Are you tracking identities, or just accounts?

Identity, application, and access sprawl all stem from the same problem: we can only control what we can see. It’s a familiar challenge, and it’s why we founded Torii in 2017.

Visibility built on purchase orders and official onboarding overlooked shadow apps, emerging AI tools, and the actual ways people work. That’s why Torii was built differently from other platforms. Rather than relying solely on the SSO to tell the story, we sifted through the shadow apps at the edges of a company’s ecosystem—the tools that dominated usage while remaining invisible to IT, procurement, and SecOps.

And it worked.

We uncovered orphaned accounts, role creep, and idle licenses that had been completely hidden from SecOps.

We know this because our discovery numbers revealed that most tools were drastically underestimating the reality. Per Okta in 2024: “The average number of apps deployed by organizations… we’re seeing a jump to 93 this year. Large companies with ≥ 2000 employees lead the way, with an impressive average of 231 apps each.”

By contrast, our SaaS Benchmarks Annual Report found an average of 668 apps (7x Okta’s estimate), with large organizations (2,000–5,000 employees) averaging 1,474 apps.

This discrepancy isn’t an accident; it’s a testament to the importance of discovery based on usage, not just sanctioned approvals.

That’s long been the limitation of IGA vendors: they start with policies and approvals, but policies can only govern what’s visible. Torii began with discovery because we knew blind spots were the greatest risk. Years later, that focus has proven correct: in a SaaS-driven world, governance built on visibility and automation is the only way to keep pace with the rapid rate of change.

The Next Acceleration

Today, identity management is more complex than ever. AI agents are multiplying machine identities (non-human identities, or NHIs) at an alarming rate. Service accounts, API keys, and bots now outnumber humans 80:1. And if you can’t spot them, you can’t govern them — and you can’t offboard them. In this world, visibility isn’t “nice to have.” It’s step zero.

I’ve spoken with countless security leaders who feel the pain of the legacy IGA dilemma. One CISO put it bluntly:

“I always have to rerun my quarterly reviews. Every time. We keep finding apps the IGA never knew existed. I can’t delegate sign-off when I don’t trust the inventory list, so my team babysits the process, and onboarding time suffers. We don’t need more forms. We need a higher standard of discovery.”

At Torii, we’re dedicating our discovery engine to enhancing visibility and control across identity, governance, and access.

The Future State of Identity

The next wave of identity governance won’t be built on forms, approvals, or quarterly attestations. It will be built on:

  • Automatic data ingestion
  • Real-time shadow IT discovery
  • Cross-system automation
  • Predictive and prescriptive analytics

In this world, every identity—human and machine—must be visible the moment it comes into existence. Governance must be continuous and cross-platform, and machine identities must be treated with the same rigor as human ones.

Legacy IGA platforms are still playing catch-up. They provide permissions and insights based on SSO logs, rather than predicting actions and preventing threats in the face of continuously sprawling identities.

Holistic Visibility, Automated Control

At the end of the day, visibility without control is useless, and control without visibility is blind. The future isn’t about adding another dashboard or checkbox. It’s about uniting both halves of the equation: seeing everything and acting with confidence.

The rise of AI and non-human identities has made this shift unavoidable. You can’t govern what you can’t see, and you can’t prove what you can’t automate. That’s why we’re building the first platform where discovery and governance live side by side.

That’s what we’ve built at Torii — and what we’ll continue to build — because your team deserves a tool that can keep up with your organization, no matter what the future holds.