What should IAM teams measure after moving away from a legacy maturity tool?

They should measure whether account inventories are complete, whether stale or ghost accounts still exist, and whether access reviews produce actual revocation. They should also track third-party accounts separately from internal users, because supplier access often follows different lifecycle paths and requires stronger termination evidence.

Why This Matters for Security Teams

Retiring a legacy maturity tool only helps if the replacement measures outcomes that matter: complete identity coverage, verified deprovisioning, and evidence that access reviews actually change access. Otherwise, teams get a cleaner dashboard without reducing exposure. That matters most for accounts that never show up in ordinary user workflows, including service accounts, API keys, and third-party access paths that age differently and are often missed by standard recertification. NHI Management Group has documented how weak visibility persists in practice, with only 5.7% of organisations reporting full visibility into service accounts in The Ultimate Guide to NHIs. Aligning measurement to outcomes also fits the NIST Cybersecurity Framework 2.0, which emphasizes governance, protection, and continuous improvement rather than scoring maturity for its own sake. In practice, many security teams discover the control gap only after an access review passes on paper while the stale account remains active in production.

How It Works in Practice

IAM teams should replace maturity scoring with operational evidence that shows whether identity controls are actually working. That starts with baselining all account types, then measuring completeness, recertification effectiveness, and termination speed across internal, contractor, supplier, and machine identities. For non-human identities, the question is not just whether an account exists, but whether it is tied to a real workload, whether its secrets are still valid, and whether access can be revoked without delay.

Useful metrics are usually simple, but they must be collected consistently:

  • Inventory completeness: percentage of known systems and directories reconciled against the IAM source of truth.
  • Ghost account rate: accounts with no active owner, no current use, or no matching workload.
  • Review-to-revocation conversion: how often an access review results in actual removal, not just approval.
  • Termination evidence: time from offboarding request to confirmed disablement across all identity stores.
  • Third-party separation: supplier accounts tracked in a distinct lifecycle because contract, renewal, and offboarding steps differ from employees.

For machine access, the better signal is whether credentials are short-lived and automatically rotated rather than whether a review was completed on schedule. That is where dynamic access patterns matter most, especially for APIs and automation that should be governed through runtime policy rather than static role assignments. Current guidance suggests pairing identity inventory with secret-scanning and rotation evidence, because secrets often remain valid long after teams believe the risk has been removed, as discussed in The Ultimate Guide to NHIs and in vendor research on insecure secret handling in The 2024 Non-Human Identity Security Report. The practical test is whether the organisation can prove that access was removed everywhere it existed, not just in the primary IAM console.

These controls tend to break down when identity data is fragmented across directories, cloud platforms, and ticketing systems because no single system can confirm complete revocation.
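As an added example (not from the article or any named vendor), the code below computes the metrics listed above from a constructed inventory spread across a source of truth and three other identity stores: inventory completeness, ghost account rate (including dormant privileged accounts), review-to-revocation conversion counted only where revocation was warranted, and termination evidence that is only recorded once the account is disabled in every store. The store names, field names and the 90-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta
# Constructed sample data (not from the article); store and field names are assumptions.
TODAY = date(2024, 6, 1)  # reference date for dormancy
TRUTH = {  # IAM source of truth: account -> metadata; last_used is the latest observed use
    "alice":        {"kind": "human",   "owner": "alice",    "workload": None,          "last_used": "2024-05-30"},
    "carol":        {"kind": "human",   "owner": "carol",    "workload": None,          "last_used": "2024-05-09"},
    "svc-billing":  {"kind": "machine", "owner": "team-pay", "workload": "billing-api", "last_used": "2024-05-31"},
    "svc-export":   {"kind": "machine", "owner": None,       "workload": None,          "last_used": "2023-11-02"},
    "admin-legacy": {"kind": "human",   "owner": "secops",   "workload": None,          "last_used": "2023-12-01"},
}
# Other identity stores: account -> date it was disabled there, or None if still enabled.
STORES = {
    "directory": {"alice": None, "bob": date(2024, 5, 21), "carol": date(2024, 5, 10),
                  "svc-billing": None, "svc-export": None, "admin-legacy": None},
    "cloud":     {"alice": None, "bob": None, "carol": date(2024, 5, 12),
                  "svc-billing": None, "ci-deployer": None},
    "ci":        {"svc-billing": None, "ci-deployer": None},
}
OFFBOARDING = {"bob": date(2024, 5, 20), "carol": date(2024, 5, 10)}  # account -> request date
REVIEWS = [  # access-review outcomes; revocation_warranted is the reviewer's risk judgement
    {"account": "svc-export",   "revocation_warranted": True,  "outcome": "approved"},
    {"account": "alice",        "revocation_warranted": False, "outcome": "approved"},
    {"account": "admin-legacy", "revocation_warranted": True,  "outcome": "revoked"},
]

def inventory_completeness(truth, stores):
    """Share of accounts seen in any store that reconcile to the source of truth."""
    seen = {name for accounts in stores.values() for name in accounts}
    return len(seen & set(truth)) / len(seen)

def ghost_accounts(truth, today, dormant_days=90):
    """No owner, a machine identity with no workload, or unused for dormant_days (catches dormant privileged accounts)."""
    def is_ghost(meta):
        dormant = today - date.fromisoformat(meta["last_used"]) > timedelta(days=dormant_days)
        return meta["owner"] is None or (meta["kind"] == "machine" and meta["workload"] is None) or dormant
    return {name for name, meta in truth.items() if is_ghost(meta)}

def review_to_revocation(reviews):
    """Revocations divided by reviews where risk warranted revocation; unwarranted 'no change' reviews are not failures."""
    warranted = [r for r in reviews if r["revocation_warranted"]]
    revoked = [r for r in warranted if r["outcome"] == "revoked"]
    return len(revoked) / len(warranted) if warranted else None

def termination_evidence(offboarding, stores):
    """Days from offboarding request to disablement in every store holding the account; None if still enabled anywhere."""
    evidence = {}
    for name, requested in offboarding.items():
        disabled_on = [accts[name] for accts in stores.values() if name in accts]
        evidence[name] = None if None in disabled_on else (max(disabled_on) - requested).days
    return evidence
```

In this data, bob is gone from the source of truth and the directory but still enabled in the cloud store, so termination evidence for bob stays unproven rather than being recorded as complete.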

Common Variations and Edge Cases

Tighter measurement often increases operational overhead, requiring organisations to balance stronger assurance against slower reporting and more reconciliation work. That tradeoff is real, especially when legacy tools were built to produce scores instead of evidence. Current guidance suggests being explicit about scope: employee access, third-party access, and non-human access should not be merged into one metric set, because their lifecycles and termination proofs differ.

There is no universal standard for this yet, but some patterns are widely useful. For example, ghost account detection should include dormant privileged accounts, not only obviously abandoned users. Access review failure should be measured as “review completed with no change” only when risk actually warranted revocation, otherwise the metric can overstate control quality. In cloud-heavy environments, organisations should also separate human approvals from automated revocation events so they can see whether the control is manual theater or actual enforcement. For teams modernizing off a legacy maturity model, the most defensible measurement set is the one that shows complete coverage, timely deprovisioning, and revocation evidence across all identity classes, not the one that produces the highest score.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-02                Identity visibility and lifecycle control are central to finding stale and ghost accounts.
NIST CSF 2.0                     PR.AC-1               Access control should prove who has access and whether it is still needed.
NIST CSF 2.0                     PR.AC-4               Least privilege depends on timely removal of excess and expired access.

Measure full account coverage and reconcile every identity source until orphaned accounts are eliminated.