Nearly half of all identity activity in enterprise environments occurs completely outside the visibility of centralised IAM systems. That’s not a theoretical risk estimate — it’s what Orchid Security found when analysing real enterprise environments, and it’s the finding that underpins the launch of their Identity Audit capability.

If your IAM programme is only seeing 54% of what’s actually happening with identities in your organisation, the question isn’t whether you have a problem. The question is how bad it already is.

What Is Identity Dark Matter?

The term identity dark matter — borrowed from astrophysics — refers to the vast layer of identity activity that exists but cannot be observed through conventional IAM tools. It lives in application code, embedded credentials, service-to-service interactions, local accounts, and the growing sprawl of non-human identities (NHIs) that operate autonomously across enterprise infrastructure.

Modern enterprises run hundreds, often thousands, of applications, each with its own authentication and authorisation logic. Many were built before zero trust was a priority. Some authenticate via hardcoded API keys. Others use local service accounts that bypass centralised SSO entirely, so their logins never produce an event in the identity provider. All of these create identity activity that is real, consequential, and invisible to your SIEM, your IGA platform, and your PAM solution unless the application itself is instrumented.

The proliferation of NHIs — service accounts, API tokens, robotic process automation bots, and increasingly, agentic AI systems — is accelerating the problem. These identities are ungoverned by design: they were created to get a job done, not to satisfy an audit, and no onboarding step ever registered them with the IAM platform. And they’re multiplying far faster than any security team can manually track.

Why This Matters for Compliance and Incident Response

The practical consequences of identity dark matter go beyond theoretical risk exposure. When regulators call, or an incident occurs, security teams are forced to rely on partial IAM data, documentation that may be years out of date, and attestations from application owners who genuinely don’t know what their systems are doing at the identity layer.

This isn’t a failure of diligence — it’s a structural problem. Traditional IAM tools were built to govern the identities they know about. They have no mechanism to discover, let alone govern, the identities they don’t. The result is a growing gap between an organisation’s intended security policy and the actual effective access that exists across its application estate.

Closing the Gap

Orchid Security’s Identity Audit approach — combining proprietary audit data captured inside unmanaged applications with logs from governed IAM systems — represents a meaningful step towards full identity visibility. The goal is a unified view of identity behaviour and business context across the entire application estate, not just the portion that’s already under management.

For NHI security practitioners, the message is direct: your governance programme is only as good as your discovery capability. If you can’t see a service account, an API token, or an agent identity, you cannot govern it, audit it, or protect it. Investing in identity visibility infrastructure isn’t a nice-to-have — it’s the prerequisite for everything else. (Source: Orchid Security)
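As an added illustration of the discovery gap described above (hardcoded keys and local service accounts living inside applications, and the point that governance depends on discovery), here is a small Python example written for this page. It is not Orchid Security's tooling or method. It reconciles a hypothetical governed-identity inventory, as an IGA or SSO platform might export it, against identities observed in constructed application config files and application-local auth logs, and reports the ungoverned remainder. Every account name, path, secret value and log line is made up, and the regexes are deliberately narrow so the logic stays readable.

```python
"""Added example: find identity activity that a governed IAM inventory does not
cover, using constructed application configs and local auth logs.

Nothing here is Orchid Security's code. All data is fabricated for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical inventory exported from the IGA/SSO platform (what IAM "knows").
GOVERNED = {"alice@corp.example", "bob@corp.example", "svc-payroll-sync"}

# Hypothetical application config files, as pulled from a repo or a host.
CONFIGS = {
    "reporting/app.env": (
        "DB_HOST=db.internal\n"
        "DB_USER=svc_reports\n"
        "DB_PASSWORD=hunter2\n"
        "STRIPE_API_KEY=sk_test_FAKE1234567890abcdef\n"
    ),
    "etl/settings.ini": (
        "[auth]\n"
        "service_account = etl-runner\n"
        "token = ghp_FAKEtokenvalue000000000000000000000\n"
    ),
}

# Hypothetical application-local auth logs that are never forwarded to the SIEM.
LOG_LINES = [
    "2024-03-01T02:10:11Z app=reporting event=login principal=svc_reports method=password result=ok",
    "2024-03-01T02:10:12Z app=reporting event=login principal=alice@corp.example method=sso result=ok",
    "2024-03-01T03:00:00Z app=etl event=token_auth principal=etl-runner method=static_token result=ok",
    "2024-03-01T03:05:00Z app=etl event=token_auth principal=legacy-admin method=static_token result=ok",
]

# Account-name keys and secret-bearing keys commonly seen in app config.
ACCOUNT_KEYS = re.compile(r"^\s*(?:DB_USER|service_account|username|user)\s*=\s*(\S+)", re.I | re.M)
SECRET_KEYS = re.compile(r"^\s*(\w*(?:KEY|TOKEN|PASSWORD|SECRET)\w*)\s*=\s*(\S+)", re.I | re.M)
PRINCIPAL = re.compile(r"\bprincipal=(\S+)")
APP = re.compile(r"\bapp=(\S+)")


@dataclass(frozen=True)
class Observation:
    identity: str  # account name, or "<path>:<key>" for an anonymous secret
    source: str    # file path or application that produced the evidence
    kind: str      # embedded_account | embedded_secret | log_principal


def discover_identities(configs, log_lines):
    """Collect every identity visible in config files and local auth logs."""
    seen = set()
    for path, text in configs.items():
        for m in ACCOUNT_KEYS.finditer(text):
            seen.add(Observation(m.group(1), path, "embedded_account"))
        for m in SECRET_KEYS.finditer(text):
            # A bare secret is an identity with no named owner. Record it by
            # key name only; the secret value itself is never stored or shown.
            seen.add(Observation(f"{path}:{m.group(1)}", path, "embedded_secret"))
    for line in log_lines:
        p = PRINCIPAL.search(line)
        if p:
            app = APP.search(line)
            seen.add(Observation(p.group(1), app.group(1) if app else "?", "log_principal"))
    return seen


def dark_matter(governed, observations):
    """Return (ungoverned observations, fraction of observed identity names IAM can see)."""
    names = {o.identity for o in observations}
    ungoverned = {o for o in observations if o.identity not in governed}
    coverage = len(names & governed) / len(names) if names else 1.0
    return ungoverned, coverage


if __name__ == "__main__":
    obs = discover_identities(CONFIGS, LOG_LINES)
    unknown, cov = dark_matter(GOVERNED, obs)
    print(f"IAM sees {cov:.0%} of observed identities; {len(unknown)} observations are ungoverned:")
    for o in sorted(unknown, key=lambda o: (o.kind, o.identity)):
        print(f"  [{o.kind}] {o.identity} (seen in {o.source})")
```

Two design points carry over to real tooling: secrets are reported by where they live and what key held them, never by value, so the discovery output is itself safe to store; and coverage is computed over distinct identity names, so the same service account seen in both a config file and a log line counts once. A real run would replace the constructed dictionaries with an export from the IGA platform and a crawl of the application estate.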