IVIP: Beyond the Buzzword, Toward Identity Reality

Every few years, the identity industry gets a new acronym. Some fade quickly. Others reshape the way we think. The newest entry is IVIP — Identity Visibility & Intelligence Platforms.

Since Gartner added IVIP to their Hype Cycle, the debate has been lively. Analysts like Martin Kuppinger and Matthias Reinwarth have rightly asked:

• Is IVIP truly new, or just a repackaging of existing ideas?
• Is it a platform in its own right, or simply a capability?
• Does it overlap with ITDR (Identity Threat Detection & Response) or sit within the broader Identity Fabric?

These are fair questions. But behind the noise, there’s a reality we can’t ignore.

Policy vs. Reality

For two decades I’ve heard Identity leaders and stakeholders ask the same thing:

“When I’m asked to certify access to PRD_4682_SYSOPS, what does it actually mean?”

IGA tools can tell you who is in the group. PAM can rotate the password if it’s tied to an account. ITDR can detect if it’s used in a suspicious way. But none of these tools explain what the entitlement really does.

• Does it grant access to sensitive financial data?
• Does it allow shutting down production systems?
• Does it effectively give the user root privileges?

Without that understanding, recertifications become rubber stamps. SoD policies remain partial. Zero Trust initiatives stall.

This is where IVIP comes in.

The Case for IVIP

Think of the identity stack in layers:

• IGA: Who has access, and to what.
• PAM: Protects privileged accounts through vaulting and session control.
• ITDR: Detects and responds to identity-based attacks.
• IVIP: Shines light into the blind spots. It provides continuous visibility into identities, entitlements, and, crucially, how they’re used in practice.

In other words: IVIP bridges the gap between policy and reality.

Why Now?

The timing isn’t arbitrary. The identity landscape has changed:

• Non-human identities (service accounts, API keys, workloads, AI agents) already outnumber humans in most enterprises.
• Long-lived secrets (SSH keys, API tokens, static credentials) persist across systems, rarely rotated or monitored.
• Linux estates and containers introduce complex entitlement models that IGA tools can’t parse. A Linux group might mean sudo to root, write access to critical directories, or nothing at all. Only deep visibility reveals the difference.

As Martin Kuppinger has highlighted, we’ve drifted back into relying on persistent credentials, especially in AI workloads, just as the industry was moving toward ephemeral, automatically rotated secrets. That’s not just bad hygiene. It’s a step backward.

Platform or Capability?

So, is IVIP a platform? Personally, I lean toward the view that Identity Fabric is the platform. IVIP is a capability, but a critical one. Without visibility and intelligence, every other capability in the fabric is weakened.

Here’s one way to think about it:

• IVIP = Hygiene and posture (know your risks before attackers do).
• ITDR = Detection and response (stop identity attacks in real time).
• Identity Fabric = The architecture (bringing it all together).

Why This Matters

If IVIP becomes just another acronym, it will fade like many before it. But if it forces us to finally confront the gap between entitlement policy and entitlement reality, it will have done the industry a service.

The real measure of success will be when managers no longer rubber-stamp access reviews, but see them in plain language:

“This group allows the user to shut down the core banking system.”

That’s when certifications become meaningful, SoD policies become enforceable, and Zero Trust stops being just a slide in a deck.

Final Word

Is IVIP hype? Maybe. Is it needed? Absolutely.

Whether you call it IVIP, IVI, or simply identity observability, the point is the same: we can’t secure what we can’t see.

And until we close the gap between policy and reality, IAM will always fall short.