When executives for identity security startup Orchid Security started to do the legwork for creating an auditing capability for their platform, a key step was looking into thousands of applications to see how things worked.
What they found surprised them.
“Identity activity was everywhere,” Tal Herman, chief product officer for the Israeli company, wrote in a blog post. “Inside application code. Inside custom auth flows. Inside service accounts no one remembered creating. Behavior that never touched centralized IAM [identity and access management], yet still showed up during audits. Still mattered during incidents. Still got referenced in board decks.”
About 85% of applications have accounts from legacy or external domains, 70% of applications had excessive privileges, 60% granted administrator or API access to third parties, and 40% of all accounts were orphaned – abandoned but still active. Such data changed their thinking. Typically, when auditors ask a question, the answer they get is inferred, based on integrations or policy – essentially what should be true rather than what is.
“This wasn’t about helping teams prepare for audits,” she wrote. “It was about enabling them to stop guessing. We stopped treating identity as configuration and started treating it as behavior. Something that happens. Something observable. Something you can prove.”
Enter Identity Audit
What came out of it was Identity Audit, introduced this month by Orchid, which combines proprietary audit data found inside unmanaged applications with audit logs from governed IAM systems to give users and auditors a complete view of identity behavior and business context. It creates a provable understanding of how identities are used, their intent, and the risks that come with managed and unmanaged applications.
“Organizations today run two identity systems,” Orchid co-founder and CEO Roy Katmor told MSSP Alert. “The ones they think they have and the ones that actually exist. The gap between the two is identity dark matter: app-local users, service identities, API keys and long-lived tokens, legacy directories, external domains, ad hoc auth paths, embedded credentials, and access that still works but isn’t consistently governed.”
The gap is only widening with the rapid growth of non-human identities (NHIs) and agentic AI, which by design aren’t governed and operate beyond the reach of traditional IAM controls.
It’s the “lowest-friction path to real access,” which makes it dangerous, Katmor said.
Protections, Risks Converge on Identities
Identity has become a priority both for threat actors – which see identities as the easiest way to gain access to corporate systems – and security teams, which are trying to protect them.
“Attackers don’t need to break IAM or trigger noisy alerts if they can route around it through an orphaned local admin, a dormant app account, or an over-scoped service token,” he said. “And as AI shifts from advisor to operator, efficiency drives behavior: agents take the shortest path, and dark-matter identities are shortcuts. Do organizations understand this? Conceptually, yes. Practically, no.”
With Identity Audit, organizations will be able to answer what had been unprovable questions, such as whether least privilege is enforced in practice or only documented in policy, whether human and non-human identities are removed, rotated, or suspended as needed, and whether identity is governed end-to-end.
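As an added illustration (not Orchid’s code or product logic), here is how a defender might reconcile an application’s local account export against the governed directory and the documented role model to surface the dark-matter categories named above: orphaned accounts, legacy or external domains, third parties holding admin or API access, privileges beyond what policy documents, and dormant-but-enabled accounts. The data, field names and the 90-day dormancy threshold are constructed assumptions for the example.

```python
"""Reconcile an application's local accounts against the governed directory
to surface identity dark matter: orphaned, dormant, external-domain and
over-privileged accounts. Added example with constructed data; the field
names are assumptions, not any vendor's schema."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set

# Roles treated as high-impact when held by an account from outside the company.
PRIVILEGED_ROLES = frozenset({"admin", "api"})


@dataclass(frozen=True)
class AppAccount:
    username: str                 # app-local login name
    email: str                    # principal the app believes owns the account
    enabled: bool
    roles: FrozenSet[str]         # what the app actually grants (what *is*)
    last_login: Optional[date]    # None = never logged in
    kind: str = "human"           # "human" or "service"


@dataclass(frozen=True)
class Finding:
    username: str
    category: str
    detail: str


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def audit_app_accounts(accounts: List[AppAccount], directory_active: Set[str],
                       corp_domains: Set[str], approved_roles: Dict[str, FrozenSet[str]],
                       today: date, dormant_days: int = 90) -> List[Finding]:
    """Compare observed app-local access with what the directory and the
    documented role model say *should* be true."""
    findings: List[Finding] = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is not a live access path
        dom = domain_of(acct.email)
        if dom not in corp_domains:
            # Legacy or external domain: the governed directory cannot vouch for it.
            findings.append(Finding(acct.username, "external_domain", dom))
            held = acct.roles & PRIVILEGED_ROLES
            if held:
                # Third party holding admin or API access.
                findings.append(Finding(acct.username, "third_party_privileged",
                                        ",".join(sorted(held))))
        elif acct.email.lower() not in directory_active:
            # Orphaned: still lets someone in, but no active principal stands behind it.
            findings.append(Finding(acct.username, "orphaned", acct.email))
        # Excessive privilege: roles granted beyond the documented ones.
        extra = acct.roles - approved_roles.get(acct.username, frozenset())
        if extra:
            findings.append(Finding(acct.username, "excessive_privilege", ",".join(sorted(extra))))
        # Dormant: enabled but unused past the threshold, or never used at all.
        if acct.last_login is None or acct.last_login < cutoff:
            last = "never" if acct.last_login is None else acct.last_login.isoformat()
            findings.append(Finding(acct.username, "dormant", last))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Category -> sorted list of affected usernames."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.category, []).append(f.username)
    return {k: sorted(v) for k, v in out.items()}


# --- Constructed sample input (not real data) ---------------------------------
TODAY = date(2025, 1, 15)
CORP_DOMAINS = {"corp.example"}
DIRECTORY_ACTIVE = {"alice@corp.example", "svc-backup@corp.example"}  # bob has left
APPROVED_ROLES = {
    "alice": frozenset({"user"}),
    "bob": frozenset({"user"}),
    "svc-backup": frozenset({"api"}),
    "carol": frozenset({"user"}),
}
SAMPLE_ACCOUNTS = [
    AppAccount("alice", "alice@corp.example", True, frozenset({"user"}), date(2025, 1, 10)),
    AppAccount("bob", "bob@corp.example", True, frozenset({"user", "admin"}), date(2024, 6, 1)),
    AppAccount("svc-backup", "svc-backup@corp.example", True, frozenset({"api"}), None, "service"),
    AppAccount("carol", "carol@legacy-corp.example", True, frozenset({"user"}), date(2025, 1, 5)),
    AppAccount("vendor-ops", "ops@oldvendor.example", True, frozenset({"admin"}), date(2025, 1, 12)),
    AppAccount("dave", "dave@corp.example", False, frozenset({"admin"}), date(2023, 3, 3)),
]


def run_sample() -> Dict[str, List[str]]:
    return summarize(audit_app_accounts(SAMPLE_ACCOUNTS, DIRECTORY_ACTIVE, CORP_DOMAINS,
                                        APPROVED_ROLES, TODAY))


if __name__ == "__main__":
    for category, users in sorted(run_sample().items()):
        print(f"{category:24s} {', '.join(users)}")
```

The point of the split between the directory check and the domain check is that an external-domain account can never be “orphaned” in the directory sense: the directory never owned it, so it is reported as its own category rather than being silently trusted. Running the sample flags bob (orphaned, over-privileged and dormant), the never-used backup service account, and the vendor account that holds admin access from an external domain, while alice and the disabled dave produce nothing.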
“Orchid makes identity dark matter observable, explainable, governable, and fixable without replacing IAM,” Katmor said. “We operate as identity infrastructure: a control plane that surfaces applications – managed and unmanaged – their identities, and their access paths, and makes them something security and IAM teams can act on with minimal effort.”
Lighting the Way for MSSPs
This also is important to MSSPs and MSPs, which are becoming increasingly important to organizations that face increasingly complex cyber threats and don’t have the talent or tools to adequately protect themselves, the CEO said.
“MSSPs matter in identity for one reason: identity is an ongoing program,” he said. “It’s not ‘deploy SSO and move on.’ It’s drift, exceptions, M and A, contractors, app sprawl, automation, tokens, and app-local users. Most organizations don’t have the internal expertise or bandwidth to manage that across dozens or hundreds of systems.”
Security service providers bring the operational rigor, scale and pattern recognition, and response muscle – “rapid scoping and containment, especially for non-human identities where the blast radius is large and unclear,” Katmor said – that enterprises and SMBs need.
In addition, identity dark matter tends to be where multi-tenant environments amass the most risk, with many apps and exceptions, along with constant drift. Orchid’s tool aligns with the way MSSPs and MSPs operate.
That includes offering identity hygiene as a managed service – including continuous discovery, cleaning up orphan and dormant accounts, and reducing local accounts – improving detection and incident response, and building a repeatable identity program that can work across clients without forcing each into the same IAM stack.
In addition, MSSPs and MSPs can use Identity Audit internally, Katmor said.
“Service identities, automation accounts, and third-party integrations generate dark matter inside service providers just as often as they do in customers,” he said.