Orchid Security’s State of Identity Security 2025 Report Reveals Alarming Gaps in Application Identity Controls

May 27, 2025 - Orchid Security's inaugural State of Identity Security 2025 report sheds light on alarming gaps in application identity controls within enterprises. The report reveals that nearly half of enterprise applications contain clear-text credentials, while 44% offer alternate authentication methods that bypass centralized Identity Providers.

These findings expose organizations to heightened audit findings, compliance penalties, and breach risk. Complementing traditional industry research based on post-incident findings, the report presents a proactive analysis of the state of identity controls. Unlike assessments of external exposures, Orchid analyzes authentication flows and authorization practices embedded deep within enterprise applications.

The report's insights span financial services, healthcare, manufacturing, retail, energy, and other sectors, offering a first large-scale view into unseen and often overlooked identity practices. These hidden vulnerabilities and compliance gaps are exposed by Orchid's analysis of over 10,000 applications across North America and Europe between January and April 2025.

The findings come at a critical time for the industry, with the recently released 2025 Verizon Data Breach Investigations Report confirming that stolen credentials are once again the most common initial access method leading to breaches. Similarly, CrowdStrike's Threat Report observes that "every breach starts with initial access, and identity-based attacks are among the most effective entry methods."

"These identity security gaps are by no means a reflection on today's identity and access management teams," said Roy Katmor, CEO and co-founder of Orchid Security. "The reality is, with the average enterprise relying on more than 1,200 applications – some developed and deployed globally, others introduced by regional offices or specific lines of business – it is a huge challenge to simply know all of the apps in use. Let alone to fully understand not only the standard audited identity flows, but also all feasible authentication pathways and authorization attributes within each application."

"Organizations can no longer afford to overlook identity as a central element of their security posture," added Katmor. "Even without automated tools such as Orchid Security in place, there are practical steps teams can take, from manual code reviews to architecture and monitoring enhancements. Identity remains the most common attack vector, and proactive, layered assessment is key to reducing exposure."

Orchid Security's Recommendations for Reducing Identity Risk

Orchid Security notes that there are a variety of common tools and methods that enterprises can use to assess their environments for identity security exposures. These include:

  • Manual code reviews
  • Architecture and monitoring enhancements
  • Automated, binary-level assessments of applications in production environments

"The cost of not addressing these gaps will be higher than the cost of implementing a solution," said Katmor. "We're committed to helping organizations reduce identity risk and improve their overall security posture."

About Orchid Security

Orchid Security is an identity security orchestration platform that leverages Open Telemetry, Prompt Engineering, and Large Language Models (LLMs) to unify and secure complex identity environments across enterprises. Founded by AI and cybersecurity experts Roy Katmor, Robert Weisman, and Ido Kelson, and backed by Intel Capital and Team8, Orchid enables large organizations to reduce the costs and effort of identity and access management while maintaining compliance and security across their digital infrastructure.

The company's platform facilitates continuous discovery of self-hosted and SaaS applications, assessment of native identity controls, and remediation of compliance and cyber exposure from a single point of control – without extensive effort or application recoding. To learn more about Orchid Security and its Identity-First Security platform, visit the website.