Public website surface: marketing and explanation content. This is not the canonical authenticated runtime; the canonical runtime is app.identityfirst.net.
Identity Security Posture Management for SMEs

ISPM helps SMEs understand identity risk across Microsoft, cloud, and SaaS estates without starting with a heavyweight IAM programme. IdentityFirst MRI delivers a read-only starting point for internal teams and MSP-supported environments, with first findings in 24 hours for standard supported scopes.

Read-only, no agents  •  First findings in 24 hours  •  Cyber Essentials certified  •  Launch-core connectors first
SME Focus

Why identity security posture management matters for SMEs

Smaller organisations still inherit hybrid identity risk, but they rarely have time for a multi-quarter IAM transformation before they can see what is exposed.

Start with visibility, not replacement

Most SMEs already run AD, Entra ID, Microsoft 365, VPN access, and shared SaaS administration. ISPM gives them a way to inspect what exists now before committing to bigger governance tooling.

Works with lean internal teams or an MSP

A read-only posture review is practical whether security is handled in-house or through a service provider. It creates the evidence base both sides can use to prioritise remediation and ongoing governance.

Produces evidence people can use

SMEs usually need clear findings for management, insurance, audit, or customer diligence. That means specific gaps, realistic remediation steps, and links to trust and compliance context rather than vague maturity language.

Definition

What is Identity Security Posture Management?

ISPM addresses the identity risk that already exists inside your environment — not just the risk of new access being granted.

Traditional Identity and Access Management (IAM) tools are built to manage provisioning — they handle joiners, movers, and leavers, and enforce access request workflows. They are forward-looking: designed to ensure that future access is granted correctly.

Identity Security Posture Management (ISPM) is fundamentally different. It looks at what already exists inside your environment: the stale accounts left behind when employees depart, the service accounts with Domain Admin privileges that nobody remembers configuring, the Kerberoastable SPNs with eight-year-old passwords, and the 34% of users who are silently exempt from your MFA policy because of a legacy exception nobody audited.

For IdentityFirst, the public starting point is MRI: a read-only assessment across supported identity sources that applies a structured model to surface, prioritise, and explain material risk. Broader continuous monitoring and deeper workflow remain later-tier conversations rather than the default public promise.

The discipline rests on five pillars, each of which IdentityFirst addresses directly:

Discovery

Enumerate every identity, account, group, service account, and workload identity across all connected systems — including systems that are normally invisible to manual review.

Assessment

Evaluate each identity against a structured risk model covering privilege, credential hygiene, activity, federation gaps, and configuration risk.

Prioritisation

Rank findings by blast radius, compliance impact, and likelihood of exploitation — so security teams work on what matters most, not what is easiest to find.

Follow-up

Deliver prioritised next steps, estimated effort, and ownership guidance so teams know what to review first without implying autonomous action.

Repeat Review

Support repeat assessment and drift conversations over time, while keeping the public MRI promise anchored to read-only assessment and evidence-backed reporting.

Why It Matters

Why ISPM Matters Now

Three converging pressures have made identity posture management a board-level priority in 2025 and 2026.

Identity Is the Primary Attack Surface

Over 80% of breaches now involve compromised credentials, excessive privilege, or identity misconfiguration. Attackers do not hack in — they log in. ISPM is the discipline that ensures that when they try, the attack surface is as small as possible: no stale accounts to pivot through, no Kerberoastable service accounts, no standing Domain Admin sessions to hijack.

Compliance Pressure Is Accelerating

NIS2 requires demonstrable access control governance for all operators of essential services. DORA mandates continuous ICT risk management including identity risk. SOC 2 Type II auditors now routinely test privileged access controls, MFA coverage, and access review evidence. Organisations that cannot produce this evidence on demand face audit qualifications, regulatory action, and rising cyber insurance premiums.

Manual Reviews Miss Too Much

A manual Active Directory review that samples 5% of accounts takes weeks, misses service accounts entirely, and produces a report that is outdated before it is delivered. ISPM replaces sampling with complete enumeration — every account, every group membership, every SPN — and runs continuously, so drift is caught within days rather than discovered in next year's audit.

Coverage

What ISPM Covers

IdentityFirst assesses eight core risk domains across every connected identity source.

Stale & Departed Accounts

Accounts inactive for 90+ days, departed employees still in Active Directory, and disabled accounts that retain group memberships and SPN registrations.

Privileged Access Review

Standing Domain Admin, Schema Admin, and Global Admin memberships. Accounts with Tier-0 access that should be on JIT elevation. Privilege creep from historical group additions.

Kerberos Security

Kerberoastable SPNs using RC4-HMAC encryption, AS-REP roastable accounts, unconstrained and constrained delegation scope, and Resource-Based Constrained Delegation (RBCD) risks.

MFA Coverage Gaps

Privileged accounts without phishing-resistant MFA, Conditional Access policy exclusions, legacy authentication protocols that bypass MFA, and SSPR with weak recovery factors.

Service Account Governance

Non-human identities with interactive logon rights, service accounts with never-expiring passwords, orphaned service accounts no longer attached to any running service.

Cloud IAM Posture

AWS root account usage, over-permissive IAM policies, Okta admin federation gaps, and other cloud-identity issues where supported evidence is in scope.

Compliance Mapping

Findings can be carried into relevant framework conversations such as NIS2, DORA, SOC 2, ISO 27001, Cyber Essentials Plus, and the NCSC CAF where the agreed report pack supports that view.

Blast Radius Analysis

For each finding, IdentityFirst calculates the theoretical blast radius: how many downstream systems and identities are reachable from the compromised account — weighted by Tier-0/1/2 privilege.
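To make the structured risk model and the tier-weighted prioritisation concrete, here is an added illustration (not IdentityFirst's code; the check identifiers, severities, tier group mapping and blast-radius weights are assumptions) that applies a handful of the checks above to a constructed directory export and returns a ranked action list:

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now"; every record below is constructed
TIER0_GROUPS = {"Domain Admins", "Schema Admins", "Global Administrator"}   # assumed tier mapping
TIER1_GROUPS = {"Server Operators", "Exchange Admins"}
TIER_WEIGHT = {0: 100, 1: 30, 2: 5}   # assumed blast-radius weight per privilege tier
AES_BITS = 0x8 | 0x10                 # AES128 | AES256 bits of msDS-SupportedEncryptionTypes

@dataclass
class Account:
    name: str
    enabled: bool = True
    last_logon: datetime | None = None
    groups: set = field(default_factory=set)
    spns: list = field(default_factory=list)   # a registered SPN marks a service account here
    enc_types: int = 0                # 0 = attribute unset, so only RC4-HMAC is advertised
    pwd_last_set: datetime | None = None
    pwd_never_expires: bool = False
    mfa_enforced: bool = True

def tier(a: Account) -> int:
    return 0 if a.groups & TIER0_GROUPS else 1 if a.groups & TIER1_GROUPS else 2
def assess(a: Account, now: datetime = NOW) -> list:
    """Apply the posture checks to one account; each finding is (check_id, severity 1-3)."""
    def older(ts, days):  # None means never/unknown, which is flagged too
        return ts is None or now - ts > timedelta(days=days)
    checks = [
        (a.enabled and older(a.last_logon, 90), "stale-90d", 2),
        (not a.enabled and bool(a.groups), "disabled-retains-groups", 1),
        (bool(a.spns) and not a.enc_types & AES_BITS, "spn-rc4-only", 3),  # Kerberoastable, RC4 negotiable
        (bool(a.spns) and older(a.pwd_last_set, 365), "spn-old-password", 2),
        (bool(a.spns) and a.pwd_never_expires, "svc-password-never-expires", 1),
        (tier(a) < 2 and not a.mfa_enforced, "privileged-no-mfa", 3),
    ]
    return [(cid, sev) for hit, cid, sev in checks if hit]
def prioritise(accounts: list, now: datetime = NOW) -> list:
    """Rank accounts by summed severity weighted by tier (a blast-radius proxy), highest first."""
    ranked = [(a.name, tier(a), sum(s for _, s in fs) * TIER_WEIGHT[tier(a)], [c for c, _ in fs])
              for a in accounts if (fs := assess(a, now))]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

SAMPLE = [  # constructed records; prioritise(SAMPLE) -> svc_sql (600), admin-old (500), jsmith (5)
    Account("svc_sql", last_logon=NOW - timedelta(days=2), spns=["MSSQLSvc/db01:1433"],
            groups={"Domain Admins"}, pwd_last_set=NOW - timedelta(days=8 * 365), pwd_never_expires=True),
    Account("jsmith", enabled=False, last_logon=NOW - timedelta(days=400), groups={"Finance"}),
    Account("admin-old", last_logon=NOW - timedelta(days=120), groups={"Global Administrator"}, mfa_enforced=False),
    Account("alice", last_logon=NOW - timedelta(days=1)),
]
```

A Tier-0 service account with a Kerberoastable SPN outranks a disabled finance user even though the latter also has a finding, which is the "blast radius first, not easiest first" ordering the Prioritisation pillar describes.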

How It Works

How IdentityFirst Delivers ISPM

Four stages from connector setup to an evidence-backed report pack — MRI stays read-only and standard scopes often produce first findings within 24 hours.

1. Connect (Day 1)

Read-only connectors to the public launch-core set first: Entra ID, Okta, Google Workspace, and AWS IAM with CloudTrail enrichment. Qualified extensions such as Active Directory are agreed explicitly. No agents. No write permissions.

2. Assess (Day 1–2)

IdentityFirstMRI™ assesses the identity sources in scope and returns evidence-backed findings across the supported review areas. The exact checks and depth depend on the connectors and environment agreed for the assessment.

3. Prioritise (Day 2)

Findings are prioritised by blast radius, privilege level, and evidence-backed context so your team gets a ranked action list, not a flat dump of issues. Any scoring shown should be read as part of the agreed report pack, not as a generic promise of universal benchmarking.

4. Report (Day 2–3)

An evidence-backed report pack with executive summary, top findings, blast-radius context, and prioritised next steps. Final output format and any framework or board-oriented view depend on the agreed delivery scope.

Comparison

ISPM vs Traditional IAM Tools

Traditional IAM and ISPM serve different purposes. Here is how they compare across the dimensions that matter most to security teams.

Capability               | Traditional IAM                      | IdentityFirst ISPM
Discovery scope          | New access requests only             | Evidence-backed review across the identity sources agreed in scope
Existing risk visibility | Limited or manual sampling           | Automated findings across supported connectors in scope
Blast radius analysis    | Not supported                        | Per-finding blast radius weighted by Tier-0/1/2 privilege
Board reporting          | Operational dashboards only          | Evidence-backed executive and board-oriented reporting where included in the agreed pack
Time to first findings   | Weeks (manual review) or never       | Often within 24 hours of supported connector setup
Production impact        | Writes required for governance       | Zero — entirely read-only

FAQ

ISPM — Common Questions

Straight answers to the questions we hear most often about Identity Security Posture Management.

What is Identity Security Posture Management (ISPM)?

Identity Security Posture Management (ISPM) is the continuous practice of discovering, assessing, and reducing identity-related risk across your technology estate. Unlike traditional IAM tools that focus on provisioning, ISPM focuses on what already exists — the accumulated risk from stale accounts, excessive privileges, misconfigurations, and unmonitored service accounts — and provides the visibility needed to prioritise and remediate it. For IdentityFirst, the public starting point is the read-only MRI assessment.

How long does an ISPM assessment take?

IdentityFirst connects read-only to your identity systems and often delivers initial findings within 24 hours of supported connector setup. A full IdentityFirstMRI™ assessment returns an evidence-backed findings set with prioritised next actions. Final report format and delivery timing depend on the agreed scope.

Does ISPM require agents or production changes?

No. IdentityFirst operates entirely read-only via API connectors to your existing identity systems. No agents are installed, no changes are made to your production environment, and no write permissions are required. Connector setup requires read-only API credentials or service accounts only. During the scoping process, we specify the exact minimum permissions required for each platform in scope.

Which compliance frameworks does ISPM support?

IdentityFirst can frame findings against relevant controls across NIS2, DORA, SOC 2 Type II, ISO 27001:2022, Cyber Essentials Plus, and the NCSC CAF. The exact compliance mapping and evidence view depend on the agreed report pack rather than a blanket public promise.

What is the difference between ISPM and PAM?

Privileged Access Management (PAM) is a control tool — it manages and vaults privileged credentials and brokers the sessions that use them. Identity Security Posture Management (ISPM) is an assessment and visibility layer — it discovers what privileged access exists, identifies where PAM controls are absent or bypassed, and surfaces the risk of standing privilege across your entire estate.

ISPM and PAM are complementary: ISPM tells you where PAM needs to be applied — and surfaces the gaps in your existing PAM deployment (accounts that should be vaulted but are not, service accounts outside PAM scope, admin accounts that bypass session management).

Is ISPM realistic for SMEs and lean security teams?

Yes, if the scope stays practical. Most SMEs do not need a heavyweight IAM replacement before they can improve identity visibility. A read-only ISPM approach gives internal teams and MSPs a clear starting point: which privileged accounts exist, where MFA coverage is weak, which stale accounts remain active, and what should be fixed first.

That is why IdentityFirst starts with assessment-led visibility. It lets an SME prove where the risk sits before deciding how much ongoing governance process or tooling is actually justified.

See ISPM in Action

Explore a public representative IdentityFirstMRI assessment report, or book a live demo to see how ISPM maps to your actual identity estate.


Read-only  •  No agents  •  Standard scopes often show first findings within 24 hours  •  UK-hosted & ICO registered