Enterprise identity programs have operated under a foundational assumption for more than 20 years: if you document who has access to what, review that access periodically, and produce evidence for auditors, you have reduced identity security risk. The evidence suggests otherwise. Organizations that have implemented identity governance and administration (IGA) platforms, maintained access certification workflows, and passed compliance audits continue to experience identity-related breaches at accelerating rates.
The problem is not that governance fails to produce outputs. It produces volumes of them: certification reports, access reviews, role definitions, policy attestations. The problem is that those outputs optimize for audit readiness, not for the reduction of exploitable identity risk. Fulfilling a compliance requirement and eliminating an attack path are not the same activity, and the gap between them is where adversaries operate.
Passing an audit does not stop an identity attack. As cybercriminals increasingly exploit stolen credentials, impersonation tactics, and AI-powered deception, organizations need security strategies focused on reducing real-world identity risk rather than simply satisfying compliance requirements. Consltek’s Deepfake to Breach: SMB Playbook for Identity Attacks explores how modern identity threats bypass traditional governance controls and what security leaders can do to close the gap.
A new platform from Clarity Security, called Aperture, enters the market with an explicit architectural premise: governance was never the right foundation for identity security, and building better governance tooling will not close the gap. What is required is a different model entirely, one that treats risk as a continuously measured property of every identity and access relationship rather than a periodic review artifact.
What Fails When Governance Becomes the Goal Instead of the Method
Traditional IGA platforms structure the identity security workflow around scheduled access reviews. Every 90 days, or every six months, or annually, a batch process generates a list of entitlements assigned to each user. Managers are asked to certify whether those assignments remain appropriate. The certifications are logged as evidence. The cycle repeats.
That model addresses a compliance control requirement, typically tied to SOC 2 Type II access review criteria, ISO/IEC 27001:2022 Annex A.9.2 (user access management), or PCI DSS 4.0 Requirement 7.2 (access control review). It does not address the question of whether any given identity presents exploitable risk at this moment. Between review cycles, entitlements accumulate. Service accounts proliferate. Federated access grants permissions that nested policy logic obscures. APIs issue tokens that outlive the sessions they were intended to secure. By the time the next review cycle begins, the risk landscape has changed in ways that backward-looking certification workflows cannot detect.
“IGA was the wrong shape from the start, designed for auditors, not for security,” said Alexis Moyse, CEO and co-founder at Clarity Security. “We are not building better IGA. Aperture is what identity security should have looked like from day one if risk reduction had actually been the goal.” That framing reflects a broader market tension: IGA vendors have layered analytics and risk scoring onto governance-first architectures, but the core workflow remains oriented toward periodic certification rather than continuous risk closure.
The operational consequence is that security teams run access reviews as a recurring project, separate from the work of identifying and remediating active identity risk. When a high-risk entitlement is discovered (a contractor account with database admin privileges that has been dormant for six months, or an OAuth app with tenant-wide read/write scope that no one remembers authorizing), the IGA platform documents it. Someone opens a ticket. Remediation occurs in a separate system, if it occurs at all. The next review cycle will reveal whether the ticket was closed.
How Continuous Risk Scoring and Integrated Remediation Change the Architecture
Aperture structures the identity security workflow differently. At its core is a dynamic risk scoring engine that evaluates inherent and contextual risk across every identity and access relationship in real time. Inherent risk derives from the scope and sensitivity of the entitlements themselves: a service account with IAM policy modification rights in AWS carries higher inherent risk than a read-only role scoped to a single S3 bucket. Contextual risk incorporates behavioral signals, access patterns, federation paths, and permission chaining: that same service account becomes higher risk if it has not authenticated in 180 days, if it was provisioned outside the standard workflow, or if it holds credentials that were copied into a developer Slack channel.
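To make the inherent-versus-contextual split concrete, here is an added worked example (not Aperture's scoring engine or any Clarity code): inherent risk comes from a constructed table of entitlement sensitivities, and contextual risk adds points for the signals the paragraph names (dormancy of 180 days or more, out-of-band provisioning, an exposed credential, and a missing owner). The entitlement names, weights, point values and sample identities are all assumptions made up for illustration.

```python
"""Added example of inherent + contextual identity risk scoring.
Entitlement weights, signal points and sample identities are constructed
for illustration; they are not Aperture's model or data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Inherent risk: what an entitlement lets a holder do if abused, independent
# of who holds it or how it is used (constructed weights, 0-100).
ENTITLEMENT_WEIGHTS = {
    "aws:iam:PutRolePolicy":    90,   # can grant itself any permission
    "aws:iam:AttachRolePolicy": 90,
    "aws:rds:*":                70,   # production database admin
    "aws:s3:GetObject":         20,   # read-only on a single bucket
    "m365:Mail.ReadWrite.All":  60,   # tenant-wide mailbox read/write (OAuth)
}

# Contextual risk: points added for risk-raising context (constructed).
CONTEXT_POINTS = {
    "dormant>=180d":            15,
    "out-of-band-provisioning": 10,
    "credential-exposed":       25,
    "no-owner":                 10,
}
DORMANT_DAYS = 180

@dataclass
class Identity:
    name: str
    kind: str                        # "human" | "service" | "oauth_app"
    entitlements: list[str]
    last_auth: Optional[date]
    provisioned_via_workflow: bool
    credential_exposed: bool = False
    owner: Optional[str] = None

def inherent_risk(identity: Identity) -> int:
    """The most sensitive entitlement dominates; each extra one adds a little."""
    weights = sorted((ENTITLEMENT_WEIGHTS.get(e, 10) for e in identity.entitlements),
                     reverse=True)
    if not weights:
        return 0
    return min(100, weights[0] + 5 * (len(weights) - 1))

def contextual_signals(identity: Identity, today: date) -> list[str]:
    """Return the labels of every risk-raising signal present on the identity."""
    signals = []
    if identity.last_auth is None or (today - identity.last_auth).days >= DORMANT_DAYS:
        signals.append("dormant>=180d")
    if not identity.provisioned_via_workflow:
        signals.append("out-of-band-provisioning")
    if identity.credential_exposed:
        signals.append("credential-exposed")
    if identity.kind != "human" and identity.owner is None:
        signals.append("no-owner")           # nobody accountable for this NHI
    return signals

def score_identity(identity: Identity, today: date) -> dict:
    base = inherent_risk(identity)
    signals = contextual_signals(identity, today)
    total = base + sum(CONTEXT_POINTS[s] for s in signals)
    return {"name": identity.name, "inherent": base,
            "signals": signals, "score": min(100, total)}

def rank(identities: list[Identity], today: date) -> list[dict]:
    """Highest risk first, so remediation can start at the top of the list."""
    return sorted((score_identity(i, today) for i in identities),
                  key=lambda r: r["score"], reverse=True)

# Constructed sample inventory (not real accounts).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Identity("svc-terraform", "service",
             ["aws:iam:PutRolePolicy", "aws:iam:AttachRolePolicy"],
             last_auth=date(2024, 11, 1), provisioned_via_workflow=False,
             credential_exposed=True, owner=None),
    Identity("reporting-reader", "service", ["aws:s3:GetObject"],
             last_auth=date(2025, 5, 30), provisioned_via_workflow=True,
             owner="data-platform"),
    Identity("contractor-mail-app", "oauth_app", ["m365:Mail.ReadWrite.All"],
             last_auth=date(2024, 10, 15), provisioned_via_workflow=True,
             owner=None),
]

if __name__ == "__main__":
    for row in rank(SAMPLE, TODAY):
        print(f"{row['name']:<22} inherent={row['inherent']:>3} "
              f"score={row['score']:>3} signals={row['signals']}")
```

The point of separating the two components is that the same entitlement set produces a different score once the context changes: the read-only reader stays low, while a policy-modification service account that is dormant, provisioned out of band and has a leaked credential saturates the scale. Re-running the scorer whenever a signal changes is what turns a periodic review into a continuous measurement.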
The platform maintains read and write capabilities across connected systems, spanning legacy mainframes, on-premises directories, public cloud IAM systems, and SaaS application APIs. Risk identified in the platform can be remediated within the platform: entitlements can be revoked, permissions can be downscoped, accounts can be disabled, and OAuth grants can be withdrawn without leaving the interface or opening an external ticket. That architectural choice closes the loop that traditional IGA leaves open.
Nested permissions and federated access present a particular challenge for identity risk assessment. A user may hold a role in Azure AD that grants them membership in a group that is federated into AWS, where that group is assigned a policy that allows assumption of another role with privileged access to production databases. Traditional IGA platforms document each step in isolation. Aperture maps the full blast path: not just who has access, but how they obtained it, what transitive permissions it conveys, and what downstream resources it exposes.
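The chain described above (user, group, federated role, assumable role, database) is a path through a directed graph, and "mapping the blast path" means enumerating every such path rather than inspecting each hop in isolation. The following is an added example of that traversal, not Aperture's graph model or any Clarity code; the node names, relationship types and the sample environment are constructed for illustration, and the example also answers the reverse question (which principals can reach a given resource), which the text does not spell out.

```python
"""Added example: transitive permission-chain ("blast path") resolution over a
constructed identity graph. Nodes, edge types and the environment are invented
for illustration; this is not Aperture's data model."""
from collections import defaultdict

# Directed edges (source, relationship, target). Each edge is one hop by which
# whoever controls `source` can act as, or reach, `target`. Constructed data.
EDGES = [
    ("user:alice",                "member_of",    "aad:group:data-eng"),
    ("aad:group:data-eng",        "federates_to", "aws:role:DataEngFederated"),
    ("aws:role:DataEngFederated", "can_assume",   "aws:role:ProdDBAdmin"),
    ("aws:role:ProdDBAdmin",      "grants",       "aws:rds:prod-customers"),
    ("aws:role:DataEngFederated", "grants",       "aws:s3:analytics-bucket"),
    ("user:bob",                  "member_of",    "aad:group:support"),
    ("aad:group:support",         "grants",       "saas:zendesk:tickets"),
]

def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def blast_paths(graph, principal, max_depth=8):
    """Enumerate every path from `principal` to a resource, where a resource is
    a node with no outgoing edges. Each path is a list of (relationship, node)
    hops. A per-path visited set stops cycles such as nested group loops."""
    paths = []

    def walk(node, path, seen):
        out = graph.get(node, [])
        if not out:                      # leaf: a resource was reached
            paths.append(path)
            return
        if len(path) >= max_depth:       # bound pathological chains
            return
        for rel, nxt in out:
            if nxt in seen:
                continue
            walk(nxt, path + [(rel, nxt)], seen | {nxt})

    walk(principal, [], {principal})
    return paths

def reachable_resources(graph, principal):
    """Every resource the principal can reach transitively, however obtained."""
    return sorted({path[-1][1] for path in blast_paths(graph, principal) if path})

def who_can_reach(graph, resource, principal_prefix="user:"):
    """Reverse view: which principals have any path to `resource`."""
    principals = sorted(n for n in graph if n.startswith(principal_prefix))
    return [p for p in principals if resource in reachable_resources(graph, p)]

def format_path(principal, path):
    return principal + "".join(f" -[{rel}]-> {node}" for rel, node in path)

GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for path in blast_paths(GRAPH, "user:alice"):
        print(format_path("user:alice", path))
    print("can reach prod DB:", who_can_reach(GRAPH, "aws:rds:prod-customers"))
```

Each hop in the output is the answer to "how did they obtain it": the user never holds the production role directly, only a group membership that is federated and then chained through an assumable role. Revoking any single edge on the path (the federation, the `can_assume` trust, or the group membership) breaks the chain, which is the kind of targeted downscoping an in-platform remediation step would apply.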
The result is what Clarity calls Adaptive Trust, a model in which access governance becomes a continuous function of measured risk rather than a scheduled review process. Audit evidence is generated as a byproduct of risk remediation work rather than as the primary output the workflow is designed to produce.
Non-Human Identities as the Fastest-Growing Exposure Surface
Alongside the core platform, Clarity is releasing an NHI and AI Security module designed specifically to address the proliferation of non-human identities: service accounts, API keys, OAuth applications, machine-to-machine tokens, and AI agents. These identities now outnumber human identities in most enterprise environments by a factor of 10 or more, and they operate with access patterns that access review workflows cannot evaluate meaningfully.
There is no manager associated with a service account who can sign off on its permissions. The API key is not listed on any organizational chart. The access granted to an OAuth application provisioned by a contractor who left the organization half a year ago persists until it is discovered and manually removed. AI agents present a similar problem: their permissions change with the tasks assigned to them, which makes them harder to govern than other types of identities.
Without tooling purpose-built to discover, map, and govern non-human identities, these exposures remain invisible to both IGA platforms and security operations teams. The NHI module in Aperture discovers every non-human identity across connected systems, maps its full permission chain, identifies ownership (or lack of ownership), and measures risk against the OWASP Non-Human Identity Top 10, a framework that provides board-level reporting structure for NHI security posture.
Ownership is treated as a structural property of the environment, not a documentation exercise. Every service account, API key, and OAuth app must have an assigned owner who is accountable for its continued operation and responsible for its remediation or decommissioning. When ownership cannot be determined, the identity is flagged for revocation or re-provisioning through a controlled workflow.
Reading the Competitive Position Against IGA and CIEM Incumbents
The identity security market has historically separated into two categories: IGA platforms focused on governance, compliance, and access certification (led by SailPoint, Saviynt, and Okta Identity Governance), and cloud infrastructure entitlement management (CIEM) platforms focused on discovering and analyzing entitlements in public cloud environments (including Ermetic, now part of Tenable Cloud Security, Wiz, and Sonrai Security). PAM vendors like CyberArk have added identity analytics capabilities but remain architecturally centered on privileged session management.
Aperture positions itself as a synthesis rather than an iteration. It incorporates the continuous discovery and entitlement mapping that defines CIEM, the governance workflow and audit evidence generation that defines IGA, and the remediation capability that PAM vendors offer for privileged accounts, but it extends all three across human and non-human identities in hybrid and multi-cloud environments.
The architectural distinction is the integration of real-time risk scoring, blast path analysis, and in-platform remediation as a unified workflow rather than as separate tool categories that require integration. SailPoint IdentityNow can generate risk scores, but remediation typically occurs through ticketing systems external to the platform. Wiz can map cloud entitlements and identify toxic permission combinations, but it does not extend into on-premises identity systems or provide access certification workflows for compliance. CyberArk Identity can enforce adaptive authentication policies, but it does not provide full-spectrum NHI discovery or permission chain mapping for service accounts across SaaS applications.
Clarity is entering a market where enterprises have already invested in one or more of these categories. The GTM argument is not replacement in all cases, but rather the recognition that layering governance, entitlement analysis, and remediation as separate products creates the gaps that identity-based attacks exploit.
Budget Reallocation Patterns This Shift Creates
The launch of Aperture signals budget movement in two areas. First, organizations that have treated IGA as a compliance line item (renewing SailPoint or Saviynt subscriptions annually because SOC 2 audits require access review evidence) are beginning to evaluate whether those platforms deliver security value proportional to their cost. If the answer is that they produce audit artifacts but do not measurably reduce identity risk, budget conversations shift toward platforms that do both.
Second, the rapid expansion of non-human identities, particularly in organizations deploying AI agents with autonomous access, is creating net-new budget allocation for NHI governance tooling. This is not a reallocation from existing IGA or PAM spend. It is a new category driven by an exposure surface that did not exist at scale three years ago and that traditional identity governance platforms were not designed to address.
Security leaders managing SaaS sprawl, multi-cloud IAM complexity, and DevOps environments where service accounts are provisioned faster than they can be inventoried are facing a workflow problem that access reviews cannot solve. The budget signal is a move toward platforms that treat identity risk as a continuous security function rather than a periodic compliance activity.
Which Enterprises Have Already Run Out of Runway
The organizations facing the most immediate pressure are those where identity has already become the primary attack vector and where existing governance tooling has not prevented incidents. This includes SaaS-heavy enterprises where OAuth app abuse, compromised service accounts, and over-privileged third-party integrations have led to data exposure or business email compromise. It includes financial services and healthcare organizations subject to GDPR Article 32 (security of processing), HIPAA Security Rule 45 CFR §164.308(a)(4) (access controls), and PCI DSS 4.0 Requirement 7, where compliance audit success has not translated into reduced identity-related breach risk.
Cloud-native organizations running Kubernetes at scale, where service account tokens and workload identities proliferate faster than manual governance processes can track them, face a distinct challenge. Traditional IGA cannot operate at the velocity these environments require. By the time an access review flags an over-privileged service account, the pod it was attached to has been terminated and replaced a dozen times.
Enterprises deploying AI agents with access to email, calendars, CRM systems, and internal knowledge bases are entering uncharted territory. These agents hold permissions that combine the scope of a privileged user with the execution speed of an API and the autonomy of a process that operates without direct human oversight. If your identity governance model still assumes that every access grant has a human user behind it who can be interviewed during an access review, you are operating with architecture that no longer maps to the environment it is meant to secure.
The shortest runway belongs to organizations that have completed IGA implementations, passed their compliance audits, and still experienced identity-related incidents in the past 12 months. If governance has not closed the gap, the next conversation is not about better governance. It is about whether identity security requires a different model entirely.
Research and Intelligence Sources: Clarity Security