By NHI Mgmt Group Editorial Team
Published 2024-10-21
Domain: Best Practices
Source: Entro Security

TL;DR: CVSS gives vulnerability severity a common language, while EPSS estimates exploit likelihood from live threat data, and Entro Security argues the two are complementary for prioritising NHI risk. Severity alone can still mislead remediation when exposure, exploitability, and identity context do not line up.


At a glance

What this is: This is a practitioner analysis of CVSS and EPSS for non-human identity risk scoring, showing why severity and exploit likelihood answer different security questions.

Why it matters: It matters because IAM, PAM, and NHI teams need to prioritise fixes by real exposure, not just by vulnerability scores that ignore how credentials, access paths, and exploitability interact.

By the numbers:

👉 Read Entro Security's analysis of CVSS vs EPSS for NHI risk prioritisation


Context

CVSS and EPSS are both vulnerability scoring systems, but they answer different governance questions. CVSS measures how severe a flaw is in the abstract, while EPSS estimates how likely that flaw is to be exploited in the wild. For NHI programmes, that distinction matters because service accounts, tokens, and workload identities are often exposed through the surrounding control plane rather than the vulnerability itself.

Identity teams too often inherit vulnerability scores without the access context needed to act on them. A high CVSS number may describe technical severity, but it does not say whether an exposed secret, delegated OAuth grant, or privileged workload path turns that flaw into a real identity incident. The result is a prioritisation problem, not just a scoring problem.

For NHI governance, the practical question is not which score is more correct. It is which score changes remediation order when identity exposure, privilege, and exploit likelihood collide. That is why scoring must be treated as input to governance, not as a substitute for it.


Key questions

Q: How should security teams prioritise vulnerabilities in NHI environments?

A: Prioritise by combining CVSS severity, EPSS exploit likelihood, and identity context. A flaw with moderate severity can become urgent if it sits behind standing privilege, exposed secrets, or a broadly trusted service account. The right queue ranks by likely blast radius, not by score alone.

Q: Why do CVSS scores often mislead NHI remediation decisions?

A: CVSS measures severity, not whether the vulnerable identity path is reachable or useful to an attacker. In NHI environments, reachability, privilege scope, and secret exposure often matter more than the raw vulnerability score, so teams can over-prioritise theoretical issues and under-prioritise active access risk.

Q: How can teams tell whether EPSS is improving vulnerability governance?

A: EPSS is helping when it changes remediation order in a way that matches real attack pressure. If the same assets keep rising to the top because they are both exploitable and identity-exposed, the model is working. If scores are used without access context, EPSS becomes another dashboard number.

Q: What is the difference between vulnerability severity and exploit likelihood?

A: Severity describes the potential impact of a flaw, while exploit likelihood describes how probable it is that the flaw will be used in the wild. Security teams need both views because a severe but unreachable issue may wait, while a less severe flaw on an exposed identity path may need immediate action.


Technical breakdown

CVSS severity and why context changes the result

CVSS is built to score the intrinsic severity of a vulnerability using base, temporal, and environmental metrics. Base metrics describe the flaw itself, temporal metrics reflect exploit code and remediation status, and environmental metrics let organisations adjust for local impact. The limitation is structural: CVSS can tell you how bad a vulnerability could be, but not whether it is likely to be used against your NHI estate. In identity-heavy environments, that omission matters because exposure paths are often mediated by permissions, secrets, and integration sprawl.

Practical implication: tie CVSS to identity context before setting remediation priority.

EPSS exploit likelihood and what it adds to NHI triage

EPSS is designed to estimate the probability that a vulnerability will be exploited in the wild. It uses historical exploitation patterns and current threat signals rather than severity alone, which makes it useful for narrowing the remediation queue. For NHI environments, that matters because exploit likelihood often depends on whether a secret is reachable, whether a service account is over-privileged, and whether external connectivity makes the vulnerable system attractive. EPSS does not replace severity, but it does answer the operational question that CVSS cannot: what is most likely to be attacked next.

Practical implication: use EPSS to separate theoretical exposure from likely exploitation.

Why NHI governance needs both scores in the same workflow

NHI risk is rarely just a vulnerability problem. It is usually a compound problem involving exposed credentials, standing privilege, delegated access, and a vulnerable component that can be reached and abused. CVSS helps describe the flaw, while EPSS helps estimate attack pressure, but neither score alone captures whether the identity path is actually exploitable in your environment. The useful governance pattern is to place both inside the same triage model, alongside entitlement scope and secret lifecycle controls, so remediation reflects real blast radius rather than score inflation.

Practical implication: build remediation queues that combine vulnerability score, exploit likelihood, and entitlement exposure.
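As an added illustration (not Entro Security's or NHIMG's own code), the following Python ranks constructed findings by CVSS severity, EPSS likelihood and identity blast radius in one queue. The weights, the EPSS floor and the asset names are assumptions chosen to show how a medium-severity flaw on an exposed, privileged path outranks a critical flaw on a dormant, unreachable one, and how identity remediation is queued as its own workstream beside the patch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    epss: float               # EPSS exploitation probability, 0.0 to 1.0
    reachable: bool           # vulnerable component reachable across the trust boundary
    standing_privilege: bool  # NHI holds persistent rather than just-in-time access
    secret_exposed: bool      # a credential for the NHI is known exposed or reused
    dormant: bool             # identity or secret is no longer in use

EPSS_FLOOR = 0.05  # assumed: a low EPSS must not zero out a severe flaw entirely

def blast_radius(f: Finding) -> float:
    """Identity-context multiplier; weights are assumed for illustration, not a standard."""
    radius = 1.0
    if f.standing_privilege:
        radius += 1.0       # persistent reach is inherited by whoever abuses the NHI
    if f.secret_exposed:
        radius += 1.0       # no foothold needed if the credential is already out
    if not f.reachable:
        radius *= 0.25      # severe but unreachable issues can wait
    if f.dormant:
        radius *= 0.1       # the fix is revocation, not an urgent patch
    return radius

def priority(f: Finding) -> float:
    return (f.cvss / 10.0) * max(f.epss, EPSS_FLOOR) * blast_radius(f)

def actions(f: Finding) -> list[str]:
    """Identity remediation runs alongside patching as its own workstream."""
    steps = ["decommission identity"] if f.dormant else []
    if f.secret_exposed:
        steps.append("rotate secret")
    if f.standing_privilege:
        steps.append("reduce standing privilege")
    return steps + ["patch"]

def triage_queue(findings: list[Finding]) -> list[tuple[str, float, list[str]]]:
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.asset, round(priority(f), 4), actions(f)) for f in ranked]

# Constructed sample findings; asset names are placeholders, not real systems
SAMPLE = [
    Finding("ci-runner-sa", 9.8, 0.90, True, False, False, False),
    Finding("legacy-batch-sa", 9.8, 0.01, False, False, False, True),
    Finding("billing-oauth-app", 5.5, 0.40, True, True, True, False),
]
```

Calling triage_queue(SAMPLE) puts the reachable, highly exploitable critical first, the CVSS 5.5 OAuth app with an exposed secret and standing privilege second, and the dormant, unreachable CVSS 9.8 last with "decommission identity" ahead of the patch.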


NHI Mgmt Group analysis

CVSS overstates certainty when identity context is missing. The score is useful for standardised severity reporting, but it was not designed to tell NHI teams whether a service account, token, or workload path is actually exposed in a way attackers can use. That gap is not a defect in CVSS so much as a mismatch between a vulnerability model and an identity governance problem. Practitioners should treat CVSS as one signal, not the decision.

EPSS is closer to operational reality, but it still stops short of governance. Exploit likelihood is more actionable than abstract severity when teams are deciding what to fix first, especially in environments with high credential density. But EPSS does not know whether the vulnerable asset sits behind a dormant account, a stale secret, or a tightly scoped integration. The implication is that prioritisation must remain identity-aware, not score-led.

Exploitability without entitlement scope produces the wrong remediation queue. A vulnerability that is easy to exploit matters far more when it sits behind standing privilege or broad third-party access. That is why NHI governance cannot separate vulnerability management from identity control design. Practitioners need a queueing model that reflects access reach, not just technical severity.

Score-driven workflows can hide the real control failure: unmanaged access paths. Many programmes optimise for patch urgency while leaving the surrounding identity fabric untouched. In NHI environments, the failure is often not the flaw alone but the combination of an exploitable issue and an access path that should never have remained live. The practitioner takeaway is to govern the access path first, then score the flaw inside it.

Identity blast radius is the more useful concept than vulnerability rank. The same CVSS or EPSS value can mean very different things depending on whether the affected identity is low privilege, delegated to third parties, or embedded in automation. That is why the identity layer should drive prioritisation conversations, with vulnerability scoring used to refine them. Security teams should re-rank work by likely blast radius, not by score in isolation.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility.
  • That visibility gap is a signal to pair vulnerability scoring with entitlement and secret discovery, and to revisit the broader NHI controls covered in Ultimate Guide to NHIs.

What this signals

Identity severity debt: when vulnerability scoring is detached from access scope, remediation queues accumulate work that looks urgent but does little to reduce real exposure. Teams should expect more pressure to rank fixes by exploitability and blast radius together, especially where NHIs carry reused secrets and broad delegation.

The most practical programme shift is to treat CVSS and EPSS as inputs to identity governance rather than as standalone truth. That means connecting scoring to secret inventory, entitlement review, and lifecycle controls so the organisation can see which vulnerabilities actually sit on live access paths.

NHI teams that want to mature beyond score reporting should align their triage model with NIST Cybersecurity Framework 2.0 and the access visibility lessons in Top 10 NHI Issues. The direction of travel is clear: prioritisation is becoming a governance discipline, not a vulnerability spreadsheet.


For practitioners

  • Combine severity and exploitability in one triage queue: Score vulnerabilities with CVSS and EPSS together, then add identity context such as secret exposure, privilege scope, and external reachability before assigning remediation priority.
  • Overlay entitlement scope on every high-risk finding: Check whether the affected NHI has standing privilege, broad OAuth grants, or reusable credentials that would turn a medium flaw into a high-impact access path.
  • Separate patch urgency from identity remediation: Treat patching, secret rotation, and privilege reduction as linked but distinct workstreams so a vulnerable workload does not retain unnecessary access while waiting for a fix.

Key takeaways

  • CVSS and EPSS answer different questions, so using either one alone can distort NHI remediation priorities.
  • The real risk signal comes from combining exploit likelihood with identity exposure, privilege scope, and secret reachability.
  • NHI programmes should rank remediation by likely blast radius, not by vulnerability score in isolation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Covers NHI credential and exposure hygiene tied to exploitability.
NIST CSF 2.0 | PR.IP-12 | Supports risk-based vulnerability management and prioritisation.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege changes exploit value when access is overbroad.

Review access scope on vulnerable NHI assets and reduce standing privilege before or alongside patching.


Key terms

  • CVSS: The Common Vulnerability Scoring System is a standard way to rate how severe a software vulnerability is. It scores the flaw itself using base, temporal, and environmental factors, but it does not tell you how likely the issue is to be exploited in your specific identity environment.
  • EPSS: The Exploit Prediction Scoring System estimates the likelihood that a vulnerability will be exploited in the wild. It is useful for prioritisation because it reflects observed threat patterns, but it still needs local identity context such as privilege scope, secret exposure, and reachability.
  • Identity Blast Radius: Identity blast radius is the amount of access, data, and downstream trust that can be affected when a non-human identity is abused. It is shaped by privilege scope, delegation, and the placement of credentials, and it is often a better prioritisation lens than severity alone.
  • Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. For NHIs, it increases the value of a stolen credential or exploited service because attackers inherit persistent reach without needing to wait for a human approval step.

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A side-by-side explanation of how CVSS base, temporal, and environmental metrics are applied in practice.
  • A clearer breakdown of how EPSS uses threat data to estimate exploitation likelihood across vulnerable assets.
  • Implementation context for teams deciding when to use one score for reporting and the other for remediation ordering.
  • The vendor's own view on how its NHI audience should interpret the two scoring models together.

👉 The full Entro Security post explains the scoring trade-offs and implementation considerations in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2024-10-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org