Orchid Security’s State of Identity Security 2025 Report Reveals Alarming Gaps in Application Identity Controls
Nearly half of enterprise applications contain clear-text credentials; 44% offer alternate authentication methods that bypass Identity Providers, offering easy ways in and through the environment
LAS VEGAS and NEW YORK, May 27, 2025 (GLOBE NEWSWIRE) -- Identiverse -- Orchid Security, the company bringing clarity to the complexity of enterprise identity security, today released its inaugural State of Identity Security 2025 report. Orchid’s analysis shows nearly half of enterprise applications violate basic credential-handling guidance, 44% undermine centralized IdP policies and 40% fall short of widely accepted identity-control standards. These shortcomings expose organizations to heightened audit findings, compliance penalties and breach risk.
Complementing traditional industry research based on post-incident findings, the report presents a proactive analysis of the state of identity controls. Unlike assessments of external exposures, Orchid analyzes authentication flows and authorization practices embedded deep within enterprise applications. These insights span financial services, healthcare, manufacturing, retail, energy and other sectors - offering the first large-scale view into unseen and often overlooked identity practices, and in doing so, exposing hidden vulnerabilities and compliance gaps.
Orchid will showcase these findings and its Identity-First Security platform at Identiverse 2025, taking place June 3-6 in Las Vegas.
The report’s findings come at a critical time in the industry. The recently released 2025 Verizon Data Breach Investigations Report confirms that stolen credentials are once again the most common initial access method leading to breaches. Similarly, CrowdStrike’s Threat Report observes that “every breach starts with initial access, and identity-based attacks are among the most effective entry methods.” As threat actors focus on “logging in” via stolen credentials rather than “hacking in,” understanding and eliminating identity security gaps becomes a top priority for CISOs and identity providers.
Key findings from Orchid’s research:
- Clear-text credentials found in nearly 50% of applications
Given that no code is impenetrable, and that weaknesses and their exploitation are a fact of life, masking or encrypting credentials – ideally by keeping them in an identity store, but certainly whenever they are coded into applications – is a security imperative. In nearly half of the binary-level assessments conducted, Orchid’s LLM-powered analysis uncovered clear-text credentials. These were usually associated with alternative access flows, often for non-human accounts, but they also present an easy target for threat actors seeking entry or lateral movement.
- 44% of applications bypass Identity Providers (IdPs)
While IdPs are very common within enterprises and a valuable tool for centralizing secure authentication practices, in 44% of applications at least one authentication path offered by the application did not use the IdP at all. This is often due to application-level constraints, particularly around integrating with third-party or legacy systems. While understandable, especially in support of external access scenarios, these siloed authentication paths create significant operational challenges. Because they sit outside the centralized IAM framework, these non-standard directories are frequently excluded from routine joiner, mover, and leaver (JML) processes. As a result, they can become outdated and unmanaged, and ultimately represent a growing blind spot that increases an organization’s exposure to identity-related cyber risk.
- ~40% of apps lack identity control basics
Basic best practices for maintaining identity security include monitoring and rate-limiting login attempts, locking accounts after a certain number of failed attempts, enforcing password complexity, configuring token lifetimes, and more. Unfortunately, each of these was found to be missing roughly 40% of the time. Most application developers are valued for their creativity, as it spurs innovation, but that same spirit can make the consistent implementation of standards across applications a challenge.
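The controls listed above (attempt rate limiting, lockout after repeated failures, and bounded token lifetimes) wrapped around a single credential check, as an added example that is not Orchid's code or taken from the report; the `verify(user, password)` callback, the `clock` injection and all threshold values are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5         # constructed threshold: failures before lockout
LOCKOUT_SECONDS = 15 * 60       # constructed lockout duration
RATE_WINDOW_SECONDS = 60        # constructed sliding window for rate limiting
MAX_ATTEMPTS_PER_WINDOW = 10    # constructed cap on attempts per account per window
TOKEN_LIFETIME_SECONDS = 30 * 60

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    attempt_times: list = field(default_factory=list)

class LoginGuard:
    """Wraps the hypothetical verify(user, password) callback with lockout,
    rate limiting and a bounded token lifetime."""
    def __init__(self, verify, clock=time.time):
        self.verify, self.clock = verify, clock
        self.accounts = {}     # user -> AccountState
        self.tokens = {}       # token -> (user, expiry timestamp)

    def login(self, user, password):
        now = self.clock()
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"            # reject without even checking the password
        st.attempt_times = [t for t in st.attempt_times if now - t < RATE_WINDOW_SECONDS]
        st.attempt_times.append(now)
        if len(st.attempt_times) > MAX_ATTEMPTS_PER_WINDOW:
            return "rate_limited"      # too many attempts in the window, right or wrong
        if not self.verify(user, password):
            st.failures += 1
            if st.failures >= MAX_FAILED_ATTEMPTS:
                st.failures = 0
                st.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        st.failures = 0                # success resets the failure counter
        token = f"tok-{user}-{len(self.tokens)}"   # demo handle; use random IDs in practice
        self.tokens[token] = (user, now + TOKEN_LIFETIME_SECONDS)
        return token

    def check_token(self, token):
        # Returns the user for a live token, or None once its lifetime has elapsed.
        if token not in self.tokens:
            return None
        user, expiry = self.tokens[token]
        if self.clock() >= expiry:
            self.tokens.pop(token)     # expired: force re-authentication
            return None
        return user
```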
“These identity security gaps are by no means a reflection on today’s identity and access management teams,” said Roy Katmor, CEO and co-founder of Orchid Security. “The reality is, with the average enterprise relying on more than 1,200 applications – some developed and deployed globally, others introduced by regional offices or specific lines of business – it is a huge challenge to simply know all of the apps in use. Let alone to fully understand not only the standard audited identity flows, but also all feasible authentication pathways and authorization attributes within each application. That complexity is only compounded by the fact that, until now, the process has been largely manual.”
Orchid’s recommendations for reducing identity risk
Orchid Security notes that there are a variety of common tools and methods that enterprises can use to assess their environments for identity security exposures, including:
- Static Application Security Testing (SAST): Code analysis during the development phases can easily be configured to look for hard-coded credentials, including those stored in clear text. Applications developed without a SAST tool should also be subject to code reviews looking for these practices as part of the release process.
- Architecture reviews: The use of identity providers (IdPs) should be a standard design requirement, enforced during design reviews.
- Monitoring tools: Basic log monitoring and Security Information and Event Management (SIEM) products will show you whether basic identity security hygiene is in place.
- Penetration testing: Identity is the most common way in for threat actors, and likewise for those emulating them during security assessments. Testing for common identity weaknesses should be included in scope.
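The kind of check the SAST recommendation above describes, reduced to a small rule set for hard-coded credentials, as an added example that is not Orchid's tooling or any vendor's rule set; the patterns, the skip rules for environment lookups and the sample source file are all constructed for illustration.

```python
import re

# Constructed rule set for this example; real SAST tools ship far larger, tuned rules.
CREDENTIAL_PATTERNS = [
    ("hard-coded secret assignment",
     re.compile(r'(password|passwd|pwd|secret|api_key|apikey|token)\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    ("credentials embedded in URL",
     re.compile(r'[a-z][a-z0-9+.-]*://[^\s/:"\']+:[^\s/@"\']+@', re.I)),
    ("private key material",
     re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----')),
]

def scan_source(text):
    """Return (line_number, finding, line) tuples for lines that look like
    clear-text credentials.  Comments and lines that fetch the value from the
    environment are skipped, since those are the pattern we want developers to use."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or "os.environ" in stripped or "getenv" in stripped:
            continue
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((no, label, stripped))
                break                      # one finding per line is enough for triage
    return findings

# Constructed sample source file; not taken from any real application.
SAMPLE_SOURCE = '''import os
DB_URL = "postgres://svc_reports:Summer2024!@db.internal:5432/reports"
admin_password = "hunter2hunter2"
api_key = os.environ["REPORTS_API_KEY"]
# password = "example-only"
SESSION_TOKEN = "eyJ0eXAiOiJKV1QifQ.abc.def"
'''

if __name__ == "__main__":
    for no, label, line in scan_source(SAMPLE_SOURCE):
        print(f"line {no}: {label}: {line}")
```

Lines 2, 3 and 6 of the sample are reported; line 4 reads the key from the environment and is deliberately left alone.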
“Organizations can no longer afford to overlook identity as a central element of their security posture,” said Katmor. “Even without automated tools such as Orchid Security in place, there are practical steps teams can take, from manual code reviews to architecture and monitoring enhancements. Identity remains the most common attack vector, and proactive, layered assessment is key to reducing exposure.”
Methodology
Orchid Security performed automated, binary‑level assessments of applications in production environments across North America and Europe between January and April 2025. Rather than observing primary user interactions, Orchid mapped every identity flow built into each application – including legacy, third‑party and service‑account paths – to surface controls that could be subverted by threat actors. The State of Identity Security 2025 report aggregates the gaps revealed by those assessments in order to surface those that are most common.
Visit Orchid at Identiverse 2025 in the Startup Alley (SU21) June 3-6.
To learn more about the current state of identity security, download Orchid’s State of Identity Security report.
For more information on Orchid’s Identity-First Security platform, visit the website.
About Orchid
Orchid Security is an identity security orchestration platform—leveraging OpenTelemetry, prompt engineering and Large Language Models (LLMs)—to unify and secure complex identity environments across enterprises. Founded by AI and cybersecurity experts Roy Katmor, Robert Weisman, and Ido Kelson, and backed by Intel Capital and Team8, Orchid enables large organizations to reduce the costs and effort of identity and access management (IAM), while maintaining compliance and security across their digital infrastructure. Its platform facilitates the continuous discovery of both self-hosted and SaaS applications, assessment of their native identity controls (and gaps), and remediation of compliance and cyber exposure from a single point of control—without extensive effort or application recoding.
Media Contact
Chloe Amante
Montner Tech PR
camante@montner.com