Introduction
If you’ve ever worked in identity security, you’ve encountered this question: Who owns this account? In practice, attribution is one of the most vexing challenges in Privileged Access Management (PAM) and Identity Governance and Administration (IGA) programs. The implications of not knowing ownership are profound: elevated access persists, critical accounts go unmonitored, and PAM onboarding efforts grind to a halt.
SPHERE has developed a specialized approach to solving this issue, not by brute force, but through structured automation and metadata enrichment. In this third blog of our five-part technical series, we examine the Fix it phase of SPHERE’s identity hygiene model, with emphasis on one specific and essential capability: ownership attribution.
Why Ownership Matters in Identity Security
Every security control, whether it’s revoking access, rotating credentials, or applying least privilege, requires a responsible person or team. Without that ownership, identity controls exist in limbo. Here’s what happens in that vacuum:
- Service accounts persist with no known application owner.
- Departed employees leave behind orphaned accounts still in use.
- Third-party vendors receive elevated access with no clear revocation path.
- Local accounts with admin rights are ignored by centralized IAM.
Security teams know these are high-risk conditions. But without business ownership, it’s difficult to act. You can’t rotate credentials if you don’t know what system depends on them. You can’t deprovision access if you’re not sure who might be impacted. And you certainly can’t onboard identities into CyberArk, BeyondTrust, or Delinea without knowing the approver.
SPHERE’s Differentiator: Building the Book of Record
The innovation SPHERE brings to this challenge is a rigorous process for correlating accounts, especially service and privileged ones, to business owners, but this is not a simple database join. Rather, it’s a forensic process that blends metadata, behavioral signals, HR data, and integration context.
The outcome is what SPHERE refers to as a Book of Record, which is an authoritative reference that ties each account to a named person, role, or team. Here is how the process works:
- Metadata Harvesting: Every discovered identity is enriched with available metadata such as last login, originating host, account description, email addresses, and naming conventions.
- Contextual Cross-Referencing: These data points are then cross-referenced with HR systems, application inventories, CMDBs (e.g., ServiceNow), and IGA platforms to find plausible attribution candidates.
- Usage Correlation: SPHERE looks at usage history to understand how accounts are behaving, including what scripts they run, what systems they access, and what identities they interact with.
- Human-in-the-Loop Review: The platform facilitates a structured review process to confirm or adjust ownership before onboarding or remediation. This avoids false positives or risky assumptions.
- Stewardship Assignment: Once ownership is assigned, it is recorded and continuously tracked. Changes in HR status (e.g., employee departure) trigger re-attribution or escalation.
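To make the five steps above concrete, here is a toy attribution pass written for this post. It is an added example, not SPHERE's code, and every input it uses is constructed: the HR feed, the team leads, the CMDB application inventory, the two discovered accounts and their usage events are all hypothetical. Each evidence source (naming convention, description text, originating host, authenticated hosts) casts a weighted vote for a candidate steward. A candidate is written into the book of record automatically only when the evidence is strong and uncontested; weak, contested or escalated results are queued for human review. A later HR status change re-attributes the departed person's accounts, passing them to an active team lead or escalating them to the team.

```python
"""Toy ownership-attribution pass (added example; all data constructed)."""
import re
from collections import defaultdict

# Constructed HR feed, team leads and CMDB application inventory.
HR = {
    "jdoe": {"status": "active", "team": "payments-eng"},
    "asmith": {"status": "terminated", "team": "payments-eng"},
    "lchen": {"status": "active", "team": "reporting"},
}
TEAM_LEADS = {"payments-eng": "jdoe", "reporting": "lchen"}
CMDB = {  # application -> owning team and the hosts it runs on
    "billing": {"team": "payments-eng", "hosts": {"bill-app-01", "bill-db-01"}},
    "reports": {"team": "reporting", "hosts": {"rpt-01"}},
}
HOST_TO_APP = {h: app for app, info in CMDB.items() for h in info["hosts"]}

# Constructed discovered accounts (harvested metadata) and usage events.
ACCOUNTS = [
    {"name": "svc_billing_batch", "origin_host": "bill-app-01",
     "description": "batch jobs for billing, contact asmith"},
    {"name": "svc_legacy", "origin_host": "old-unix-07", "description": ""},
]
USAGE = [  # (account, host it authenticated to)
    ("svc_billing_batch", "bill-db-01"), ("svc_billing_batch", "bill-app-01"),
    ("svc_legacy", "rpt-01"), ("svc_legacy", "old-unix-07"),
]


def steward_for(user, hr):
    """Stewardship rule: a departed person's responsibility passes to the
    active lead of their team; with no active lead it is escalated to the
    team itself (a 'team:' owner always needs a human decision)."""
    rec = hr[user]
    if rec["status"] == "active":
        return user
    lead = TEAM_LEADS.get(rec["team"])
    if lead and lead != user and hr[lead]["status"] == "active":
        return lead
    return "team:" + rec["team"]


def app_owner(app, hr):
    return steward_for(TEAM_LEADS[CMDB[app]["team"]], hr)


def attribute(account, hr=HR, usage=USAGE, min_evidence=3, min_confidence=0.6):
    """Score candidate owners from metadata, CMDB context and usage."""
    votes, signals, name = defaultdict(float), [], account["name"]
    # Metadata harvesting: naming convention svc_<app>_... and description text.
    m = re.match(r"svc_([a-z0-9]+)", name)
    if m and m.group(1) in CMDB:
        votes[app_owner(m.group(1), hr)] += 2
        signals.append(f"name follows convention for app {m.group(1)}")
    for uid in hr:
        if re.search(rf"\b{re.escape(uid)}\b", account["description"]):
            owner = steward_for(uid, hr)
            votes[owner] += 3
            signals.append(f"description names {uid}, steward {owner}")
    # Contextual cross-referencing: originating host -> CMDB application.
    app = HOST_TO_APP.get(account["origin_host"])
    if app:
        votes[app_owner(app, hr)] += 2
        signals.append(f"origin host belongs to app {app}")
    # Usage correlation: every authenticated host that maps to an application.
    for acct, host in usage:
        if acct == name and host in HOST_TO_APP:
            votes[app_owner(HOST_TO_APP[host], hr)] += 1
            signals.append(f"authenticated to {host} ({HOST_TO_APP[host]})")
    if not votes:
        return {"account": name, "owner": None, "confidence": 0.0,
                "needs_review": True, "signals": signals}
    owner, score = max(votes.items(), key=lambda kv: kv[1])
    total = sum(votes.values())
    confidence = score / total
    # Human-in-the-loop: weak, contested or escalated results are queued
    # for review instead of being written as confirmed ownership.
    needs_review = (total < min_evidence or confidence < min_confidence
                    or owner.startswith("team:"))
    return {"account": name, "owner": owner, "confidence": round(confidence, 2),
            "needs_review": needs_review, "signals": signals}


def build_book_of_record(accounts=ACCOUNTS, hr=HR):
    return {a["name"]: attribute(a, hr) for a in accounts}


def on_hr_change(book, hr, user, new_status, accounts=ACCOUNTS):
    """Stewardship tracking: an HR change re-attributes the user's accounts
    (the input HR feed is not mutated). Returns the re-attributed names."""
    updated = {**hr, user: {**hr[user], "status": new_status}}
    changed = []
    for acct in accounts:
        if book[acct["name"]]["owner"] == user:
            book[acct["name"]] = attribute(acct, updated)
            changed.append(acct["name"])
    return changed


if __name__ == "__main__":
    book = build_book_of_record()
    for entry in book.values():
        print(entry)
    print("re-attributed:", on_hr_change(book, HR, "jdoe", "terminated"))
    print(book["svc_billing_batch"])
```

With the constructed data, svc_billing_batch resolves to jdoe with every signal agreeing (the description names the departed asmith, whose stewardship passes to the active lead jdoe), so it is recorded without review. svc_legacy has a single weak usage signal and lands in the review queue even though that one signal is unanimous, which is the point of the minimum-evidence threshold. When jdoe later departs, the account is re-attributed and escalated to team:payments-eng, which forces a human to name a new steward rather than leaving the account ownerless.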
This structured approach doesn’t just answer the “who owns this?” question. Instead, it creates a living catalog of stewardship that becomes the foundation for downstream security and governance.
Why Service Account Attribution Is Especially Hard
It’s one thing to identify ownership for a named user account. It’s another entirely to do it for a service account, especially in environments with aging infrastructure, custom-built legacy systems, or DevOps pipelines that have evolved without governance. Some examples of what SPHERE regularly encounters:
- Accounts Tied to Terminated Employees: Inherited service scripts continue to run under an old credential.
- Hardcoded Credentials: No documentation exists for who maintains or depends on the account.
- Overlapping Account Usage: One service account may be accessed by multiple teams across multiple applications.
- Cross-Domain Dependencies: An account runs in one region but is owned by an application team on another continent.
In many cases, these accounts are actively used and essential to business processes, but the owners are unknown. This is where traditional IAM platforms struggle, because their ownership logic is based on identity lifecycles, not complex, distributed service behavior.
SPHERE’s process is not just pattern matching. It’s identity forensics that ties observed activity and historical context to real-world organizational accountability.
From Attribution to Action: Enabling PAM and IGA
Once attribution is established, the security organization can take concrete, risk-reducing actions:
- PAM Onboarding: Now that ownership exists, SPHERE enables safe migration of high-risk accounts into PAM systems. Owners are engaged, passwords are rotated, and monitoring is enabled.
- IGA Certification: Accounts with assigned stewards can be included in access reviews. Owners are held accountable for periodic certifications and attestations.
- Change Management: Linked to CMDB entries and application ownership, account changes (creation, deactivation, role modification) can be tracked and approved with proper oversight.
- Remediation: For stale or unneeded accounts, ownership enables targeted decommissioning with clear lines of responsibility.
These actions dramatically reduce exposure and build trust in the security program. SPHERE does not operate in a silo – it also complements CyberArk, SailPoint, ServiceNow, and others through integration and orchestration.
Case Study: Attribution at Scale in Healthcare
Consider a multinational healthcare organization SPHERE worked with that had over 75,000 accounts across hundreds of facilities. Many were tied to aging UNIX systems and applications with no centralized documentation. The situation posed real risk, including the following conditions:
- Service accounts were active in critical systems with no ownership.
- Attempts to onboard into PAM failed due to fear of breaking application dependencies.
- Periodic audits identified the accounts but offered no path to resolution.
SPHERE deployed its attribution engine across the enterprise and, in less than a month, the following results were achieved:
- Correlated 90% of service accounts to actual business owners.
- Reduced unmanaged risk by over 60%.
- Enabled the first successful onboarding of legacy accounts into PAM.
This transformation built a culture of ownership and accountability across the IT and security teams.
Identity Hygiene Begins with Stewardship
The technical rigor of SPHERE’s attribution approach may seem complex, but it solves a simple problem: You cannot secure what no one owns. And in a digital ecosystem that grows by the minute, that ownership cannot be inferred. It must be discovered, verified, and managed.
SPHERE’s approach, backed by data-driven attribution, continuous tracking, and platform integration, fills a critical gap in IAM programs. It’s the connective tissue between visibility and control. In our next blog, we’ll shift focus from remediation to sustainability, addressing questions such as how organizations keep their identity hygiene clean over time, especially during M&A, cloud migration, and organizational change. Stay tuned.