
Identity Security Posture Management — Know Where You Stand

ISPM is the practice of continuously discovering, assessing and reducing identity risk across every system in your estate. IdentityFirst delivers it read-only, in 24 hours.

Read-only  •  No agents  •  First findings in 24 hours  •  Cyber Essentials certified  •  14+ identity source connectors
Definition

What is Identity Security Posture Management?

ISPM addresses the identity risk that already exists inside your environment — not just the risk of new access being granted.

Traditional Identity and Access Management (IAM) tools are built to manage provisioning — they handle joiners, movers, and leavers, and enforce access request workflows. They are forward-looking: designed to ensure that future access is granted correctly.

Identity Security Posture Management (ISPM) is fundamentally different. It looks at what already exists inside your environment: the stale accounts left behind when employees depart, the service accounts with Domain Admin privileges that nobody remembers configuring, the Kerberoastable SPNs with eight-year-old passwords, and the 34% of users who are silently exempt from your MFA policy because of a legacy exception nobody audited.

ISPM works by continuously reading your identity estate — Active Directory, Entra ID, AWS IAM, GCP IAM, Okta, and the other systems that collectively define who has access to what — and applying a structured assessment model to surface, prioritise, and track every material risk.

The discipline rests on five pillars, each of which IdentityFirst addresses directly:

Discovery

Enumerate every identity, account, group, service account, and workload identity across all connected systems — including systems that are normally invisible to manual review.

Assessment

Evaluate each identity against a structured risk model covering privilege, credential hygiene, activity, federation gaps, and configuration risk.

Prioritisation

Rank findings by blast radius, compliance impact, and likelihood of exploitation — so security teams work on what matters most, not what is easiest to find.

Remediation

Deliver step-by-step playbooks for every finding, with estimated effort, ownership assignment, and compliance control mapping.

Monitoring

Track identity posture continuously — surfacing drift as new accounts are created, privileges are elevated, or policy exceptions accumulate over time.

Why It Matters

Why ISPM Matters Now

Three converging pressures have made identity posture management a board-level priority in 2025 and 2026.

Identity Is the Primary Attack Surface

Over 80% of breaches now involve compromised credentials, excessive privilege, or identity misconfiguration. Attackers do not hack in — they log in. ISPM is the discipline that ensures that when they try, the attack surface is as small as possible: no stale accounts to pivot through, no Kerberoastable service accounts, no standing Domain Admin sessions to hijack.

Compliance Pressure Is Accelerating

NIS2 requires demonstrable access control governance for all operators of essential services. DORA mandates continuous ICT risk management including identity risk. SOC 2 Type II auditors now routinely test privileged access controls, MFA coverage, and access review evidence. Organisations that cannot produce this evidence on demand face audit qualifications, regulatory action, and rising cyber insurance premiums.

Manual Reviews Miss Too Much

A manual Active Directory review that samples 5% of accounts takes weeks, misses service accounts entirely, and produces a report that is outdated before it is delivered. ISPM replaces sampling with complete enumeration — every account, every group membership, every SPN — and runs continuously, so drift is caught within days rather than discovered in next year's audit.

Coverage

What ISPM Covers

IdentityFirst assesses eight core risk domains across every connected identity source.

Stale & Departed Accounts

Accounts inactive for 90+ days, departed employees still in Active Directory, and disabled accounts that retain group memberships and SPN registrations.

Privileged Access Review

Standing Domain Admin, Schema Admin, and Global Admin memberships. Accounts with Tier-0 access that should be on JIT elevation. Privilege creep from historical group additions.

Kerberos Security

Kerberoastable SPNs using RC4-HMAC encryption, AS-REP roastable accounts, unconstrained and constrained delegation scope, and Resource-Based Constrained Delegation (RBCD) risks.

MFA Coverage Gaps

Privileged accounts without phishing-resistant MFA, Conditional Access policy exclusions, legacy authentication protocols that bypass MFA, and SSPR with weak recovery factors.

Service Account Governance

Non-human identities with interactive logon rights, service accounts with never-expiring passwords, orphaned service accounts no longer attached to any running service.

Cloud IAM Posture

AWS root account usage, over-permissive IAM policies (AdministratorAccess attached to users), GCP service accounts with project-wide Owner bindings, and Okta admin federation gaps.

Compliance Mapping

Every finding mapped to NIS2, DORA, SOC 2 CC6 series, ISO 27001:2022, Cyber Essentials Plus, and NCSC CAF controls — with specific remediation evidence for each framework.

Blast Radius Analysis

For each finding, IdentityFirst calculates the theoretical blast radius: how many downstream systems and identities would be reachable if that account were compromised — weighted by Tier-0/1/2 privilege.
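As an added illustration (not IdentityFirst's code and not its IdentityMRI checks), the following Python runs a handful of the read-only posture checks listed above over a constructed in-memory account inventory: stale logon, SPN accounts that still permit RC4-HMAC, the pre-authentication exemption that makes an account AS-REP roastable, never-expiring service-account passwords, and standing Tier-0 membership. The Tier-0 group set, the tier weights and the sample accounts are assumptions, and the ranking is a simplified stand-in for the ICR prioritisation, not IdentityFirst's formula.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE, NORMAL_ACCOUNT = 0x2, 0x200                 # userAccountControl bits
DONT_EXPIRE_PASSWD, DONT_REQ_PREAUTH = 0x10000, 0x400000    # pre-auth not required = AS-REP roastable
RC4_HMAC = 0x4                                              # msDS-SupportedEncryptionTypes bit
TIER0_GROUPS = {"Domain Admins", "Schema Admins", "Enterprise Admins"}   # assumed Tier-0 set
TIER_WEIGHT = {0: 10, 2: 1}        # illustrative weights, not IdentityFirst's ICR model

@dataclass
class Account:
    sam: str
    uac: int
    last_logon: datetime
    spns: list = field(default_factory=list)
    enc_types: int = 0      # 0/unset treated as RC4-eligible: a conservative assumption
    groups: set = field(default_factory=set)

def assess(acct, now, stale_days=90):
    """Read-only posture checks for one account; returns (finding, tier) pairs."""
    tier = 0 if acct.groups & TIER0_GROUPS else 2
    findings = []
    if now - acct.last_logon > timedelta(days=stale_days):
        findings.append("stale")
    if acct.spns and (acct.enc_types == 0 or acct.enc_types & RC4_HMAC):
        findings.append("kerberoastable_rc4")   # SPN registered and RC4-HMAC still allowed
    if acct.uac & DONT_REQ_PREAUTH:
        findings.append("asrep_roastable")
    if acct.spns and acct.uac & DONT_EXPIRE_PASSWD:
        findings.append("svc_pwd_never_expires")
    if tier == 0 and not acct.uac & ACCOUNTDISABLE:
        findings.append("standing_tier0")       # permanent Tier-0 membership instead of JIT
    return [(f, tier) for f in findings]

def prioritise(accounts, now):
    """Rank every finding so Tier-0 issues surface first (assumed weights)."""
    rows = [(TIER_WEIGHT[t], a.sam, f) for a in accounts for f, t in assess(a, now)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample inventory; every account, SPN and date here is made up
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("svc_sql", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, NOW - timedelta(days=3),
            spns=["MSSQLSvc/db01.example.test:1433"], groups={"Domain Admins"}),
    Account("jdoe", NORMAL_ACCOUNT, NOW - timedelta(days=120)),
    Account("legacy_app", NORMAL_ACCOUNT | DONT_REQ_PREAUTH, NOW - timedelta(days=10), enc_types=0x18),
]

if __name__ == "__main__":
    print(*prioritise(SAMPLE, NOW), sep="\n")
```

In a real deployment the inventory would come from a read-only LDAP or Graph query, with the same attributes (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes, lastLogonTimestamp, group membership) feeding the same checks.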

How It Works

How IdentityFirst Delivers ISPM

Four stages from connector setup to board-ready report — all read-only, all in 24 hours.

1. Connect (Day 1)

Read-only connectors to 14+ production-ready identity sources: Active Directory via LDAP, Entra ID via Microsoft Graph, AWS IAM, GCP IAM, Okta, Google Workspace, CrowdStrike, SailPoint, and more. No agents. No write permissions. Connector health verified before any data is processed.

2. Assess (Day 1–2)

IdentityMRI™ scans your entire identity estate, applying 40+ risk checks across every enumerated identity. Kerberos security, delegation scope, MFA coverage, SPN encryption, stale accounts, and cloud IAM posture are all evaluated in a single pipeline run.

3. Prioritise (Day 2)

Every finding is scored by the Identity Coverage Ratio (ICR) — IdentityFirst's composite posture metric — weighted by blast radius (how far a compromise would propagate), Tier-0/1/2 privilege level, and mapped compliance impact. Your security team gets a ranked list, not a flat dump of findings.

4. Report (Day 2–3)

A board-ready PDF report with executive summary, ICR score with industry benchmark, top 10 findings with blast radius analysis, compliance gap mapping across NIS2/DORA/SOC 2/ISO 27001, and a prioritised remediation playbook with step-by-step guidance and estimated effort for each finding.

Comparison

ISPM vs Traditional IAM Tools

Traditional IAM and ISPM serve different purposes. Here is how they compare across the dimensions that matter most to security teams.

Capability               | Traditional IAM                  | IdentityFirst ISPM
Discovery scope          | New access requests only         | Complete enumeration — every account, SPN, group, app, service account
Existing risk visibility | Limited or manual sampling       | Automated — 40+ checks across all connected sources
Blast radius analysis    | Not supported                    | Per-finding blast radius weighted by Tier-0/1/2 privilege
Board reporting          | Operational dashboards only      | Board-ready PDF with ICR score, top findings, compliance mapping
Time to first findings   | Weeks (manual review) or never   | 24 hours from connector setup
Production impact        | Writes required for governance   | Zero — entirely read-only

FAQ

ISPM — Common Questions

Straight answers to the questions we hear most often about Identity Security Posture Management.

What is Identity Security Posture Management (ISPM)?

Identity Security Posture Management (ISPM) is the continuous practice of discovering, assessing, and reducing identity-related risk across your entire technology estate. Unlike traditional IAM tools that focus on provisioning, ISPM focuses on what already exists — the accumulated risk from stale accounts, excessive privileges, misconfigurations, and unmonitored service accounts — and provides the visibility needed to prioritise and remediate it.

How long does an ISPM assessment take?

IdentityFirst connects read-only to your identity systems and delivers initial findings within 24 hours of connector setup. A full IdentityMRI™ scan typically surfaces 40 or more categorised findings, prioritised by blast radius and compliance impact. The board-ready PDF report is available within 24–48 hours.

Does ISPM require agents or production changes?

No. IdentityFirst operates entirely read-only via API connectors to your existing identity systems. No agents are installed, no changes are made to your production environment, and no write permissions are required. Connector setup requires read-only API credentials or service accounts only. During the scoping process, we specify the exact minimum permissions required for each platform in scope.

Which compliance frameworks does ISPM support?

IdentityFirst maps every finding to relevant controls across NIS2, DORA, SOC 2 Type II, ISO 27001:2022, Cyber Essentials Plus, and the NCSC CAF. Each finding includes the specific control reference, gap description, and recommended remediation step. The compliance mapping is included in the board report and can be filtered by framework for auditor evidence packs.

What is the difference between ISPM and PAM?

Privileged Access Management (PAM) is a control tool — it manages and vaults privileged credentials and brokers privileged sessions. Identity Security Posture Management (ISPM) is an assessment and visibility layer — it discovers what privileged access exists, identifies where PAM controls are absent or bypassed, and surfaces the risk of standing privilege across your entire estate.

ISPM and PAM are complementary: ISPM tells you where PAM needs to be applied — and surfaces the gaps in your existing PAM deployment (accounts that should be vaulted but are not, service accounts outside PAM scope, admin accounts that bypass session management).

See ISPM in Action

Explore a real IdentityMRI assessment report — no sign-up required — or book a live demo to see how ISPM works on your actual identity estate.


Read-only  •  No agents  •  First findings in 24 hours  •  UK-hosted & ICO registered