Orchid Launches Identity Audit to Illuminate the Dark Matter of Enterprise Identity Activity

Orchid Security

Feb 5, 2026


Offers ground-truth insight straight from the application binary, speeding application prioritization, onboarding and governance

Alarming data shows 46% of enterprise identity activity occurs outside centralized IAM visibility  

New York – February 5, 2026 – Orchid Security, the company bringing clarity and control to the complexity of enterprise identity, today unveiled Identity Audit, the industry’s first complete picture of identity activity. By combining proprietary audit data captured inside unmanaged applications with audit logs from governed IAM systems, Orchid provides a unified view of identity behavior and business context across the entire application estate, including gaps where centralized identity controls stop - identity dark matter. The result is a provable, end-to-end understanding of how identities are actually used, their intent, and the risks they introduce across both managed and unmanaged applications.

According to Orchid’s analysis of enterprise environments, as much as 46% of enterprise identity activity occurs outside centralized identity and access management (IAM) visibility, spanning overlooked applications, local user accounts, unmanaged permissions, and opaque authentication paths. These growing blind spots - what Orchid refers to as identity dark matter - are invisible to traditional IAM tools. Identity Audit enables organizations to pull back the veil on this activity, and for the first time, teams can fully understand how identity is utilized (as well as coded) and why across the broader landscape.

The Identity Dark Matter Problem

Enterprise identity has reached a critical inflection point as modern enterprises operate hundreds or thousands of applications, each with its own authentication and authorization logic. While IAM platforms govern a portion of this environment, a growing share of identity activity remains embedded directly in application code, infrastructure, and service-to-service interactions, outside centralized visibility and governance. This gap is rapidly widening with the proliferation of non-human identities (NHI) and agentic AI, which are non-governed by design and increasingly operate beyond traditional IAM controls. 

With identity dark matter, identity usage exists without ownership, enforcement, or auditability. As a result, security and governance teams often rely on partial IAM data, documentation reviews, and owner attestations when responding to audits, regulatory requirements, board inquiries, or security incidents - shortcuts that provide an incomplete and frequently inaccurate picture of real identity behavior.

“This ‘identity dark matter’ represents the critical disparity between an organization’s intended security policy and the actual effective access that should exist and be the primary goal of most IAM programs. In the complex landscape of modern cybersecurity, this silent but pervasive threat lurks,” explains Lawrence Pingree, head of data security and AI research at Software Analyst Cyber Research. “Despite massive investment in Identity Access Management (IAM), organizations still often remain vulnerable. The ‘front door’ is locked, but attackers are bypassing it entirely through unmanaged, invisible vectors, often introduced through code or entitlements.” 

Pingree added, “Orchid’s Identity Audit surfaces identity activity as it occurs directly inside applications and across unmanaged environments, allowing organizations to distinguish real from expected behavior. This insight can help organizations reduce risk and strengthen governance, finally bringing accountability to areas of identity that have historically gone unseen.”

Key Findings from Early Deployments

Across initial deployments, Orchid Security has found that:

  • 85% of applications have accounts from legacy or external domains; 20% of these are consumer email domains
  • 70% of applications have excessive access privileges; 60% grant broad admin or API access to external third parties
  • 40% of all accounts across applications were found to be orphaned, reaching 60% in some cases

With Orchid Security’s Identity Audit, organizations can now answer critical questions that were previously unprovable:

  1. Is least privilege actually enforced in practice, or only documented in policy while unused permissions quietly accumulate?

  2. Can you prove that identities - human and non-human - are removed, rotated, or suspended when they should be, across every application?

  3. When auditors or executives ask how identity is governed end-to-end, are you answering with evidence or inference and user attestation?

“Identity decisions are only as good as the data behind them,” said Roy Katmor, co-founder and CEO at Orchid Security. “For years, teams have been making high-stakes decisions based on fragments of information. Our new capability delivers a cross-estate Identity Audit that shows not just how IAM is implemented, but how identity is actually used in practice across every application, providing real-world visibility into who or what is acting, including agentic AI, the intent behind each action, and the true privilege being exercised. This complete context becomes the data foundation teams need to make confident identity decisions, and Orchid’s platform turns that insight into action with no-code remediation by orchestrating changes across the existing IAM stack.”

How Identity Audit Works 

Identity Audit applies Orchid’s observability principles to identity, shifting identity from static configuration into continuous, runtime insight. Rather than inferring risk solely from policies and integrations, Orchid observes identity behavior as it unfolds directly within the application.

The new capability expands Orchid observability by surfacing rich application-level telemetry on identity activity, including logins (successful or not), logouts, Joiner/Mover/Leaver changes, and more. By extrapolating insights from this newly generated audit stream, Orchid unlocks visibility directly from applications, not just from IAM tools limited to integrated apps. The result is a complete, end-to-end view of identity usage across the enterprise - not just what happened, but why. 

By uncovering patterns, anomalies, and associated risks, Orchid enables teams to move beyond visibility into true identity observability. Signals are enriched with LLM-powered analytics, turning raw telemetry into intent-based intelligence, for deep, actionable insights at machine speed and scale, which traditional identity tools cannot see. 

With Identity Audit, organizations can:

  • Gain a complete view of identity activity by collecting telemetry on all identity utilization, human and machine, directly from each application, whether managed or unmanaged by your IAM stack.
  • Enforce least privilege with confidence by monitoring real identity activity across all applications and confirming whether accounts actually use the access they’ve been granted.
  • Identify and eliminate orphaned accounts by detecting inactive or unused accounts and correlating them with existing IAM and HR systems to confirm ownership, reducing both compliance risk and attack surface.
  • Accelerate incident investigation and response by tracing identity behavior across applications to understand how compromised human or machine identities authenticate, move laterally, and access sensitive systems.
  • Verify security control adoption by monitoring all authentication activity—local or managed—to ensure required controls such as SSO, MFA, and strong password policies are actually being used.
  • Shrink audit prep from months to minutes by continuously generating compliance evidence mapped to major regulatory frameworks, removing the manual burden of traditional audits.

Together, these capabilities provide a unified, continuously updated view of identity activity across the enterprise, enabling security and governance teams to answer critical questions with certainty during audits, incidents, and executive reviews.

“Identity dark matter is where attackers hide and where audits fail,” said Katmor. “As identity becomes the control plane for the enterprise, including its AI and cloud-native systems, complete visibility - and thus control and governance - is no longer optional. It’s essential.”

To learn more about Orchid Security’s identity audit capabilities or to request a demo, visit https://www.orchid.security/platform.

About Orchid Security

Orchid Security sees straight into application code to deliver the industry’s first Identity Control Plane, transforming IAM complexity into clarity, compliance and control. Its Identity-First Security Orchestration platform continuously discovers enterprise applications, analyzes their native authentication and authorization flows, and accelerates onboarding into governance systems—cutting months of manual work into a single click. By exposing and remediating the ‘identity dark matter’ hidden across modern environments, Orchid helps enterprises reduce risk, lower operational costs and achieve compliance at scale. Backed by Intel Capital and Team8, Orchid leverages observability, automation and large language models to unify fragmented identity operations. Global organizations rely on Orchid to, among other things, modernize identity governance, accelerate IGA adoption and secure the next generation of applications and AI agents.

Media Contact

Chloe Amante

Montner Tech PR

camante@montner.com
