About 40% of apps lack identity security basics

A new Orchid Security study showed that nearly half of enterprise apps violate basic credential-handling guidance, 44% undermine centralized identity provider (IdP) policies and 40% fall short of widely accepted identity-control standards.

Orchid researchers released the report ahead of the Identiverse 2025 show in Las Vegas June 3-6, saying the shortcomings expose organizations to heightened audit findings, compliance penalties, and breach risk.

“These identity security gaps are by no means a reflection on today’s identity and access management teams,” said Roy Katmor, co-founder and CEO of Orchid Security. “The reality is, with the average enterprise relying on more than 1,200 applications ... it’s a huge challenge to simply know all of the apps in use, let alone to fully understand not only the standard audited identity flows, but also all feasible authentication pathways and authorization attributes within each application. That complexity is only compounded by the fact that, until now, the process has been largely manual.”

Here are some of the leading findings from Orchid’s research:

Nearly 50% of applications had clear-text credentials

In nearly half of the binary-level assessments conducted, Orchid’s analysis uncovered clear-text credentials. These were normally associated with alternative access flows, often for non-human accounts, but they also present an easy target for threat actors seeking entry or lateral movement.

44% of applications bypass IdP

While IdPs are very common within enterprises and a valuable tool to centralize secure authentication practices, 44% of the time no IdP was used by at least one authentication path offered by the application. This often happens because of application-level constraints, particularly around integrating with third-party or legacy systems. While understandable, especially in support of external access scenarios, these siloed authentication paths create significant operational challenges. Because they sit outside the centralized identity and access management framework, these non-standard directories are frequently excluded from routine joiner, mover, and leaver (JML) processes. As a result, they can become outdated and unmanaged, and ultimately represent a growing blind spot that increases an organization’s exposure to identity-related risks.

More than 40% of apps lack identity control basics

Basic best practices to maintain identity security include monitoring and even rate controlling login attempts, implementing account lockout after a certain number of failed attempts, enforcement of password complexity, and token lifetime configurations. Unfortunately, each of these was found to be missing roughly 40% of the time. We know that most application developers are valued for their creativity, as it spurs innovation, but that spirit often makes consistent implementation of standards across applications a challenge.

“Clear text credentials in NHI flows and a less than 40% IdP coverage, represents real and present danger for most organizations,” said Darran Rolls, an Orchid advisor and former CTO and CISO at SailPoint. “The fact that so many applications are missing basic identity controls is testament to the fact that we need to re-think how we prioritize and deploy identity security control.”

Amir Khayat, CEO and co-founder of Vorlon, shared similar sentiments when it came to securing identities.

“Every breach starts with a ‘valid’ login. If you can’t continuously see which identities, human or machine, are accessing what, then your audit trail is already broken,” Khayat said. “The industry needs to move from static identity checklists to real-time detection and response, especially as SaaS and AI automation sprawl accelerates.”
