explore further

View Full Forum →  |  NHI Foundation Course →