Introduction
In a world now dominated by identity-based attacks, many enterprise security programs remain blind to one of their biggest challenges: Accounts that no one knows about, no one owns, and no one monitors. These are the tech equivalents of abandoned doors in a secure facility. Known in the industry as “shadow accounts,” these identity artifacts create huge gaps for Privileged Access Management (PAM) and Identity Governance and Administration (IGA) programs.
SPHERE, led by CEO Rita Gurevich, has turned a spotlight on this issue with a clear imperative expressed during a recent talk at CyberArk IMPACT 2025: “Find it, Fix it, Fuhgeddaboudit.” In this second blog of our five-part series expanding on Ed Amoroso’s insights, we focus on the Find it portion of the message – namely, the act of discovering the full extent of an enterprise’s identity surface as a precondition for any meaningful access control strategy.
The Scope of the Problem: Shadow Accounts in a Fragmented Identity Landscape
Most large organizations manage hundreds of thousands, if not millions, of identity objects, including human accounts, system and service accounts, database users, cloud-native identities, and ephemeral DevOps tokens. Enterprises also have layered identity stores, such as Active Directory, UNIX passwd/shadow files, LDAP, and proprietary IAM systems – all operating independently. Each of these silos carries the risk of misalignment in the following areas:
- Orphaned accounts from employees who left the company
- Shared admin credentials used in violation of policy
- Script-based service accounts with hardcoded passwords
- Overprivileged access that no longer maps to business need
What makes the problem so acute is that these accounts often sit outside the scope of traditional IAM tools. They aren’t surfaced in daily audit logs or tied to Active Directory groups with automated lifecycle management. They exist on the margins, at least until an attacker finds them.
Why Traditional Discovery Tools Fall Short
Security teams typically rely on PAM or IGA to enumerate users. But if an account exists in a shadow IT system, or on a long-forgotten server, or inside a cloud subscription created outside of governance channels, it’s invisible to governance tooling. SPHERE’s innovation lies in its ability to break through this visibility ceiling by performing cross-platform discovery that isn’t limited by assumptions about what should exist. Instead, it asks: What actually does exist?
SPHERE agents and connectors scan enterprise environments, both on-premises and cloud, and normalize identity data across the following aspects of an organization’s IT infrastructure:
- Windows local and domain accounts
- UNIX and Linux /etc/passwd accounts
- Service accounts embedded in application scripts
- Database identities (e.g., Oracle, SQL Server, MongoDB)
- IAM policies and roles in AWS, Azure, and GCP
- SaaS identity mappings (e.g., Salesforce, Workday, ServiceNow)
The result is a normalized and enriched identity inventory that not only aggregates these accounts but contextualizes them by system, privilege level, and risk factor.
Identity Context: It’s Not Just What You Find, But What It Means
Once accounts are surfaced, the critical task becomes understanding who they belong to, what they can do, and why they exist. This is where SPHERE goes beyond identity tools that stop at a simple listing. Their platform performs intelligent analysis to answer questions such as:
- Is this account associated with a real human owner?
- Is this account used by a business process or service?
- What privileges does this account hold?
- Has this account been used recently—or ever?
- Is this account duplicative or redundant?
This ability to map accounts to context transforms raw discovery into actionable insight. Rather than overwhelming a security team with a massive number of account entries, SPHERE highlights the subset that represents real risk: accounts that are unowned, overprivileged, or simply not supposed to be there.
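To make the normalization step and the context questions above concrete, here is an added example (not SPHERE’s code or data) that takes constructed /etc/passwd lines from a hypothetical host, a constructed domain export, and a constructed HR roster, folds them into one inventory record type, and answers the questions from the list: does a current person own the account, is it privileged, has it ever been used, and does the same name exist on more than one system. The export column names (sam, groups, lastLogon, manager) and the host and domain names are assumptions.

```python
"""Normalize accounts from several identity stores into one inventory and tag
each record with context flags (owner, privilege, last use, duplicates).
Added example, not SPHERE's code; every input below is constructed and the
field names (sam, groups, lastLogon, manager) are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed /etc/passwd lines from a hypothetical host "build01".
PASSWD_LINES = """root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001:deploy svc:/opt/deploy:/bin/bash
jsmith:x:1002:1002:John Smith:/home/jsmith:/bin/bash
oldadmin:x:0:0:legacy admin:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin""".splitlines()

# Constructed last-login dates for build01 (None = never logged in).
LAST_LOGIN = {"root": date(2025, 5, 1), "jsmith": date(2025, 6, 2),
              "deploy": None, "oldadmin": None}

# Constructed export from a hypothetical domain "corp.example".
AD_ROWS = [
    {"sam": "jsmith", "groups": "Domain Users", "lastLogon": "2025-06-03", "manager": "rgreen"},
    {"sam": "svc-backup", "groups": "Domain Admins;Backup Operators", "lastLogon": "", "manager": ""},
    {"sam": "svc-etl", "groups": "Domain Users", "lastLogon": "2025-06-20", "manager": "bgone"},
    {"sam": "tlee", "groups": "Domain Users", "lastLogon": "2024-01-10", "manager": "rgreen"},
]

# Constructed HR roster of people who currently work here; "bgone" has left.
HR_ROSTER = {"jsmith", "rgreen", "tlee"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/bin/false"}
ADMIN_GROUPS = {"Domain Admins", "Administrators"}

@dataclass
class Identity:
    source: str
    name: str
    privileged: bool
    last_used: Optional[date]
    owner: Optional[str]
    flags: List[str] = field(default_factory=list)

def parse_passwd(host: str, lines: List[str], last_login: Dict[str, Optional[date]]) -> List[Identity]:
    out = []
    for line in lines:
        name, _, uid, _, _, _, shell = line.split(":")
        if shell in NOLOGIN_SHELLS:
            continue  # system accounts that cannot log in interactively
        out.append(Identity(host, name, uid == "0", last_login.get(name), None))
    return out

def parse_ad(domain: str, rows: List[Dict[str, str]]) -> List[Identity]:
    out = []
    for r in rows:
        privileged = bool(set(r["groups"].split(";")) & ADMIN_GROUPS)
        last = date.fromisoformat(r["lastLogon"]) if r["lastLogon"] else None
        out.append(Identity(domain, r["sam"], privileged, last, r["manager"] or None))
    return out

def enrich(identities: List[Identity], roster, today: date, stale_days: int = 90) -> List[Identity]:
    by_name: Dict[str, int] = {}
    for i in identities:
        by_name[i.name] = by_name.get(i.name, 0) + 1
    for i in identities:
        # An owner only counts if that person still exists in HR.
        candidate = i.owner or i.name
        i.owner = candidate if candidate in roster else None
        if i.owner is None:
            i.flags.append("unowned")
        if i.privileged:
            i.flags.append("privileged")
        if i.last_used is None:
            i.flags.append("never-used")
        elif (today - i.last_used).days > stale_days:
            i.flags.append("stale")
        if by_name[i.name] > 1:
            i.flags.append("duplicate-across-systems")
    return identities

def build_inventory(today: date = date(2025, 6, 30)) -> List[Identity]:
    ids = parse_passwd("build01", PASSWD_LINES, LAST_LOGIN) + parse_ad("corp.example", AD_ROWS)
    return enrich(ids, HR_ROSTER, today)

def risky(inventory: List[Identity]):
    """Unowned *and* privileged: the entries that deserve a human's attention first."""
    return sorted((i.source, i.name) for i in inventory if {"unowned", "privileged"} <= set(i.flags))

if __name__ == "__main__":
    for i in build_inventory():
        print(f"{i.source:13} {i.name:11} owner={i.owner or '-':8} {','.join(i.flags) or 'ok'}")
```

The ownership rule is the part worth noticing: a manager field that points at someone no longer in HR (svc-etl above) is treated as no owner at all, which is how accounts left behind by former employees surface instead of looking healthy because a name is filled in.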
Discovery as a Continuous Lifecycle
Many organizations treat account discovery as a one-time event, done before a compliance audit or PAM deployment. This is a critical mistake. Enterprise systems evolve constantly, and new accounts appear daily through automation, integration, and human error. SPHERE treats identity discovery as a living process, not a static milestone. Their platform enables continuous monitoring and alerting on the following:
- New accounts appearing in high-risk systems
- Privilege drift for known accounts
- Sudden changes in account behavior (e.g., spikes in usage, new geographies)
- Duplicate accounts across environments with different owners
This approach helps security teams stay ahead of the sprawl, flagging issues in real time rather than reacting post-breach.
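The continuous-discovery idea reduces to comparing successive inventory snapshots, so here is an added example (not SPHERE’s code) that diffs two constructed snapshots and raises the four alert classes listed above. The snapshot layout, the system names, and the choice to model “sudden change in account behavior” as a jump in weekly login count are all assumptions made for the example.

```python
"""Diff two point-in-time identity inventories and raise alerts for new
accounts, privilege drift, behaviour change and duplicate names with different
owners. Added example, not SPHERE's code; snapshot layout and data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Record:
    privileged: bool
    owner: Optional[str]
    logins_7d: int        # assumed behaviour signal: logins in the last 7 days

Snapshot = Dict[Tuple[str, str], Record]   # keyed by (system, account)
Alert = Tuple[str, str, str, str]          # (kind, severity, system, account)

HIGH_RISK_SYSTEMS: Set[str] = {"corp.example", "prod-db01"}   # assumed

# Constructed snapshot taken last week.
PREVIOUS: Snapshot = {
    ("corp.example", "jsmith"):     Record(False, "jsmith", 12),
    ("corp.example", "svc-backup"): Record(True, "ops-team", 2),
    ("build01", "deploy"):          Record(False, "ci-team", 10),
    ("build01", "jsmith"):          Record(False, "jsmith", 4),
}
# Constructed snapshot taken today.
CURRENT: Snapshot = {
    ("corp.example", "jsmith"):     Record(False, "jsmith", 11),
    ("corp.example", "svc-backup"): Record(True, "ops-team", 40),   # usage spike
    ("corp.example", "tmp-admin"):  Record(True, None, 1),          # new, unowned, privileged
    ("build01", "deploy"):          Record(True, "ci-team", 10),    # privilege drift
    ("build01", "jsmith"):          Record(False, "rgreen", 3),     # owner differs from corp copy
    ("prod-db01", "reporting"):     Record(False, "bi-team", 5),    # new in a high-risk system
}

def diff_snapshots(prev: Snapshot, curr: Snapshot, high_risk: Set[str],
                   spike_factor: int = 5) -> List[Alert]:
    alerts: List[Alert] = []
    for (system, name), now in curr.items():
        old = prev.get((system, name))
        if old is None:
            # A brand-new account matters most where the blast radius is largest.
            sev = "high" if system in high_risk or now.privileged else "low"
            alerts.append(("new-account", sev, system, name))
            continue
        if now.privileged and not old.privileged:
            alerts.append(("privilege-drift", "high", system, name))
        if now.owner != old.owner:
            alerts.append(("owner-changed", "medium", system, name))
        if now.logins_7d > spike_factor * max(old.logins_7d, 1):
            alerts.append(("usage-spike", "medium", system, name))
    for system, name in prev.keys() - curr.keys():
        alerts.append(("account-removed", "info", system, name))
    # Same account name on several systems but with different owners.
    owners_by_name: Dict[str, Set[Optional[str]]] = {}
    for (system, name), now in curr.items():
        owners_by_name.setdefault(name, set()).add(now.owner)
    for name, owners in owners_by_name.items():
        if len(owners) > 1:
            alerts.append(("duplicate-different-owners", "medium", "*", name))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, sev, system, name in diff_snapshots(PREVIOUS, CURRENT, HIGH_RISK_SYSTEMS):
        print(f"[{sev:6}] {kind:27} {system}/{name}")
```

Run on a schedule with the previous snapshot persisted, this is the skeleton of the “living process” the section describes; the severity and spike thresholds are the knobs a team would tune to its own environment.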
Case Example: Shadow Account Risk in a Global Manufacturing Firm
Consider a real global manufacturing company with operations in 40+ countries. They had launched a CyberArk-based PAM program but struggled with inconsistent results. Despite onboarding thousands of accounts, they continued to experience privilege escalation incidents.
Upon engaging SPHERE, the team discovered the following, which should be a major concern to any security practitioner:
- Over 22,000 unmanaged UNIX accounts still active
- Hundreds of local Windows admin accounts never audited
- Dozens of service accounts embedded in application configs with expired credentials
- Accounts with expired owners (former employees) still actively used in scripts
Within 60 days, SPHERE helped the team consolidate, assign ownership, and decommission unused accounts. The organization also put in place a repeatable discovery process aligned with quarterly business reviews. This wasn’t a one-and-done activity but rather became a hygiene habit.
The First Step to Hygiene Is Admitting You Don’t Know
Most organizations simply do not know what accounts they actually have, and even fewer can explain what each one does. SPHERE’s platform gives organizations the tools to admit what they don’t know and to then fix it. The “Find it” phase is not just about enumeration. It’s about reclaiming control over the sprawling, fragmented, and risky identity landscape that exists in every enterprise today.
As our industry moves toward increasingly complex hybrid environments with cloud-native services, federated identity, and autonomous systems, it will become even more important to maintain clean visibility into the identity fabric.
In our next blog in the five-part series, we’ll take a deep dive into the most elusive challenge in IAM: attribution. We will try to address the key questions: who owns what, and what happens when no one does? I hope you stay with us.