Why You Can’t Have Modern Risk Management Without Identity Discovery

In April 2024, Cloudflare disclosed that attackers accessed its internal Atlassian system using credentials stolen from a third-party vendor account that had not been fully offboarded. The breach was not about zero-days or nation-state malware; it was an identity the company did not know was still active.

This pattern is everywhere. IBM’s Cost of a Data Breach Report 2025 found that 82% of breaches now involve compromised or misused credentials, and over 45% of those incidents involved accounts the organization did not know existed.

If you cannot see every identity in your environment, you are not managing risk. You are leaving doors unlocked and hoping nobody checks the handle.

Identity Has Replaced the Perimeter

The traditional network perimeter is gone. Firewalls, VPN concentrators, and intrusion prevention systems still matter, but they no longer define the edge. Cloud adoption, SaaS sprawl, and hybrid work have redrawn the boundaries.

In 2023, MGM Resorts lost tens of millions in revenue after an attacker gained access via social engineering of an identity provider account. No perimeter firewall could have stopped it because the attacker simply logged in.

Credential-based attacks are cheap, quiet, and often invisible to legacy monitoring. Microsoft’s Digital Defense Report 2025 estimates that password spray and token theft attacks now account for 60% of all initial access attempts in enterprise environments.

The most dangerous identities are not the obvious ones. They are the AWS root key created for a one-time migration in 2021, the “tempadmin” profile a vendor used to troubleshoot production, or the Slack API token sitting in a forgotten GitHub repo. If you cannot name every account with access to critical systems, your risk model is wrong before you start.

Discovery Is More Than Counting Accounts

Many still treat identity discovery as a box to tick during an audit. In 2025, that approach guarantees a miss.

Identities are constantly created and modified: a developer spins up a new CI/CD service account on GitHub Actions, a marketing team trials a SaaS tool that auto-creates admin profiles, or a contractor leaves but their Azure AD account remains active for months.

Continuous discovery means scanning every source (Active Directory, Azure AD, Okta, AWS IAM, GCP, SaaS admin consoles, privileged access vaults, and DevOps pipelines) and flagging:

  • Shadow identities: unapproved accounts created outside IT workflows
  • Dormant accounts: 90+ days of inactivity but still enabled
  • Privilege creep: gradual permission growth without documented need
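The three checks above, run over a constructed inventory merged from several sources, as an added example (not code from the original article); the record fields, the 90-day threshold taken from the text, and the "documented baseline" of approved permissions are assumptions about how such an inventory would be modelled:

```python
from datetime import date, timedelta

SCAN_DATE = date(2025, 9, 1)
DORMANT_DAYS = 90  # threshold from the text: 90+ days of inactivity but still enabled

# Constructed sample inventory merged from several identity sources.
# Field names (source, owner, approved, permissions, last_used) are assumptions.
INVENTORY = [
    {"name": "svc-ci-deploy", "source": "GitHub Actions", "enabled": True, "owner": None,
     "approved": False, "last_used": SCAN_DATE - timedelta(days=3),
     "permissions": {"repo:write", "secrets:read"}},
    {"name": "tempadmin", "source": "Active Directory", "enabled": True, "owner": "vendor-x",
     "approved": True, "last_used": SCAN_DATE - timedelta(days=140),
     "permissions": {"Domain Admins"}},
    {"name": "aws-root-migration", "source": "AWS IAM", "enabled": True, "owner": "platform",
     "approved": True, "last_used": SCAN_DATE - timedelta(days=10),
     "permissions": {"s3:*", "iam:*", "ec2:*"}},
    {"name": "j.doe", "source": "Azure AD", "enabled": True, "owner": "j.doe",
     "approved": True, "last_used": SCAN_DATE - timedelta(days=1),
     "permissions": {"Mail.Read"}},
]
# Permissions each account was documented as needing when it was approved (constructed).
BASELINE = {"tempadmin": {"Domain Admins"}, "aws-root-migration": {"s3:*"},
            "j.doe": {"Mail.Read"}}


def classify(account, baseline, today=SCAN_DATE):
    """Return the discovery findings for one account (empty list if clean)."""
    findings = []
    # Shadow identity: created outside the approval workflow or with no known owner.
    if not account["approved"] or account["owner"] is None:
        findings.append("shadow")
    # Dormant: still enabled but unused for the threshold period.
    if account["enabled"] and (today - account["last_used"]).days >= DORMANT_DAYS:
        findings.append("dormant")
    # Privilege creep: holds permissions beyond the documented baseline.
    documented = baseline.get(account["name"])
    if documented is not None and account["permissions"] - documented:
        findings.append("privilege-creep")
    return findings


def discover(inventory, baseline, today=SCAN_DATE):
    """Map account name -> findings, keeping only accounts that need attention."""
    report = {}
    for account in inventory:
        findings = classify(account, baseline, today)
        if findings:
            report[account["name"]] = findings
    return report
```

The report keeps the owner and source with each record, which is the context the next paragraph calls for: a finding without an owner to route it to is just a longer list.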

In the 2024 Change Healthcare breach, a dormant Citrix account with elevated permissions was the initial access point. It was discovered only after weeks of forensic investigation.

Context is critical. Without knowing who owns an account, what it can access, and how it is used, you are simply generating a longer list of problems you do not have time to fix.

What Breaks Without Discovery

Risk scoring collapses. Gartner’s Risk Management Survey 2025 shows 62% of CISOs admit their risk models do not include all active identities, meaning budget and control investments are misaligned from day one.

Incident response stalls. When Okta investigated its 2023 breach, early containment was slowed because teams had to identify which overlooked service accounts were compromised. Every hour spent discovering accounts after a breach is an hour attackers have to escalate.

Governance gaps widen. In a 2024 audit of a major healthcare network, over 1,200 active accounts were found outside formal review cycles, including accounts with direct EHR database access. None had been in scope for compliance checks.

The Cost of Ignoring the Problem

Unknown identities are not benign. In regulated sectors, they are a compliance red flag. PCI DSS 4.0, HIPAA, and ISO 27001:2025 all require proof of complete, current access inventories.

Operationally, the cost is steep. A 2025 SANS survey found that security teams spend an average of 14% of their total incident response time just identifying the accounts involved, time that continuous discovery, already in place before the incident, would eliminate.

Reputation damage lingers. In 2024, a major European bank’s breach was traced back to an inactive vendor VPN account. Even after remediation, customer churn increased 9% in the quarter following disclosure.

Making Discovery Routine and Actionable

Leaders in identity security, from fintech to healthcare, now treat discovery as a permanent operational function, not a periodic clean-up. In practice that means:

  • Automated scanning across all identity systems, on-premises and in cloud
  • Single source of truth consolidating human and machine identities
  • Real-time change detection for account creation, privilege changes, and ownership updates

Privileged identities get flagged for immediate owner verification and tighter session monitoring. Unapproved accounts are quarantined before they can be used.
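Real-time change detection plus the triage rules in the last paragraph, as an added example that is not from the original article: two constructed snapshots of the consolidated inventory are diffed, and each change is mapped to an action (quarantine, owner verification with session monitoring, or review). The record schema and the set of permissions treated as privileged are assumptions.

```python
# Constructed snapshots of the consolidated inventory from two consecutive scans.
# The record fields (owner, approved, permissions) are assumptions about the schema.
PREVIOUS = {
    "svc-ci-deploy": {"owner": "platform", "approved": True, "permissions": {"repo:write"}},
    "contractor-42": {"owner": "contractor-42", "approved": True, "permissions": {"Mail.Read"}},
}
CURRENT_SCAN = {
    "svc-ci-deploy": {"owner": "platform", "approved": True,
                      "permissions": {"repo:write", "secrets:read"}},
    "contractor-42": {"owner": "security", "approved": True, "permissions": {"Mail.Read"}},
    "trial-admin": {"owner": None, "approved": False, "permissions": {"org:admin"}},
}
# Permissions treated as privileged for triage (constructed list).
PRIVILEGED = {"org:admin", "Domain Admins", "iam:*", "secrets:read"}


def detect_changes(previous, current):
    """Diff two snapshots and return (account, event, action) tuples in a stable order."""
    events = []
    for name in sorted(current.keys() - previous.keys()):
        # New account: quarantine if it bypassed approval, otherwise confirm its owner.
        action = "quarantine" if not current[name]["approved"] else "verify-owner"
        events.append((name, "created", action))
    for name in sorted(previous.keys() - current.keys()):
        # Removal is recorded so the audit trail stays complete.
        events.append((name, "removed", "record"))
    for name in sorted(current.keys() & previous.keys()):
        before, after = previous[name], current[name]
        granted = after["permissions"] - before["permissions"]
        if granted:
            # A privileged grant needs immediate owner verification and session monitoring.
            action = "verify-owner+monitor" if granted & PRIVILEGED else "review"
            events.append((name, "privilege-added:" + ",".join(sorted(granted)), action))
        if after["owner"] != before["owner"]:
            events.append((name, "owner-changed", "verify-owner"))
    return events
```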

The goal is not a longer list. It is zero unknown identities so that risk assessment, incident response, and compliance are built on complete, accurate data.

The Leadership Imperative

Identity discovery is now a baseline security control. Without it, every other safeguard rests on incomplete data.

Unknown identities exist in every enterprise. The only real question is whether you will find them before an attacker does. The organizations leading in 2025 have stopped guessing and made continuous discovery part of their daily security muscle memory.
