There’s a quiet shift underway in enterprise security — one that’s not about more dashboards or another identity add-on, but about acknowledging that most organizations simply don’t know what identity actually looks like inside their own application estates. That’s the backdrop to Orchid Security being named to the 2025 CRN Stellar Startup list in the Security category. It reads like a typical “congratulations to the team” announcement at first glance, but the substance underneath is more interesting: Orchid isn’t trying to add more visibility to the already visible parts of the IAM stack. Instead, it’s going after the unseen half.
The company’s core idea is that identity in the modern enterprise isn’t centrally governed, no matter how good the IAM program is. Codebases evolve, documentation lags, services get onboarded without full review, and SaaS usage sprawls across departments faster than policies can catch up. What emerges is a layer of unsupervised identity logic embedded directly within applications — permissions hardcoded, roles mislabeled, privileges inherited without anyone remembering why. Orchid refers to this as identity “dark matter,” and the term fits surprisingly well. Just as most of the universe isn’t visible through typical instruments, most identity configurations aren’t visible through the IAM tools enterprises rely on.
Where Orchid differs from other identity-first vendors is its method of inspection. Rather than relying on what the IAM system already knows, the platform analyzes identity controls directly from application binaries — essentially reading identity from the source of truth itself. That lets organizations see the real picture: which apps exist, who can access them, whether privileges make sense, where controls drifted, and how much of the identity landscape is unmanaged in practice. For many enterprises, nearly half of their application estate falls into this shadow layer. That gap explains why even mature IAM programs still struggle with audit friction, slow onboarding, and recurring incidents tied to privilege issues no one noticed because no system was designed to look there.
The CRN recognition matters mainly because it signals that this category is moving from emerging idea to accepted market need. Enterprises aren’t just experimenting with identity continuous monitoring anymore; they are acknowledging that reactive IAM is insufficient when the real risks live outside the known map. The pitch isn’t “replace your IAM stack” but “finally understand what your IAM stack doesn’t see.” And for teams already stretched thin, the appeal is pragmatic: faster audits, smoother application onboarding, fewer manual governance reviews, and security spend that maps to real exposure instead of theoretical models.
Roy Katmor, Orchid’s CEO, frames the moment simply: identity security has stopped being a controls problem and become a context problem. Organizations don’t lack tools; they lack ground truth. The customers already adopting Orchid are drawn less to novelty and more to relief — clarity where there wasn’t any, and a restored sense of control over the identity layer that underpins everything else in security.
It’s still early in this market, but the direction feels inevitable. The unseen part of identity has grown larger than the part we manage. At some point, enterprises either reckon with that or stay in the loop of re-certifying the same visible roles while incidents continue to emerge from places no one was looking. Orchid has stepped into that space, and recognition like the CRN list suggests that others are beginning to see the same gap forming.
Leave a Reply