Start with visibility, not replacement
Most SMEs already run AD, Entra ID, Microsoft 365, VPN access, and shared SaaS administration. ISPM gives them a way to inspect what exists now before committing to bigger governance tooling.
ISPM helps SMEs understand identity risk across Microsoft, cloud, and SaaS estates without starting with a heavyweight IAM programme. IdentityFirst delivers a read-only starting point for internal teams and MSP-supported environments, with first findings in 24 hours.
Smaller organisations still inherit hybrid identity risk, but they rarely have time for a multi-quarter IAM transformation before they can see what is exposed.
A read-only posture review is practical whether security is handled in-house or through a service provider. It creates the evidence base both sides can use to prioritise remediation and ongoing governance.
SMEs usually need clear findings for management, insurance, audit, or customer diligence. That means specific gaps, realistic remediation steps, and links to trust and compliance context rather than vague maturity language.
ISPM addresses the identity risk that already exists inside your environment — not just the risk of new access being granted.
Traditional Identity and Access Management (IAM) tools are built to manage provisioning — they handle joiners, movers, and leavers, and enforce access request workflows. They are forward-looking: designed to ensure that future access is granted correctly.
Identity Security Posture Management (ISPM) is fundamentally different. It looks at what already exists inside your environment: the stale accounts left behind when employees depart, the service accounts with Domain Admin privileges that nobody remembers configuring, the Kerberoastable SPNs with eight-year-old passwords, and the 34% of users who are silently exempt from your MFA policy because of a legacy exception nobody audited.
ISPM works by continuously reading your identity estate — Active Directory, Entra ID, AWS IAM, GCP IAM, Okta, and the other systems that collectively define who has access to what — and applying a structured assessment model to surface, prioritise, and track every material risk.
The discipline rests on five pillars, each of which IdentityFirst addresses directly:
- Enumerate every identity, account, group, service account, and workload identity across all connected systems, including systems that are normally invisible to manual review.
- Evaluate each identity against a structured risk model covering privilege, credential hygiene, activity, federation gaps, and configuration risk.
- Rank findings by blast radius, compliance impact, and likelihood of exploitation, so security teams work on what matters most, not what is easiest to find.
- Deliver step-by-step playbooks for every finding, with estimated effort, ownership assignment, and compliance control mapping.
- Track identity posture continuously, surfacing drift as new accounts are created, privileges are elevated, or policy exceptions accumulate over time.
Three converging pressures have made identity posture management a board-level priority in 2025 and 2026.
Over 80% of breaches now involve compromised credentials, excessive privilege, or identity misconfiguration. Attackers do not hack in — they log in. ISPM is the discipline that ensures that when they try, the attack surface is as small as possible: no stale accounts to pivot through, no Kerberoastable service accounts, no standing Domain Admin sessions to hijack.
NIS2 requires demonstrable access control governance for all operators of essential services. DORA mandates continuous ICT risk management including identity risk. SOC 2 Type II auditors now routinely test privileged access controls, MFA coverage, and access review evidence. Organisations that cannot produce this evidence on demand face audit qualifications, regulatory action, and rising cyber insurance premiums.
A manual Active Directory review that samples 5% of accounts takes weeks, misses service accounts entirely, and produces a report that is outdated before it is delivered. ISPM replaces sampling with complete enumeration — every account, every group membership, every SPN — and runs continuously, so drift is caught within days rather than discovered in next year's audit.
IdentityFirst assesses eight core risk domains across every connected identity source.
- Stale accounts: accounts inactive for 90+ days, departed employees still in Active Directory, and disabled accounts that retain group memberships and SPN registrations.
- Standing privilege: Domain Admin, Schema Admin, and Global Admin memberships; accounts with Tier-0 access that should be on JIT elevation; privilege creep from historical group additions.
- Kerberos and delegation: Kerberoastable SPNs using RC4-HMAC encryption, AS-REP roastable accounts, unconstrained and constrained delegation scope, and Resource-Based Constrained Delegation (RBCD) risks.
- MFA and authentication: privileged accounts without phishing-resistant MFA, Conditional Access policy exclusions, legacy authentication protocols that bypass MFA, and SSPR with weak recovery factors.
- Service accounts: non-human identities with interactive logon rights, service accounts with never-expiring passwords, and orphaned service accounts no longer attached to any running service.
- Cloud IAM: AWS root account usage, over-permissive IAM policies (AdministratorAccess attached to users), GCP service accounts with project-wide Owner bindings, and Okta admin federation gaps.
- Compliance mapping: every finding mapped to NIS2, DORA, SOC 2 CC6 series, ISO 27001:2022, Cyber Essentials Plus, and NCSC CAF controls, with specific remediation evidence for each framework.
- Blast radius: for each finding, IdentityFirst calculates the theoretical blast radius, that is, how many downstream systems and identities are reachable from the compromised account, weighted by Tier-0/1/2 privilege.
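To make the risk domains above concrete, here is an added example (not IdentityFirst's code) of the kind of structured checks such a model applies to Active Directory account data, followed by a tier-weighted ranking. The bit values for userAccountControl and msDS-SupportedEncryptionTypes are the real AD ones; the account records, the tier weights, and the `mfaEnforced` field are constructed for illustration.

```python
# Added example: posture checks over constructed AD-style account records.
from datetime import datetime, timedelta, timezone

# Real userAccountControl / msDS-SupportedEncryptionTypes bit values.
ACCOUNTDISABLE, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH = 0x0002, 0x10000, 0x400000
AES_ETYPES = 0x08 | 0x10                       # AES128-CTS | AES256-CTS
TIER0_GROUPS = {"Domain Admins", "Schema Admins", "Enterprise Admins"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are stable

def find_risks(acct):
    """Return (finding, weight) pairs for one account; weights are illustrative."""
    uac, groups = acct["userAccountControl"], set(acct.get("memberOf", []))
    has_spn = bool(acct.get("servicePrincipalName"))
    risks = []
    if not uac & ACCOUNTDISABLE and NOW - acct["lastLogon"] > timedelta(days=90):
        risks.append(("stale account (no logon in 90+ days)", 2))
    if uac & ACCOUNTDISABLE and groups:
        risks.append(("disabled account still holds group memberships", 1))
    # An SPN whose supported etypes include no AES value is RC4-only and Kerberoastable.
    if has_spn and not acct.get("msDS-SupportedEncryptionTypes", 0) & AES_ETYPES:
        risks.append(("Kerberoastable SPN without AES (RC4-only)", 3))
    if uac & DONT_REQ_PREAUTH:
        risks.append(("AS-REP roastable (pre-authentication not required)", 3))
    if has_spn and uac & DONT_EXPIRE_PASSWORD:
        risks.append(("service account with never-expiring password", 2))
    if groups & TIER0_GROUPS and not acct.get("mfaEnforced", False):  # constructed field
        risks.append(("Tier-0 member without enforced MFA", 4))
    return risks

def score(acct):
    """Blast-radius proxy: Tier-0 x3, other '*Admins' groups (Tier-1) x2, else x1."""
    groups = set(acct.get("memberOf", []))
    tier = 3 if groups & TIER0_GROUPS else 2 if any(g.endswith("Admins") for g in groups) else 1
    return tier * sum(w for _, w in find_risks(acct))

# Constructed sample records (not real data).
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/db01:1433"], "msDS-SupportedEncryptionTypes": 0x4,
     "lastLogon": NOW - timedelta(days=3), "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "jsmith", "userAccountControl": DONT_REQ_PREAUTH,
     "lastLogon": NOW - timedelta(days=200), "memberOf": []},
    {"sAMAccountName": "old_admin", "userAccountControl": ACCOUNTDISABLE,
     "lastLogon": NOW - timedelta(days=400), "memberOf": ["Server Admins"]},
]

def ranked_findings(accounts=ACCOUNTS):
    """Rank accounts highest score first: a ranked list rather than a flat dump."""
    rows = [(a["sAMAccountName"], score(a), [f for f, _ in find_risks(a)]) for a in accounts]
    return sorted(rows, key=lambda r: -r[1])
```

Running `ranked_findings()` puts the Tier-0 RC4-only service account first, ahead of the AS-REP roastable stale user and the disabled admin that still holds a group membership.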
Four stages from connector setup to board-ready report — all read-only, all in 24 hours.
1. Day 1: Read-only connectors to 9+ supported identity sources: Active Directory via LDAP, Entra ID via Microsoft Graph, AWS IAM, GCP IAM, Okta, Google Workspace, CrowdStrike, SailPoint, and more. No agents. No write permissions. Connector health is verified before any data is processed.
2. Day 1–2: IdentityFirstMRI™ scans your entire identity estate, applying 40+ risk checks across every enumerated identity. Kerberos security, delegation scope, MFA coverage, SPN encryption, stale accounts, and cloud IAM posture are all evaluated in a single pipeline run.
3. Day 2: Every finding is scored by the Identity Coverage Ratio (ICR), IdentityFirst's composite posture metric, weighted by blast radius (how far a compromise would propagate), Tier-0/1/2 privilege level, and mapped compliance impact. Your security team gets a ranked list, not a flat dump of findings.
4. Day 2–3: A board-ready PDF report with executive summary, ICR score with industry benchmark, top 10 findings with blast radius analysis, compliance gap mapping across NIS2/DORA/SOC 2/ISO 27001, and a prioritised remediation playbook with step-by-step guidance and estimated effort for each finding.
Traditional IAM and ISPM serve different purposes. Here is how they compare across the dimensions that matter most to security teams.
| Capability | Traditional IAM | IdentityFirst ISPM |
|---|---|---|
| Discovery scope | New access requests only | Complete enumeration — every account, SPN, group, app, service account |
| Existing risk visibility | Limited or manual sampling | Automated — 40+ checks across all connected sources |
| Blast radius analysis | Not supported | Per-finding blast radius weighted by Tier-0/1/2 privilege |
| Board reporting | Operational dashboards only | Board-ready PDF with ICR score, top findings, compliance mapping |
| Time to first findings | Weeks (manual review) or never | 24 hours from connector setup |
| Production impact | Writes required for governance | Zero — entirely read-only |
Straight answers to the questions we hear most often about Identity Security Posture Management.
Identity Security Posture Management (ISPM) is the continuous practice of discovering, assessing, and reducing identity-related risk across your entire technology estate. Unlike traditional IAM tools that focus on provisioning, ISPM focuses on what already exists — the accumulated risk from stale accounts, excessive privileges, misconfigurations, and unmonitored service accounts — and provides the visibility needed to prioritise and remediate it.
IdentityFirst connects read-only to your identity systems and delivers initial findings within 24 hours of connector setup. A full IdentityFirstMRI™ scan typically surfaces 40 or more categorised findings, prioritised by blast radius and compliance impact. The board-ready PDF report is available within 24–48 hours.
No. IdentityFirst operates entirely read-only via API connectors to your existing identity systems. No agents are installed, no changes are made to your production environment, and no write permissions are required. Connector setup requires read-only API credentials or service accounts only. During the scoping process, we specify the exact minimum permissions required for each platform in scope.
IdentityFirst maps every finding to relevant controls across NIS2, DORA, SOC 2 Type II, ISO 27001:2022, Cyber Essentials Plus, and the NCSC CAF. Each finding includes the specific control reference, gap description, and recommended remediation step. The compliance mapping is included in the board report and can be filtered by framework for auditor evidence packs.
Privileged Access Management (PAM) is a control tool: it manages and vaults privileged credentials and brokers privileged sessions. Identity Security Posture Management (ISPM) is an assessment and visibility layer: it discovers what privileged access exists, identifies where PAM controls are absent or bypassed, and surfaces the risk of standing privilege across your entire estate.
ISPM and PAM are complementary: ISPM tells you where PAM needs to be applied — and surfaces the gaps in your existing PAM deployment (accounts that should be vaulted but are not, service accounts outside PAM scope, admin accounts that bypass session management).
Yes, if the scope stays practical. Most SMEs do not need a heavyweight IAM replacement before they can improve identity visibility. A read-only ISPM approach gives internal teams and MSPs a clear starting point: which privileged accounts exist, where MFA coverage is weak, which stale accounts remain active, and what should be fixed first.
That is why IdentityFirst starts with assessment-led visibility. It lets an SME prove where the risk sits before deciding how much ongoing governance process or tooling is actually justified.
Explore a public representative IdentityFirstMRI assessment report, or book a live demo to see how ISPM maps to your actual identity estate.
Read-only • No agents • First findings in 24 hours • UK-hosted & ICO registered