Before You Buy Another IAM Tool, Find Out What You’re Actually Protecting
RSAC 2026 Vendor Spotlight: Sphere and the Identity Hygiene Imperative
Identity has become the new perimeter — but only in theory. In practice, most enterprises are operating with a fundamentally broken foundation: identity stores riddled with undiscovered accounts, unmanaged privileges, stale groups, and infrastructure no one can fully enumerate. Security teams invest heavily in PAM and IGA platforms, then discover those tools are only as effective as the data fed into them. When that data is incomplete or simply wrong, the entire investment underperforms. That gap — between what organizations believe about their identity environment and what exists — is the problem Sphere was built to solve.
The Challenge: You Can’t Secure What You Can’t See
The scale of the problem is jarring. According to Gartner, enterprises with ten thousand or more employees create or modify approximately fifty privileged accounts per week. Business decisions — launching a new application, onboarding a new branch, enabling a new software platform — continuously generate identities that outpace security team awareness. Organizations deploy PAM and assume the problem is solved, then discover months later that their external auditor has found accounts no one knew existed.
The data quality problem runs deeper than most CISOs realize. CMDBs are invariably a tangled mix of fully qualified domain names, IP addresses, and API endpoints with no authoritative normalization. Database administrators, when asked to enumerate their accounts, historically provided only what they deemed necessary — leaving a shadow inventory of direct, indirect, and federated access invisible to governance processes. In one Sphere engagement, the first scan revealed a 70% delta: accounts the security team had never seen. With 50% or more of enterprise accounts still lacking mandatory MFA enforcement, that invisible population represents material, exploitable risk.
Manual PAM onboarding compounds the problem. The industry average for the full cycle — discovery, classification, mapping to platforms and vaults, rotation configuration — runs roughly six weeks per account. At fifty new or modified accounts per week, organizations fall further behind every day.
What Sphere Does
Sphere positions itself as the identity hygiene layer that sits between and beneath the major IAM platforms — feeding CyberArk, SailPoint, and identity providers with the clean, normalized, continuously updated data those platforms require but cannot generate independently.
Its core capability is comprehensive account discovery across Active Directory, cloud infrastructure, databases, and hybrid environments, surfacing accounts that PAM and IGA tools have never ingested. The CyberArk integration is particularly mature: Sphere compares what exists in the environment against what CyberArk has onboarded, identifies the delta, maps each account to the appropriate platform and vault, and automates the onboarding workflow — compressing a six-week manual process to roughly one week while handling multiple accounts simultaneously. For IGA customers, Sphere provides the infrastructure-layer context that platforms like SailPoint need to make access certification meaningful: not just who has access to an application, but what the underlying infrastructure permissions look like.
Database visibility addresses one of the most persistent blind spots in identity governance. Sphere enumerates direct, indirect, and federated access at the server, database, and schema level — including the functions each account can execute — and tracks permission changes week over week, correlating them against ServiceNow or SharePoint authorization records. Security teams gain the ability to walk into an audit proactively, rather than reactively.
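The two operations described above, the discovery delta between accounts present in the environment and accounts a PAM vault has onboarded, and the week-over-week permission diff reconciled against approved change records, are both set comparisons over normalized identity data. The following is an added illustration of that logic, not Sphere's code or the CyberArk or ServiceNow APIs; the account lists, permission snapshots and approved-change set are constructed sample data, and the normalization rule (mapping DOMAIN\user and user@domain to one key) is an assumption.

```python
"""Added example (not Sphere's code): compute the PAM coverage delta and a
week-over-week permission diff. All data below is constructed."""


def normalize(identity: str) -> str:
    # Assumed normalization: case-fold, trim, and express DOMAIN\user as user@domain
    # so that the same account discovered in two notations compares equal.
    s = identity.strip().lower()
    if "\\" in s:
        domain, user = s.split("\\", 1)
        return f"{user}@{domain}"
    return s


# Constructed discovery output (AD, database, and local accounts, mixed notation).
DISCOVERED = [
    "CORP\\svc_backup", "corp\\DBA_admin", "svc_etl@corp",
    "j.doe@corp", "CORP\\legacy_app", "sa@prod-db01",
]
# Constructed list of accounts already onboarded into the vault.
PAM_ONBOARDED = ["svc_backup@corp", "dba_admin@corp", "j.doe@corp"]


def account_delta(discovered, onboarded):
    """Split discovered accounts into managed, unmanaged, and vault entries
    that no longer exist in the environment."""
    d = {normalize(a) for a in discovered}
    o = {normalize(a) for a in onboarded}
    return {
        "unmanaged": sorted(d - o),          # exist, never onboarded
        "managed": sorted(d & o),            # exist and under PAM control
        "orphaned_in_vault": sorted(o - d),  # in vault, not found by discovery
    }


def coverage_gap_pct(discovered, onboarded) -> float:
    """Percentage of discovered accounts outside PAM control."""
    delta = account_delta(discovered, onboarded)
    total = len(delta["unmanaged"]) + len(delta["managed"])
    return round(100.0 * len(delta["unmanaged"]) / total, 1) if total else 0.0


# Constructed permission snapshots: (account, scope, privilege).
WEEK_1 = {
    ("svc_etl@corp", "prod-db01/sales", "SELECT"),
    ("svc_etl@corp", "prod-db01/sales", "INSERT"),
    ("dba_admin@corp", "prod-db01", "CONTROL SERVER"),
}
WEEK_2 = (WEEK_1 | {
    ("legacy_app@corp", "prod-db01/hr", "SELECT"),
    ("svc_etl@corp", "prod-db01", "ALTER ANY LOGIN"),
}) - {("dba_admin@corp", "prod-db01", "CONTROL SERVER")}

# Constructed stand-in for approved changes pulled from a ticketing system.
APPROVED_CHANGES = {("legacy_app@corp", "prod-db01/hr", "SELECT")}


def permission_diff(previous, current):
    """Grants and revocations between two snapshots."""
    return {"granted": sorted(current - previous), "revoked": sorted(previous - current)}


def unauthorized_grants(previous, current, approved):
    """Grants that appeared without a matching authorization record."""
    granted = set(permission_diff(previous, current)["granted"])
    return sorted(granted - approved)


if __name__ == "__main__":
    print(account_delta(DISCOVERED, PAM_ONBOARDED))
    print("coverage gap:", coverage_gap_pct(DISCOVERED, PAM_ONBOARDED), "%")
    print(permission_diff(WEEK_1, WEEK_2))
    print("unapproved:", unauthorized_grants(WEEK_1, WEEK_2, APPROVED_CHANGES))
```

The normalization step is where most real-world deltas go wrong: without it, the same account in two notations shows up as both "unmanaged" and "orphaned in vault", inflating the gap and hiding the genuinely unmanaged population.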
The platform also tackles Active Directory hygiene: nested groups, empty groups, stale objects, and device-populated groups that have accumulated over years of organic provisioning. A new SaaS architecture allows Sphere to connect across multiple untrusted domains without satellite servers or collectors — a meaningful operational advantage for global enterprises managing fragmented domain environments.
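The Active Directory hygiene findings listed above (nested groups, empty groups, stale objects, device-populated groups) can all be derived from a membership graph plus per-object last-logon data. The code below is an added example of that derivation, not Sphere's code and not an LDAP query; the directory snapshot is constructed in-line, and the 90-day staleness threshold and the "all members are computer objects" definition of a device-populated group are assumptions.

```python
"""Added example (not Sphere's code): AD hygiene checks over a constructed
membership snapshot. Group names, members and dates are made up."""
from datetime import date, timedelta

# Constructed snapshot: group -> direct members (users, computers, or other groups).
GROUPS = {
    "Domain Admins": ["Tier0-Ops", "alice"],
    "Tier0-Ops": ["bob", "Legacy-Admins"],
    "Legacy-Admins": ["Tier0-Ops", "carol"],  # nesting cycle left by years of drift
    "Proj-Retired": [],                        # empty group
    "Print-Servers": ["PRN01$", "PRN02$"],     # device-populated group
}
# Constructed object attributes; dates are ISO strings standing in for lastLogonTimestamp.
OBJECTS = {
    "alice": {"type": "user", "lastLogon": "2026-03-01"},
    "bob": {"type": "user", "lastLogon": "2025-06-10"},
    "carol": {"type": "user", "lastLogon": "2024-01-15"},
    "PRN01$": {"type": "computer", "lastLogon": "2026-02-20"},
    "PRN02$": {"type": "computer", "lastLogon": "2025-01-05"},
}


def flatten_members(group, groups=GROUPS, _seen=None):
    """Resolve nested membership to leaf objects (effective members).
    A visited set stops recursion on nesting cycles."""
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    leaves = set()
    for member in groups.get(group, []):
        if member in groups:
            leaves |= flatten_members(member, groups, seen)
        else:
            leaves.add(member)
    return leaves


def empty_groups(groups=GROUPS):
    return sorted(g for g, members in groups.items() if not members)


def device_populated_groups(groups=GROUPS, objects=OBJECTS):
    """Groups whose direct members are all computer objects (assumed definition)."""
    return sorted(
        g for g, members in groups.items()
        if members and all(objects.get(m, {}).get("type") == "computer" for m in members)
    )


def nesting_cycles(groups=GROUPS):
    """Groups that can reach themselves through nested membership."""
    def reachable(start):
        stack, seen = [start], set()
        while stack:
            g = stack.pop()
            for m in groups.get(g, []):
                if m in groups and m not in seen:
                    seen.add(m)
                    stack.append(m)
        return seen
    return sorted(g for g in groups if g in reachable(g))


def stale_objects(as_of, days=90, objects=OBJECTS):
    """Objects whose last logon is older than the assumed threshold."""
    cutoff = as_of - timedelta(days=days)
    return sorted(n for n, o in objects.items() if date.fromisoformat(o["lastLogon"]) < cutoff)


if __name__ == "__main__":
    today = date(2026, 4, 1)
    print("effective Domain Admins:", sorted(flatten_members("Domain Admins")))
    print("empty:", empty_groups())
    print("device-populated:", device_populated_groups())
    print("nesting cycles:", nesting_cycles())
    print("stale:", stale_objects(today))
```

Flattening is the step that matters for governance: a certification that shows only direct members of a privileged group misses users who inherit the privilege through two or three levels of nesting, and a cycle in that nesting will hang a naive recursive resolver.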
Deployment Considerations
Sphere’s SaaS delivery model is relatively new and still maturing, which prospective customers should assess against their architectural requirements. The AWS connector is currently in development, with Azure already supported. The platform remains focused on human identities and accounts that humans can authenticate to, meaning machine-to-machine and pure NHI use cases are not the current priority — though Sphere is actively evaluating where to extend scope without diluting its core value proposition.
Why This Matters
The fundamental insight Sphere’s Field CISO Freddy Pardo articulates is worth internalizing: identity inventory is golden. Before an enterprise makes its next PAM or IGA investment, it should know the true perimeter it is trying to protect — how many accounts exist, where they live, what they can access, and whether they are under governance control. Without that foundation, every downstream security tool operates on incomplete information.
As agentic AI accelerates the proliferation of service accounts and automated execution paths, the account discovery and hygiene problem will intensify, not diminish. Organizations that treat identity data as a strategic product — with lineage, traceability, and continuous validation — will be materially better positioned to govern the expanding attack surface. Sphere is building that discipline into an operational platform. Enterprises serious about closing the gap between their assumed and actual identity posture should put it on the evaluation list.