A Scoring Layer Needs Something Accurate to Score
Identity Security Posture Management (ISPM) tools evaluate identity hygiene and risk — flagging accounts without MFA, stale privileged access, misconfigurations, and compliance gaps — then prioritize what to fix first. That evaluation logic is genuinely useful, and it depends entirely on one upstream input: an inventory of the identities being evaluated.
That's the quiet problem with posture scoring. An ISPM tool scores whatever identities it or its connected sources already know about. If 30% of the estate — local accounts, orphaned service accounts, unmanaged AI agent credentials — never entered that inventory, the posture score is computed against the other 70% and presented as if it describes the whole estate.
An IVIP is the layer underneath ISPM that makes the inventory it scores actually complete. Continuous discovery, normalization, and correlation aren't a competing form of risk scoring — they're the input risk scoring has always depended on and rarely gets to audit.