Why Analysts Keep Pointing To Veza as the Leader In The New Identity Security Landscape

Most enterprises have already done the first wave of identity work. You standardized on an IdP, rolled out MFA, inherited or bought IGA and PAM, and collected audit evidence showing that someone reviewed access and clicked Approve. On paper, identity and even non-human identity security looked under control.

But the reality around your identity stack kept getting more complicated.

Non-human identities exploded across cloud, SaaS, CI/CD, and AI services. Permission models multiplied across platforms and data stores. AI pilots quietly added machine identities and new data paths. Boards, regulators, and insurers started asking about identity-driven incidents and IAM attack surface, not just SSO coverage.

Analyst firms did what they do when the problem is structural, not a blip. They named it:

  • Frost & Sullivan created a Frost Radar for Non-Human Identity (NHI) Solutions and highlighted Veza as a leader and innovation trailblazer in NHI and identity security posture.
  • GigaOm published a Radar for Identity Security Posture Management (ISPM) and placed Veza as a leader and fast mover in the platform cohort.
  • Gartner introduced Identity Visibility and Intelligence Platforms (IVIP) in the Digital Identity Hype Cycle, updated its IGA Market Guide, and started talking about IAM attack surface as a risk to manage on its own.

This is not a “what is ISPM” or “what is IVIP” explainer. It is about why three different analyst views keep landing on the same access graph architecture Veza already put into production.

Different reports, same message: you cannot run a serious security program if you cannot answer, accurately and on demand, who or what can take what action on which systems and data, and how quickly you can change that. That is the access graph problem Veza was built to solve.


Frost: Non-Human Identity Is Now A Named Risk Domain

Non-human identity security is the practice of discovering, governing, and right-sizing machine identities and their permissions across all your systems.

Most organizations still lack a clear understanding of non-human identities. Think service principals in Entra ID, automation accounts in IT tools, application registrations, CI/CD pipelines that mint tokens, and machine accounts for RPA, agents, and connectors that were created to “get this working by Friday” and never audited again.

Basic questions are still hard:

  • How many non-human identities exist across cloud, SaaS, and data platforms?
  • Who actually owns each one?
  • What effective permissions do they have in practice?
  • Which ones are redundant, overprivileged, or orphaned?

Frost & Sullivan’s 2025 Frost Radar for Non-Human Identity Solutions treats that mess as its own market instead of a side effect of IAM or PAM. It evaluates vendors on discovery, governance, control, and innovation for NHI and names Veza a leader and innovation trailblazer. You can see that recognition in the BusinessWire press release and in Veza’s Frost Radar NHI report.

Under the covers, that view maps directly to Veza NHI Security:

  • Automatically discovers non-human identities across dozens of integrations and classifies them with built-in detection logic and custom enrichment rules.
  • Exposes an NHI overview with metrics such as total NHI accounts, unowned and high-risk NHIs, keys and secrets, and credential status, with Entity Owners assigned for accountability.
  • Uses NHI-specific Access Reviews, Review Intelligence policies, and rules and alerts to govern service and automation accounts and drive remediation workflows.

All of that runs on top of the same access graph used for human identities, where non-human identities are first-class objects tied to owners, policies, and permissions, not fake users on the side.

If your stakeholders are still ramping on the concepts, Veza backs this with primers like the NHI iceberg blog, “The NHI Iceberg: Visibility and actionability of hidden risks”, plus a Non Human Identity Management use case and the NHI Security product page.

The Frost signal for IT BDMs and CISOs is simple. NHI is now a named risk domain, and Veza is one of the few platforms that treats it as a measurable program.


GigaOm: Identity Security Posture Has To Be Continuous

Identity security posture management is how you deal with everything that happens after access is granted.

Once you have SSO, provisioning, and MFA, the problems change:

  • Permissions quietly accumulate across SaaS, cloud, and data
  • Temporary exceptions never get rolled back
  • OAuth consents grant broad scopes that nobody revisits
  • Access reviews are periodic, human-only, and narrow in scope

The GigaOm Radar for Identity Security Posture Management defines ISPM as the discipline of dealing with what happens after access is granted. ISPM platforms are expected to continuously map identities and entitlements, assess risk, prioritize issues, and support remediation for both human and non-human identities.

In that Radar, Veza is positioned as a leader and fast mover in the platform cohort with one of the highest overall scores. That posture work all runs on the same access graph that powers NHI.

Veza’s ISPM capabilities combine:

  • A graph-backed model of who can do what across IdPs, SaaS, cloud, and data
  • Access Intelligence dashboards, queries, and rules that highlight excessive privileges, missing MFA, orphaned accounts, and segregation of duties issues
  • Access Monitoring for systems such as AWS, Snowflake, SharePoint, Entra ID, and BigQuery, using audit logs to find dormant and over-provisioned access
  • Veza Actions and workflow integrations that push remediations into ITSM and native platforms, so posture work becomes real changes instead of another spreadsheet
  • Access AI as an enhancement layer that turns natural language into graph queries, helps teams find risky identities and paths, and explains review scopes and lifecycle decisions

GigaOm’s point is blunt. Identity compromise remains one of the most common paths into serious incidents, and exploiting weak hygiene around stale or overprivileged accounts is a standard attacker move. ISPM is the operating model for closing that gap continuously, not a one-off clean-up.

For leaders who need narrative air cover, Veza points to Tarun Thakur’s Forbes Technology Council article on ISPM as the foundation of security strategy, along with Veza’s Identity Security Posture Management explainer and the “Understanding ISPM” how-to article.


Gartner: IVIP, Next Gen IGA, and IAM Attack Surface all on One Graph

An identity visibility and intelligence platform is the layer that unifies identity and entitlement data from many systems and feeds that context into the rest of your security stack.

Across the Digital Identity Hype Cycle, the IGA Market Guide, and research on IAM attack surface, Gartner keeps returning to three themes that all line up with the same architecture.

  1. Identity visibility and intelligence, not just another inventory.
    In its research on identity visibility and intelligence platforms (for example, Gartner document 7012098), Gartner describes an emerging layer that pulls identity and entitlement data from many systems, normalizes it, runs analytics across relationships, and feeds that context into IGA, PAM, ITDR, SIEM, and SOAR. That description is a direct fit for how Veza’s access graph behaves in production. The graph unifies identities, accounts, groups, roles, policies, and resources from IdPs, clouds, SaaS platforms, and data stores, then exposes that model through Veza search and Access Graph search to answer questions like “which identities can write production data in this Snowflake account” or “what path gives this workload access to this S3 bucket”.
  2. Modernizing IGA without ripping it out.
    In the IGA Market Guide and related work on “light IGA” and CIEM, Gartner notes that you already have IGA and it is expensive and risky to replace, while cloud, SaaS, and non-human identities create blind spots that legacy IGA cannot model. The practical move is to augment IGA with better data and analytics. Veza’s Next Gen IGA model is aimed at that reality. Customers keep IdPs and HR systems as systems of record, but shift decision logic to the access graph. On that graph, Access Reviews run against actual effective access, not just directory groups. SoD rules are defined in a query-driven builder and evaluated continuously, with targeted reviews launched directly from findings. Lifecycle Management uses the same model to drive joiner, mover, and leaver automation. Access Hub gives managers and end users a single place to see and request access. Veza’s Next Gen IGA resource lays out that reference architecture.
  3. Treating identity as an attack surface you can measure and shrink.
    Gartner’s IAM attack surface research advises teams to instrument identity and entitlement data, use observability to detect when risk increases, and build repeatable remediation loops that steadily reduce exposure. Veza’s ISPM capabilities and Access AI are built to run that loop. The graph gives you a live picture. Access Intelligence and Access Monitoring highlight risky conditions and dormant access. Veza Actions and workflow integrations turn those insights into tickets and changes. AI helps humans see where to start. RSA’s perspective on ISPM as a governance-led approach for the modern enterprise echoes the same theme. Identity is now a primary attack surface, and posture plus governance is how you control it.

For a CISO or CTO, the message is clear. You do not have to throw away your IdPs or IGA, but you do need an access intelligence layer above them if you want a realistic shot at managing identity risk at the current scale.


Veza’s Access Graph Bet And Why The Patent Story Matters

A lot of vendors are now trying to retrofit products to match new analyst language around NHI, ISPM, and IVIP. Veza came from the other direction. From the beginning, the company treated “who or what can take what action on which resource” as a graph problem and built the platform around that idea.

Starting in 2022, Veza and its predecessor Cookie.AI filed and published a series of US patents that all orbit the same core design:

  • US20220067186A1, which covers building and traversing a unified privilege graph from many identity and policy sources
  • US20220067194A1 and US20220358233A1, which focus on normalizing accounts, groups, roles, and policies from multiple directories and cloud providers into a consistent model, and keeping it fresh
  • US20220286466A1 and its continuation US20250097233A1, which describe computing effective permissions from complex IAM policies and role chains and using those entitlements for governance decisions
  • US20220358228A1 and US20240406214A1, which connect that entitlement truth into governance workflows
  • More recent patents, such as US20240406177A1 and US20240411905A1, which layer on risk inference, usage-based right sizing, and decision support for reviewers, along with US20240020407A1 and US20240095279A1, which focus on keeping the graph clean at scale and evaluating access requests with near real-time context.

You do not need to read every claim to see the pattern. Access is modeled as a single, explorable graph across human and non-human identities, applications, infrastructure, and data. Effective permissions are calculated from real policies and entitlements and exposed through Veza search and Access Graph search. Changes flow into that graph as events from IdPs, clouds, SaaS platforms, and data systems. Governance features like Access Reviews, Lifecycle Management, SoD, NHI Security, and Access AI all operate on that same source of truth.

Veza did not see “IVIP” and “ISPM” on a slide and pivot. The architecture those frameworks now describe was already in place, already defended with patents, and already running for customers. Analysts put names on it after the fact.


Underneath The Categories, The Architecture Is The Same

On the surface, Frost focuses on NHI, GigaOm defines ISPM, and Gartner talks about IVIP, IGA, and IAM attack surface. Underneath, they are all circling the same architecture.

  • A single access graph that models who or what can take what action on which asset across human and non-human identities, accounts, groups, roles, policies, and critical resources, with path visualization, historic snapshots, and effective permission views. Veza describes that model on the Access Graph product page.
  • Continuous evaluation of that graph, with posture and risk recalculated as identities, applications, infrastructure, and policies change, using Access Intelligence, Rules and Alerts, and Access Monitoring to bring in usage and find dormant or over-provisioned access.
  • Governance that reflects reality, where Access Reviews, Access Requests, SoD checks, and Lifecycle Management run on that shared source of truth, with campaigns scoped on the graph, SoD rules defined as queries, and lifecycle events from HR and directories driving real entitlement changes and immutable evidence.
  • AI that explains and guides, where Access AI turns natural language into Veza Query Language and graph queries, surfaces risky identities and paths, explains why access exists, and suggests safe reductions that keep least privilege and SoD intact.
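The first two bullets above, and the Snowflake-style question from the Gartner section, reduce to a small graph problem: walk identity → group → role → policy → resource edges, union the actions each policy grants, and compare what is granted with what is actually used. This is an added illustration written for this page, not Veza’s code or Veza Query Language; the identities, groups, policies and the single Snowflake resource are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample graph: identity -> group -> role -> policy -> resource.
# Every name here is hypothetical; none comes from a real tenant.
EDGES = [
    ("user:alice", "group:data-eng"),
    ("group:data-eng", "role:snowflake-writer"),
    ("role:snowflake-writer", "policy:prod-write"),
    ("policy:prod-write", "resource:snowflake:PROD.SALES"),
    ("nhi:etl-pipeline", "role:snowflake-writer"),
    ("nhi:legacy-bot", "policy:prod-write"),
    ("user:bob", "group:analysts"),
    ("group:analysts", "policy:prod-read"),
    ("policy:prod-read", "resource:snowflake:PROD.SALES"),
]
# Actions each policy node grants on the resources it points at.
POLICY_ACTIONS = {"policy:prod-write": {"read", "write"}, "policy:prod-read": {"read"}}

ADJ = defaultdict(list)
for src, dst in EDGES:
    ADJ[src].append(dst)

def effective_access(identity):
    """Walk every path from an identity; return ({resource: actions}, {resource: path})."""
    result, paths = defaultdict(set), {}
    queue = deque([(identity, [identity], frozenset())])
    while queue:
        node, path, actions = queue.popleft()
        if node in POLICY_ACTIONS:
            actions = actions | POLICY_ACTIONS[node]
        if node.startswith("resource:"):
            result[node] |= actions
            paths.setdefault(node, path)  # keep the first granting path found
            continue
        for nxt in ADJ.get(node, []):
            if nxt not in path:  # nested groups/roles may cycle; do not loop
                queue.append((nxt, path + [nxt], actions))
    return dict(result), paths

def who_can(resource, action):
    """'Which identities can <action> on <resource>', with the path that grants it."""
    identities = sorted({n for n, _ in EDGES if n.startswith(("user:", "nhi:"))})
    hits = {}
    for ident in identities:
        access, paths = effective_access(ident)
        if action in access.get(resource, set()):
            hits[ident] = paths[resource]
    return hits

def over_provisioned(identity, observed):
    """Granted-but-unused actions per resource: where granted access and usage diverge."""
    access, _ = effective_access(identity)
    gaps = {res: acts - observed.get(res, set()) for res, acts in access.items()}
    return {res: gap for res, gap in gaps.items() if gap}
```

Feeding `over_provisioned` an empty usage map for a machine identity is the dormant-access case: everything it can do is a candidate for right-sizing.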

In Veza’s platform, that architecture shows up as NHI Security for non-human identities, ISPM capabilities for continuous posture and risk scoring, Next Gen IGA for Access Reviews, SoD, Access Requests, and Lifecycle Management, Access Hub to make it usable at scale for managers and end users, and Access AI tying it all back to the people who need to make and justify decisions. For a wider comparison across the identity security landscape, Veza’s identity security software buyer’s guide shows how this pattern differs from traditional SSO, PAM, and legacy IGA tools.


If You Own Identity Risk, What To Do With This

If you are an IT BDM, CISO, or CTO, you are not reading analyst work for fun. You are trying to move your architecture the right way without guessing.

Across Frost, GigaOm, and Gartner, the pattern is consistent:

  • Non-human identities need dedicated visibility and governance.
  • Identity security posture has to be continuous and actionable, not a once-a-year exercise.
  • IGA needs an access intelligence layer above it, not another rip-and-replace project.
  • Identity itself is now a primary attack surface and control plane.

Veza’s access graph, NHI Security, ISPM capabilities, Next Gen IGA, and Access AI are what that pattern looks like when it is actually running in production on real data.

From here, there are three practical moves.

  1. Stand up NHI as a named program.
    Use Frost’s Radar and Veza’s NHI assets as air cover and execution guidance. Scope a program around discovery, ownership, effective permissions, and risk reduction for NHIs across cloud, SaaS, data, and automation. Measure success as fewer unowned and high-risk NHIs, fewer live secrets on inactive accounts, and fewer overprivileged machine identities. Run it on Veza NHI Security, using the Non-Human Identity visibility and intelligence datasheet as your playbook.
  2. Treat identity posture as core exposure management.
    Use GigaOm’s ISPM work to pull identity posture out from under IAM. Put it next to CSPM and EDR. With Veza, that looks like using Access Intelligence and Access Monitoring to define and track baselines for excessive privileges, missing controls, orphaned access, and toxic combinations. Use Over Provisioned Access Scores where granted access and usage diverge. Use rules, alerts, and workflow integrations or Veza Actions to turn findings into actual changes.
  3. Modernize IGA with access intelligence, not a rip and replace.
    Follow Gartner’s IGA and IVIP guidance. Keep HR systems and IdPs as systems of record. Use the access graph as the decision layer. Run Access Reviews, SoD, and Lifecycle Management on that graph so governance reflects reality, not just directory groups. The Next Gen IGA resource lays out how to plug Veza into existing HR, ITSM, and identity flows.

Next Steps

If you want to turn the analyst story into something concrete for your own environment:


FAQ

What is non-human identity security?
Non-human identity security is the practice of discovering, governing, and right-sizing the permissions of machine identities such as service principals, app registrations, automation accounts, CI/CD tokens, and service agents across all your cloud, SaaS, infrastructure, and data platforms.

What is identity security posture management?
Identity security posture management is the ongoing process of mapping identities and entitlements, finding excessive or risky access, and driving remediation so that identity-related risk stays within acceptable bounds instead of drifting out between audits.

What is an identity visibility and intelligence platform?
An identity visibility and intelligence platform is a layer that unifies identity and entitlement data from many systems into one model, runs analytics across those relationships, and feeds that context into tools like IGA, PAM, ITDR, SIEM, and SOAR so they can make better security decisions.