THE SIGNAL

The Vendor Wrote the Category and the Cure

The story isn't that enterprises can't see half their identity activity. It's that the company selling the cure also defined the disease, named the category, and supplied the number.

How to Sell a Problem Nobody Can Disprove

What happened: A sponsored article on The Hacker News announced a new analyst-defined category — the "Identity Visibility and Intelligence Platform" (IVIP), placed at Layer 5 of Gartner's Identity Fabric — and named Orchid Security as the vendor delivering it. The piece cited Orchid's own analysis that 46% of enterprise identity activity occurs outside centralized IAM visibility, a hidden layer it calls "Identity Dark Matter."

What's really going on: One actor is supplying every part of the argument. Orchid produces the statistic that defines the problem, the problem maps onto a category that contains exactly one named solution, and that solution is Orchid. The genius of the framing is that "Identity Dark Matter" is invisible by definition — you cannot audit what sits outside your visibility, so the only proof the risk exists is the tool that claims to detect it, and the only proof you are safe is buying that tool. What makes this hard to reverse is procurement: once "IVIP" lands on an analyst's layer diagram, "we don't run one" becomes a documented gap a CISO has to defend in front of a board, regardless of whether the 46% was ever independently confirmed.

Why most people are missing this: They are arguing about whether 46% is the right number, when the real move is that an unverifiable number became the entry ticket to a brand-new spending category.

The Take: Identity Dark Matter can't be measured, audited, or disproven — which is precisely what makes it the perfect thing to sell.

Why it matters: Once a vendor-supplied figure defines an analyst layer, the framing stops being optional. Competitors have to adopt the same vocabulary to be considered, and every security buyer has to budget against a risk whose size is set by the people selling the fix.

The Pattern

The tension is between analyst categories that emerge from independent research and categories that are authored, funded, and populated by the vendor who benefits from them. Vendor-authored categories are winning right now, because the rise of agentic AI and non-human identities has created real anxiety, and a confident number is the fastest way to attach a product to a fear. The interesting question is not whether enterprises have an identity visibility gap — they do. It is whether the gap is being measured to be closed, or named to be sold.

What This Signals

  • "Non-human identities" and "Agentic AI" are doing heavy lifting in this pitch because they describe a surface that genuinely is expanding and genuinely is hard to count — which makes them the ideal container for a number no buyer can check

  • The shift from "identity visibility" to "identity control," stated plainly in the piece, is the tell: visibility is the wedge, and control of the identity layer — who gets to define what counts as seen — is the position being claimed

  • A category defined by one vendor's telemetry method (binary analysis, dynamic instrumentation, no APIs) quietly writes that vendor's architecture into the definition, so rivals must either match the method or argue against the category itself

Quick Byte

In the 1920s, Listerine's marketers took "halitosis," an obscure medical term for bad breath, and built a mass market by giving an everyday condition a clinical name and an implied cure. The product barely changed; the naming did the work. Manufacturing a category has always been cheaper than manufacturing a need.

THREAD

  • A new security category, "IVIP," just got announced. The stat that justifies it, the company that defined it, and the company that sells the cure are all the same vendor. That's not a coincidence — it's the business model.

  • "46% of your identity activity is invisible." You can't audit invisible activity, so the only proof it's there is the tool that claims to see it. The number isn't a finding. It's a door.

  • When the vendor writes the problem, the category, and the solution in one article, what exactly is the analyst layer measuring?

POST: A vendor-sponsored article just announced a brand-new security category — IVIP — and named the company that delivers it: the same company that supplied the statistic justifying the whole thing. The number is "46% of enterprise identity is invisible," sourced to the vendor's own analysis. You can't disprove invisible risk, which is what makes it sellable: the only evidence it exists is the instrument being sold to detect it. Real identity gaps exist. But this isn't a gap being measured to close it — it's a gap being named to bill against it.

TAKE: The most profitable thing in security isn't fixing a problem. It's naming one that can't be disproven and putting it on the procurement checklist.
