Identity dark matter is the hidden layer of identity and access in an environment: local application accounts, embedded API keys, service credentials, shadow permissions, and other authorization paths that central IAM tools may not fully see. These elements often exist outside normal user directories and can persist even when a company believes access is well governed.
It matters because attackers frequently target the least visible credentials and permissions. If a local account, script secret, or delegated workflow is overlooked, it can become a durable entry point or a path for privilege escalation. Defenders reduce this risk with continuous discovery, secret scanning, least-privilege design, and regular review of app-level accounts and permissions. In AI-driven systems, the same idea applies to software agents: if an agent can act on hidden or poorly documented access, security teams lose control over what it can do and who can revoke it.
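The discovery and secret-scanning steps above can be reduced to a reconciliation exercise: compare what the central directory knows about with what individual systems actually contain, and flag anything that only exists locally. The script below is an added illustration, not code from the original page or from any vendor tool. All of the data in it (the central principal set, the per-system local accounts, the config snippets and the credential shapes they contain) is constructed for the example, and the regular expressions are generic heuristics rather than an authoritative secret-detection ruleset.

```python
"""Minimal 'identity dark matter' discovery pass.

Two checks a defender would run over an environment:
  1. Reconcile local/application accounts against the central IAM directory
     and report identities that only exist locally (shadow accounts).
  2. Scan configuration text for embedded credentials that bypass the
     directory entirely (API keys, tokens, hard-coded passwords).
All inputs are constructed sample data for this example.
"""
import re
from dataclasses import dataclass

# Constructed: principals the central IAM system knows about.
CENTRAL_IAM_PRINCIPALS = {"alice", "bob", "svc-billing"}

# Constructed: accounts enumerated directly on each system/application.
LOCAL_ACCOUNTS = {
    "billing-app": ["alice", "svc-billing", "admin"],       # 'admin' is local-only
    "ci-runner": ["bob", "deploy-bot"],                     # 'deploy-bot' is local-only
    "db-primary": ["svc-billing", "report_ro", "alice"],    # 'report_ro' is local-only
}

# Constructed config snippets; the key/token values are fake placeholders.
CONFIG_FILES = {
    "billing-app/settings.ini": (
        "api_key = AKIAEXAMPLE000000001\n[db]\npassword=hunter2\n"
    ),
    "ci-runner/deploy.sh": (
        "export TOKEN=ghp_exampleexampleexampleexample00000000\ncurl -H \"$TOKEN\" ...\n"
    ),
    "db-primary/my.cnf": "[client]\nuser=report_ro\n",
}

# Generic heuristic shapes (assumption: illustrative, not a complete ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?im)^\s*(?:password|passwd|pwd)\s*=\s*\S+"),
}


@dataclass(frozen=True)
class Finding:
    location: str   # file path or system name
    kind: str       # which heuristic fired
    detail: str     # redacted context, safe to put in a ticket


def redact(value: str) -> str:
    """Keep only a short prefix so a report never re-leaks the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


def find_shadow_identities(central: set, local_accounts: dict) -> list:
    """Return (system, account) pairs that exist locally but not centrally.

    These are the accounts nobody can revoke from the directory, which is
    exactly the 'who can revoke it' problem the definition describes.
    """
    return sorted(
        (system, acct)
        for system, accts in local_accounts.items()
        for acct in accts
        if acct not in central
    )


def scan_for_secrets(path: str, text: str, patterns=SECRET_PATTERNS) -> list:
    """Run every heuristic over one file and report redacted, line-located hits."""
    findings = []
    for name, rx in patterns.items():
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, name, f"line {line_no}: {redact(m.group(0))}"))
    return findings


def build_report(central=CENTRAL_IAM_PRINCIPALS,
                 local_accounts=LOCAL_ACCOUNTS,
                 config_files=CONFIG_FILES) -> dict:
    """Combine both checks into one structure a review process can consume."""
    secrets = [
        f for path, text in config_files.items() for f in scan_for_secrets(path, text)
    ]
    return {
        "shadow_identities": find_shadow_identities(central, local_accounts),
        "secrets": secrets,
    }


if __name__ == "__main__":
    report = build_report()
    for system, acct in report["shadow_identities"]:
        print(f"shadow identity: {acct!r} on {system} (not in central IAM)")
    for f in report["secrets"]:
        print(f"embedded secret: {f.kind} in {f.location} ({f.detail})")
```

On the constructed data this reports three shadow identities (`admin`, `deploy-bot`, `report_ro`) and three embedded credentials, with each secret redacted before it is written out. In a real environment the `LOCAL_ACCOUNTS` map would be populated from per-host enumeration and `CONFIG_FILES` from a repository or configuration-management export; the reconciliation logic stays the same.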



