The Identity Data Problem

Jai Dargan
Jai Dargan
CEO & Co-Founder
March 31, 2026
5 min read
the-identity-data-problem-featured.png

I've been in enough identity program reviews to understand how numbers and key performance indicators for Privileged Access Management (PAM) programs get built. Someone assembles a list at kickoff, derived from AD exports, critical applications and maybe a few other sources. Most people quietly know that this number is probably inaccurate in large measure because enterprise infrastructure is constantly changing. And three years later the coverage percentage on the QBR slide is a fraction of a denominator that stopped being accurate a long time ago.

Continuous visibility of all privileged accounts is a prerequisite to making any PAM implementation successful. For too long, programs and controls have been built around misleading inventories that remained static while technology infrastructure did not.

How batch syncs creates the gap

A batch sync extracts data from source systems on a fixed schedule, loads it into the governance platform, and runs controls against that snapshot. The problem? That snapshot is stale a second after its written. Accounts get provisioned, roles get modified, services spin up, and the governance platform has no mechanism to see any of it until the next extraction runs. This was a defensible architectural choice when identity events were infrequent and the estate was primarily human accounts in Active Directory. That world is gone. Modern environments generate identity events continuously and across a myriad of other source-of-truth systems beyond the IdP.

The result is a governance record that reflects the past yet displays it as the present. The gap between those two things is where the exposure lives.

What's actually in the gap

The same categories appear in every environment. Database accounts provisioned directly by DBAs, often without a ticket, frequently without an expiration date anyone actually intended to honor. Local administrator rights catalogued at imaging time and not revisited since, sitting outside the governance program for years with no current owner attached to them. Service accounts accumulated across reorgs and leadership transitions, many of them effectively ownerless, still running on credentials that were never rotated because rotating them risked breaking something nobody fully understood anymore. And now AI agent service principals, which authenticate independently, receive short-lived OAuth tokens, access resources, and complete sessions before the next sync even runs.

These represent a substantial portion of the actual privileged access estate in nearly every enterprise environment in which we've worked. they tend to carry the longest-lived, least-rotated credentials for exactly this reason: nothing has been actively watching them. Some of these accounts predate the last two CISOs. Nobody revisited them because, frankly, nobody particularly wanted to find out what they were connected to. That last point is worth sitting with. The accounts most likely to carry dangerous, stale credentials are precisely the ones the governance program never reached. The ones the batch-sync model made invisible, and invisible things don't generate findings, and things that don't generate findings don't get fixed.

What incomplete data does to your controls

An access review run against a dataset missing these categories certifies what the dataset contains. The certifier sees what's in front of them but they don't see the service account provisioned last Tuesday outside the workflow, and they don't see the database account with admin rights that nobody onboarded. They approve what's there and generate the compliance artifact. When the rational action and the thorough action both point to the same outcome, the rational action wins. The artifact, for what it's worth, usually looks excellent.

PAM programs stall the same way. The 40% completion figure is measured against the target list, which doesn't include what the sync couldn't see, and the program closes as a success against a denominator that was never accurate. Access reviews certify a partial view. Detection fires on what was logged. Governance programs satisfy auditors while leaving the ungoverned portion ungoverned. These are are the predictable output of building controls on an incomplete foundation.

Why AI agents closed the window on deferring this

An AI agent session can begin, access resources across multiple systems, and complete before a batch extraction cycle even registers it. The governance record will simply never capture it. If your IGA tool syncs nightly and your agent credentials expire in five minutes, you are not governing agent identity. You are governing the record of a service principal that once existed. That is a meaningfully different thing.

What fixing it actually requires

We spent the first two years hammering on the data problem before we built a single governance, security, or access control. The goal: ensure that the underlying data layer is always complete, current, and reconciled across every connected system. The denominator problem is only solvable if you actually know what the denominator is.

The controls we're building now run on that foundation. Access reviews, policy generation, risk detection, provisioning reflect the actual environment as it exists, and not last night's snapshot.

Data first, controls second. It's not the sequence that produces the best demo. It is the only sequence that produces a result worth trusting.

Share
Jai Dargan

Jai Dargan

CEO & Co-Founder

Identity visionary and Co-Founder of Hydden. Former strategy leader at industry giants with decades of experience closing the gaps in enterprise identity security.

Stay Ahead of Identity Security Threats

Get the latest insights on identity governance, zero trust, and cybersecurity delivered to your inbox.

Hydden Logo

Hydden, Inc.

1701 Rhode Island Ave NW, 4th Floor

Washington, DC 20036

SOC 2 Type 2 Certified

Stay Updated

Sign up to be the first to know about important company and product updates

© 2026 Hydden Inc. All rights reserved.Privacy PolicyTerms of Service