
Over the last 60 days, fourteen Fortune 500 CISOs and IAM leaders have told me a variant of the same story: that their IAM programs are under stress; teams are overburdened, while incumbent platform vendors have managed to perfect the art of providing less while charging more. Many of these security leaders told me that they are still stuck with the same number of manual processes as they had three years ago (e.g., access reviews, controls validation, data attestation) while also highlighting (in often colorful language) how PAM and IGA initiatives have gone off the rails. 

We have documented many of these issues before, largely to call attention to what we see as the reasons why companies remain susceptible to rather common identity-based attacks despite spending far more on IAM tooling. (News flash: more tools do not equal better security.)

There’s also an obvious dynamic at the market level that we feel is driving some of the broader dysfunction: mega market consolidation has created a situation where vendor behemoths offer sprawling catalogs of overlapping tools. This is not, in and of itself, a bad thing. More choice is in fact better. But we have seen many situations where teams have ended up licensing multiple tools from the same vendor that essentially do the same thing, each picked up in a different acquisition and never properly integrated. The result is tool proliferation, half-baked implementations, and precious budgets that dwindle over time because the so-called platform-ization effect in IAM never really took off.

Problem One: All Identity Data is Fragmented

One of the first questions I ask every prospect is: “What’s your source of truth about identity?” Rarely, if ever, do I get a concise answer. Every large enterprise we work with manages identity data across dozens (and often hundreds) of disconnected systems. A typical Fortune 500 maintains separate identity stores in Active Directory, HRIS systems, multiple cloud providers, mainframe systems, SaaS apps, and custom applications that don’t play nicely with their IDaaS or PAM tools. Each of these solutions stores different identity data, with slightly different attributes and different schemas, and everything updates on a different schedule. Identity data complexity is a fact of life in the modern enterprise.

But the fragmentation of these IAM programs – compounded by these tool and identity data silos – creates serious problems for overburdened teams. Regulators demand more data to validate existing controls. Teams spend months of manual effort reconciling that data across different systems. The next-gen-ish platforms haven’t delivered on lofty AI-marketing promises, and security teams end up hemorrhaging money on professional services contracts just to maintain the status quo.

Problem Two: Manual Processes Still Pervade Most IAM Teams 

Even the most sophisticated IAM teams still rely on lots of manual effort. Access reviews get exported to Excel and CSV files. Provisioning requests flow through email. Certification campaigns require armies of contractors to chase down application owners.

I’ve seen organizations with multi-million dollar IAM investments where much of the actual work of identity management still happens in spreadsheets. One company I met at Identiverse told me that they had implemented 3 different IGA platforms in 7 years. Their access certification process? Still manual. Their onboarding workflow? Still requires IT to touch seven different systems by hand. 

The manual process trap creates a vicious cycle. Organizations can’t automate because they lack clean data. They can’t get clean data because their processes are manual. And they can’t fix their processes because they’re too busy fighting fires created by manual efforts.
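To make the fragmentation in Problem One and the manual review work in Problem Two concrete, here is an added illustration (not Hydden’s code): three constructed identity stores with assumed field names are joined on a normalised e-mail key, and the script flags the kinds of discrepancies an access review is meant to catch. The record layouts, the 60-day skew threshold and the sample people are all assumptions for the example.

```python
# Added illustration, not Hydden's code: three constructed stores (HRIS feed,
# Active Directory export, SaaS user list) with assumed schemas and different
# refresh dates are joined on e-mail and checked for the gaps between tools.
from datetime import date

# Constructed sample records; field names are assumptions, not a real export.
HRIS = [
    {"employee_id": "E100", "work_email": "ana@example.com", "status": "active", "updated": "2024-05-01"},
    {"employee_id": "E101", "work_email": "bob@example.com", "status": "terminated", "updated": "2024-05-02"},
]
AD = [
    {"sAMAccountName": "ana", "mail": "ana@example.com", "enabled": True, "whenChanged": "2024-04-28"},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "enabled": True, "whenChanged": "2024-03-15"},
    {"sAMAccountName": "svc-backup", "mail": None, "enabled": True, "whenChanged": "2023-01-01"},
]
SAAS = [
    {"user": "Bob@Example.com", "role": "admin", "last_sync": "2024-02-01"},
    {"user": "carol@example.com", "role": "member", "last_sync": "2024-05-03"},
]
DATE_FIELD = {"hris": "updated", "ad": "whenChanged", "saas": "last_sync"}

def key(email):
    """Normalise the join key; stores disagree on case and whitespace."""
    return email.strip().lower() if email else None

def correlate(hris, ad, saas):
    """Build one entry per identity recording what each store says about it."""
    identities = {}
    for r in hris:
        identities.setdefault(key(r["work_email"]), {})["hris"] = r
    for r in ad:  # accounts without a mail attribute fall back to the logon name
        identities.setdefault(key(r["mail"]) or r["sAMAccountName"], {})["ad"] = r
    for r in saas:
        identities.setdefault(key(r["user"]), {})["saas"] = r
    return identities

def find_gaps(identities, max_skew_days=60):
    """Return (identity, issue) pairs that a manual access review is meant to catch."""
    findings = []
    for k, v in identities.items():
        hr, ad, saas = v.get("hris"), v.get("ad"), v.get("saas")
        if hr and hr["status"] == "terminated":
            if ad and ad["enabled"]:
                findings.append((k, "terminated in HRIS but AD account still enabled"))
            if saas:
                findings.append((k, f"terminated in HRIS but still {saas['role']} in SaaS app"))
        if not hr:
            findings.append((k, "no HRIS owner: orphaned or unmanaged service account"))
        stamps = [date.fromisoformat(v[s][DATE_FIELD[s]]) for s in v]  # refresh skew between stores
        if (max(stamps) - min(stamps)).days > max_skew_days:
            findings.append((k, "stores disagree by more than %d days" % max_skew_days))
    return findings
```

Running `find_gaps(correlate(HRIS, AD, SAAS))` on the constructed data reports a terminated employee who is still enabled in AD and still an admin in the SaaS app, two accounts with no HRIS owner, and one identity whose stores are more than 60 days out of step.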

Problem Three: The Professional Services Dependency Cycle

One of the IAM leaders I met with told me openly that he has spent more on certified consultants over the past 5 years than he has on the IGA vendor’s licenses. 

Vendors have little motivation to simplify deployment and configuration when complexity drives their own services revenue as well as their partners’. System integrators build practices around perpetual IAM transformation projects that never finish. And enterprises find themselves locked into multi-year, multi-million-dollar engagements just to keep these systems semi-operational.

The services trap drains budgets and saps willingness to take on anything that seems like multi-year transformation. One CISO last week told me: “Why should I rip out [Gartner MQ PAM vendor] that was deployed well before I got here, despite it only ever being 40% implemented? Customer support is terrible and our features take forever to get addressed on the roadmap. But I don’t want to lose my job with a rip-and-replace project whose effectiveness depends on an army of services consultants. Consultants are hard to hire and maintain. Even if the lighter-weight PAM vendor offers something more modern, that tool hasn’t been built to scale and doesn’t have enough proof points for me to roll it into production. The risk is too high even if the license cost is a fraction of what I’m paying right now.”

Hydden Charts a New Way Forward

These three problems—data fragmentation, manual processes, and unsustainable services costs—form the toxic foundation of modern identity management. After watching Fortune 500s burn millions on implementations that never deliver, seeing security teams drowning in spreadsheets despite massive IAM investments, and hearing vendor after vendor defend business models built on perpetual complexity, we realized the industry needed a fundamentally different approach.

That’s why we built Hydden. We started with the simple premise that most of the identity threats that actually impact IAM teams are hiding in the gaps of existing tools that are partially implemented, poorly configured, and often difficult to maintain. Instead of building yet another next-gen PAM or IGA company, we decided to tackle this problem space at its root: identity data. Security teams ought to be able to continuously discover, visualize, and take action on identity data irrespective of where it resides. Delivering on this promise is our north star.

The urgency couldn’t be clearer. The AI future is here. And agentic systems of tomorrow will demand rock-solid identity foundations to operate safely. Regulatory requirements will intensify as human oversight diminishes. Organizations need continuous, automated governance across every identity transaction—capabilities that today’s IAM platforms, trapped in their services-dependent models, simply cannot deliver.

The IAM industry needs a new foundation—one that turns identity data from a liability into genuine security intelligence. That’s what we’re building at Hydden.

Jai Dargan
