Executive Summary
Identity has become the primary attack surface of the modern enterprise. According to the Verizon Data Breach Investigations Report 2025, 74% of data breaches involve an identity element — stolen credentials, over-privileged accounts, or abused service accounts. Yet most organizations still rely on point-in-time access reviews and manual audits to understand their identity risk.
Identity Security Posture Management (ISPM) changes that equation. It is the emerging discipline of continuously discovering, assessing, and remediating identity-related security risks across an organization's entire identity fabric — human and non-human, on-premises and cloud, known and unknown.
In 2025, Gartner formally recognized ISPM as a distinct evaluation category. In 2026, it is rapidly becoming a board-level requirement, driven by cyber insurance mandates, Zero Trust adoption, and an explosion of non-human identities (NHIs) that traditional tools were never designed to govern.
This article explains what ISPM is, how it differs from IGA and PAM, why identity dark matter is your biggest unknown risk, and how to build an ISPM program from the ground up.
What Is ISPM — And Why Traditional IAM Falls Short
Traditional IAM tools were built to enforce access policy: provision users, authenticate sessions, and grant or deny requests. They are excellent at execution. What they cannot answer is a deceptively simple question:
"What is the actual security state of our identity infrastructure right now?"
Consider a typical enterprise:
- Thousands of service accounts created for projects that have since ended
- Federated identities from acquisitions that were never fully deprovisioned
- Cloud IAM roles with wildcard permissions attached to Lambda functions no one remembers deploying
- Contractors who left six months ago but whose accounts remain active in a legacy ERP system
IGA can tell you who should have access. PAM can control how privileged accounts are used. But neither tool was designed to continuously map the full identity landscape and score the risk it represents.
ISPM fills this gap. It operates as an observability and risk quantification layer that sits above your existing identity infrastructure — consuming data from IdPs, IGA systems, PAM tools, HR systems, and cloud providers — and turns that data into actionable risk intelligence.
NOTE
In 2025, Gartner confirmed ISPM as a standalone evaluation category, distinct from IGA, PAM, and ITDR. Analysts also use the term Identity Visibility and Intelligence Platforms (IVIP) to describe the same space. Some vendors position their offerings as "Identity Security Scoring" to emphasize the quantification angle. Regardless of branding, all refer to the same core discipline: continuous identity risk assessment.
The Four Pillars of ISPM
ISPM capabilities cluster around four interdependent functions. No single pillar is sufficient alone — the power of ISPM comes from integrating all four into a continuous feedback loop.
Pillar 1: Identity Discovery
You cannot secure what you cannot see. ISPM begins with comprehensive discovery across every identity store in the organization:
- Human identities: employees, contractors, partners, customers
- Non-human identities (NHIs): service accounts, API keys, OAuth tokens, machine certificates, CI/CD pipeline identities
- Federated identities: SAML assertions, OIDC tokens, cross-tenant trust relationships
- Dormant identities: accounts that haven't authenticated in 90+ days but remain active
Modern ISPM platforms build a unified identity graph that maps not just the identities themselves, but all their entitlements, group memberships, role assignments, and trust relationships. This graph becomes the foundation for all downstream risk analysis.
Pillar 2: Risk Assessment
With a complete identity inventory, ISPM evaluates each identity and entitlement against a set of risk signals:
- Excessive permissions: principals with access far beyond their job function, or wildcard IAM policies in cloud environments
- Credential weaknesses: accounts using static passwords, accounts missing MFA, long-lived API keys that have never been rotated
- Stale access: entitlements that have not been used in months but remain assigned
- Lateral movement paths: combinations of entitlements that could allow an attacker to escalate privileges or pivot across systems
- Policy violations: identities that fail to meet regulatory or internal compliance requirements (e.g., separation-of-duties (SoD) conflicts, least-privilege drift)
Pillar 3: Posture Scoring
Risk findings are aggregated into a quantifiable Identity Security Score — a single metric (typically 0–100 or letter-graded) that expresses the overall health of the identity security posture. This score:
- Can be tracked over time to show trend improvement or degradation
- Can be benchmarked against industry peers
- Is broken down by domain (cloud IAM, on-prem AD, SaaS applications, NHIs) to identify weak spots
- Serves as input for cyber insurance applications and board reporting
Pillar 4: Continuous Monitoring and Remediation
Unlike point-in-time access reviews, ISPM operates continuously. When a new risk is detected — a new over-privileged role created, an MFA exception granted, a dormant account suddenly activated — ISPM surfaces it in near real-time.
Remediation can be:
- Automated: low-risk fixes (disabling truly dormant accounts, revoking unused OAuth tokens) executed directly
- Recommended: ISPM proposes the fix and creates a ticket in ServiceNow or Jira for the appropriate team
- Escalated: high-impact changes flagged for security team review before any action is taken
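The three pillars above form a loop that is easier to see in code than in prose. The following is an added worked example, not code from the article or from any ISPM vendor: a small inventory of identities (constructed) is evaluated against the Pillar 2 signals, the findings are rolled up into a 0–100 score overall and per domain (Pillar 3), and each finding is tagged with one of the three remediation tiers (Pillar 4). The severity values, the rule that each severity point on the average identity costs five score points, the 90-day key-rotation threshold, and the entitlement names are all assumptions made for the example; only the 90-day dormancy window comes from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2026, 1, 15)   # fixed "now" so the example is deterministic (assumption)
DORMANT_DAYS = 90           # the 90+ day dormancy definition used in the article
KEY_MAX_AGE_DAYS = 90       # assumed rotation policy for static keys
SEVERITY_WEIGHT = 5         # score points lost per severity point on the average identity (assumed)
# Entitlement combinations treated as separation-of-duties conflicts (constructed names).
SOD_CONFLICTS = [frozenset({"payments:create", "payments:approve"})]

@dataclass
class Identity:
    name: str
    kind: str                           # "human" or "nhi"
    domain: str                         # "cloud-iam", "on-prem-ad" or "saas"
    entitlements: frozenset
    last_auth: Optional[date]           # None = never authenticated
    mfa: bool = False
    key_created: Optional[date] = None  # issue date of a static API key, if the identity has one

@dataclass
class Finding:
    identity: str
    signal: str
    severity: int        # 1 (low) .. 10 (critical); feeds the posture score
    domain: str
    remediation: str     # "automated", "recommended" or "escalated"

def assess(ident: Identity) -> list:
    """Pillar 2: evaluate one identity against the risk signals."""
    findings = []
    over_privileged = any(e == "*" or e.endswith(":*") for e in ident.entitlements)
    if over_privileged:  # wildcard grants are never changed without human review
        findings.append(Finding(ident.name, "excessive-permissions", 8, ident.domain, "escalated"))
    if ident.kind == "human" and not ident.mfa:
        findings.append(Finding(ident.name, "missing-mfa", 6, ident.domain, "recommended"))
    if ident.key_created is not None and (TODAY - ident.key_created).days > KEY_MAX_AGE_DAYS:
        # A key that has never been used can be revoked automatically; one in use needs its owner.
        action = "automated" if ident.last_auth is None else "recommended"
        findings.append(Finding(ident.name, "unrotated-key", 7, ident.domain, action))
    if ident.last_auth is None or (TODAY - ident.last_auth).days > DORMANT_DAYS:
        # Disabling a dormant account is low risk unless the account is also over-privileged.
        action = "escalated" if over_privileged else "automated"
        findings.append(Finding(ident.name, "dormant", 5, ident.domain, action))
    for combo in SOD_CONFLICTS:
        if combo <= ident.entitlements:
            findings.append(Finding(ident.name, "sod-conflict", 8, ident.domain, "escalated"))
    return findings

def _score(total_severity: int, n_identities: int) -> int:
    """Pillar 3: 100 minus SEVERITY_WEIGHT points per severity point on the average identity."""
    if n_identities == 0:
        return 100
    return max(0, 100 - SEVERITY_WEIGHT * total_severity // n_identities)

def posture_report(identities: list) -> dict:
    """Overall score, per-domain scores and the Pillar 4 remediation queue."""
    findings = [f for ident in identities for f in assess(ident)]
    by_domain = {}
    for ident in identities:
        by_domain.setdefault(ident.domain, {"n": 0, "sev": 0})["n"] += 1
    for f in findings:
        by_domain[f.domain]["sev"] += f.severity
    remediation = {"automated": 0, "recommended": 0, "escalated": 0}
    for f in findings:
        remediation[f.remediation] += 1
    return {
        "overall": _score(sum(f.severity for f in findings), len(identities)),
        "by_domain": {d: _score(v["sev"], v["n"]) for d, v in by_domain.items()},
        "remediation": remediation,
        "findings": findings,
    }

def sample_inventory() -> list:
    """Constructed inventory: names, dates and entitlements are made up for the example."""
    return [
        Identity("alice", "human", "saas", frozenset({"crm:read"}), date(2026, 1, 10), mfa=True),
        Identity("bob", "human", "on-prem-ad", frozenset({"file:read"}), date(2025, 6, 1)),
        Identity("ci-deployer", "nhi", "cloud-iam", frozenset({"s3:*"}), date(2026, 1, 14),
                 key_created=date(2024, 11, 1)),
        Identity("legacy-report-svc", "nhi", "cloud-iam", frozenset({"rds:read"}), None,
                 key_created=date(2023, 3, 5)),
        Identity("carol", "human", "saas", frozenset({"payments:create", "payments:approve"}),
                 date(2026, 1, 12), mfa=True),
    ]

if __name__ == "__main__":
    report = posture_report(sample_inventory())
    print("overall score:", report["overall"], "by domain:", report["by_domain"])
    print("remediation queue:", report["remediation"])
    for f in report["findings"]:
        print(f"  [{f.remediation}] {f.identity}: {f.signal} (severity {f.severity})")
```

Two design points carry over to real deployments. The remediation tier is decided per finding from context (a dormant account that is also over-privileged is escalated, not auto-disabled), which is what keeps automation safe. And the score is normalized by identity count per domain, so a large, well-run cloud estate is not penalized simply for having more identities than a small on-prem directory; whatever model a platform uses, it should be transparent enough to reason about in this way.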
Identity Dark Matter: Your Biggest Unknown Risk
One of the most important concepts ISPM introduces is Identity Dark Matter — identities that exist within your organization but are not actively monitored, governed, or even known to the identity team.
Research consistently finds that the average enterprise has 30–40% of its identity population in this category:
- Orphaned accounts: user accounts whose owners have left the organization but were never deprovisioned — often because the offboarding process failed to cover every connected system
- Shadow IT identities: accounts created directly in SaaS applications without going through IT provisioning, invisible to the IdP
- Forgotten service accounts: accounts created for a specific project or integration that outlived their purpose by years
- Acquired company identities: users and service accounts from M&A targets that were never fully integrated or cleaned up
- Stale machine identities: certificates, API keys, and tokens that have long since exceeded their intended lifecycle
Dark matter identities are the most dangerous class of identity risk precisely because no one is watching them. They don't trigger anomaly alerts because the baseline for "normal" was never established. They don't appear in access reviews because reviewers don't know they exist. And because they often retain the same entitlements they had when they were created — sometimes elevated ones — they represent a ready-made attack path for any adversary who discovers them.
ISPM platforms specifically scan for dark matter patterns: accounts that appear in subsidiary systems but not the authoritative IdP, service accounts with no associated owner, API keys created by users who have since been offboarded.
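The dark matter patterns just listed are all reconciliation checks: each one compares an account list against an authoritative source that should have known about it. The following is an added example, not code from the article or from any platform, that runs those checks over constructed data. It assumes two authoritative sources, an HR roster of currently employed people and the IdP's user list, and a flat list of account records from the IdP, an ERP system, a SaaS application and a cloud IAM store; the account types, the `owner` and `created_by` fields, and every name and key id are made up for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    system: str                        # where the record lives: "idp", "erp", "crm-saas", "cloud-iam"
    login: str                         # normalized identifier (e-mail for people, name or key id otherwise)
    kind: str                          # "user", "service" or "api-key"
    enabled: bool
    owner: Optional[str] = None        # service accounts: responsible human, if anyone recorded one
    created_by: Optional[str] = None   # api-keys: the human who issued the key

@dataclass(frozen=True)
class Finding:
    category: str
    system: str
    login: str
    detail: str

def find_dark_matter(hr_active: set, idp_logins: set, accounts: list) -> list:
    """Cross-reference every enabled account against the two authoritative sources:
    HR (who is still employed) and the IdP (which identities IT actually knows about)."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled records are already contained; clean-up, not live risk
        if acct.kind == "user":
            if acct.login not in hr_active:
                findings.append(Finding("orphaned", acct.system, acct.login,
                                        "owner no longer in HR roster but account still enabled"))
            if acct.system != "idp" and acct.login not in idp_logins:
                findings.append(Finding("shadow", acct.system, acct.login,
                                        "created directly in the application; unknown to the IdP"))
        elif acct.kind == "service":
            if acct.owner is None:
                findings.append(Finding("ownerless-service", acct.system, acct.login, "no owner recorded"))
            elif acct.owner not in hr_active:
                findings.append(Finding("ownerless-service", acct.system, acct.login,
                                        f"owner {acct.owner} has been offboarded"))
        elif acct.kind == "api-key" and acct.created_by not in hr_active:
            findings.append(Finding("key-offboarded-creator", acct.system, acct.login,
                                    f"issued by {acct.created_by}, who has been offboarded"))
    return findings

def summarize(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

def dark_matter_ratio(accounts: list, findings: list) -> float:
    """Share of enabled accounts carrying at least one dark-matter finding."""
    enabled = [a for a in accounts if a.enabled]
    flagged = {(f.system, f.login) for f in findings}
    return len([a for a in enabled if (a.system, a.login) in flagged]) / len(enabled)

# Constructed sources; every person, system and key id below is made up.
HR_ACTIVE = {"alice@example.com", "dave@example.com", "frank@example.com"}
IDP_LOGINS = {"alice@example.com", "dave@example.com", "erin@example.com"}
SAMPLE_ACCOUNTS = [
    Account("idp", "alice@example.com", "user", True),
    Account("idp", "erin@example.com", "user", True),            # left the company; IdP never told
    Account("erp", "bob@example.com", "user", True),             # left, and never in the IdP at all
    Account("erp", "gina@example.com", "user", False),           # already disabled
    Account("crm-saas", "dave@example.com", "user", True),
    Account("crm-saas", "frank@example.com", "user", True),      # employee, but a local SaaS account
    Account("cloud-iam", "svc-etl-nightly", "service", True),                          # nobody owns it
    Account("cloud-iam", "svc-payments", "service", True, owner="dave@example.com"),
    Account("cloud-iam", "svc-legacy-sync", "service", True, owner="erin@example.com"),
    Account("cloud-iam", "akid-example-01", "api-key", True, created_by="erin@example.com"),
    Account("cloud-iam", "akid-example-02", "api-key", True, created_by="dave@example.com"),
]

if __name__ == "__main__":
    findings = find_dark_matter(HR_ACTIVE, IDP_LOGINS, SAMPLE_ACCOUNTS)
    for f in findings:
        print(f"{f.category:<22} {f.system:<10} {f.login:<22} {f.detail}")
    print("by category:", summarize(findings))
    print(f"dark matter share of enabled identities: {dark_matter_ratio(SAMPLE_ACCOUNTS, findings):.0%}")
```

The point of the two authoritative sources is that they answer different questions: HR says whether a person should exist at all, the IdP says whether IT knows about them. An account can fail either check or both (the ERP user above is both orphaned and shadow), and a service account or key inherits its owner's status, which is how an offboarded engineer's credentials surface long after the person's own login was removed.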
ISPM vs IGA vs PAM: How They Fit Together
ISPM does not replace IGA or PAM. It is a complementary layer that provides the visibility and risk quantification that governance and control tools lack. The three categories are best understood as addressing different questions:
| Dimension | IGA | PAM | ISPM |
|---|---|---|---|
| Primary Question | Who has what access? | How are privileged accounts being used? | What is our identity risk posture? |
| Core Function | Access governance and lifecycle | Privileged session management and vaulting | Identity discovery, risk assessment, scoring |
| Time Orientation | Periodic (access reviews, certifications) | Real-time (session control) | Continuous (posture monitoring) |
| Scope | Human identities, defined systems | Privileged accounts (human and service) | All identities — human, NHI, dark matter |
| Output | Access certifications, policy decisions | Audit logs, session recordings | Risk scores, remediation recommendations |
| Integration Role | Source of truth for entitlements | Control point for privileged access | Aggregator and risk layer across all tools |
| Weakness Addressed | Does not score overall risk posture | Does not cover non-privileged or unknown identities | Does not govern or control access (by design) |
Think of it this way: IGA writes the access policy, PAM enforces privileged access controls, and ISPM continuously answers "is what we've configured actually keeping us secure?"
The most mature identity security programs run all three — using ISPM findings to drive IGA remediation campaigns and PAM scope expansion.
The Cyber Insurance Connection
One of the most commercially significant drivers of ISPM adoption in 2025–2026 is the cyber insurance market. Underwriters have dramatically tightened requirements following a string of high-profile identity-based breaches, and identity security posture is now a core underwriting signal.
Specifically, leading insurers are asking for:
- Evidence that MFA is enforced across all users, not just privileged accounts
- Proof that privileged access is managed through a formal PAM program
- Quantified metrics on orphaned account remediation rates
- Identity security scores from recognized platforms as part of annual attestation
This shift has important implications for security teams:
- Security becomes a financial instrument: a better identity security score directly translates to lower premiums and broader coverage
- Board-level language: "our identity security score improved from 62 to 78 this quarter" is more legible to executives than "we completed 94% of our access certifications"
- Third-party validation: insurers increasingly require attestation from an independent ISPM platform rather than self-reported metrics
Organizations that already have an ISPM platform in place can use its scoring reports as direct input to insurance applications. Those without one are beginning to find that their renewal conversations are significantly more difficult.
Vendor Landscape
The ISPM market is young but consolidating quickly. Key players span purpose-built platforms, ITDR vendors expanding their scope, and established IAM vendors adding posture capabilities:
| Vendor | Category | ISPM Approach |
|---|---|---|
| Orchid Security | Pure-play ISPM | Dedicated Identity Security Score, deep NHI coverage, application identity discovery |
| Silverfort | Identity Threat Protection | Agentless posture assessment across all identity infrastructure including legacy systems |
| CrowdStrike Falcon Identity | ITDR with ISPM | Integrates identity posture with endpoint telemetry for unified risk view |
| Microsoft Entra ID Governance | Platform vendor | Secure Score for identity, integrated with M365 ecosystem; limited cross-platform visibility |
| SailPoint Identity Security Cloud | IGA vendor expanding | Access risk analytics and posture reporting built on top of IGA data |
| Tenable One | Exposure management | ISPM as part of a broader exposure management platform, strong cloud IAM coverage |
| Zscaler | Network security expanding | Identity segmentation and posture management tied to Zero Trust Network Access |
Evaluation criteria to consider when selecting an ISPM platform:
- Coverage breadth: does it cover cloud IAM (AWS, Azure, GCP), on-prem AD, SaaS, and NHIs?
- Integration depth: how does it connect to your existing IGA, PAM, and ITSM tools?
- Remediation workflow: automated fix vs. ticket creation vs. advisory only?
- Scoring methodology: is the scoring model transparent and customizable?
- Reporting for insurance: does it produce reports in a format insurers accept?
Building Your ISPM Program: A Phased Approach
ISPM is not a product you deploy once. It is a capability you build incrementally. The following phased approach allows organizations to demonstrate value quickly while building toward full maturity.
Phase 1 — Achieve Visibility (Months 1–3)
The first goal is simply knowing what you have. Deploy discovery integrations with your core identity stores: Active Directory, your primary IdP (Okta, Entra ID, Ping), and your largest cloud environments. Produce an initial identity inventory and dark matter report. The number of orphaned and unmanaged accounts you find will be the first concrete output you can bring to leadership.
Phase 2 — Establish a Baseline Score (Months 3–6)
Configure risk rules against your organization's policies and regulatory requirements. Run your first posture assessment and establish a baseline score. Segment the score by domain so you know whether cloud IAM, SaaS, or on-prem is your weakest area. Use this score as the starting point for trend tracking.
Phase 3 — Drive Remediation (Months 6–12)
Connect ISPM findings to remediation workflows. Integrate with ServiceNow or Jira so that risk findings automatically generate tickets routed to the appropriate team. Start with the highest-severity, lowest-effort remediations: disabling dormant accounts, enforcing MFA on identities that lack it, revoking unused API keys.
Phase 4 — Continuous Operations (Ongoing)
Establish a monthly posture review cadence. Track score changes. Use ISPM findings to prioritize the next cycle of IGA access certifications. Report quarterly to the board and to cyber insurance contacts. Expand discovery coverage as new SaaS applications and cloud accounts are added to the environment.
TIP
If you are just beginning your ISPM journey and don't know where to start, focus on one thing first: Non-Human Identity (NHI) discovery. NHIs now outnumber human identities in most enterprises by a ratio of 10:1 or more, and they are almost always the least governed class of identity. Running an NHI discovery scan against your cloud environments and CI/CD pipelines will immediately surface your highest-risk identity dark matter — and the findings will build the business case for a full ISPM investment.
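As an added example of the NHI discovery scan the tip recommends (not code from the article or any vendor), the script below reads an AWS IAM credential report, the CSV that `aws iam get-credential-report` returns after base64-decoding its `Content` field, and pulls out the non-human identities and their credential risk. The column layout is the real one; the rows, user names, ARNs, account ID and timestamps are constructed. Two heuristics are assumptions made for the example: an IAM user with no console password is treated as an NHI, and an access key is considered overdue after 90 days without rotation.

```python
import csv
import io
from datetime import date, datetime

TODAY = date(2026, 1, 15)   # fixed "now" so the output is deterministic (assumption)
KEY_MAX_AGE_DAYS = 90       # assumed rotation policy for static access keys

# Constructed report in the column layout that `aws iam get-credential-report` emits;
# every user name, ARN, account ID and timestamp below is made up for the example.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-03-10T08:00:00+00:00,not_supported,2025-12-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2023-05-02T14:20:00+00:00,false,N/A,N/A,N/A,false,true,2024-11-01T09:12:33+00:00,2026-01-14T03:11:09+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-report-svc,arn:aws:iam::123456789012:user/legacy-report-svc,2022-02-14T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-03-05T12:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::123456789012:user/dave,2024-01-08T09:00:00+00:00,true,2026-01-13T08:45:00+00:00,2025-10-01T09:00:00+00:00,N/A,true,true,2025-12-20T11:30:00+00:00,2026-01-12T16:02:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
backup-agent,arn:aws:iam::123456789012:user/backup-agent,2023-09-30T07:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-12-01T08:00:00+00:00,2026-01-10T02:00:00+00:00,us-west-2,s3,true,2025-06-15T08:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

def _parse_ts(value: str):
    """The report marks absent values as N/A, no_information or not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value).date()

def load_report(report_csv: str) -> list:
    return list(csv.DictReader(io.StringIO(report_csv)))

def discover_nhis(report_csv: str) -> list:
    """IAM users with no console password are treated as non-human identities (heuristic).
    The root account is excluded: it is neither an NHI nor governable through this report."""
    return [row for row in load_report(report_csv)
            if row["user"] != "<root_account>" and row["password_enabled"] == "false"]

def nhi_findings(report_csv: str, today: date = TODAY) -> list:
    """For every active access key of every NHI: flag keys past the rotation age and keys
    that have never been used (the second key slot left over from a rotation is a common case)."""
    findings = []
    for row in discover_nhis(report_csv):
        for slot in ("1", "2"):
            key = f"access_key_{slot}"
            if row[f"{key}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"{key}_last_rotated"])
            last_used = _parse_ts(row[f"{key}_last_used_date"])
            age = (today - rotated).days if rotated else None
            if age is not None and age > KEY_MAX_AGE_DAYS:
                findings.append({"user": row["user"], "key": key,
                                 "signal": "key-not-rotated", "age_days": age})
            if last_used is None:
                findings.append({"user": row["user"], "key": key,
                                 "signal": "key-never-used", "age_days": age})
    return findings

if __name__ == "__main__":
    print("NHIs:", [r["user"] for r in discover_nhis(SAMPLE_CREDENTIAL_REPORT)])
    for f in nhi_findings(SAMPLE_CREDENTIAL_REPORT):
        print(f"  {f['user']:<18} {f['key']}  {f['signal']:<16} key age {f['age_days']} days")
```

The credential report is a discovery source, not an inventory on its own: it says nothing about who owns each user or what the key is for. In practice the next step is to join each NHI to an owner (for example from IAM user tags via `aws iam list-user-tags`, or from the CI/CD system that consumes the key) so that a finding can be routed, which is exactly the ownerless-service-account pattern the dark matter section describes.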
Key Takeaways
- ISPM is the observability layer for identity security — it answers "how secure are we?" in a way that IGA and PAM cannot.
- Identity dark matter (orphaned, shadow, forgotten accounts) represents 30–40% of the average enterprise's identity population and is the highest-risk, least-governed class.
- The four pillars — Discovery, Risk Assessment, Posture Scoring, and Continuous Monitoring — must work together as a feedback loop, not as isolated functions.
- ISPM is not a replacement for IGA or PAM. It is a complementary visibility layer that makes existing controls more effective.
- Cyber insurance is accelerating adoption: quantified identity security scores are becoming a standard underwriting requirement, making ISPM a direct business enabler.
- Start with NHI discovery: the fastest path to ISPM value is surfacing the non-human identity risk that no existing tool is tracking.
- Gartner's recognition of ISPM as a formal category in 2025 signals that this discipline is moving from emerging to mainstream — organizations that build this capability now will have a meaningful advantage when regulatory requirements and insurance mandates fully crystallize.