Measure how quickly access is provisioned, reviewed, and revoked, and whether privilege is actually reduced over time. If entitlements remain static while environments change, the programme may look modern but still behaves like a perimeter model with extra layers.
Why This Matters for Security Teams
Zero Trust only works when identity governance produces measurable change in access, not just cleaner diagrams. The practical question is whether entitlement scope is shrinking, approvals are happening fast enough to avoid workarounds, and revocation actually removes access before it can be reused. That is especially important for non-human identities, where standing privilege and stale secrets create a persistent control gap. NHIMG’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which is a strong signal that governance is failing at the point of enforcement, not just at the point of policy.
Security teams often over-measure policy volume, review completion, or tool adoption and under-measure actual privilege reduction. That leads to programmes that look mature in dashboards while still leaving service accounts, API keys, and automation tokens broadly usable across changing environments. The right metrics should show whether access decisions are becoming narrower, shorter-lived, and more accountable over time. Current guidance in the NIST Cybersecurity Framework 2.0 and NIST SP 800-207 Zero Trust Architecture both points toward continuous verification, but how to measure it is still often left to local interpretation. In practice, many security teams discover the gap only after a dormant entitlement or overbroad secret is used in an incident, rather than through intentional control testing.
How It Works in Practice
Identity governance should be measured as a lifecycle, not a one-time access review. The most useful metrics track the time from request to approval, approval to issuance, and detection to revocation. They also track whether the effective privilege level of users, service accounts, and NHIs declines as roles and systems change. NHIMG’s Lifecycle Processes for Managing NHIs is a useful reference point because lifecycle control is where standing privilege, stale credentials, and orphaned access usually accumulate.
In operational terms, programmes should measure:
- Mean time to provision and mean time to revoke, separated by human and non-human identities.
- Percentage of access granted with just-in-time expiration rather than standing entitlements.
- Privilege creep over time, especially where the same identity accumulates new roles or scopes.
- Secrets age, rotation compliance, and the share of credentials stored outside managed vaults.
- Review outcomes, including how often reviews actually reduce access versus simply re-certify it.
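The following is an added example, not NHIMG's code, showing how the metrics in the list above can be computed from the records an identity programme already holds: grant timestamps, role snapshots, and access-review outcomes. All identities, scopes, timestamps and the "reduced"/"recertified" review labels are constructed for illustration; the structure, not the values, is the point. Note that it reports the open revocation backlog separately rather than letting still-active entitlements silently drop out of the mean.

```python
"""Lifecycle governance metrics over constructed access records.

Added example, not NHIMG's code. Every identity, scope, timestamp and the
'reduced'/'recertified' review labels are made up for illustration.
"""
from datetime import datetime
from statistics import mean


def ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp (None stays None)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None


def hours(start, end):
    """Elapsed hours between two constructed timestamps."""
    return (ts(end) - ts(start)).total_seconds() / 3600


# One record per grant. expires=None is a standing entitlement; detected is when
# the access was flagged as no longer needed; revoked=None means still active.
GRANTS = [
    dict(identity="alice", kind="human", requested="2024-03-01 09:00",
         issued="2024-03-01 11:30", expires=None,
         detected="2024-03-20 08:00", revoked="2024-03-21 08:00"),
    dict(identity="bob", kind="human", requested="2024-03-02 09:00",
         issued="2024-03-03 10:00", expires="2024-03-03 18:00",
         detected=None, revoked=None),
    dict(identity="ci-deployer", kind="nhi", requested="2024-03-01 09:00",
         issued="2024-03-01 09:06", expires=None,
         detected="2024-03-10 09:00", revoked="2024-04-01 09:00"),
    dict(identity="backup-svc", kind="nhi", requested="2024-03-04 09:00",
         issued="2024-03-04 09:10", expires="2024-03-04 10:10",
         detected=None, revoked=None),
    dict(identity="etl-runner", kind="nhi", requested="2024-03-05 09:00",
         issued="2024-03-05 09:01", expires=None,
         detected="2024-03-12 09:00", revoked=None),
]

# Constructed role snapshots: (identity, date, scopes held on that date).
ROLE_SNAPSHOTS = [
    ("ci-deployer", "2024-01-01", {"deploy:staging"}),
    ("ci-deployer", "2024-02-01", {"deploy:staging", "deploy:prod"}),
    ("ci-deployer", "2024-03-01", {"deploy:staging", "deploy:prod", "iam:passrole"}),
    ("alice", "2024-01-01", {"read:repo", "write:repo"}),
    ("alice", "2024-03-01", {"read:repo"}),
]

# Constructed access-review outcomes.
REVIEWS = [("alice", "reduced"), ("bob", "recertified"), ("ci-deployer", "recertified"),
           ("backup-svc", "recertified"), ("etl-runner", "reduced")]


def mean_time_to_provision(kind):
    """Mean hours from request to issuance for one identity kind."""
    return mean(hours(g["requested"], g["issued"]) for g in GRANTS if g["kind"] == kind)


def mean_time_to_revoke(kind):
    """Mean hours from 'no longer needed' detection to actual removal.
    Only completed revocations count; open ones are reported separately."""
    vals = [hours(g["detected"], g["revoked"]) for g in GRANTS
            if g["kind"] == kind and g["detected"] and g["revoked"]]
    return mean(vals) if vals else None


def open_revocations(kind):
    """Entitlements flagged for removal but still active: the stale-access backlog."""
    return [g["identity"] for g in GRANTS
            if g["kind"] == kind and g["detected"] and not g["revoked"]]


def jit_share(kind):
    """Fraction of grants issued with an expiry instead of as standing access."""
    grants = [g for g in GRANTS if g["kind"] == kind]
    return sum(1 for g in grants if g["expires"]) / len(grants)


def privilege_creep(identity):
    """Net scopes gained between first and last snapshot; positive means creep."""
    snaps = sorted((s for s in ROLE_SNAPSHOTS if s[0] == identity), key=lambda s: s[1])
    first, last = snaps[0][2], snaps[-1][2]
    return len(last - first) - len(first - last)


def review_reduction_rate():
    """Share of reviews that removed access rather than simply re-certifying it."""
    return sum(1 for _, outcome in REVIEWS if outcome == "reduced") / len(REVIEWS)


if __name__ == "__main__":
    for kind in ("human", "nhi"):
        print(f"{kind}: provision {mean_time_to_provision(kind):.2f}h, "
              f"revoke {mean_time_to_revoke(kind)}h, open {open_revocations(kind)}, "
              f"JIT share {jit_share(kind):.0%}")
    print("creep ci-deployer:", privilege_creep("ci-deployer"))
    print("review reduction rate:", review_reduction_rate())
```

Splitting every metric by identity kind is deliberate: in the constructed data the NHI grants are provisioned in minutes but one of them took three weeks to revoke and another is still open, which is the pattern of fast-to-grant, slow-to-remove automation access that a blended average would hide.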
Those metrics matter because Zero Trust is not only about verifying identity once, but about continuously reassessing trust at each request. NIST’s Zero Trust Architecture guidance supports this direction, yet the real test is whether entitlements are being continuously constrained in practice. For NHI-heavy environments, the Regulatory and Audit Perspectives section is especially relevant because auditors increasingly look for evidence that access decisions are timely, documented, and reversible. These controls tend to break down when access is embedded directly into CI/CD pipelines or infrastructure automation because revocation becomes operationally risky and teams delay cleanup.
Common Variations and Edge Cases
Tighter governance often increases operational overhead, requiring organisations to balance faster delivery against stronger access discipline. That tradeoff is real in cloud-native, DevOps, and agentic AI environments where identities are created and destroyed frequently, and where static review cadences cannot keep up with the pace of change. Best practice is evolving, but current guidance suggests measuring exception rates as carefully as normal-path approvals, because exceptions are often where governance weakens first.
Some environments also need different metrics for different identity types. Human users can usually be measured by access recertification and least-privilege drift, while NHIs need stronger emphasis on token lifetime, rotation success, and orphan detection. NHIMG’s Top 10 NHI Issues highlights why this distinction matters: the same control can look effective for employees and still fail badly for service accounts that never “log out.” A useful benchmark from NHIMG’s research is that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, which reinforces that identity governance is a core ZT measure, not a side task.
The main edge case is highly automated environments where identity is issued per transaction or per workload. In those settings, standard access review metrics become less useful than runtime policy decision quality, token TTL compliance, and revocation latency. That is where the programme should be asking whether trust is being recalculated at the point of use, not just whether a ticket was closed on time.
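As an added example (not NHIMG's code), the following computes the credential and token metrics named in the list under "How It Works in Practice" (secret age, rotation compliance, share outside managed vaults) together with the runtime metrics this edge-case paragraph calls for: token TTL compliance and whether a token was still accepted after revocation. The two policy thresholds, the secret names, the workloads and every timestamp are assumptions constructed for illustration.

```python
"""Credential and workload-token lifecycle metrics over constructed records.

Added example, not NHIMG's code. The two policy thresholds, the secret names,
the workloads and every timestamp are assumptions made up for illustration.
"""
from datetime import datetime, timedelta

NOW = datetime(2024, 4, 1, 12, 0)        # constructed "current time"
MAX_TOKEN_TTL = timedelta(hours=1)       # assumed policy: workload tokens live at most 1h
ROTATION_SLA = timedelta(days=90)        # assumed policy: long-lived secrets rotated within 90d


def day(s):
    """Parse a constructed 'YYYY-MM-DD' date."""
    return datetime.strptime(s, "%Y-%m-%d")


def minute(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp (None stays None)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None


# Constructed long-lived secrets (API keys, service-account passwords).
SECRETS = [
    dict(name="payments-api-key", created="2023-10-01", last_rotated="2024-03-15", in_vault=True),
    dict(name="legacy-db-pass", created="2022-05-10", last_rotated="2022-05-10", in_vault=False),
    dict(name="ci-registry-token", created="2024-01-05", last_rotated="2024-01-05", in_vault=True),
]

# Constructed per-workload tokens. revoked=None means never explicitly revoked.
TOKENS = [
    dict(id="t1", workload="build-runner", issued="2024-04-01 10:00", ttl_min=30,
         revoked=None, last_used="2024-04-01 10:20"),
    dict(id="t2", workload="deploy-bot", issued="2024-04-01 09:00", ttl_min=480,
         revoked=None, last_used="2024-04-01 11:00"),
    dict(id="t3", workload="etl-runner", issued="2024-04-01 08:00", ttl_min=60,
         revoked="2024-04-01 08:30", last_used="2024-04-01 08:45"),
]


def secret_age_days(name):
    """Whole days since the named secret was created."""
    s = next(s for s in SECRETS if s["name"] == name)
    return (NOW - day(s["created"])).days


def rotation_compliance():
    """Share of long-lived secrets rotated within the SLA window."""
    ok = sum(1 for s in SECRETS if NOW - day(s["last_rotated"]) <= ROTATION_SLA)
    return ok / len(SECRETS)


def outside_vault_share():
    """Share of secrets not held in a managed vault (the unmanaged credential surface)."""
    return sum(1 for s in SECRETS if not s["in_vault"]) / len(SECRETS)


def ttl_compliance():
    """Share of workload tokens whose TTL is within the policy maximum."""
    ok = sum(1 for t in TOKENS if timedelta(minutes=t["ttl_min"]) <= MAX_TOKEN_TTL)
    return ok / len(TOKENS)


def used_after_revocation():
    """Tokens seen in use after they were revoked: revocation was not enforced
    at the point of use, which is the gap runtime metrics should expose."""
    return [t["id"] for t in TOKENS
            if t["revoked"] and minute(t["last_used"]) > minute(t["revoked"])]


def live_standing_tokens():
    """Tokens still valid at NOW: not revoked and not yet past issued + TTL."""
    live = []
    for t in TOKENS:
        expiry = minute(t["issued"]) + timedelta(minutes=t["ttl_min"])
        if not t["revoked"] and expiry > NOW:
            live.append(t["id"])
    return live


if __name__ == "__main__":
    print("rotation compliance:", f"{rotation_compliance():.0%}")
    print("outside vault:", f"{outside_vault_share():.0%}")
    print("TTL compliance:", f"{ttl_compliance():.0%}")
    print("used after revocation:", used_after_revocation())
    print("live tokens:", live_standing_tokens())
```

The `used_after_revocation` check is the one that answers the paragraph's question directly: a token that keeps working after its revocation timestamp shows that the policy decision was made once at issuance rather than recalculated per request, regardless of how quickly the revocation ticket itself was closed.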
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Identity governance metrics map to proving who gets access and whether it is revoked. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification and shrinking trust at runtime. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI governance depends on rotation, revocation, and secret lifecycle control. |
Measure whether access decisions are continuously re-evaluated and privilege is reduced over time.
Related resources from NHI Mgmt Group
- What should identity teams measure to know if lifecycle governance is working?
- How do security teams know whether machine identity governance is actually working?
- What should teams measure to know whether NHI governance is working?
- How do security teams know whether identity governance is reducing risk?