← BlogSecurity Insights

Observability Is No Longer Optional: Why O11y Is the Foundation of Modern Security | Avistar.AI Blog

Observability (O11y) has evolved from infrastructure monitoring to identity-aware security. Most organizations still cannot see the machine identities acting on their systems.

In March 2026, a compromised Microsoft Intune admin credential gave Iranian-linked threat actors access to Stryker's internal environment. They wiped over 100,000 machines and exfiltrated 20TB of data. The credential had not been rotated. Nobody saw it coming.

That is not a monitoring failure. Stryker had monitoring. What they lacked was observability: the ability to understand what was happening inside their systems by analyzing the signals those systems produce. Specifically, the ability to see which non-human identities were active, what they were doing, and whether their behavior had changed.

This is the gap that observability (O11y) was designed to close. And it is a gap that most organizations have not addressed.


What O11y Actually Means

O11y (pronounced "Ollie") is shorthand for observability. The term comes from control theory, where a system is considered "observable" when you can determine its internal state from external measurements. It migrated to software engineering in the 2010s as cloud-native architectures outgrew traditional monitoring. [1] [https://www.logicmonitor.com/blog/what-is-observability]

Monitoring asks: "Is something wrong?" Observability asks: "Why is it wrong?"

Monitoring watches predefined thresholds and fires alerts when they breach. Observability gives you the ability to explore system behavior in real time and investigate problems you never anticipated. Monitoring handles known-knowns. Observability handles unknown-unknowns. In a world where the average enterprise runs hundreds of microservices, deploys multiple times per day, and manages infrastructure across three or more cloud providers, the unknown-unknowns are where the real risk lives.


The Three Pillars

O11y rests on three data types, each serving a distinct purpose:

Logs are timestamped records of discrete events. They are the system's diary: granular, detailed, and usually the first place you look when something breaks.

Metrics are numeric measurements over time: CPU usage, request latency, error rates, connection counts. They are your system's pulse. Good for spotting trends and triggering alerts.

Traces follow a single request as it moves through distributed services. In a microservices architecture, one user action might touch a dozen services. Traces map that path, showing which service handled what and how long each step took. Each step is called a "span."

None of these are useful in isolation. The power comes from correlation: linking metrics, logs, and traces together with shared context (typically a unique trace ID that follows a request through every service it touches). OpenTelemetry [https://opentelemetry.io/], the CNCF-backed standard, provides vendor-neutral instrumentation that makes this correlation consistent across platforms.


The Real Shift: From Infrastructure Visibility to Identity Visibility

Here is where O11y gets consequential for security.

Traditional observability focused on infrastructure: can I see my servers, my containers, my network traffic? That was the right question in 2015. It is not the right question in 2026.

The right question now is: can I see every identity acting on my infrastructure?

This matters because non-human identities (NHIs) now outnumber human identities by ratios of 40:1 to over 100:1, depending on the industry. [6] [https://www.britive.com/resource/blog/2026-security-predictions-identity-as-the-control-plane-for-cloud-ai] Service accounts, API keys, OAuth tokens, workload identities, pipeline credentials, AI agent tokens. Every cloud migration, every automation initiative, every agentic AI deployment creates more of them. And NHIs create other NHIs: an automated deployment pipeline generates temporary credentials for each build; a containerized application spawns new identities for each microservice.

CyberArk's latest identity report puts the ratio at 82:1 machine identities to human identities. [9] [https://www.darkreading.com/cybersecurity-operations/growing-challenge-ai-agent-nhi-management] Add LLM-powered agents and Model Context Protocol (MCP) toolchains, each capable of invoking dozens of downstream services, and the identity surface multiplies again.

82:1

Machine identities to human identities in the average enterprise cloud.

The O11y world is converging with identity security. Observability, compliance, and risk are landing in unified, identity-centric views. [3] [https://appdevelopermagazine.com/2026-cybersecurity-predictions:-identity-becomes-the-interface/] The question is no longer just "what changed?" but "which identity made the change, when, and why?"


Why This Matters for Security Teams

Four reasons O11y is now a security imperative, not just an operations concern:

  1. You cannot secure what you cannot see

Over 75% of security breaches involve compromised machine identities, according to CyberArk research. [8] [https://nhimg.org/nhi-101/machine-identity-observability] Most of those identities were invisible to the security team before the breach. Without observability into NHI behavior (creation patterns, access patterns, privilege levels, rotation status), you are defending a perimeter you cannot map.

  1. Monitoring catches what you expect. Observability catches what you do not.

The Stryker breach was not caused by a known vulnerability. It was caused by a credential that had not been rotated, used by a service account that nobody was watching, in a system where the anomalous behavior was invisible to the existing monitoring stack. That is the definition of an unknown-unknown.

