Orchid Security is changing how enterprises handle identity governance by starting at the source - the application itself. Its Identity-First Security Orchestration platform pulls identity data directly from application code into governance systems. The result is less fragmentation, faster onboarding, and fewer blind spots across the application estate.
Confronting Identity Dark Matter
Application onboarding has always been a sticking point for IAM. Shadow IT, legacy apps, and missing documentation make it tough to keep an accurate inventory. Every patch, policy change, or IAM update adds more blind spots. Orchid calls this “identity dark matter” - the unmanaged apps and credentials that sit outside governance tools. Its latest snapshot shows that dark matter already makes up nearly half of the average enterprise estate, a problem set to grow as AI agents bypass traditional joiner-mover-leaver models.
Roy Katmor, co-founder and CEO of Orchid Security, told ChannelE2E why the traditional onboarding model is broken: “Most IGA onboarding starts with questionnaires and interviews. App owners are asked to explain how identities work in their systems, even when they don’t have the full picture or access to the code. It’s slow, manual, and often incomplete despite best efforts. For enterprise customers, this process takes four weeks - at times, longer. We’re changing that paradigm. Instead of asking people, we ask the app. By analyzing the binaries, we see every identity, account, and access path as they actually exist. No guessing. No endless back-and-forth.”
This shift creates an accurate baseline to govern from, reduces friction between app owners and security teams, and gets applications into the IAM stack much faster. The payoff is not just efficiency, but stronger compliance and fewer blind spots.
Extending Governance to AI Agents
The problem of identity dark matter is about to expand as enterprises adopt AI agents that act with real authority but don’t map to human identity lifecycles. Left unmanaged, they can create a shadow layer of access with little accountability.
Katmor explained the risk: “AI agents don’t fit the old joiner-mover-leaver mold. They are not employees, but they act with real authority. If left unmanaged, they can create a shadow layer of access, especially when an operator and its companion agent are not aligned on permissions or when audit trails cannot tell them apart.”
To prevent this, Orchid is extending its infrastructure to treat agentic credentials with the same rigor as human or service accounts, including credentials used by MCP-based AI agents. “We are enabling clear attribution of every AI-driven action, scoped authorization tied to human operators, and audit trails that distinguish between human and AI activity,” Katmor said. “The goal is to let organizations adopt MCP-based agents without eroding compliance or creating hidden access.”
Opening New Opportunities for Service Providers
Orchid’s application-first approach isn’t just a fit for enterprises - it also creates differentiation for MSSPs and GSIs building managed identity practices. Traditional service models often stop at provisioning IAM tools, leaving the most complex integration work to customers. With Orchid, providers can reach deeper into the application estate.
MSPs and GSIs can use Orchid’s application-level discovery to move beyond surface-level identity coverage and uncover where identity dark matter actually hides, Katmor noted. “By starting at the application itself, they can onboard legacy or complex systems that were previously out of reach, prioritize what they uncover based on risk, and bring applications into governance frameworks faster. That means less operational drag for customers and fewer blind spots left unaddressed.”
The benefits go beyond efficiency. By providing a more accurate foundation, service providers can deliver higher-value offerings tied to governance and compliance outcomes rather than just tool management.
The Identity Control Plane Advantage
Orchid is positioning its platform as an “Identity Control Plane,” unifying managed and unmanaged identities in a single view sourced directly from applications. For service providers, that opens the door to services beyond basic IAM hosting and administration.
“Orchid acts as an Identity Control Plane, giving MSPs and GSIs a single view of both managed and unmanaged identities across the customer’s application estate, direct from the source,” Katmor said. “That visibility unlocks a range of new services beyond basic hosting and management of IAM tools, including continuous application security assessment, complex identity governance, audit readiness, incident response support, and identity risk management services.”
By accelerating app onboarding, prioritizing by risk, and enabling continuous compliance monitoring, service providers can deliver a new tier of governance and risk services that build deeper trust with customers. For enterprises, it translates into reduced risk, lower costs, and the ability to govern even the newest identity types - human or machine.