Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about using risk scores in SIEM?

They often treat the score as the answer rather than the prioritisation layer. A useful score must reflect privilege depth, business criticality, and delegation chains. If it only counts alerts or attributes without modelling identity consequence, analysts still end up chasing noise instead of containing meaningful risk.

Why This Matters for Security Teams

Risk scores in SIEM are supposed to help analysts decide what matters first, but many teams still use them as if they were a verdict. That creates blind spots when the scored entity is an NHI, because the real question is not just whether something is noisy, but whether it can move laterally, inherit trust, or trigger sensitive actions. NHI risk needs to be tied to identity consequence, not alert volume alone.

This is why current guidance in Top 10 NHI Issues and the broader NIST Cybersecurity Framework 2.0 both point toward prioritisation, not automation by score. A score that ignores privilege depth, delegation chains, and business criticality will over-rank harmless noise and under-rank a token that can reach production systems. NHIMG research on the OWASP NHI Top 10 reinforces that identity context must be part of triage, especially where non-human access is distributed across SaaS, cloud, and automation layers.

In practice, many security teams discover the score was misleading only after a low-scoring identity has already been used to touch sensitive systems.

How It Works in Practice

Effective SIEM scoring for NHIs should be a contextual ranking layer built from identity telemetry, asset criticality, and privilege relationships. The score should answer: what can this identity do, where can it act, and what happens if it is abused? That means enriching events with ownership, workload type, credential age, scopes, token delegation, and whether the identity is tied to production or internet-facing services.

For example, a token used by an internal batch job should not score the same as a service account that can deploy code, access secrets, or call admin APIs. Current practice is to combine static signals, such as known risky permissions, with runtime signals, such as unusual access path, impossible sequence, or new delegation chain. This aligns with NIST SP 800-53 Rev. 5 Security and Privacy Controls, which emphasizes monitoring, authorization, and least privilege, but operational teams still need to translate those controls into a scoring model that reflects NHI consequence.

Useful implementations typically include:

  • Privilege weighting, so admin-capable identities score higher than read-only ones.
  • Business criticality mapping, so production and regulated systems raise the score.
  • Delegation chain tracking, so a token inherited through OAuth, CI/CD, or API exchange is not treated as isolated.
  • Freshness and rotation signals, because stale secrets and long-lived credentials are more dangerous than short-lived ones.
  • Behavioral baselines, so anomalous tool use can raise priority even when no signature matches.

NHIMG’s research on the Ultimate Guide to NHIs — Key Challenges and Risks shows why this matters: identity sprawl and weak visibility make it easy to mis-rank real exposure. These controls tend to break down in highly dynamic cloud environments where ownership is unclear and delegation changes faster than the SIEM enrichment pipeline can update.

Common Variations and Edge Cases

Tighter scoring often improves analyst focus, but it also increases tuning overhead, requiring organisations to balance precision against the risk of stale rules. That tradeoff is especially hard in multi-cloud, SaaS-heavy, or agentic environments where identities are created on demand and their privileges shift frequently. There is no universal standard for this yet, so teams should treat score design as an evolving operational control rather than a fixed metric.

One common edge case is when high-volume automation is mistaken for high-risk abuse simply because it generates many alerts. Another is when a low-frequency identity is assigned a low score despite having broad delegation rights or direct access to secrets. A third is when teams score the alert source instead of the acted-upon asset, which causes the SIEM to miss the real blast radius.

Where this gets most fragile is in environments with federated identity, ephemeral workloads, and third-party integrations. In those settings, identity consequence changes faster than static enrichment can track, so a score should be periodically recalculated from live relationships rather than stored as a durable label. The State of Non-Human Identity Security makes the broader point clearly: visibility gaps and over-privilege are common enough that scoring must be tied to actual access paths, not just event counts.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Risk scoring must reflect credential freshness and rotation gaps.
OWASP Agentic AI Top 10 A-04 Autonomous agents can amplify risk through unexpected tool use and delegation.
CSA MAESTRO IAM-02 Agent and workload identity context is central to meaningful risk ranking.
NIST AI RMF AI RMF supports contextual risk evaluation for dynamic, adaptive systems.
NIST CSF 2.0 DE.CM-01 Continuous monitoring must distinguish meaningful exposure from generic noise.

Enrich SIEM scoring with workload identity, trust boundaries, and privilege chains.