Guest Post by Abhay Kulkarni, Widefield.ai 

Here’s a scenario that will be familiar to any CISO who has sat through a vendor briefing in the last three years: a salesperson opens with a slide full of overlapping acronyms (ITDR, ISPM, PAM, NHI, IVIP). Each represents a distinct product, each promising to solve a distinct piece of the identity security puzzle. And yet, the breaches keep coming.

The problem isn’t that any of these categories is wrong. The problem is that attackers don’t respect category boundaries, and our security architectures increasingly do.

How We Got Here: The Origins of ITDR

When Gartner first coined Identity Threat Detection and Response (ITDR), it was not conceived as a product category. It was a practice: a framework for integrating identity signals into the security operations workflows that organizations were already running through their SIEMs and XDR platforms. The assumption was that identity telemetry would flow into existing tools, enriching the broader threat detection picture.

That assumption has aged poorly.

As I argue in “ITDR Is Dead. Long Live ITDR,” the original model made sense in a world where identity security largely meant protecting Active Directory. But the enterprise identity surface of 2026 looks nothing like it did when ITDR entered the lexicon. Today’s organizations operate across on-premises directories, cloud identity providers, SaaS platforms, APIs, service accounts, and increasingly, AI agents with their own identity posture, privilege relationships, and attack vectors.

A practice designed for one identity system cannot adequately cover all of them.

The Proliferation Problem

The market’s response to this evolved threat landscape has been to create new categories. ISPM (Identity Security Posture Management) addresses configuration drift and standing privileges. Non-Human Identity (NHI) management tackles service accounts and machine credentials. The newest, Identity Verification and Intelligence Platform (IVIP), takes a verification-first approach. PAM vendors have expanded their scope. ITDR vendors have pivoted from practice-enablers to standalone products.

The result is a market that has solved the categorization problem, while the actual security problem has gotten worse.

Consider what we know about the highest-profile identity-related breaches of recent years: they did not succeed because organizations lacked identity security tools. They succeeded because those tools operated in silos. Attackers moved laterally across identity boundaries, from a compromised OAuth token to a service account, from a cloud identity to an on-prem directory, all while defenders were watching dashboards that had no visibility into the full chain of events.

The category naming arms race is a distraction. Attackers don’t file their techniques under the Gartner taxonomy. They simply find the seam between your PAM deployment and your cloud identity posture, then walk through it.

Why Generic Platforms Fall Short

A reasonable counterargument is: if the problem is silos, solve it at the SIEM or XDR layer. Pull all identity signals into a single pane of glass and let the existing detection logic do the work.

This approach fails for a fundamental reason: identity systems are stateful.

Unlike a firewall log or an endpoint alert, identity data is deeply contextual. A privileged access event means something very different depending on whether the account is human or non-human, whether the privilege is standing or just-in-time, whether the access pattern is consistent with historical behavior, and whether the account has transitive relationships to other sensitive resources. Generic SIEM and XDR platforms are not architected to model that context; they are built to process events, not to understand identity relationships.

This is the gap that a purpose-built, unified identity security platform can close. Not another point solution. Not another acronym. A platform with comprehensive visibility into every identity type, human and non-human, across its full lifecycle: provisioning, entitlement, behavior, and termination.
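The four context questions from the paragraph on stateful identity data, worked through as an added example that is not from the original post or from any vendor's product: two events of identical type and shape get the same event-only verdict but different findings once they are evaluated against identity state. All identity names, resources, graph edges, field names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:                      # hypothetical state record, not a product schema
    human: bool
    standing_admin: bool = False
    jit_until: int = 0               # epoch second at which an approved JIT grant expires
    baseline: set = field(default_factory=set)  # resources seen historically

# Constructed sample state: identities plus "can act as / can reach" edges.
IDENTITIES = {
    "alice": Identity(human=True, jit_until=2000, baseline={"helpdesk-console"}),
    "svc-backup": Identity(human=False, standing_admin=True, baseline={"backup-vault"}),
}
EDGES = {"svc-backup": ["role-storage-admin"], "role-storage-admin": ["prod-db-snapshots"],
         "alice": ["role-helpdesk"]}
SENSITIVE = {"prod-db-snapshots"}

def reachable_sensitive(start):
    """Follow transitive relationships from an identity to sensitive resources."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(EDGES.get(node, []))
    return seen & SENSITIVE

def stateless_verdict(event):
    """Event-only rule: every privileged access looks the same."""
    return "alert" if event["action"] == "privileged_access" else "ok"

def stateful_findings(event):
    """Evaluate the same event against what is known about the identity."""
    ident, out = IDENTITIES[event["actor"]], []
    if ident.standing_admin and not ident.human:
        out.append("standing privilege on non-human identity")
    if not ident.standing_admin and event["ts"] > ident.jit_until:
        out.append("privileged action outside JIT grant window")
    if event["resource"] not in ident.baseline:
        out.append("resource outside historical baseline")
    out += [f"transitive path to {r}" for r in sorted(reachable_sensitive(event["actor"]))]
    return out

# Constructed events with identical type and shape.
EVENTS = [
    {"actor": "alice", "action": "privileged_access", "resource": "helpdesk-console", "ts": 1500},
    {"actor": "svc-backup", "action": "privileged_access", "resource": "hr-share", "ts": 1500},
]
```

The event-only rule returns the same verdict for both events, while the stateful evaluation clears the first and raises three findings on the second.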

What “Long Live ITDR” Actually Means

The statement is deliberately provocative, but the underlying argument is optimistic. The practice of ITDR, continuous detection and response to identity threats, is not dead. In fact, it’s more important than ever.

What needs to die is the assumption that it can be achieved through category-by-category tool acquisition. The organizations that will win the identity security challenge in the next three years will not be those with the most complete acronym bingo card. They will be the ones that have achieved coherent, unified visibility across the full identity landscape, and built detection and response capabilities that reflect how identity systems actually work: stateful, relational, and deeply interconnected.