The identity visibility gap

Olav Helland

December 18, 2025


Why organizations underestimate real identity risk

An identity visibility gap is emerging in the identity layer, creating significant risk. Many see the warning signs, but few address them systematically. Here, I explain why this happens, and what you can do to reduce risk and waste in identity and cloud environments.

What is the identity visibility gap?

The identity visibility gap is the difference between how identities, access, and devices are intended to function in processes and documentation, and how they actually function in day-to-day operations.

  • Accounts remain after employees leave or projects end.

  • App consents and role assignments persist even when solutions are no longer used.

  • Devices that do not meet compliance requirements are still used for sign-ins.

On the surface, structures appear orderly. Beneath that lies a layer of historical residue and deviations that few have full oversight of. This is often where identity risk hides.

Why does the gap emerge?

The identity visibility gap arises because identities, access, and devices are managed across systems and teams, without a unified view.

Fragmented ownership

HR handles onboarding and offboarding. IT manages devices. Cloud and application teams assign access within the platforms and systems they own. Security monitors signals. Risk and compliance follow up on deviations.

In addition to users, organizations manage non-human identities such as app and service principals, service accounts, and device identities for PCs and mobile devices.

Everyone does their part, but gaps quickly emerge at the handovers between teams and across these identity types.

Lack of a unified overview

Identity data lives in the identity platform, for example Microsoft Entra ID. Device status and compliance requirements live in device management, for example Intune. License and usage data lives in the productivity platform, for example Microsoft 365. Activity data lives within each individual application.

When this information is not viewed together, even simple questions become time-consuming to answer:

  • Who is actually active right now?

  • Which access is necessary and appropriate given current roles?

  • Which devices fail compliance requirements but are still used for sign-ins?

The identity visibility gap is further amplified by technical debt, manual processes, and legacy tools that are unable to provide a unified view of identities, devices, and access. Many environments remain shaped by silo-based solutions that were never designed for today’s pace of change.

When reality outruns routines

Routines fall behind reality because identities, access, and devices are managed across different parts of the organization without a shared operational view, while the organization itself keeps changing: role descriptions change, projects start and end, and new teams are formed.

At the same time, layers of groups, nested groups, and inherited permissions accumulate, granting more access than necessary. Automation creates identities that are never used, and access is rarely removed when the underlying need disappears.

The consequence is that the governance view leaders rely on becomes outdated compared to actual usage and activity.

Why does this matter?

Lack of visibility makes security, cost control, compliance, and daily operations more demanding. You cannot secure what you cannot see. You cannot optimize what you do not understand.

The industry is shifting

Analysts point to the need for holistic insight across identities, access, and devices. In 2025, Gartner highlighted Identity Visibility and Intelligence Platforms (IVIP) in its Hype Cycle for Digital Identity as a category that consolidates IAM-relevant data into a consistent view and adds an intelligence layer on top of existing tools.

The point is to make visibility a prerequisite for effective identity governance, not an optional feature.

So what can you do?

Here are four practical steps to gain better control over identities. You do not need to start big. Take concrete steps that strengthen identity control and build continuous visibility.

  1. Establish a unified view

Real control over identities requires insight into what actually happens, not just what processes and structures suggest. You need to know who is active, which access is used, and which devices are signing in. When identities, activity, and device status are viewed together, risk becomes visible: redundant identities, expanded access, and devices that should never have been allowed access. Without a holistic view, governance is based on assumptions.

  2. Ensure good identity hygiene

Identity environments degrade quickly without regular follow-up. Establish mechanisms to remove inactive or purposeless identities, limit privileged access to what is strictly necessary, and ensure that app and service identities have a clear owner and lifecycle. Good identity hygiene reduces the attack surface before it becomes exploitable.

  3. Clarify ownership and establish clear frameworks

Effective identity governance requires clear ownership and decision-making structures. Each identity type must have one accountable function, and groups, roles, and access should be described in ways that make them understandable and comparable across systems. When it is clear who can grant access, register applications, and change critical permissions, access governance becomes more consistent and less vulnerable to errors and misuse.

  4. Monitor what actually matters

Monitoring must capture what changes risk. Respond to unauthorized privileged access, non-compliant devices, and identities or applications with anomalous activity. A small number of clear indicators provide the best control when they have defined thresholds and clear accountability.
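The four steps above, and the three questions under "Lack of a unified overview", come down to one operation: join the user, device, sign-in, and app-identity data that normally sit in separate consoles, then derive a few indicators with thresholds and an accountable owner. The script below is an added example and not code from the article or from any vendor. Its records are constructed inline; their shape is loosely modelled on what identity-platform exports (such as Microsoft Graph) return, but the field names and the 90-day inactivity threshold are assumptions for illustration, not a verified schema.

```python
"""Join identity, device and activity data into one view and derive risk
indicators. Added example; all records below are constructed sample data
and the field names are assumptions, not a real export schema."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 12, 18, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
INACTIVE_DAYS = 90                                 # assumed threshold for "inactive"

# --- constructed sample exports ---------------------------------------------
USERS = [
    {"id": "u1", "upn": "anna@example.com", "accountEnabled": True, "lastSignIn": "2025-12-15T08:00:00Z"},
    {"id": "u2", "upn": "bjorn@example.com", "accountEnabled": True, "lastSignIn": "2025-06-01T08:00:00Z"},
    {"id": "u3", "upn": "svc-legacy@example.com", "accountEnabled": True, "lastSignIn": None},
]
DEVICES = [
    {"id": "d1", "displayName": "LAPTOP-ANNA", "isCompliant": True},
    {"id": "d2", "displayName": "LAPTOP-OLD", "isCompliant": False},
]
SIGN_INS = [
    {"userId": "u1", "deviceId": "d1", "createdDateTime": "2025-12-15T08:00:00Z"},
    {"userId": "u1", "deviceId": "d2", "createdDateTime": "2025-12-16T09:30:00Z"},  # active user, non-compliant device
]
SERVICE_PRINCIPALS = [
    {"id": "sp1", "displayName": "HR-Sync", "owners": ["u1"], "lastSignIn": "2025-12-10T00:00:00Z"},
    {"id": "sp2", "displayName": "Pilot-2023", "owners": [], "lastSignIn": "2023-11-01T00:00:00Z"},  # orphaned
]


def _parse(ts):
    """ISO-8601 with trailing Z -> aware datetime; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def inactive_users(users=USERS, now=NOW, days=INACTIVE_DAYS):
    """Enabled accounts with no sign-in inside the window, or none at all.
    Answers 'who is actually active right now?' from the identity export alone."""
    cutoff = now - timedelta(days=days)
    out = []
    for u in users:
        if not u["accountEnabled"]:
            continue
        last = _parse(u["lastSignIn"])
        if last is None or last < cutoff:
            out.append(u["upn"])
    return out


def noncompliant_device_signins(sign_ins=SIGN_INS, devices=DEVICES, users=USERS):
    """Sign-ins that came from devices failing compliance. This needs the
    device export joined to the sign-in log; neither console shows it alone."""
    by_device = {d["id"]: d for d in devices}
    by_user = {u["id"]: u for u in users}
    hits = []
    for s in sign_ins:
        dev = by_device.get(s["deviceId"])
        if dev is not None and not dev["isCompliant"]:
            hits.append((by_user[s["userId"]]["upn"], dev["displayName"]))
    return hits


def orphaned_service_principals(sps=SERVICE_PRINCIPALS, now=NOW, days=INACTIVE_DAYS):
    """App/service identities with no owner or no recent activity, with the
    reason(s) each one was flagged."""
    cutoff = now - timedelta(days=days)
    out = []
    for sp in sps:
        last = _parse(sp["lastSignIn"])
        no_owner = not sp["owners"]
        stale = last is None or last < cutoff
        if no_owner or stale:
            reasons = [r for r, flag in (("no-owner", no_owner), ("inactive", stale)) if flag]
            out.append((sp["displayName"], reasons))
    return out


def risk_indicators():
    """A small set of indicators, each with a threshold and an accountable
    function (owners are assumed role names for illustration)."""
    findings = {
        "inactive_users": (len(inactive_users()), 0, "HR / identity team"),
        "noncompliant_device_signins": (len(noncompliant_device_signins()), 0, "Device management"),
        "orphaned_service_principals": (len(orphaned_service_principals()), 0, "Application owners"),
    }
    return {
        name: {"count": count, "threshold": limit, "breached": count > limit, "owner": owner}
        for name, (count, limit, owner) in findings.items()
    }


if __name__ == "__main__":
    for name, ind in risk_indicators().items():
        state = "BREACHED" if ind["breached"] else "ok"
        print(f"{name}: {ind['count']} (threshold {ind['threshold']}) {state} -> {ind['owner']}")
```

In a real environment the three constructed lists would be replaced by exports from the identity platform, device management, and sign-in logs, and the thresholds and owners would come from the ownership decisions in step 3; the joins themselves do not change.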

Organizations must take an active approach

The identity visibility gap is not a temporary deviation. It is a structural challenge in modern cloud environments where data and responsibilities are distributed.

The earlier organizations acknowledge this, the easier it becomes to build robust identity governance with lower risk, stronger compliance, and more predictable operations.

Tie indicators to clear responsibility: who responds when thresholds are breached, how quickly, and with what expected outcome. That is when indicators move from being numbers to becoming concrete action.