    May 12, 2026 · 7 min read
    Hybrid Identity, Active Directory, Entra ID, IAM

    When Identity Lives in Two Places: Closing the Entra ID and Active Directory Blind Spot

    Most organizations run identity in more than one system at once, and the gap between them is where risky access hides. Here is why a single continuous view across your identity providers matters more than any one console.


    There is a comforting story in which an organization has one identity provider, one console, and one clean answer to the question of who can access what. I have almost never seen it in real life. The norm is hybrid: Entra ID in the cloud, Active Directory on premises, and a long tail of SaaS applications that each keep their own little list of users.

    Each of those systems is fine on its own. The risk lives in the space between them.

    The blind spot between consoles

    Every identity console shows you its own slice of reality. The cloud console knows about cloud accounts. The on premises directory knows about its accounts and groups. The SaaS app knows about its local admins. No single one of them can answer the question that actually matters, which is everything a given person can touch across all of it.

    That gap is where risky access hides. A few examples I see again and again:

    • A cloud account that was disabled, while its synced on premises twin is still very much alive.
    • Nested directory groups that quietly grant cloud access several layers down, far from where anyone would think to look.
    • Local administrators inside a SaaS tool who sit completely outside the central identity provider, and therefore outside every report built on it.

    Why one console is never enough

    When your view is fragmented, your control is fragmented too. You can run a perfectly clean access review in one system and still be exposed through another. Offboarding can succeed in the place you checked and fail in the place you did not. The attacker does not care which console owns the account. They only care that it works.

    If no single place can tell you everything a person can reach, then no single place can tell you when something is wrong.

    One continuous view across providers

    The way out is not to force everything into a single identity system, which is rarely realistic. It is to build one continuous view on top of the systems you already have. That means connecting to each provider, normalizing what they report into a common picture, and evaluating the whole thing against one consistent set of rules.

    With that in place, the questions that used to require a cross-team project become routine. Where does this person actually have access, across cloud, on premises and SaaS? Which disabled accounts still have an active counterpart somewhere else? Which group nesting grants more than anyone intended? The blind spot only stays a blind spot while the systems are looked at one at a time.
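    As an added example that is not part of the original post, the following Python script carries out the three steps described above (connect, normalize, evaluate) over constructed exports: cloud and on premises user records linked by SID, an on premises group tree, and a SaaS app's local admin list. All names, SIDs and groups are hypothetical, and the record shapes are simplified stand-ins for what the real provider APIs return.

```python
from collections import deque

# Constructed sample exports with hypothetical values, not from any real tenant.
# A cloud account and its on premises twin are linked by the on-prem SID, as sync does.
CLOUD_USERS = [
    {"upn": "alice@corp.example", "enabled": False, "sid": "S-1-5-21-0001"},
    {"upn": "bob@corp.example", "enabled": True, "sid": "S-1-5-21-0002"},
]
AD_USERS = {  # sid -> on premises record
    "S-1-5-21-0001": {"sam": "alice", "enabled": True},
    "S-1-5-21-0002": {"sam": "bob", "enabled": True},
}
AD_GROUPS = {  # group -> direct members; nested groups by name, users by sAMAccountName
    "Finance-Cloud": ["Finance-All"],  # synced group that grants the cloud app
    "Finance-All": ["Contractors", "cfo"],
    "Contractors": ["bob"],
}
SAAS_ADMINS = ["bob@corp.example", "legacy.admin@corp.example"]  # app's local admin list

def disabled_with_live_twin(cloud_users, ad_users):
    """UPNs disabled in one directory while the synced twin is still enabled."""
    return [cu["upn"] for cu in cloud_users
            if cu["sid"] in ad_users and cu["enabled"] != ad_users[cu["sid"]]["enabled"]]

def effective_members(groups, root):
    """Flatten nested membership from root; returns {user: group path} so depth is visible.
    The seen set stops circular nesting, which AD permits, from looping forever."""
    seen, queue, result = {root}, deque([(root, [root])]), {}
    while queue:
        group, path = queue.popleft()
        for member in groups.get(group, []):
            if member in groups and member not in seen:
                seen.add(member)
                queue.append((member, path + [member]))
            elif member not in groups:
                result.setdefault(member, path)
    return result

def shadow_admins(saas_admins, cloud_users):
    """SaaS local admins with no account in the central identity provider."""
    known = {u["upn"] for u in cloud_users}
    return [admin for admin in saas_admins if admin not in known]

def review():
    """Run every rule over the normalized picture and return the findings."""
    return {
        "disabled_with_live_twin": disabled_with_live_twin(CLOUD_USERS, AD_USERS),
        "effective_cloud_app_access": effective_members(AD_GROUPS, "Finance-Cloud"),
        "shadow_saas_admins": shadow_admins(SAAS_ADMINS, CLOUD_USERS),
    }
```

    Calling `review()` on the sample data surfaces all three patterns from the list above: alice disabled in the cloud but alive on premises, bob reaching the cloud app three group layers down, and a SaaS admin the central directory has never heard of.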
