Aceiss Targets GitHub's Hidden Identity Threats with New Platform

📊 Key Data
  • 3 million organizations and 100 million developers rely on GitHub for mission-critical assets
  • Aceiss's platform provides real-time observability and threat detection for GitHub's identity and access risks
  • The solution aims to correlate entitlement data with real-time authorization behavior to detect anomalous usage patterns
🎯 Expert Consensus

Experts would likely conclude that Aceiss's platform addresses a critical gap in GitHub security by providing real-time visibility into identity and access risks, complementing existing code-centric security tools with behavioral analysis of all GitHub identities.

SAN FRANCISCO, CA – February 12, 2026 – In a move to address what it calls a critical visibility gap in developer security, Aceiss today launched a new platform on the Microsoft GitHub Marketplace designed to illuminate hidden identity and access risks across the vast GitHub ecosystem. The offering promises real-time observability and threat detection for the more than three million organizations and 100 million developers who rely on GitHub for storing mission-critical assets, from proprietary source code to next-generation AI models.

As software development has become the engine of the modern enterprise, GitHub has evolved into one of its most valuable—and vulnerable—nerve centers. The new solution from Aceiss wades into this high-stakes environment, claiming to provide a unified, authorization-aware view of effective access that has previously eluded security teams.

The Invisible Threat of Identity Sprawl

For most security leaders, the primary threat associated with code repositories has traditionally been vulnerabilities within the code itself or secrets accidentally committed by developers. However, a more insidious and complex problem has emerged: identity sprawl. The modern development environment is a bustling ecosystem of human developers, automated CI/CD agents, third-party applications, and AI-powered bots, all requiring access to sensitive repositories.

This proliferation of identities creates a sprawling and poorly understood attack surface. Security teams may be able to see a static list of permissions and roles, but they often lack insight into how that access is actually being used. This gap leaves the door open for significant risks, such as orphaned accounts from former employees, over-privileged bots with far more access than required, and dormant API tokens that can be activated by attackers for quiet, persistent access. A single compromised identity can become a pivot point for a devastating supply chain attack, allowing malicious actors to inject code, steal intellectual property, or disrupt operations.

“With the rise of automated agents, CI/CD systems, and AI-driven development workflows, identity sprawl inside GitHub is accelerating faster than traditional security models can keep up,” said Lloyd O'Connor, Chief Executive Officer at Aceiss, in the company's announcement. “Security teams can’t protect what they can’t see, and most existing tools only expose static permissions — not how access is actually exercised.”

A New Approach to Access Observability

Aceiss aims to close this visibility gap with what it terms "access-observability technology." Instead of merely analyzing static permissions, the platform correlates entitlement data with real-time authorization behavior. In essence, it aims to answer not just who can access a repository, but who does, how they do it, and whether that behavior deviates from established norms.

The platform automatically inventories all GitHub identities—users, bots, and applications—and continuously monitors their activity without requiring invasive agents or heavy API consumption that could slow down development workflows. By establishing behavioral baselines, the system is designed to detect anomalous usage patterns, flag excessive privileges, and recommend least-privilege changes to reduce the attack surface. This approach is intended to provide security teams with actionable intelligence to remediate risks as they occur, rather than discovering a breach long after the damage is done.

The company emphasizes its ability to provide this visibility at enterprise scale, claiming its optimized data collection methods overcome GitHub API constraints that can hamper other tools attempting to analyze large, complex organizational structures. Once installed by an administrator, the platform promises meaningful insights within minutes, integrating into the existing security stack rather than requiring a disruptive replacement of identity or governance systems.

Navigating a Crowded Security Marketplace

The challenge for any new security tool is differentiating itself in a crowded market. GitHub itself has invested heavily in its native security suite, GitHub Advanced Security (GHAS), which provides powerful code scanning (CodeQL), secret scanning, and dependency analysis. These features are deeply integrated and highly effective at securing the code itself. The marketplace also features established players like GitGuardian, which specializes in secret detection, and Snyk, a leader in open-source vulnerability management.

However, Aceiss appears to be carving out a specific niche that complements these existing solutions. While GHAS and others focus primarily on the content of repositories, Aceiss focuses on the context of access. Its unique selling proposition is the real-time behavioral analysis of all identities interacting with the platform. This focus on runtime authorization behavior and effective access is a distinct angle not explicitly highlighted by most code-centric or static analysis tools. By providing a layer of security that watches who is turning the keys—and how—it addresses a different facet of the software supply chain security problem.

Securing the Foundation of the Software Supply Chain

The launch comes at a time of heightened concern over the integrity of the software supply chain. High-profile breaches have repeatedly demonstrated that the most sophisticated attacks often begin not with a frontal assault, but with the subtle compromise of a trusted component or developer credential. Securing the development environment itself is now recognized as a foundational element of enterprise risk management.

By providing a clearer picture of effective access, solutions like Aceiss help organizations move closer to a true Zero Trust model, where access is continuously verified rather than implicitly granted. For CISOs and compliance officers, the ability to demonstrate precise control over who can and does access critical intellectual property is invaluable for meeting regulatory standards like SOC 2, NIST, and ISO. As development environments grow more automated and complex, understanding the web of identity and access is no longer a secondary concern but a primary security imperative.
