You Can’t Secure What You Can’t Explain

When Ian mentioned the Sarbanes-Oxley Act in his LinkedIn post sharing the news of SGNL getting acquired by Crowdstrike, it led to a funny exchange between us. It also reminded me of a task I had assigned myself almost 8 months ago.

Last summer, I spent quite a bit of time going deeper into how the Identity Governance and Administration (IGA) world has evolved since the days I was immersed in it, back in the Thoracle days. It’s not like I wasn’t aware of what had been happening. I watched IAM evolve into IGA, and saw PAM, Zero Trust, and ITDR emerge as platforms and buzzwords. So when I was looking at the identity market in the summer, the question I found myself asking was: Is Identity Observability actually something new, or just IGA repackaged? Looking back, I probably went into this assuming it was mostly marketing. After spending time digging in, and working with my friends at ObserveID, I realized that there is something real here. Something that addresses a gap many identity teams feel but struggle to articulate.

The Limits of the IGA Mental Model

IGA is fundamentally about control. It models identities and entitlements, enforces lifecycle processes, certifies access, and produces evidence for auditors. Simply put, IGA aims to answer questions like:

• Who should have access to what?
• How did they get it?
• Who approved it?
• Does this comply with policy?

But, importantly, these questions assume that the identity system is working as designed.

Anyone who has operated IGA in the real world knows that’s often not the case. Most identity failures don’t come from missing policies. They come from:

• Broken joiner/mover/leaver flows
• Stale or incorrect attributes
• Orphaned accounts
• Shadow admins and service accounts
• Failed deprovisioning
• Controls that “exist” but don’t actually fire

Traditional IGA is very good at describing and executing the intended state of identity. Where it falls short is when an organization wants to continuously validate the actual state. That gap is where Identity Observability shows up.

What Identity Observability Actually Is

Identity observability applies observability principles – telemetry, events, metrics, correlation – to identity systems. Instead of just asking:

“Who has access?”

It asks:

“What is actually happening across our identity stack right now, and does it match what we think is happening?”

Conceptually, it’s an operational analytics and assurance layer for identity. It goes beyond configuration to look at runtime behavior. It evaluates data quality and control drift, and surfaces rare or risky access paths. Most importantly, it explains why identity decisions occurred. In other words, the essential outcome here is explainability.

This clicked into place for me when I realized that this wasn’t some new invention. Identity was just catching up to a shift that had already been happening across IT. Infrastructure and application teams, cloud platforms, security operations – each of these domains had shifted from monitoring to observability, reflecting a realization that configuration visibility, static dashboards, and periodic reports just aren’t enough. Systems have become too distributed, too dynamic, and too interconnected. Observability became necessary because modern systems required continuous validation of behavior, not just confirmation of design.

Identity is just going through that same transition.

From Defining Intent to Validating Reality

IGA is a control and workflow plane, focused on policies, roles, lifecycle workflows, certifications, and compliance artifacts. Identity observability, on the other hand, is an assurance and insight plane, focused on whether those controls actually work, where identity data drifts, how access is really being used, and when behavior diverges from intent.

Put simply, IGA defines what should be true, whereas identity observability validates what is true.

The key learning for me was that Identity Observability wasn’t just next gen IGA. It’s a layer that sits above heterogeneous IAM, IGA, PAM, and CIEM tools to make their behavior visible and explainable.

And this is more important than ever. In modern enterprises, identity isn’t static, necessitating a shift from periodic governance to Continuous Identity: continuously validated, continuously explainable, continuously defensible. Modern identity environments have changed dramatically as well. They are multi-cloud, SaaS-heavy, API-driven, full of non-human identities (another term I have been trying to get used to), and owned by many teams. Just like applications and infrastructure before them, identity systems have become distributed systems. And distributed systems require observability.

This makes it almost impossible for organizations to rely solely on a single, centralized control plane to continuously answer the question:

“Is the entire identity fabric behaving as intended, end to end?”

As identity sprawl increases, that question becomes unavoidable. Identity observability introduces a meta-layer that enables identity teams to take this challenge on by:

• correlating signals across identity systems
• detecting gaps between design and reality
• compressing time to insight (crucial to the “continuous” element)
• making identity decisions defensible

So, if you’ve ever been surprised by an audit finding, discovered access paths you didn’t model, found entitlements no one remembered granting, learned a control existed but wasn’t enforced, or spent weeks investigating a “simple” identity issue, then you already understand the problem identity observability is trying to solve. For years, we’ve focused on building IGA systems that can enforce rules. Now we’re realizing we also need systems that can explain behavior.

Because, as the headline said, you can’t secure what you can’t explain.