By NHI Mgmt Group Editorial Team
Published 2026-02-19
Domain: Governance & Risk
Source: Omada Identity

TL;DR: Boards are often shown identity activity metrics such as provisioning speed and certification completion, but those signals do not show whether access is appropriately governed or whether exposure is falling, according to Omada Identity. The real problem is that reporting built for operational efficiency can mask excess privilege, orphaned accounts, and delayed revocation.


At a glance

What this is: This is an analysis of why board-level identity reporting often misses real security exposure and overstates control maturity.

Why it matters: It matters because IAM, NHI, and human identity programmes can look healthy on paper while still leaving excessive access, stale accounts, and weak revocation unaddressed.


Context

Board reporting on identity risk often confuses process completion with actual exposure reduction. Provisioning speed, certification closure, and ticket throughput can show that work moved through the workflow, but they do not show whether access was right-sized, whether ownership is clear, or whether stale permissions still weaken Zero Trust.

That problem becomes more acute as human identity and non-human identity estates scale together. Service accounts, APIs, bots, and AI agents can expand faster than governance teams can review them, so executive reporting needs to show risk reduction, not just operational motion.

For teams building a more useful identity risk narrative, the issue is not the absence of data. It is the absence of exposure context, which is why board reporting, lifecycle governance, and NHI oversight need to be aligned rather than reported as separate disciplines.


Key questions

Q: How should boards measure identity risk instead of identity activity?

A: Boards should measure whether access exposure is shrinking, not just whether identity workflows are completing. Useful signals include privileged access age, orphaned accounts, revocation lag, and review outcomes. Those measures tell executives whether governance is reducing risk across human and non-human identities, which is the only reporting model that supports real oversight.

Q: Why do activity-based identity metrics create false comfort?

A: Activity-based metrics create false comfort because they show motion, not entitlement quality. A fast provisioning process or a completed certification does not prove that access was right-sized, owned, or removed in time. When boards only see activity, they may assume identity is controlled even though exposure remains in place.

Q: What should security teams do when identity reporting looks healthy but risk remains high?

A: Security teams should redesign the reporting pack around exposure, not around workflow throughput. That means identifying stale access, unowned accounts, and delayed revocation, then showing how those conditions change over time. If the numbers look efficient but exposure stays flat, the governance model is not telling the truth.

Q: How do human and non-human identities change board governance requirements?

A: They force boards to govern access across both people and machine identities, because risk can accumulate in either domain. Service accounts, APIs, bots, and AI agents can carry high privilege and remain invisible to human-centric reporting. A useful board model treats all identity types as part of one exposure picture.


Technical breakdown

Why activity metrics hide identity exposure

Activity metrics measure whether identity workflows executed, not whether the resulting access is safe. Provisioning SLAs, certification completion rates, and ticket counts are easy to aggregate, so they often dominate board packs. The weakness is that these measures say nothing about privilege quality, orphaned accounts, or whether revocation happened soon enough to reduce exposure. In identity governance terms, they describe process motion, not entitlement state. A programme can look efficient while still leaving excessive access in place across human users and NHIs.

Practical implication: replace pure throughput reporting with exposure measures such as orphaned accounts, privileged access age, and revocation lag.

Why scale changes the board reporting model

As identity environments grow, especially through NHI sprawl and automation, the gap between activity and exposure widens. Large volumes of machine identities can be created automatically, then left under-owned or over-privileged even when workflow SLAs are met. Boards then see better operational execution while latent risk increases underneath. This is a governance problem, not a dashboard problem. The reporting model has to reflect the fact that scale amplifies hidden entitlement drift faster than review cycles can correct it.

Practical implication: add volume, ownership, and review completeness metrics for NHIs so scale does not hide control failure.

From access completion to risk reduction

A board-ready identity model should answer a different question: did the control reduce exposure in a meaningful way? That means distinguishing between an access request being closed and the underlying entitlement becoming appropriate. It also means treating revocation timeliness, ownership clarity, and review outcomes as security indicators, not admin statistics. For human identity, NHI, and lifecycle governance alike, the useful measure is whether excess access has been removed or only processed.

Practical implication: structure identity reporting around risk reduction outcomes, not completed workflow activity.


NHI Mgmt Group analysis

Activity metrics create false comfort because they measure workflow completion, not identity risk. Boards are often shown provisioning SLAs, certification closure rates, and ticket volumes because those numbers are easy to collect. But none of them tells executives whether access is appropriate, owned, or still live after the business context changed. The result is an identity programme that appears busy while exposure remains unchanged. The practitioner conclusion is that activity should be treated as an operational signal, not a security outcome.

Identity exposure is the board-level problem, not identity throughput. When organisations discuss unused privilege, orphaned accounts, and delayed revocation in the same language as finance or operational resilience, executive attention becomes more durable. That shift matters because boards fund what they can understand as risk. The implication is that identity leaders need to translate governance into exposure, because motion alone will never justify sustained investment.

Board reporting must cover both human and non-human identities because scale breaks the old governance boundary. Service accounts, APIs, bots, and AI agents now contribute materially to identity risk, yet many executive reports still focus on people alone. That leaves a gap between what the programme governs and what the business actually runs on. The practitioner conclusion is that identity oversight has to be cross-actor by default, not human-centric by habit.

Latency in revocation is a governance signal, not an administrative inconvenience. If access remains valid after role change, departure, or system retirement, the organisation has already lost control of the entitlement. That is why lifecycle metrics belong in board reporting alongside privileges and ownership, not hidden in operational dashboards. The practitioner conclusion is that boards should ask how quickly access stops being valid, not just how quickly tickets are closed.

Board-ready identity reporting needs a named concept: exposure-led governance. Exposure-led governance means executive reporting is built around whether access risk is falling, rather than whether identity work is being completed. It aligns IAM, NHI, and lifecycle controls under one risk lens and gives boards a stable basis for oversight. The practitioner conclusion is to replace activity narratives with exposure narratives if identity is to be managed as a security discipline.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why board reporting often misses the largest sources of exposure.
  • Use Ultimate Guide to NHIs, Regulatory and Audit Perspectives to frame identity risk in the language of oversight, auditability, and accountability.

What this signals

Exposure-led governance will matter more than throughput reporting as identity estates keep expanding. Boards will continue to ask for simple indicators, but the programmes that survive scrutiny will be those that can show how quickly risk falls after access changes, not how many tickets closed.

As NHI populations grow, the board conversation has to move from human-centric process health to cross-actor entitlement control. That shift will expose weak ownership, slow revocation, and hidden privilege accumulation in places where traditional IAM dashboards rarely look.

The practical signal for practitioners is clear: if your board pack cannot distinguish completed work from reduced exposure, you are still managing identity as administration. Link that reporting to the Top 10 NHI Issues and to NIST Cybersecurity Framework 2.0 functions for govern, identify, and protect.


For practitioners

  • Add exposure metrics to the board pack: Include privileged access age, orphaned account counts, revocation lag, and review outcomes so executives can see whether identity risk is actually falling.
  • Separate operational throughput from security outcomes: Keep provisioning and certification metrics, but place them beside indicators that show whether excess access was removed or only processed.
  • Report non-human identity ownership explicitly: Track who owns service accounts, APIs, bots, and AI agents, and flag any identity without a clear accountable owner for review.
  • Use lifecycle events as risk checkpoints: Treat joiner, mover, leaver, system retirement, and vendor offboarding as moments to verify that access became invalid quickly enough.
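
The distinction drawn in the Technical breakdown and in the practitioner checklist above (activity metrics that look healthy next to exposure metrics that do not) can be made concrete against a single identity inventory. The script below is an added example, not code from the original post or from Omada Identity. The inventory is constructed sample data, and the field names (owner, privileged_since, leaver_date, revoked_on, provisioned_in_hours, certification_closed) are assumptions about what an IGA or inventory export would contain. It computes the two throughput metrics boards usually see (provisioning SLA attainment, certification completion) beside the exposure metrics the post asks for (orphaned NHIs, privileged access age, revocation lag, and the review outcome "certified but still exposed"), and on this sample every workflow metric reads 100% while the exposure metrics show an unrevoked leaver, two orphaned service accounts, and privileged access more than four years old.

```python
"""Activity metrics versus exposure metrics for one identity inventory.

Added example, not code from the original post or from Omada Identity.
The inventory is constructed sample data; the field names (owner,
privileged_since, leaver_date, revoked_on, ...) are assumptions about what
an IGA or inventory export would contain.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

AS_OF = date(2026, 2, 19)  # reporting date for the constructed sample


@dataclass(frozen=True)
class Identity:
    ident: str
    kind: str                          # "human" or "nhi"
    owner: Optional[str]               # accountable human owner of an NHI; None if nobody is named
    privileged_since: Optional[date]   # when elevated access was granted
    leaver_date: Optional[date]        # leaver / role change / system retirement event
    revoked_on: Optional[date]         # when the access actually stopped being valid
    provisioned_in_hours: float        # time to fulfil the original access request
    certification_closed: bool         # last review campaign marked this identity done


# Constructed sample: every workflow completed on time, yet exposure is high.
INVENTORY = [
    Identity("alice",       "human", None,    None,              None,              None,               4.0, True),
    Identity("bob",         "human", None,    date(2022, 1, 10), date(2025, 12, 1), None,               6.0, True),  # left, access still valid
    Identity("svc-billing", "nhi",   "bob",   date(2021, 6, 1),  None,              None,               2.0, True),  # owner has left
    Identity("svc-etl",     "nhi",   None,    date(2024, 3, 15), None,              None,               1.5, True),  # no owner at all
    Identity("bot-deploy",  "nhi",   "carol", date(2025, 11, 2), None,              None,               3.0, True),
    Identity("legacy-app",  "nhi",   "carol", date(2020, 9, 9),  date(2025, 9, 30), date(2025, 12, 15), 5.0, True),  # retired, revoked late
]


def activity_metrics(inv, sla_hours=8.0):
    """Throughput signals: they show that work moved, not that access is safe."""
    n = len(inv)
    return {
        "provisioning_sla_met_pct": 100.0 * sum(i.provisioned_in_hours <= sla_hours for i in inv) / n,
        "certification_completion_pct": 100.0 * sum(i.certification_closed for i in inv) / n,
    }


def departed_humans(inv):
    return {i.ident for i in inv if i.kind == "human" and i.leaver_date is not None}


def orphaned_nhis(inv):
    """NHIs with no named owner, or whose named owner has already left."""
    gone = departed_humans(inv)
    return [i.ident for i in inv if i.kind == "nhi" and (i.owner is None or i.owner in gone)]


def privileged_access_ages(inv, as_of=AS_OF):
    """Age in days of every privileged entitlement that is still valid."""
    return {i.ident: (as_of - i.privileged_since).days for i in inv
            if i.privileged_since is not None and i.revoked_on is None}


def revocation_lags(inv, as_of=AS_OF):
    """Days from each lifecycle event until access stopped being valid.
    Unrevoked access is measured up to the reporting date and marked open."""
    lags = {}
    for i in inv:
        if i.leaver_date is not None:
            end = i.revoked_on or as_of
            lags[i.ident] = ((end - i.leaver_date).days, i.revoked_on is None)
    return lags


def certified_but_exposed(inv, as_of=AS_OF):
    """Identities a completed certification signed off that are nonetheless
    orphaned or past a lifecycle event with access still valid."""
    exposed = set(orphaned_nhis(inv)) | {k for k, (_, open_) in revocation_lags(inv, as_of).items() if open_}
    return sorted(i.ident for i in inv if i.certification_closed and i.ident in exposed)


def exposure_metrics(inv, as_of=AS_OF, max_lag_days=1):
    """Exposure signals named in the post: orphaned accounts, privileged
    access age, revocation lag and review outcomes."""
    ages = privileged_access_ages(inv, as_of)
    lags = revocation_lags(inv, as_of)
    return {
        "orphaned_nhis": orphaned_nhis(inv),
        "privileged_age_median_days": median(ages.values()) if ages else 0,
        "privileged_age_max_days": max(ages.values(), default=0),
        "open_revocations": sorted(k for k, (_, open_) in lags.items() if open_),
        "revocations_over_sla": sorted(k for k, (lag, _) in lags.items() if lag > max_lag_days),
        "certified_but_exposed": certified_but_exposed(inv, as_of),
    }


if __name__ == "__main__":
    print("activity :", activity_metrics(INVENTORY))  # both 100%: the board pack looks healthy
    print("exposure :", exposure_metrics(INVENTORY))  # orphaned NHIs, an open revocation, stale privilege
```

The point of keeping both dictionaries is the one the post makes: the activity numbers are not wrong, they are simply answering a different question, and the exposure set (in particular the "certified but exposed" list) is what tells a board whether a completed review actually changed entitlement state. The max_lag_days threshold is a placeholder for whatever revocation SLA the organisation sets.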

Key takeaways

  • Boards often see identity activity rather than identity exposure, which makes operational progress look safer than it is.
  • The strongest risk signals are privileged access age, orphaned accounts, revocation lag, and ownership clarity across both people and machines.
  • Identity reporting becomes more useful when it shows whether access risk fell, not just whether workflow work got done.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.RM-01 | Board reporting should reflect risk management, not only task completion.
OWASP Non-Human Identity Top 10 | NHI-01 | Excessive privilege and poor visibility are core NHI governance failures.
NIST CSF 2.0 | PR.AC-4 | Access rights need periodic review and timely adjustment across identity types.

Tie board oversight to access review outcomes and revocation timeliness for all identities.


Key terms

  • Identity exposure: Identity exposure is the measurable security risk created by access that is too broad, too old, or no longer justified. It includes excessive privileges, orphaned accounts, delayed revocation, and poorly owned machine identities, all of which can remain hidden if reporting focuses only on process completion.
  • Activity metric: An activity metric shows whether an identity process moved or completed, such as a certification being closed or a ticket being resolved. It is useful for operations, but it does not prove that access became safer, more appropriate, or better governed.
  • Exposure-led governance: Exposure-led governance is the practice of managing identity by the risk that access creates rather than by the volume of work completed. It shifts executive reporting toward ownership, privilege quality, and revocation speed across human and non-human identities.
  • Non-human identity: A non-human identity is a machine or software identity used by services, applications, bots, APIs, or AI systems. It often carries credentials and privileges that need the same lifecycle discipline as human access, but at far greater scale and with weaker natural ownership.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Omada Identity: Why Boards Still Struggle to See Identity Risk. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org