Full Report
# The Invisible Half of the Identity Universe

Identity used to live in one place - an LDAP directory, an HR system, a single IAM portal. Not anymore. Today, identity is fragmented across SaaS, on-prem, IaaS, PaaS, home-grown, and shadow applications. Each of these environments carries its own accounts, permissions, and authentication flows. Traditional IAM and IGA tools govern only the nearly
Analysis Summary
# Main Topic
The primary threat intelligence narrative revolves around **"Identity Dark Matter"**: the massive, ungoverned, and invisible portion of an organization's identity universe that resides outside the purview of traditional Identity and Access Management (IAM) and Identity Governance and Administration (IGA) tools. This fragmentation across SaaS, IaaS, PaaS, home-grown, and shadow applications exposes significant security risks due to unmanaged accounts and permissions.
## Key Points
- Identity is no longer centralized, living across a fragmented landscape of modern applications.
- Traditional IAM/IGA tools govern only the "managed half," leaving a significant blind spot.
- **Identity Dark Matter** comprises unverified, non-human, and unprotected identities.
- High-risk components include Unmanaged Shadow Apps, Non-Human Identities (NHIs), and Orphaned/Stale Accounts.
- Identity dark matter directly contributes to security incidents, with 27% of cloud breaches in 2024 involving the misuse of dormant credentials.
- Solving this requires shifting from configuration-based IAM to **Identity Observability** to gain continuous visibility across all identities.
## Threat Actors
- No specific named threat actors or campaigns were detailed in the provided context.
- The focus is on the *vulnerabilities inherent in organizational identity structure*, rather than a specific adversary group.
## TTPs
- **Credential Abuse:** Directly linked as a primary risk, with 22% of all breaches attributed to credential exploitation.
- **Misuse of Dormant Credentials:** Specifically cited as a factor in cloud breaches (27% of cloud breaches in 2024).
- **Lateral Movement/Privilege Escalation:** Dark matter environments serve to mask these activities.
- **Non-Human Identity (NHI) Exploitation:** Service accounts, bots, and APIs acting without oversight create systemic weaknesses.
## Affected Systems
- **Fragmented Ecosystems:** SaaS, on-prem, IaaS, PaaS environments.
- **Application Types:** Home-grown and shadow applications that bypass formal onboarding processes.
- **Identity Types:** Human accounts, Non-Human Identities (NHIs - APIs, bots, service accounts), Agent-AI entities.
- **Specific Metrics:** 44% of organizations report over 1,000 orphaned accounts; 26% of all accounts are stale (>90 days unused).
## Mitigations
- **Shift to Identity Observability:** Move from configuration-based IAM to evidence-based governance for continuous visibility.
- **Three-Pillar Approach (Orchid Perspective):**
1. **See Everything:** Collect telemetry directly from every application, not just standard IAM connectors.
2. **Prove Everything:** Build unified audit trails detailing *who*, *what*, *when*, and *why* of access.
3. **Govern Everywhere:** Extend controls to cover managed, unmanaged, and agent-AI identities.
- **Bridging the Gap:** Select tools designed to secure the unmanaged identity perimeter.
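As an added illustration of the "See Everything" and "Govern Everywhere" pillars and of the stale (>90 days) and orphaned-account metrics above, the following Python script (example code, not from the report or from Orchid) normalises a constructed identity inventory pulled from several applications and flags stale accounts, orphaned human accounts, and non-human identities with no current owner. The account records, the HR feed, and the reference date are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed reference date and the report's 90-day "stale" threshold.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Constructed HR feed: people who are still employed. Anything else is a
# candidate orphan, whether it is a human login or the owner of a service account.
ACTIVE_PEOPLE = {"alice", "bob"}

# Constructed inventory: telemetry collected directly from each application
# (managed and home-grown alike) and normalised to one record shape.
IDENTITIES = [
    {"app": "okta", "account": "alice", "kind": "human", "owner": "alice",
     "last_used": NOW - timedelta(days=2)},
    {"app": "jira", "account": "carol", "kind": "human", "owner": "carol",
     "last_used": NOW - timedelta(days=200)},
    {"app": "aws", "account": "ci-deploy", "kind": "nhi", "owner": None,
     "last_used": NOW - timedelta(days=1)},
    {"app": "github", "account": "svc-backup", "kind": "nhi", "owner": "bob",
     "last_used": NOW - timedelta(days=120)},
    {"app": "homegrown-crm", "account": "bob", "kind": "human", "owner": "bob",
     "last_used": None},  # provisioned but never used
]


def classify(identity: dict, active_people: set, now: datetime = NOW,
             stale_after: timedelta = STALE_AFTER) -> List[str]:
    """Return the dark-matter findings for one identity record."""
    findings: List[str] = []
    last: Optional[datetime] = identity["last_used"]
    if last is None or now - last > stale_after:
        findings.append("stale")          # unused for >90 days or never used
    if identity["kind"] == "human" and identity["account"] not in active_people:
        findings.append("orphaned")       # human login with no current employee
    if identity["kind"] == "nhi" and identity["owner"] not in active_people:
        findings.append("unowned-nhi")    # service account nobody is accountable for
    return findings


def dark_matter_report(identities: list, active_people: set,
                       now: datetime = NOW) -> Dict[str, List[str]]:
    """Map 'app:account' to its findings, keeping only records that have any."""
    report: Dict[str, List[str]] = {}
    for ident in identities:
        found = classify(ident, active_people, now)
        if found:
            report[f"{ident['app']}:{ident['account']}"] = found
    return report


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many identities carry each finding."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts
```

Pointing the inventory at real per-application exports gives a first evidence-based view of the unmanaged half that IAM connectors never see.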
## Conclusion
Identity dark matter represents a critical, expanding security crisis driven by the proliferation of applications and unmanaged identities, particularly non-human identities. The current reliance on traditional IAM tools creates dangerous visibility gaps. Organizations must urgently adopt observability-focused strategies to continuously monitor, audit, and govern the entire identity landscape to prevent credential abuse and related breaches.