Subscribe to the Non-Human & AI Identity Journal

Profit Not Captured

Revenue lost when legitimate customers are wrongly declined and do not return. This is a fraud governance metric, not just a finance metric, because it captures the hidden business cost of overly aggressive controls and helps teams balance prevention with customer experience.

Expanded Definition

Profit Not Captured measures the revenue and margin that disappear when legitimate customers are incorrectly declined, then do not come back. In fraud governance, it is treated as a control outcome, not a purely financial one, because the decision threshold for blocking suspicious activity can also block good transactions. That makes the term especially relevant in card payments, account onboarding, loan origination, and any risk engine that uses rules, machine learning, or manual review to stop abuse. Definitions vary across vendors, but the core idea is consistent: a decline is only “safe” if the business can tolerate the lost conversion and the customer attrition it creates.

Used properly, the metric helps teams compare false-positive fraud prevention against customer abandonment, chargeback exposure, and downstream lifetime value. It also connects to governance frameworks such as the NIST Cybersecurity Framework 2.0, where risk decisions should support business objectives rather than undermine them. The most common misapplication is treating every decline as a fraud win, which occurs when teams optimise only for loss prevention and ignore the customers who silently churn after a bad experience.

Examples and Use Cases

Implementing Profit Not Captured rigorously often introduces measurement and attribution complexity, requiring organisations to weigh fraud loss reduction against conversion, customer trust, and analyst workload.

  • A card issuer blocks a genuine first-time purchase because the device is unfamiliar, and the customer never retries after the decline.
  • An e-commerce merchant tightens velocity rules after a fraud spike, then sees an increase in legitimate checkout abandonment from repeat buyers.
  • A fintech onboarding flow rejects a real applicant during step-up verification, causing the prospect to choose a competitor instead of resubmitting.
  • A review queue clears too slowly, so valid transactions time out and the business loses sales even when the fraud model is technically accurate.
  • A team analyses a breach pattern like the Microsoft Midnight Blizzard breach alongside a standards-based response model from NIST Cybersecurity Framework 2.0, then tunes controls to avoid overblocking while still reducing abuse.

At NHI Management Group, research on the Ultimate Guide to NHIs shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is a reminder that aggressive fraud controls do not remove the need for precise identity governance. The same governance mindset appears when organisations investigate incidents such as the Schneider Electric credentials breach, where access decisions and credential handling directly affect business continuity.

Why It Matters for Security Teams

Security teams need this metric because overblocking can create a hidden control failure: the organisation may look safer while quietly losing valid revenue and customer trust. That is especially important where fraud tooling, IAM signals, and identity verification are interconnected, because rigid rules can penalise legitimate users who resemble risky behavior only in one narrow signal. In practice, Profit Not Captured helps reconcile security with growth by showing whether a control is preventing fraud or simply transferring cost into abandonment, support volume, and churn.

This also matters for NHI governance and agentic AI systems. If an autonomous workflow, service account, or decision engine can decline, block, or route customers, then poor threshold design can scale the impact of false positives much faster than manual review ever could. NHIMG research notes that 97% of NHIs carry excessive privileges, which means misconfigured automated decision paths can amplify both fraud losses and customer harm if they are not constrained carefully.

Organisations typically encounter the consequences after a fraud surge, when retention drops or complaint volumes rise, at which point Profit Not Captured becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Risk decisions must align with business objectives, not just loss prevention.
NIST AI RMF AI governance emphasizes balancing risk mitigation with intended outcomes and impact.
NIST SP 800-63 3.2.7 Identity proofing decisions can reject valid users when assurance is set too conservatively.
OWASP Agentic AI Top 10 Agentic workflows can over-enforce controls and block legitimate actions at scale.
OWASP Non-Human Identity Top 10 NHI governance is relevant when service accounts or APIs trigger customer-facing declines.

Limit automated privileges and audit decision logic that can negatively affect valid transactions.