Over and over, I kept seeing the same dangerous pattern: organizations with sophisticated, best-in-class identity stacks yet still lacking a complete understanding of how many identities were actually running in their environment. Not because their teams weren’t skilled. Not because their tools were bad. But because the identity landscape had fundamentally changed and no discipline existed to keep pace with it.
That’s the identity blind spot problem. And it’s more pervasive than most security leaders realize.
The Visibility Gap Nobody Talks About
According to the Verizon 2025 Data Breach Investigations Report, stolen or compromised credentials are now the single most common initial attack vector, present in 22% of all confirmed breaches, ahead of phishing and exploitation combined. When those breaches do occur, credential-based attacks take an average of 246 days to detect and contain. Yet in our assessments, we consistently find that organizations have 2–3 times more privileged accounts than they believe: accounts sitting unmanaged in hybrid environments across Active Directory, servers, databases and cloud tenants, where existing tools don’t always have the depth of visibility required to fully account for them.
These aren’t just governance gaps. They’re direct attack paths. PAM solutions are highly effective at securing the accounts they vault. IGA platforms govern the identity lifecycle they’re designed to manage. CMDB systems provide important asset context. But none are designed to deliver a complete, continuously updated inventory of all identities across the environment. The result is a sprawling inventory of unprotected privileged accounts that attackers know exactly how to find and exploit.
The numbers alone should be alarming. In one healthcare organization, we uncovered 75,000 unknown privileged accounts, nearly triple what they assumed they had. In a global manufacturer’s breach response, we discovered an additional 70,000 service accounts beyond their known inventory. When you can’t see your accounts, you can’t protect them. Without visibility, breaches are a matter of when, not if.
Where Blind Spots Come From
Across hundreds of conversations with security teams, I consistently see the same three categories of blind spots:
Unowned privileged and non-human accounts. Service accounts embedded in applications, local admin accounts on servers, and database accounts created for specific projects often remain active and unmonitored long after those projects end. These accounts hold elevated access to critical systems but lack clear ownership and accountability. We regularly find that 67% of service accounts are orphaned—no one knows who’s responsible for them. Without ownership, these accounts are rarely reviewed, rarely rotated, and rarely removed, making them persistent and high-impact attack paths.
Broken identity lifecycle processes. Departed employees, contractors, and forgotten administrators often leave behind accounts that persist well beyond their tenure. Offboarding processes frequently fail to reach satellite systems, legacy applications, and hybrid environments, leaving identities active where they shouldn’t be. These accounts may still appear “valid” to systems, but in reality, they represent gaps in process execution, creating long-lived access that no one is actively managing or questioning.
Active Directory complexity and group sprawl. Most organizations treat Active Directory as a solved problem – it’s not. Years of growth leave behind deeply nested groups, accounts with excessive administrative rights, and stale objects that no one has reviewed in years. These AD blind spots are particularly dangerous because they’re invisible to standard tooling. A single over-permissioned group buried five levels deep can grant unintended access to hundreds of sensitive systems. Business teams request access; it gets granted. What almost never happens is a systematic review of whether that access should still exist.
The root cause is tool fragmentation and the absence of a continuous discipline. Even well-implemented PAM and IGA programs depend on accurate, complete identity data to be effective. Neither has visibility into the full account inventory across Active Directory, local servers, UNIX systems, and databases. New accounts get created, old ones go stale, AD groups accumulate complexity, and no one has a unified view. That fragmentation guarantees blind spots, and attackers know exactly where to look.
What Closing the Gap Actually Requires
In every organization I’ve worked with that has made real progress, the shift is the same: they stopped treating identity hygiene as a project with a finish line and started treating it as an operational discipline. That shift sounds simple. It isn’t.
The first thing that has to happen is an honest inventory, not the inventory organizations think they have, but the one that actually exists. Every organization I’ve worked with has been surprised by what a real discovery surfaces. The identities nobody remembered creating. The admin credentials tied to an employee who left three years ago. The service accounts running critical processes with no documented owner and no one willing to touch them for fear of breaking something. Until you have that picture, every security decision you make is based on incomplete information.
Visibility alone isn’t enough. What consistently separates organizations that reduce risk from those that just produce Excel spreadsheets is ownership. Every account needs a human being who is accountable for it – someone who can validate whether it still needs to exist, approve what it has access to, and confirm whether that access is still appropriate. When ownership is established, remediation decisions that used to take weeks happen in days. The identity isn’t a mystery anymore. It belongs to someone.
Getting started with remediation itself is also less daunting than organizations expect. In practice, roughly 30–40% of what discovery surfaces can be cleaned up quickly – accounts that are clearly stale, clearly orphaned, clearly serving no current purpose. The harder part is the middle ground: accounts that might be doing something important, tied to systems no one fully understands. That’s where ownership mapping pays off. Without it, teams freeze. With it, they move.
The last piece, and the one most organizations skip, is making it continuous. A point-in-time cleanup is better than nothing, but the environment keeps moving. New identities get created. People leave. AD groups accumulate. One financial services organization we worked with reduced privileged access sprawl by 60% in the first month by addressing the obvious, high-impact issues. From there, continued progress came from establishing ongoing identification and remediation of new drift as it emerged, which prevents risk from rebuilding over time. That’s what turns a one-time cleanup into sustained risk reduction.
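As an added example (not code from this article or from SPHERE), the following Python pass over a constructed directory snapshot does what the three blind-spot categories and the inventory-to-remediation steps above describe: it expands nested group membership to find who is privileged through a group buried several levels deep, flags orphaned service accounts and departed users, and sorts findings into the quick-win and owner-review buckets. The group names, account records, the "Domain Admins" tier-0 group and the 180-day stale threshold are all assumptions.

```python
# Constructed snapshot (not real data); accounts are (kind, owner, idle_days, departed).
GROUPS = {
    "Domain Admins": ["Tier0-Ops"],
    "Tier0-Ops": ["Infra-Leads"],
    "Infra-Leads": ["Platform-Team"],
    "Platform-Team": ["App-Support"],
    "App-Support": ["svc_backup", "jdoe", "mlee"],
}
ACCOUNTS = {
    "svc_backup": ("service", None, 12, False),   # in use, nobody owns it
    "svc_legacy": ("service", None, 700, False),  # unowned and idle
    "jdoe": ("user", "jdoe", 900, True),          # left years ago, still enabled
    "mlee": ("user", "mlee", 3, False),           # active, admin only via nesting
    "asmith": ("user", "asmith", 400, False),     # idle, no privileged access
}
PRIVILEGED_GROUPS = {"Domain Admins"}   # assumed tier-0 group (placeholder)
STALE_DAYS = 180                         # assumed inactivity threshold

def effective_members(group, groups=GROUPS):
    """BFS over nested membership; return {account: shallowest nesting depth}."""
    found, seen, queue = {}, {group}, [(group, 0)]
    while queue:
        name, depth = queue.pop(0)
        for member in groups.get(name, []):
            if member not in groups:
                found[member] = min(found.get(member, depth + 1), depth + 1)
            elif member not in seen:          # seen-set guards against cycles
                seen.add(member)
                queue.append((member, depth + 1))
    return found

def classify(accounts=ACCOUNTS, groups=GROUPS):
    """Split findings into quick wins (stale/orphaned/departed) and owner-review items."""
    privileged = {}
    for g in PRIVILEGED_GROUPS:
        for acct, depth in effective_members(g, groups).items():
            privileged[acct] = min(privileged.get(acct, depth), depth)
    quick_wins, needs_review = {}, {}
    for name, (kind, owner, idle_days, departed) in accounts.items():
        reasons = [r for hit, r in (
            (departed, "departed user still enabled"),
            (idle_days > STALE_DAYS, "stale"),
            (kind == "service" and owner is None, "orphaned service account"),
            (name in privileged, f"privileged via nesting depth {privileged.get(name)}"),
        ) if hit]
        if departed or idle_days > STALE_DAYS:
            quick_wins[name] = reasons      # nobody is using it: disable now
        elif reasons:
            needs_review[name] = reasons    # in use: establish an owner first
    return quick_wins, needs_review
```

Run against a real export, the quick-win bucket is the "30–40%" the article describes, while the review bucket is exactly where ownership mapping is needed before anyone touches an account.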
What Sustainable Identity Security Looks Like
Identity Hygiene works best as a layer that complements and extends your existing security investments rather than replacing them. PAM and IGA tools have real value; they manage what they can see. The discipline of continuous discovery fills in what they can’t: the identities that exist between and beyond the boundaries of any single tool.
Consider what 246 days means in practice. That’s the average time it takes to identify and contain a credential-based breach, according to Verizon’s 2025 DBIR. Eight months of an attacker moving through your environment with valid account credentials, accessing systems, escalating privileges, and exfiltrating data—while every alert that fires looks like normal administrative activity. That dwell time isn’t a detection failure. It’s a visibility failure. You cannot detect movement through accounts you don’t know exist.
The identity security industry has spent two decades building better tools for managing what it can see. The harder problem and the one that keeps producing breaches is that no one has treated the unseen as a discipline. Privileged accounts accumulate. Ownership erodes. AD complexity compounds quietly in the background. None of that is a tool failure. It’s a focus failure. The organizations that close the gap aren’t necessarily the ones with the most sophisticated stacks. They’re the ones that decided visibility wasn’t optional.
Sources
- Verizon 2025 Data Breach Investigations Report (DBIR): credential abuse as the #1 initial access vector (22% of breaches); 246-day average time to identify and contain credential-based breaches. verizon.com/dbir
- SPHERE Identity Hygiene Research: 67% of service accounts are orphaned (no documented owner). Based on findings across SPHERE’s enterprise customer base. sphereco.com
- SPHERE Client Engagement Data: discovery of 75,000 unknown privileged accounts (healthcare); 70,000 additional service accounts (global manufacturer breach response); 2–3x account inventory gap; 30–40% of discovered identities immediately disabled; 60% reduction in privileged account sprawl (financial services). All figures derived from anonymized SPHERE customer data.