  1. Agentic AI is accelerating the problem

AI agents hold credentials, invoke APIs, and write code autonomously. Many organizations have created an entire shadow workforce of digital employees without proper onboarding, offboarding, or lifecycle governance. [7] [https://www.cyberdefensemagazine.com/cybersecurity-predictions-for-2026-a-year-of-convergence-and-containment/] NHI governance is becoming table stakes. The core question is shifting from "What is the secret?" to "Which identity used it, when, and why?"

  1. The MSP/MSSP channel needs this yesterday

Managed service providers are starting to operationalize NHI observability as part of their MDR offerings. [4] [https://www.msspalert.com/news/entro-extends-nhi-security-to-agentic-ai-bringing-observability-and-control-to-shadow-agents] MSPs already manage the infrastructure. They already run the SIEM. What they lack is visibility into the machine identities operating across their client environments. That visibility gap is where breaches happen.


The Convergence: O11y Meets NHI Governance

The market is moving fast. CrowdStrike acquired SGNL in January 2026 to extend dynamic authorization across SaaS and cloud environments, enabling access for human, NHI, and AI identities to be continuously granted and revoked based on real-time risk. [5] [https://www.crowdstrike.com/en-us/press-releases/crowdstrike-to-acquire-sgnl-to-transform-identity-security-for-ai-era/] Entro Security added AI Agents Discovery and Observability to its NHI Security Platform. [4] [https://www.msspalert.com/news/entro-extends-nhi-security-to-agentic-ai-bringing-observability-and-control-to-shadow-agents] Splunk's community-built O11y TA bridges observability data into the same Splunk search interface SOC teams already use. [2] [https://splunkbase.splunk.com/app/7249]

Security teams want identity-aware observability data in their existing investigation tools. They do not want another dashboard. They want the answer to three questions: Which identity acted? What did it do? Was that normal?

Platforms that handle human IAM or secrets security are pushing features that tie human owners to each NHI's lifecycle, from creation through rotation to revocation. [7] [https://www.cyberdefensemagazine.com/cybersecurity-predictions-for-2026-a-year-of-convergence-and-containment/] The concept of "blended identities," where a human and an AI agent share common permissions and audit trails, is emerging as a governance framework for 2026.


How to Start

If your organization has not implemented identity-aware observability, here is a practical starting point:

  • Instrument your most critical services first. The ones that page you at night. Use OpenTelemetry for vendor-neutral instrumentation. Start with auto-instrumentation, add custom instrumentation where it matters.
  • Map your NHI surface. How many service accounts, API keys, and workload identities exist across your environments? Who owns them? When were they last rotated? Most organizations cannot answer these questions.
  • Correlate identity data with telemetry. Your observability platform should be able to tell you not just that latency spiked, but which identity was responsible for the change that caused it.
  • Name an owner for NHI governance. This is not an IT problem or a security problem. It is a risk management problem that requires a named owner with a measurable risk reduction objective.
  • Build toward maturity. Start reactive (basic logging and metrics). Move to proactive (integrated telemetry and distributed tracing). Then predictive (ML-driven anomaly detection). The goal is not to instrument everything at once. It is to prove value at each phase before expanding.

Where Avistar Fits

Avistar was built for the identity visibility layer that traditional observability platforms miss. Our platform discovers every non-human identity across your cloud environments, scores their risk using FAIR-aligned financial metrics, and shows you what to fix first.

This is Map, Measure, Mend applied to the observability challenge:

  • Map: Continuous discovery of service accounts, API keys, OAuth tokens, workload identities, and AI agent credentials across AWS, Azure, and GCP.
  • Measure: FAIR-aligned risk scoring quantifies risk per identity based on privilege level, rotation status, usage patterns, and blast radius.
  • Mend: Prioritized remediation guidance and automated rightsizing so your team fixes the identities that matter most, first.

Traditional O11y platforms tell you a request failed. Avistar tells you which machine identity made the request, whether it should have had that access, and whether its behavior has changed. That is the difference between monitoring and observability in the identity era.


The Bottom Line

Observability started as "can I see my servers." Then it became "can I trace my requests." Now the question is "can I see every identity acting on my infrastructure?"

Most organizations cannot answer that third question. The ones that can are the ones that will avoid the next Stryker-scale breach.

The convergence of O11y, NHI governance, and agentic AI identity management is not a trend. It is a structural shift in how we think about security. The organizations that treat machine identity observability as a board-level priority, not a back-office IT project, will be the ones that survive the next wave of credential-based attacks.

The window to get ahead of this is narrowing.


Sources

Keep reading

More from the team.

Ready to see your machine identity risk?

Get a free assessment of your clients' non-human identity exposure.