By NHI Mgmt Group Editorial Team
Published 2026-05-28
Domain: Announcements
Source: Clarity Security

TL;DR: 97% of organizations with an AI-related breach lacked proper AI access controls, and periodic governance alone cannot continuously close identity risk across humans, NHIs, and AI agents, according to Clarity Security and IBM’s 2025 Cost of a Data Breach report. The real issue is that access review processes expose compliance state, not live exposure, so risk-driven remediation becomes the missing control.


At a glance

What this is: Clarity Security’s launch argues that identity governance alone is not enough because it does not continuously close identity risk across human, non-human, and agentic identities.

Why it matters: IAM teams need to see where compliance workflows end and operational risk reduction begins, because the same governance gap now spans service accounts, OAuth apps, and AI agents.

By the numbers:

👉 Read Clarity Security's announcement on adaptive trust and NHI governance


Context

Identity governance programs are often built to prove who has access, not to decide whether that access should still exist. In practice, periodic reviews and audit evidence can document entitlement state while leaving exposure untouched, which is why compliance and risk reduction are not the same control objective for NHI governance, AI agents, or human IAM.

Clarity Security’s launch is really about that gap: the move from static governance to continuous risk assessment and closed-loop remediation. For teams managing service accounts, OAuth apps, and emerging agentic identities, the question is no longer only visibility. It is whether the governance model can act fast enough to reduce blast radius before the next review cycle. For background on the broader NHI problem space, see the Ultimate Guide to NHIs and the NHI Lifecycle Management Guide.


Key questions

Q: How should security teams govern non-human identities that change risk continuously?

A: Security teams should treat non-human identities as active exposure points, not static records. That means pairing discovery with ownership, risk scoring, and an executable remediation path so risky access can be reduced immediately. If the only outcome is a report or review artifact, the programme is documenting risk rather than controlling it.

Q: Why do periodic access reviews miss the real NHI risk?

A: Periodic reviews miss the real risk because they measure entitlement state at a point in time, while NHI exposure can change between cycles. A service account, token, or OAuth app may remain valid long after its purpose has shifted. Continuous visibility and action matter more than retrospective certification.

Q: What breaks when NHI governance stops at compliance evidence?

A: What breaks is closure. Compliance evidence can prove that access was reviewed, but it cannot prove that unnecessary access was removed or that blast radius was reduced. Without a remediation path, governance becomes descriptive instead of preventive, which leaves the most dangerous entitlements in place.

Q: Who should be accountable when risky non-human access is found?

A: The accountable party should be the business or technical owner of the identity, not a periodic review queue. Accountability must be structural, because service accounts and API keys outlive meetings, tickets, and staffing changes. Clear ownership is what allows remediation to happen before exposure turns into an incident.


How it works in practice

Risk scoring across identity relationships

Clarity describes a dynamic risk scoring model that evaluates inherent and contextual risk across identity and access relationships. In technical terms, this means the platform is not only cataloguing entitlements, but weighting them by exposure, connectivity, and privilege propagation. That matters because nested permissions, federated access, and blast path analysis are the mechanisms that turn a simple entitlement into a path to wider compromise. The operational value is in prioritisation: not every identity needs equal attention, and remediation is only useful if it can be aimed at the riskiest chains first.

Practical implication: map privilege chains and remediation queues to risk, not to review date.

Closed-loop remediation for non-human identities and AI agents

The NHI and AI security module is positioned around discovery, ownership, and executable remediation for service accounts, API keys, OAuth apps, bots, and AI agents. The architectural point is that finding an identity without a path to change it leaves risk management half-finished. Continuous governance depends on linking detection to enforced action, especially where identities span cloud, SaaS, on-premise, and legacy systems. For autonomous or machine-run access, the core failure is not just hidden sprawl, but unmanaged persistence across systems that were never designed to self-correct.

Practical implication: require every NHI finding to have an owner and a remediation path before it is considered actionable.

Adaptive trust as a governance model

Adaptive Trust, as framed here, is a model in which identity security becomes continuous and stateful rather than episodic. The platform logic is that audit evidence should be a byproduct of daily control activity, not the primary control itself. That shifts identity governance from retrospective attestation toward live assurance. For practitioners, the important technical distinction is between observing access and changing access. The former supports compliance. The latter reduces risk. Mature programmes need both, but they are not interchangeable.

Practical implication: measure whether governance outputs actually change entitlements, not just generate evidence.


NHI Mgmt Group analysis

Compliance-first identity governance leaves the highest-risk access untouched. Programs built around periodic reviews answer the auditor’s question, not the attacker’s question. They can confirm that access exists, but they do not continuously determine whether that access is still appropriate or exploitable. The practical conclusion is that risk reduction and evidence production need separate control logic, especially where non-human identities accumulate quietly.

NHI governance fails when ownership is an annual exercise instead of a structural property. Service accounts, OAuth apps, API keys, and bots are not made safer by being documented once a year. If accountability is only assigned during review cycles, the environment will always outrun the process. The implication is that entitlement ownership must be continuous, not ceremonial, for machine identities.

Continuous remediation is the named control gap this launch is trying to address. The interesting issue is not that governance exists, but that it often stops before closure. That gap is what lets identity risk persist between review windows, and it is why blast radius stays larger than leaders expect. Practitioners should treat closed-loop remediation as the dividing line between governance theatre and operational security.

Adaptive trust is a useful concept because it exposes the flaw in treating audit output as security output. Audit readiness can coexist with dangerous exposure, particularly in environments where nested permissions and federated access obscure the true attack path. The field needs to stop treating certification as evidence of safety. The conclusion is simple: if access cannot be reduced in the flow of work, it is not governed in any meaningful sense.

Human, non-human, and agentic identities now sit on the same risk graph, but they do not share the same governance cadence. That mismatch is where most identity programmes become brittle. Human review cycles are slow by design, while machine identities and AI agents can expand privilege far faster than a committee can certify it. The implication is that one governance model must span all three actor types, or none of them will be fully controlled.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.
  • For lifecycle context, NHI Lifecycle Management Guide is the next step for teams translating discovery into ownership, rotation, and offboarding.

What this signals

Continuous remediation will become the differentiator between identity programmes that merely attest and those that actually reduce exposure. The market is moving toward control loops that can act on entitlement risk in real time, because review cycles are too slow for cloud and SaaS sprawl. Teams that still depend on quarterly evidence collection will find that their visibility is better than their control.

Adaptive trust will pressure practitioners to unify human IAM, NHI governance, and emerging agent governance under one operating model. That does not mean one process for all identities, but it does mean one risk standard and one ownership model. The organisations that separate these domains too aggressively will keep rediscovering the same gap in different places.

NHI sprawl is now a governance problem as much as a detection problem. If non-human identities outnumber human accounts by 20 to 50 times in many environments, the task is no longer just finding them. The practical challenge is deciding which exposures matter first and which controls can actually close them before they become persistent attack paths.


For practitioners

  • Separate evidence production from risk reduction: Keep access reviews, audit exports, and compliance attestations, but add a parallel control path that can close risky access as soon as it is identified. If remediation waits for the next certification cycle, exposure persists by design.
  • Build ownership for every non-human identity: Assign a named owner to service accounts, API keys, OAuth apps, and bots, then require ownership to survive environment changes and team turnover. No NHI should exist without a current accountable party.
  • Prioritise remediation by blast path, not inventory order: Use nested permissions, federated links, and exposure mapping to sort the identities most likely to expand access across systems. Fix the entitlements that can cascade first, even if they are not the loudest findings.
  • Treat AI agents as first-class identities in governance flows: Place agent identities into the same access lifecycle and risk scoring process as other NHIs, then verify that their permissions can be changed, revoked, and attributed quickly across connected systems.
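As an added illustration of the blast path prioritisation and owner-plus-remediation rule described under "How it works in practice" and in the checklist above (example code written for this post, not Clarity's scoring engine; the identity inventory, resource weights and scoring formula are constructed assumptions), this script ranks a small set of NHIs by transitive reach and marks a finding actionable only when it has an owner and an executable remediation path:

```python
from collections import deque

# Constructed sample inventory (not real data). "assumes" edges are nested or
# federated permissions: the identity can act as the identity it points to.
IDENTITIES = {
    "svc-billing":     {"owner": "payments-team", "grants": ["db:billing"],
                        "assumes": ["svc-etl"], "remediation": "rotate"},
    "svc-etl":         {"owner": None, "grants": ["bucket:warehouse"],
                        "assumes": ["role:data-admin"], "remediation": None},
    "role:data-admin": {"owner": "platform-team", "remediation": "constrain",
                        "grants": ["db:customers", "db:billing", "kms:prod"], "assumes": []},
    "oauth-reportapp": {"owner": None, "grants": ["bucket:warehouse"],
                        "assumes": [], "remediation": "revoke"},
    "agent-support":   {"owner": "cx-team", "grants": ["api:tickets"],
                        "assumes": ["svc-etl"], "remediation": "revoke"},
}
# Inherent weight of each resource (assumed): how much damage misuse of it could do.
RESOURCE_WEIGHT = {"db:billing": 5, "db:customers": 5, "kms:prod": 8,
                   "bucket:warehouse": 3, "api:tickets": 1}

def blast_path(identity):
    """Transitive reach over 'assumes' edges: (resources reachable, identities traversed)."""
    seen, queue, resources = {identity}, deque([identity]), set()
    while queue:
        cur = queue.popleft()
        resources.update(IDENTITIES[cur]["grants"])
        for nxt in IDENTITIES[cur]["assumes"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return resources, seen - {identity}

def risk_score(identity):
    """Inherent risk (privilege reachable) times contextual risk (nesting depth, ownership)."""
    resources, chain = blast_path(identity)
    inherent = sum(RESOURCE_WEIGHT[r] for r in resources)
    contextual = 1.0 + 0.5 * len(chain)   # each hop hides exposure from a point-in-time review
    if IDENTITIES[identity]["owner"] is None:
        contextual += 1.0                 # unowned access outlives the ticket that created it
    return round(inherent * contextual, 1)

def remediation_queue():
    """Rank by blast path; a finding is actionable only with an owner and an executable remediation."""
    rows = []
    for name, meta in IDENTITIES.items():
        rows.append({"identity": name, "score": risk_score(name),
                     "reach": sorted(blast_path(name)[0]),
                     "actionable": meta["owner"] is not None and meta["remediation"] is not None})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in remediation_queue():
        status = "ACTIONABLE" if row["actionable"] else "NEEDS OWNER/PATH"
        print(f'{row["score"]:>5} {status:<16} {row["identity"]} -> {row["reach"]}')
```

Note that the top-ranked finding (svc-etl, which can reach the production KMS through a federated role) is the one with no owner and no remediation path, so inventory order or a review queue would surface it last, and a compliance export would not flag it at all.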

Key takeaways

  • The central risk is not the absence of identity governance, but the belief that compliance evidence is the same thing as exposure reduction.
  • Clarity Security cites IBM’s finding that 97% of organisations with an AI-related breach lacked proper AI access controls, which underscores how quickly identity risk now outpaces review cycles.
  • Practitioners should pair discovery with ownership and executable remediation so high-risk access can be closed before the next audit window.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The post centers on discovery, ownership, and rotation of NHIs.
NIST CSF 2.0 | PR.AC-4 | Continuous entitlement control maps to least-privilege access management.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Adaptive trust aligns with continuous verification across identity relationships.

Apply zero trust to identity relationships so access is continuously validated, not periodically assumed.


Key terms

  • Adaptive Trust: An operating model where identity access is continuously assessed against current risk rather than certified only at intervals. In practice, it combines discovery, ownership, and remediation so entitlement state and exposure state stay aligned across human, non-human, and agentic identities.
  • Closed-loop remediation: A control pattern where a risk finding can be turned into an access change without leaving the platform or waiting for a later review cycle. For non-human identities, this matters because exposure is only reduced when the system can actually revoke, constrain, or rotate access.
  • Blast path analysis: A way of tracing how one identity or entitlement can lead to broader access across systems and datasets. It helps practitioners prioritise the identities most likely to expand compromise, especially where nested permissions and federated relationships hide the true exposure chain.
  • Non-human identity: A machine-run identity used by a service, workload, bot, API integration, certificate, token, or AI agent. These identities usually operate without human interaction at runtime, which makes ownership, lifecycle control, and remediation speed central to governance.

What's in the full announcement

Clarity Security's full announcement covers the operational detail this post intentionally leaves for the source:

  • How the dynamic risk scoring engine weights inherent and contextual identity risk across connected systems
  • How read and write remediation workflows are executed across legacy mainframes, SaaS, cloud, and on-premise environments
  • How the NHI and AI Security module maps permission chains, ownership, and accountability at scale
  • How Clarity measures posture improvement against the OWASP Non-Human Identity Top 10

👉 The full Clarity Security post covers the platform details, NHI and AI module scope, and customer evaluation context.

Deepen your knowledge

Clarity Aperture, continuous risk scoring, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an identity programme that needs to move beyond periodic review, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org