An activity metric shows whether an identity process moved or completed, such as a certification being closed or a ticket being resolved. It is useful for operations, but it does not prove that access became safer, more appropriate, or better governed.
Expanded Definition
An activity metric is an operational indicator that records motion in an identity workflow, such as a certification closing, a ticket resolving, a rotation job completing, or a provisioning request being processed. In NHI governance, it tells teams that a process advanced; it does not tell them whether the resulting access is safer, compliant, or appropriately scoped. That distinction matters because activity metrics often get mistaken for control effectiveness metrics.
In practice, activity metrics are useful for throughput, backlog management, and SLA reporting across service accounts, API keys, certificates, and agent permissions. They help teams see volume and execution timing, while measures like entitlement reduction, privilege creep, and residual risk indicate whether the identity posture improved. This aligns with the operational view found in NIST Cybersecurity Framework 2.0, which separates process tracking from outcome validation. NHI Management Group treats this distinction as essential because high completion counts can mask weak governance if the underlying access remains unchanged.
The most common misapplication is reporting task completion as security improvement, which occurs when teams close workflow items without validating the post-action entitlement state.
Examples and Use Cases
Implementing activity metrics rigorously often introduces a measurement tradeoff: they are easy to collect, but they can create false confidence if leaders stop at completion counts instead of reviewing access outcomes.
- A certification campaign shows 98 percent closure, but the real question is whether revoked entitlements were actually removed from the service account.
- A secrets rotation program reports hundreds of successful rotations, yet the team still needs to confirm that stale credentials were invalidated everywhere they were stored.
- An identity governance queue records that all access requests were fulfilled, while the security team separately checks whether the approved access matched least-privilege intent.
- A remediation ticket is marked resolved after a misconfigured API key is updated, but the control is not effective until downstream systems stop accepting the old secret.
- An agent onboarding workflow completes on time, but the organisation still needs to verify the agent’s tool access, scopes, and approval chain against policy.
These examples are especially relevant in NHI programs because completion data can look healthy even when exposure remains high. The Ultimate Guide to NHIs shows that only 5.7% of organisations have full visibility into their service accounts, which means activity data alone often arrives before trustworthy state data does. For implementation patterns that mirror federated identity workflows, SPIFFE provides a useful reference point for identity issuance and workload lifecycle handling.
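The first two use cases above (certification closure versus entitlements actually removed, and rotation jobs succeeding versus stale copies still present) can be turned into a reconciliation step that reports the activity metric and the outcome metric side by side. The script below is an added illustration, not code from the NHI Management Group article or any vendor tool; the campaign records, the post-campaign entitlement snapshot, the rotation log and the secret inventory are all constructed sample data, and the field names (`account`, `entitlement`, `old_fp`, `location`) are assumptions about what an IGA export and a secret-scanning inventory would provide.

```python
"""Added example: separate an activity metric (items closed, jobs succeeded)
from an outcome metric (access state actually changed). All data is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CertItem:
    account: str       # service account or workload identity under review
    entitlement: str   # role or scope being certified
    decision: str      # "revoke" or "keep"
    status: str        # "closed" or "open" in the certification tool


# Constructed certification campaign export: five of six items are closed.
CAMPAIGN = [
    CertItem("svc-billing", "s3:FullAccess", "revoke", "closed"),
    CertItem("svc-billing", "rds:Describe", "keep", "closed"),
    CertItem("svc-ci-runner", "iam:PassRole", "revoke", "closed"),
    CertItem("svc-ci-runner", "ecr:Push", "keep", "closed"),
    CertItem("agent-support", "tickets:write", "revoke", "closed"),
    CertItem("agent-support", "tickets:read", "keep", "open"),
]

# Constructed post-campaign snapshot of what the IdP / cloud actually grants now.
# Two "revoke" items were closed in the tool but the grant is still present.
ENTITLEMENT_SNAPSHOT = {
    "svc-billing": {"rds:Describe"},
    "svc-ci-runner": {"iam:PassRole", "ecr:Push"},
    "agent-support": {"tickets:read", "tickets:write"},
}

# Constructed rotation job log (assumed fields) and post-rotation secret inventory,
# e.g. from a secret scanner that fingerprints material found in vaults, CI and repos.
ROTATIONS = [
    {"secret": "svc-billing/api-key", "old_fp": "fp-a1", "new_fp": "fp-a2", "job_status": "success"},
    {"secret": "svc-ci-runner/token", "old_fp": "fp-b1", "new_fp": "fp-b2", "job_status": "success"},
]
SECRET_INVENTORY = [
    {"location": "vault:prod/billing", "fp": "fp-a2"},
    {"location": "ci:billing-pipeline/API_KEY", "fp": "fp-a1"},  # stale copy of the old key
    {"location": "vault:prod/ci", "fp": "fp-b2"},
]


@dataclass
class CertReconciliation:
    closure_rate: float               # activity metric
    verified_revocation_rate: float   # outcome metric
    ineffective: list = field(default_factory=list)  # closed revokes still granted


def closure_rate(items):
    """Activity metric only: share of campaign items the tool reports as closed."""
    if not items:
        return 0.0
    return sum(1 for i in items if i.status == "closed") / len(items)


def reconcile_certification(items, snapshot):
    """Outcome metric: of closed 'revoke' decisions, how many are absent from the
    live entitlement snapshot. A closed item whose grant still exists is ineffective."""
    closed_revokes = [i for i in items if i.decision == "revoke" and i.status == "closed"]
    ineffective = [i for i in closed_revokes if i.entitlement in snapshot.get(i.account, set())]
    if closed_revokes:
        rate = (len(closed_revokes) - len(ineffective)) / len(closed_revokes)
    else:
        rate = 1.0  # nothing to revoke, so nothing failed
    return CertReconciliation(closure_rate(items), rate, ineffective)


def rotation_effectiveness(rotations, inventory):
    """Returns (jobs_succeeded, rotations_effective, stale_locations).
    A rotation is effective only if its old fingerprint no longer appears anywhere."""
    succeeded = [r for r in rotations if r["job_status"] == "success"]
    stale = {}
    for r in succeeded:
        places = [e["location"] for e in inventory if e["fp"] == r["old_fp"]]
        if places:
            stale[r["secret"]] = places
    return len(succeeded), len(succeeded) - len(stale), stale


if __name__ == "__main__":
    cert = reconcile_certification(CAMPAIGN, ENTITLEMENT_SNAPSHOT)
    print(f"certification closure rate (activity): {cert.closure_rate:.0%}")
    print(f"verified revocation rate (outcome):    {cert.verified_revocation_rate:.0%}")
    for i in cert.ineffective:
        print(f"  closed but still granted: {i.account} -> {i.entitlement}")
    ran, effective, stale = rotation_effectiveness(ROTATIONS, SECRET_INVENTORY)
    print(f"rotation jobs succeeded (activity): {ran}, rotations effective (outcome): {effective}")
    for secret, places in stale.items():
        print(f"  old material for {secret} still present at: {', '.join(places)}")
```

On the constructed data the dashboard view reads 83% closure and 2 of 2 rotations succeeded, while the reconciled view reads one in three revocations verified and one rotation still exposed through a CI variable. Reporting the second pair alongside the first is the practical form of the distinction this section draws.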
Why It Matters in NHI Security
Activity metrics matter because NHI environments fail silently when teams track work performed instead of access secured. A ticket can close, a certification can complete, and a rotation job can succeed while the underlying secret remains usable, overprivileged, or replicated in code and CI/CD tooling. That is why NHI Management Group consistently emphasizes lifecycle verification alongside process tracking.
The risk is not theoretical. In the Ultimate Guide to NHIs, 96% of organisations store secrets outside secrets managers in vulnerable locations, and 97% of NHIs carry excessive privileges. Those conditions can make activity dashboards look productive while the attack surface remains largely unchanged. Activity metrics are still valuable, but only when paired with evidence that the identity state actually improved after the workflow finished. That is consistent with CISA Zero Trust Maturity Model guidance, which prioritises validated control outcomes over simple task completion. Organisations typically encounter the limits of activity metrics only after a breach review shows that a completed process never translated into reduced exposure, at which point the distinction can no longer be ignored operationally.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.PO-01 | Policy metrics should distinguish process completion from measurable security outcomes. |
| NIST Zero Trust (SP 800-207) | continuous verification | Zero Trust requires ongoing validation, not just evidence that a workflow finished. |
| OWASP Non-Human Identity Top 10 | NHI-07 | NHI governance must prove remediation and lifecycle actions changed the identity state. |
Track activity metrics for operations, then validate whether the control outcome actually reduced NHI risk.
Related resources from NHI Mgmt Group
- How should security teams monitor AI agent activity without disrupting developers?
- How can SOC teams use identity context to improve response to agent activity?
- What is the difference between activity metrics and risk metrics in IAM?
- How can organisations tell legitimate automation from compromised service account activity?