Subscribe to the Non-Human & AI Identity Journal

How should security teams measure identity risk instead of using static tiers?

Security teams should measure identity risk continuously, using posture and runtime behaviour together rather than assigning a fixed label once and revisiting it later. The score must be evidence-backed, explainable, and updated as the identity changes so that prioritisation reflects current exposure, not stale entitlement data.

Why This Matters for Security Teams

Static identity tiers age badly. A service account that looked low risk at onboarding can become high risk after a credential leak, privilege creep, or a new integration path. Security teams need a score that reflects current posture and live behaviour, not a label assigned during procurement or account creation. That is especially true in environments with heavy API use, automation, and third-party connectivity.

NHIMG research shows why this matters: in the Ultimate Guide to NHIs, 97% of NHIs are reported to carry excessive privileges, which means tiering by name or system owner is a weak proxy for actual exposure. NIST’s Cybersecurity Framework 2.0 reinforces the broader point: risk management should be continuous, evidence-based, and tied to changing conditions. In practice, many security teams discover the gap only after an API key is abused or an automation path is quietly expanded, rather than through intentional re-scoring.

How It Works in Practice

Continuous identity risk measurement combines posture signals and runtime signals into one operational score. Posture covers what the identity is allowed to do and how safely it is configured. Runtime covers what it actually does, when it does it, and whether that behaviour deviates from its normal pattern. The goal is not a perfect number. The goal is a defensible prioritisation model that updates as the identity changes.

A practical scoring model usually blends several inputs:

  • Privilege breadth, including unused entitlements and cross-environment access
  • Credential hygiene, such as age, rotation status, and secret storage location
  • Authentication strength, including whether the identity uses workload identity or long-lived secrets
  • Runtime anomalies, such as unusual API volume, new geographies, or tool chaining
  • Exposure context, including internet reachability, third-party access, and blast radius

For non-human identities, evidence should be grounded in lifecycle controls like inventory, rotation, offboarding, and vault hygiene. The Top 10 NHI Issues and the Ultimate Guide to NHIs both support this operational view. For policy precision, teams often map the score to control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls, then feed the score into PAM, SOAR, or ticketing workflows.

The important design choice is explainability. If a score rises, analysts should see why: stale secrets, excessive privilege, failed rotations, new external exposure, or suspicious runtime behaviour. These controls tend to break down when telemetry is fragmented across vaults, cloud platforms, and CI/CD systems because the score becomes stale before it can change.

Common Variations and Edge Cases

Tighter continuous scoring often increases operational overhead, requiring organisations to balance better prioritisation against telemetry quality and engineering effort. That tradeoff is real, especially where there are thousands of ephemeral service accounts, shared automation identities, or systems that cannot emit clean runtime logs.

Current guidance suggests treating “tier” as a coarse reporting label, not the security decision itself. In some environments, teams use separate scores for posture risk and behaviour risk, then combine them only at escalation time. That can work well when different owners control different data sources. In others, a single composite score is simpler, but it must be recalculated often enough to avoid stale outcomes.

There is no universal standard for this yet. Some teams weight secret age heavily because leaked credentials are the dominant issue; others weight runtime anomalies more heavily because behavioural misuse is the earliest sign of compromise. The right answer depends on whether the identity is a dormant integration, a high-volume automation job, or a customer-facing API principal. NHIMG’s 52 NHI Breaches Analysis is a useful reminder that compromise paths vary widely, so the scoring model should adapt to the environment rather than forcing every identity into the same static tier.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Risk scoring must reflect secret rotation and exposure, not a fixed tier.
NIST CSF 2.0 ID.RA-01 Requires ongoing risk identification using current evidence, not stale labels.
NIST SP 800-53 Rev 5 AC-2 Account management supports continuous review of active identities and entitlements.
NIST AI RMF AI RMF supports explainable, monitored, and continuously updated risk treatment.

Continuously recalculate NHI risk from credential age, leakage, and privilege changes.