Every major vendor in identity security — from SailPoint to CyberArk to Okta — operates on the same premise: that you already know what you're securing. For mid-market companies, that premise is wrong. And vendors have every reason to keep it that way.
Identity security is a $15+ billion market. It includes some of the most sophisticated software in enterprise technology: governance platforms, privileged access vaults, threat detection engines, authorization graphs, identity providers. The engineering is real. The problems these tools solve are real.
The issue is sequencing. Every tool in the category solves a downstream problem while assuming the upstream prerequisite — complete application visibility — is already in place.
It isn't. Not in most mid-market companies. And the vendors selling into these environments know it.
Five Categories, One Shared Assumption
The identity security market has organized itself into five distinct tool categories. They compete with each other on features, pricing, and deployment complexity. What they don't compete on is the foundational assumption they all share.
MFA and authentication platforms (Duo, Okta) secure user authentication. They require multi-factor verification, support passwordless login, and enforce adaptive authentication policies. What they assume: users are authenticating through systems you control, and applications are integrated with your identity provider. When your engineering team authenticates directly to fifteen cloud services outside your IdP, Duo doesn't see those authentications. The multi-factor requirement doesn't apply to applications that haven't been connected to your MFA platform.
IGA platforms (SailPoint, Saviynt, One Identity) govern identity lifecycle management, access reviews, role-based access control, and compliance reporting. What they assume: you have a complete application inventory and every application can integrate with centralized provisioning. SailPoint governs the applications you've integrated with SailPoint. If your actual environment has 180 applications but only 60 are integrated, SailPoint governs 60. The quarterly access reviews it produces certify complete coverage of an incomplete scope.
PAM solutions (CyberArk and similar platforms) vault privileged credentials, monitor privileged sessions, and enforce just-in-time access. What they assume: privileged access happens through infrastructure IT manages — servers, databases, network devices. In 2025, most privileged access in mid-market companies is in SaaS applications: Stripe admin, AWS console, GitHub admin, HubSpot admin, Salesforce system administrator. These admin accounts aren't vaulted. CyberArk doesn't see when someone with Stripe admin access exports payment records, because that access never passed through a PAM vault.
ITDR and authorization platforms (Veza, CrowdStrike Identity Security) build authorization graphs mapping who can do what across which systems, detect anomalous identity behavior, and enforce least privilege. Veza is explicit about what its authorization graph does: it maps permissions across connected systems. The graph is only as complete as the systems connected to it. Shadow IT applications that aren't nodes in the graph don't appear in threat detection, anomaly analysis, or permission mapping. CrowdStrike's identity security capabilities require integration with your IAM systems; if shadow IT isn't in your IAM, it isn't in CrowdStrike's detection either.
IdP and SSO platforms (Okta, Microsoft Entra) provide centralized authentication, directory sync, user provisioning, and identity federation. They assume applications authenticate through your IdP and users access applications through SSO. When users sign up for SaaS applications directly — using work email addresses, bypassing IT entirely — those applications exist outside the IdP. The directory shows 80 integrated applications. Users actively use 180.
The pattern across all five categories is consistent. Every solution operates on applications and identities connected to, integrated with, or managed through their platform. The scope of protection equals the scope of integration.
What Every Vendor Is Actually Saying
Strip away the marketing language and each category makes the same claim in different words:
MFA platforms: we'll require multi-factor authentication for applications that authenticate through us.
IGA platforms: we'll govern access for applications you've integrated with us.
PAM solutions: we'll secure privileged accounts in systems we're connected to.
ITDR platforms: we'll detect threats in identities and applications we're monitoring.
IdP platforms: we'll provide SSO for applications that use us for authentication.
None of these vendors are lying. Their products do exactly what the marketing describes. The gap is in what the marketing doesn't describe: every solution's coverage is bounded by what you've already discovered, integrated, and connected.
The identity security market has spent billions building specialized solutions for authentication, governance, privilege management, threat detection, and access visibility. It has not built a solution for the prerequisite that makes all of them work: knowing what applications exist in your environment.
Why This Works for Large Enterprises and Fails for Mid-Market
The industry's foundational assumption holds in large enterprise environments because those environments have already satisfied the prerequisite.
A Fortune 500 company typically has dedicated identity teams maintaining complete application inventories, procurement controls that route new software purchases through IT before approval, integration mandates that require every application to connect to enterprise SSO as a contract condition, and the engineering resources to maintain hundreds of integrations across multiple security platforms. Shadow IT exists but represents a small, quickly-discovered fraction of the application landscape.
In this environment, the downstream solutions work exactly as designed. SailPoint governs all access because all applications are integrated. CyberArk secures all privileged accounts because the team knows where they exist. Okta provides SSO for all applications because all applications connect to Okta. Veza builds a complete authorization graph because all systems are connected.
Vendors make their Fortune 500 logos their reference customers for exactly this reason: those deployments succeed. The prerequisite exists. The tools perform as advertised.
Mid-market companies — roughly 200 to 5,000 employees — operate in a different environment. One or two IT people manage everything from infrastructure to help desk to identity governance. Teams purchase software directly on company credit cards. Free trials become paid subscriptions without IT involvement. Engineering uses dozens of tools the security team has never reviewed. The actual application landscape is typically 30 to 50 percent larger than the IT-maintained list, and growing.
When SailPoint deploys into this environment, it integrates with the applications IT has catalogued and ignores the rest. When CyberArk deploys, it vaults credentials for infrastructure-based privileged access while SaaS admin accounts accumulate outside the vault. When Okta deploys, it provides SSO for integrated applications while direct-authentication shadow IT bypasses it entirely.
The same tool. Different environment. Different outcome.
Vendors know this. They see coverage gaps in every mid-market deployment. The post-sale conversation consistently includes some version of "you'll need to integrate more applications" — which positions incomplete coverage as a deployment task rather than a product limitation.
Why the Industry Won't Fix It
Identity security vendors have rational reasons for not addressing the discovery prerequisite, even though they understand the gap exists.
Acknowledging it undermines the sales pitch. Marketing positions these tools as comprehensive identity security solutions. "Our platform governs identity access" is the claim that closes deals. "Our platform governs identity access in applications you've already discovered and integrated" is accurate but significantly less compelling. The gap between claimed and actual coverage is discoverable post-purchase, not pre-purchase.
It doesn't fit their product architecture. SailPoint built IGA workflows. CyberArk built credential vaults. Veza built authorization graphs. Building application discovery requires different technology, different data sources, and different go-to-market than any of these vendors has optimized for. Each vendor's product roadmap is built around making their existing category stronger, not solving an upstream prerequisite that sits outside their category definition.
Enterprise customers don't need it. The companies writing the largest checks — the Fortune 500 customers driving vendor roadmaps — have already solved the discovery problem. Application visibility gaps aren't in their feature requests. When enterprise requirements don't include discovery, vendor roadmaps don't prioritize discovery.
The Sequence That Works
The identity security industry's current sequence:
Deploy authentication, governance, and privilege management tools, then expand integration coverage over time, then try to discover what you missed.
The sequence that works in mid-market environments:
First: achieve complete application visibility. Continuous discovery that reveals what's actually in use across the environment — every SaaS application, every AI tool, every shadow IT instance, every service account, every API integration — not what IT approved, but what's actually running. This is the prerequisite the industry skips.
Second: understand actual scope. Most organizations discover their environment is significantly larger than their IT-maintained inventory. Knowing actual scope before deploying security tools means those tools deploy against reality rather than assumptions.
Third: build identity security on a complete foundation. With complete application visibility in place, the downstream solutions work as designed. IGA governs all applications because all applications are in scope. PAM secures all privileged accounts because the vault knows where they exist. Threat detection monitors the complete attack surface because it's connected to everything. Access reviews certify complete coverage because the inventory is complete.
Fourth: maintain visibility continuously. New applications appear constantly. Shadow AI adoption is accelerating. Service accounts accumulate without ownership. Continuous discovery keeps coverage current as the landscape evolves.
This sequence changes what mid-market identity security deployments can accomplish. The tools don't change. The order does.
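The four steps above reduce to one measurable check that also answers the day-one coverage question an evaluator should ask: merge every discovery source you can obtain, fold the results into a single deduplicated application inventory, and compute what fraction of that inventory each deployed tool actually governs. The script below is an added example written for this page; it is not Zluri's code, and it calls no vendor API. The IdP catalogue, IGA scope, vault entries, OAuth grants, card-spend descriptors and proxy hostnames are constructed sample data, and the alias table and the normalize() heuristic are assumptions about what a real normalization layer would need.

```python
# Coverage-gap check: how much of the SaaS landscape each identity tool can see.
# Added example for this article; every input below is constructed sample data.
import re
from collections import defaultdict

# Apps integrated with the IdP (stand-in for an SSO catalogue export).
IDP_APPS = ["Salesforce", "Slack", "GitHub", "Google Workspace", "Zoom", "Jira"]
# Apps onboarded to the IGA platform for provisioning and access reviews.
IGA_APPS = ["Salesforce", "Slack", "Google Workspace", "Jira"]
# (host, account) pairs the PAM vault holds: infrastructure only, as the text describes.
VAULTED_ACCOUNTS = {("prod-db-01", "root"), ("core-sw-01", "admin")}

# Discovery sources as (raw_app_name, user, role) rows.
OAUTH_GRANTS = [  # third-party apps users consented to with work accounts
    ("Notion", "ana@example.com", "member"),
    ("Figma", "bo@example.com", "member"),
    ("GitHub", "cy@example.com", "owner"),
    ("Zapier", "ana@example.com", "member"),
]
CARD_SPEND = [  # vendor descriptors from a corporate-card export
    ("STRIPE, INC.", "dee@example.com", "admin"),
    ("Hubspot Inc", "eve@example.com", "admin"),
    ("NOTION LABS", "ana@example.com", "member"),
    ("Amazon Web Services", "cy@example.com", "admin"),
]
PROXY_HOSTS = [  # SaaS hostnames observed at the egress proxy
    ("app.datadoghq.com", "cy@example.com", "admin"),
    ("figma.com", "fay@example.com", "member"),
    ("slack.com", "bo@example.com", "member"),
]

# Assumed alias table: vendor descriptors and hostnames folded to one app key.
ALIASES = {"stripe, inc.": "stripe", "hubspot inc": "hubspot", "notion labs": "notion",
           "amazon web services": "aws", "app.datadoghq.com": "datadog",
           "figma.com": "figma", "slack.com": "slack"}
LEGAL_SUFFIX = re.compile(r"\b(inc|llc|ltd|labs|corp)\b\.?", re.I)


def normalize(raw):
    """Fold a raw app name or hostname to a canonical key (heuristic, assumed)."""
    key = raw.strip().lower()
    if key in ALIASES:
        return ALIASES[key]
    key = LEGAL_SUFFIX.sub("", key)
    return re.sub(r"[^a-z0-9]+", " ", key).strip()


def discover(*sources):
    """Merge (source_name, rows) pairs into one deduplicated set of observations."""
    seen = set()
    for name, rows in sources:
        for raw_app, user, role in rows:
            seen.add((normalize(raw_app), user, role.lower(), name))
    return seen


def actual_apps(observations, known):
    """The real landscape: everything observed plus everything already integrated."""
    return {app for app, _, _, _ in observations} | {normalize(a) for a in known}


def coverage(integrated, actual):
    """Percent of the actual landscape a tool governs, and the apps it misses."""
    have = {normalize(a) for a in integrated} & actual
    return round(100 * len(have) / len(actual)), sorted(actual - have)


def unvaulted_admins(observations, vaulted):
    """Admin/owner roles seen in SaaS with no matching target in the PAM vault."""
    targets = {normalize(host) for host, _ in vaulted}
    return sorted({(app, user) for app, user, role, _ in observations
                   if role in ("admin", "owner") and app not in targets})


def single_source_apps(observations):
    """Apps only one discovery source ever saw: drop that source and they vanish."""
    by_app = defaultdict(set)
    for app, _, _, source in observations:
        by_app[app].add(source)
    return sorted(app for app, srcs in by_app.items() if len(srcs) == 1)


def report():
    obs = discover(("oauth", OAUTH_GRANTS), ("card", CARD_SPEND), ("proxy", PROXY_HOSTS))
    landscape = actual_apps(obs, IDP_APPS)
    return {
        "apps_in_use": len(landscape),
        "idp": coverage(IDP_APPS, landscape),
        "iga": coverage(IGA_APPS, landscape),
        "unvaulted_admins": unvaulted_admins(obs, VAULTED_ACCOUNTS),
        "single_source_apps": single_source_apps(obs),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On this sample the IdP covers 46 percent of the 13 applications actually in use, the IGA platform 31 percent, and five SaaS admin or owner accounts sit outside a vault that only knows infrastructure hosts. The numbers are illustrative; the structure is the point. Coverage is a ratio against a denominator you have to build yourself, and Stripe, HubSpot and AWS surface only in card spend, so OAuth-only or SSO-only discovery never sees them. In a real deployment the sample lists are replaced by exports from the IdP, the IGA platform, the vault, the OAuth consent log, finance and the proxy, and the alias table grows into a maintained mapping.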
How Zluri Solves the Prerequisite Problem
Zluri was built visibility-first — not as a positioning choice, but as an architectural one. The platform starts where the industry skips.
IVIP (Identity Visibility and Intelligence Platform) is the discovery and visibility layer. It ingests identity data across SSO, HRMS, finance tools, CASB, MDM, directories, endpoints, APIs, and on-premises systems through a patented discovery engine — going far beyond what SSO-only detection reveals. Every human identity, every non-human identity (service accounts, tokens, bots, AI agents), every SaaS application, every shadow IT instance, every API integration. Continuously, not on a quarterly review cycle.
That raw data flows into a Unified Data Fabric — a normalized, deduplicated, continuously updated view of the entire identity and application landscape. This is the layer that makes downstream intelligence reliable. Without it, risk scoring and access analysis operate on fragmented data and produce incomplete results.
Powering the intelligence layer is IRIS (Identity Risk Intelligence System) — Zluri's engine for turning visibility into action. IRIS aggregates identity signals, normalizes and deduplicates identity records, builds the relationship graph connecting access paths across all systems, and runs continuous risk detection and prioritization. It's what separates knowing your identities exist from understanding where your identity risk actually is.
With that foundation in place, IGA — access management, access reviews, access requests, segregation of duties — operates on a complete and accurate scope. Governance covers what's actually in the environment, not just what's been integrated so far.
One customer discovered they had over 2,500 applications when they thought they had a few hundred. Another flagged 20+ new shadow tools every month automatically. A third closed a security gap created by undiscovered SaaS applications — in weeks, not a multi-month project.
The prerequisite the industry skips is exactly what Zluri is built to solve. See it in your environment.
What This Means If You're Evaluating Identity Security Solutions
If you're a mid-market IT or security leader evaluating identity security solutions, the vendor conversation typically starts with: what's your biggest identity challenge?
The honest version of that question is: what percentage of your actual application and identity environment will this solution cover on day one of deployment?
For most mid-market companies, the answer from any of the established platforms is somewhere between 40 and 70 percent. The remainder is shadow IT, ungoverned SaaS, unmanaged service accounts, and AI tools adopted faster than IT could track them.
Every platform's coverage improves as you integrate more applications. The question worth asking before you sign: what's the realistic integration timeline for your actual environment, not the 20 applications in the demo, and what risk exists in the gap between current coverage and complete coverage?
The vendors that acknowledge this question honestly are worth paying attention to. The ones that redirect to their feature roadmap are telling you something important about how post-sale conversations will go.
Identity security works when it operates on a complete picture of the environment it's securing. The industry has built sophisticated tools for everything that comes after that picture exists. Building the picture itself is still the unsolved prerequisite — and it's the one that determines whether everything downstream delivers what it promises.
Frequently Asked Questions
Why do IGA platforms like SailPoint and Saviynt have coverage gaps in mid-market deployments?
IGA platforms govern access for applications that have been integrated with them. In mid-market environments with limited IT resources, integration coverage typically reaches 40 to 70 percent of the actual application landscape. The rest exists outside governance, outside access reviews, and outside compliance reporting — even when the platform reports full completion of what it can see.
CyberArk focuses on privileged access. Why doesn't it cover SaaS admin accounts?
CyberArk was built for infrastructure-based privileged access management — servers, databases, network devices. Today, most privileged access in mid-market companies lives in SaaS: Stripe admin, AWS console, GitHub org owners, Salesforce admins. These accounts carry significant risk but sit in applications that PAM vaults weren't designed to reach. Most mid-market teams haven't completed the integration work required to bring SaaS privileged access into scope.
Veza claims identity visibility. What's the difference between that and complete application visibility?
Veza builds an authorization graph connecting identities and permissions across integrated systems. The graph is only as complete as the systems connected to it. Shadow IT, ungoverned SaaS, and AI tools adopted without IT involvement don't appear in the graph because they haven't been integrated. Application discovery and identity discovery are related but distinct problems; authorization graphs address the latter.
Is Okta the problem? We thought SSO was supposed to give us visibility.
SSO gives you visibility into applications integrated with Okta. Research consistently shows SSO captures 30 to 40 percent of actual application usage in mid-market environments. Applications adopted directly, tools that don't support enterprise SSO, and shadow IT are all invisible to Okta's dashboard. SSO is a meaningful input to visibility, not a substitute for it.
What does visibility-first identity security mean in practice?
It means solving the discovery prerequisite before deploying downstream tools. Continuous application discovery across all adoption channels, mapping of all identity types (human, machine, AI agents, service accounts), and a unified picture that stays current as the environment changes. IGA, PAM, and ITDR then operate on a complete scope rather than a partial one. Zluri's IVIP and IRIS are built specifically for this.
We already have identity security tools deployed. Is it too late to fix the visibility gap?
No. Visibility expands what your existing tools cover without replacing them. Adding discovery to an existing IGA deployment expands governance scope. Adding it to access reviews expands what gets certified. Adding application scope to a PAM deployment surfaces the privileged accounts that should be vaulted but aren't. The tools you already have become more effective when operating on a complete picture.