
It was the data-driven finding from our initial Cybersecurity Investment Priorities program in 2023 that really hit the home run on the importance of visibility for us. We’d just run a large survey to gauge investment priorities among CISOs and CIOs over the coming year, which had included a deep dive into four specific cybersecurity topics. During the data analysis phase of the research, we correlated the data on how visibility affected prioritization, and the relationship was clear (“self-evident” / “stark” / choose your “oh wow!” word): the better the visibility, the higher the priority. This was one of those post-survey data analysis moments where you see “A-ha!” written all across the spreadsheet and you want to fist-bump the data. The importance of visibility has been a recurring theme throughout our cybersecurity research ever since.
Sometimes, though, visibility is more than just a recurring theme within the research … and takes a starring role in the program itself. That’s the case for our latest report into identity security – with a focus on visibility, governance, and autonomous remediation. Last year we took on the question of MFA posture – which included a visibility angle – but this year the intent was to look much wider than just MFA. This research project has been on the wish list for a long time, and it’s a delight to make it available. Please see Strengthening Identity Security: Visibility, Governance, and Autonomous Remediation, sponsored by Abnormal AI, Constella Intelligence, Enzoic, NinjaOne, and Silverfort.
What’s the big idea underlying this research? IAM – identity and access management – is an established control for managing which identities can access what resources. Few organizations don’t have an IAM system in place in 2025, but even with a mature IAM system, organizations continue to suffer from identity-led and identity-implicated attacks and breaches. IAM was not designed to protect against:
- A threat actor using credentials they compromised through a phishing attack. An IAM system will see the credential pair as valid and give access.
- A threat actor using credentials they purchased from the dark web. Ditto.
- A threat actor bypassing strong IAM controls like MFA through various means, including MFA bombing attacks. An IAM system can’t see whether the MFA approval is from the intended user or a malicious one.
- A threat actor accessing data after compromising a credential because the IAM system is out of date: the employee’s now-compromised credential can still reach data that was validly needed one or two job roles before, because that access has never been revoked. An IAM system effectively shrugs its shoulders, saying “looks fine to me.”
- Malicious changes to identity configurations in order to engineer greater access than what should be allowed.
- … and many others.
Identity-led and identity-implicated attacks are front-and-center across most cyberattacks. Snowflake – check. Colonial Pipeline – check. There’s often an identity component in 80% to 90% of breaches, depending on which study you read.
The lesson … is that IAM is no longer enough. In response to the changing and challenging threat landscape, startups and established vendors alike have been building new layers of identity protections – some to beef up underlying IAM processes directly, and some to create ways of protecting identity protections. Our report looks at identity security solutions in three groupings – visibility (think identity security posture management and the detection of compromised credentials), governance (think identity governance and administration), and autonomous remediation (think identity threat detection and response, and identity platform backup and recovery).
It’s neither a light read nor a short report. It’s 25 pages of hard data and analysis. We’re all about crafting insightful research that impacts organizations, and this program is no different. We want to facilitate the discussions internally within organizations that need to happen about strengthening identity security protections and approaches. If that sounds like your bailiwick, please get a copy.