TL;DR: Identity risk remains difficult to translate into business terms, but FAIR gives security teams a way to model loss event frequency and loss magnitude in dollar values, according to Axiad. The real shift is that identity visibility now determines whether risk estimates are credible, because siloed IAM tools miss cross-account access pathways and overstate control coverage.
At a glance
What this is: FAIR applies probabilistic risk quantification to identity exposure, turning qualitative IAM risk into financial estimates tied to access, credential, and governance failures.
Why it matters: IAM, NHI, and human identity teams need a common risk language because without correlated visibility, backlogs, orphaned access, and OAuth sprawl cannot be prioritised on business impact.
By the numbers:
- The 2024 global average cost of a data breach sits at $4.88 million per incident (IBM Cost of a Data Breach Report 2024), with credential-based breaches trending toward the higher end of the distribution.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
👉 Read Axiad's FAIR analysis for identity risk quantification
Context
Identity risk is hard to manage when every team can see only part of the attack surface. In practice, that means IGA, SSPM, CIEM, and the IdP each report useful signals, but none of them alone can tell you what a user, service account, or linked account can truly reach across the environment.
FAIR gives practitioners a way to translate those fragmented signals into loss frequency and loss magnitude. In the identity context, the model becomes credible only when visibility is broad enough to capture orphaned accounts, OAuth sprawl, exposed credentials, and hidden access paths that qualitative risk matrices routinely miss.
Key questions
Q: How should security teams quantify identity risk in business terms?
A: Security teams should translate identity exposure into expected loss by estimating how often a bad identity event can happen and how much it would cost if it did. The model becomes more useful when it focuses on orphaned access, exposed credentials, and ungoverned OAuth grants rather than broad qualitative ratings. That gives leaders a common financial basis for prioritisation.
Q: Why do siloed IAM tools weaken identity risk quantification?
A: Siloed IAM tools weaken quantification because each one sees only part of the access picture. An IdP sees authentication, IGA sees provisioned accounts, and CIEM sees cloud permissions, but none of them alone can show the full blast radius of a linked identity. FAIR estimates become less reliable when those relationships are missing.
Q: What breaks when orphaned accounts are not included in risk models?
A: Risk models break when orphaned accounts are excluded because the exposed access still exists, even if the HR record has changed. That means the organisation may underestimate both the chance of compromise and the potential loss. The result is a model that looks tidy but ignores some of the highest-value attack paths.
Q: How can organisations decide which identity risks to fix first?
A: Organisations should prioritise the risks that reduce the most expected loss per unit of effort, not the ones that look worst in a dashboard. In practice, that often means starting with exposed credentials, orphaned access, and high-privilege OAuth grants. A financial model helps compare those problems against each other instead of treating them as equal.
Technical breakdown
FAIR loss frequency and loss magnitude in identity risk
FAIR quantifies risk as the combination of loss event frequency (how often a loss event is expected to occur in a year) and loss magnitude (how much each event costs). Loss event frequency is itself the product of threat event frequency and vulnerability, where vulnerability is the probability that a threat event becomes a loss event given the controls in place. For identity programmes, the threat events map to credential stuffing, abuse of orphaned access, and exploitation of overprivileged accounts, and vulnerability maps to the strength of the controls guarding that access. Loss magnitude includes primary costs such as response and recovery plus secondary impacts such as regulatory exposure and customer churn. The useful part is not the score itself, but the discipline of estimating each driver separately, as a calibrated range rather than a single point, so teams can compare identity risks in financial terms instead of colour-coded categories.
Practical implication: model identity scenarios as expected loss, not as generic high, medium, or low ratings.
Why identity visibility determines FAIR accuracy
FAIR depends on the quality of the vulnerability estimate: the probability that a threat event turns into a loss event, which is driven by the attacker's capability against the resistance strength of the controls on the access path. That cannot be estimated well when access pathways are fragmented across tools. An IdP may show authentication state, IGA may show provisioned access, and CIEM may show cloud permissions, yet the real exposure sits in the connections between those systems, for example a service account owned by a departed user that can assume a cloud role no single tool attributes to that user. A correlated identity graph closes that gap by tying accounts, entitlements, and risk factors back to one identity. Without that graph, FAIR can look precise while still undercounting exposure.
Practical implication: build a correlated identity inventory before treating FAIR outputs as decision-grade.
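Correlating siloed tool outputs into one identity graph, as an added example that is not part of the Axiad article or this post. The four exports, their field names, the account identifiers, and the admin-scope list are constructed sample data rather than any vendor's schema. The point it demonstrates is the gap described above: the IGA view alone reports two enabled accounts for a departed user, while the correlated graph reaches a cloud role, a customer data bucket, and an admin-scoped OAuth app, which is the exposure the vulnerability and loss-magnitude estimates need to see.

```python
"""Correlate siloed IAM exports into one identity graph and measure blast radius.

Added example (not Axiad's or NHIMG's code). All records and field names below
are constructed sample data, not any vendor's export schema.
"""
from collections import defaultdict, deque

# --- Constructed exports from four siloed tools (assumed schemas) ---
HR = {"alice@example.com": "active", "bob@example.com": "terminated"}  # system of record
IDP = [  # IdP: authentication state only
    {"sub": "alice@example.com", "mfa": True, "last_login_days": 2},
    {"sub": "bob@example.com", "mfa": False, "last_login_days": 40},
]
IGA = [  # IGA: provisioned accounts and their accountable owner
    {"account": "alice", "owner": "alice@example.com", "system": "crm", "enabled": True},
    {"account": "bob", "owner": "bob@example.com", "system": "crm", "enabled": True},
    {"account": "svc-etl", "owner": "bob@example.com", "system": "warehouse", "enabled": True},
]
CIEM = [  # CIEM: cloud principals, the roles they assume, the data they reach
    {"principal": "svc-etl", "assumes": "arn:aws:iam::111122223333:role/warehouse-admin"},
    {"principal": "arn:aws:iam::111122223333:role/warehouse-admin", "reads": "s3://customer-exports"},
]
SSPM = [  # SSPM: user-granted third-party OAuth apps and their scopes
    {"user": "bob@example.com", "app": "ReportBot", "scopes": ["mail.read", "files.readwrite.all"]},
]
ADMIN_SCOPES = {"files.readwrite.all", "directory.readwrite.all", "mail.readwrite"}  # assumed admin-class scopes


def _principal_node(p):
    return f"role:{p}" if p.startswith("arn:") else f"account:{p}"


def build_graph():
    """Directed graph: identity -> accounts/OAuth apps -> roles/scopes -> resources."""
    g = defaultdict(set)
    for rec in IGA:
        if rec["enabled"]:
            g[rec["owner"]].add(f"account:{rec['account']}")
    for rec in CIEM:
        src = _principal_node(rec["principal"])
        if "assumes" in rec:
            g[src].add(f"role:{rec['assumes']}")
        if "reads" in rec:
            g[src].add(f"resource:{rec['reads']}")
    for rec in SSPM:
        app = f"oauth:{rec['app']}"
        g[rec["user"]].add(app)
        for scope in rec["scopes"]:
            g[app].add(f"scope:{scope}")
    return g


def reachable(g, start):
    """Breadth-first closure: everything the identity can reach through linked accounts."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in g.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def siloed_targets(identity):
    """What IGA alone reports: enabled accounts, with no cloud or OAuth context."""
    return sorted(f"account:{r['account']}" for r in IGA if r["owner"] == identity and r["enabled"])


def identity_report(identity):
    """Correlated view used to feed the vulnerability and loss-magnitude estimates."""
    reach = reachable(build_graph(), identity)
    idp = next((r for r in IDP if r["sub"] == identity), None)
    admin_apps = sorted(r["app"] for r in SSPM
                        if r["user"] == identity and ADMIN_SCOPES & set(r["scopes"]))
    return {
        "identity": identity,
        # orphaned: HR says not active, yet live access still hangs off the identity
        "orphaned": HR.get(identity) != "active" and bool(reach),
        "mfa": bool(idp and idp["mfa"]),
        "reach": reach,
        "sensitive_targets": sorted(n for n in reach if n.startswith(("resource:", "scope:"))),
        "admin_oauth_apps": admin_apps,
    }


def orphaned_identities():
    """Identities with live access paths but no active HR record."""
    known = set(HR) | {r["owner"] for r in IGA} | {r["user"] for r in SSPM}
    return sorted(i for i in known if identity_report(i)["orphaned"])


if __name__ == "__main__":
    for ident in ("alice@example.com", "bob@example.com"):
        rep = identity_report(ident)
        print(ident, "IGA-only:", siloed_targets(ident))
        print("  correlated:", rep["sensitive_targets"], "orphaned:", rep["orphaned"],
              "admin OAuth:", rep["admin_oauth_apps"])
```

The graph is deliberately generic: each tool contributes one kind of edge, and the blast radius is whatever the breadth-first closure reaches, so adding a PAM export or a SaaS role mapping is a matter of adding edges, not rewriting the model.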
OAuth sprawl and orphaned access as measurable loss drivers
The article’s strongest use case is not theory, but scenario modelling. Orphaned accounts, externally granted OAuth connections, and forgotten temporary access all create measurable loss paths because they expand who can access what, and how silently that access can persist. FAIR works here because each scenario can be framed as a combination of threat frequency, exploitability, and financial impact. That makes identity governance a budgeting conversation rather than a compliance-only exercise.
Practical implication: quantify the highest-risk identity scenarios first, especially orphaned access and ungoverned OAuth connections.
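A FAIR-style expected-loss model over the three scenarios discussed in this section, with candidate remediations ranked by loss reduction per dollar of effort, as an added example rather than Axiad's model or any code from the article. Every range, cost, and control-effect factor is a constructed placeholder that a real programme would replace with calibrated estimates. The model is a simplification of the full FAIR ontology: each driver is an independent triangular draw, vulnerability is estimated directly rather than derived from threat capability and resistance strength, and annual loss is the expected event count times one loss-magnitude draw rather than a Poisson count with a draw per event. It still shows the point that matters for prioritisation: the scenario with the largest annualised loss is not the one with the best return on remediation.

```python
"""FAIR-style expected loss for identity scenarios plus remediation ranking.

Added example (not Axiad's or NHIMG's model). Every range, cost and control
effect below is a constructed placeholder; calibrate from your own data.
"""
import random
import statistics

# Per scenario, triangular (min, most likely, max) estimates for:
#   tef  - threat event frequency per year (attempts against this access)
#   vuln - probability an attempt becomes a loss event, given current controls
#   loss - loss magnitude per event in USD (primary response plus secondary impacts)
# and a candidate fix with its annual cost and the factor it applies to vuln.
SCENARIOS = {
    "orphaned_account_abuse": {
        "tef": (2, 6, 15), "vuln": (0.2, 0.4, 0.7), "loss": (50e3, 400e3, 3e6),
        "fix": {"name": "automated deprovisioning", "cost": 120e3, "vuln_x": 0.15},
    },
    "oauth_grant_abuse": {
        "tef": (1, 3, 8), "vuln": (0.1, 0.3, 0.6), "loss": (100e3, 800e3, 5e6),
        "fix": {"name": "admin-scope OAuth governance", "cost": 80e3, "vuln_x": 0.3},
    },
    "credential_stuffing": {
        "tef": (50, 150, 400), "vuln": (0.02, 0.05, 0.12), "loss": (20e3, 150e3, 1e6),
        "fix": {"name": "phishing-resistant MFA", "cost": 400e3, "vuln_x": 0.05},
    },
}


def tri_mean(t):
    """Mean of a triangular distribution given as (min, mode, max)."""
    return sum(t) / 3.0


def analytic_ale(s, vuln_x=1.0):
    """Point estimate of annualised loss: E[TEF] * E[Vuln] * E[Loss].

    LEF = TEF * Vuln is the FAIR decomposition; treating the drivers as
    independent lets the expectation factor into a product of means."""
    return tri_mean(s["tef"]) * tri_mean(s["vuln"]) * vuln_x * tri_mean(s["loss"])


def _draw(rng, t):
    lo, mode, hi = t
    return rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)


def simulate_ale(s, vuln_x=1.0, n=20000, seed=1):
    """Monte Carlo annualised loss distribution (mean, p10, p50, p90).

    Simplification: annual loss = TEF draw * Vuln draw * Loss draw, i.e. the
    expected number of loss events times a single loss-magnitude draw."""
    rng = random.Random(seed)
    samples = [_draw(rng, s["tef"]) * _draw(rng, s["vuln"]) * vuln_x * _draw(rng, s["loss"])
               for _ in range(n)]
    deciles = statistics.quantiles(samples, n=10)  # 9 cut points: p10 .. p90
    return {"mean": statistics.fmean(samples), "p10": deciles[0], "p50": deciles[4], "p90": deciles[8]}


def rank_remediations():
    """Order fixes by expected-loss reduction per dollar of effort, not by raw ALE."""
    rows = []
    for name, s in SCENARIOS.items():
        before, after = analytic_ale(s), analytic_ale(s, s["fix"]["vuln_x"])
        rows.append({"scenario": name, "fix": s["fix"]["name"], "ale_before": before,
                     "ale_after": after, "reduction": before - after, "cost": s["fix"]["cost"],
                     "reduction_per_dollar": (before - after) / s["fix"]["cost"]})
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


if __name__ == "__main__":
    for r in rank_remediations():
        sim = simulate_ale(SCENARIOS[r["scenario"]])
        print(f"{r['scenario']:<24} ALE ${r['ale_before']:>12,.0f}"
              f" (p10 ${sim['p10']:,.0f} / p90 ${sim['p90']:,.0f})"
              f"  {r['fix']}: -${r['reduction']:,.0f}/yr for ${r['cost']:,.0f}"
              f" -> {r['reduction_per_dollar']:.1f}x")
```

With these placeholder inputs, credential stuffing carries the highest annualised loss, but automated deprovisioning for orphaned accounts returns the most loss reduction per dollar, which is the comparison a funding decision actually needs. The p10/p90 spread from the simulation is what to present alongside the mean, since a point estimate hides how uncertain the calibration still is.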
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
FAIR is most valuable for identity programmes when it replaces intuition with an expected-loss model. High and medium labels do not help leaders decide whether to fund orphaned account remediation, OAuth governance, or phishing-resistant authentication first. FAIR gives those teams a shared financial denominator, which is exactly what governance backlogs need to escape political prioritisation.
Identity visibility debt is the real quantification problem. A FAIR model is only as strong as the visibility behind it, and siloed tools systematically miss the cross-account relationships that matter most. When the exposure lives in the white space between IGA, SSPM, CIEM, and the IdP, the risk estimate is structurally incomplete, not just slightly imprecise.
Orphaned access is a loss-engine, not a housekeeping issue. The article’s examples show that departed employees, M&A leftovers, and temporary grants can combine with exposed credentials to produce credible loss estimates. That is why lifecycle governance and risk quantification belong in the same conversation: one explains the control gap, the other explains the budget impact.
OAuth permission sprawl is a governance problem, not just an application problem. User-granted third-party access can persist long after business need changes, and that persistence creates a measurable downstream breach pathway. The implication is simple: if the organisation cannot inventory and score those connections, it cannot defend the financial case for managing them.
Quantifying identity risk only works when the programme can tie accounts back to accountable people and workflows. That is where identity visibility platforms change the conversation. They do not remove the need for governance, but they make the cost of weak governance harder to dismiss at executive level.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming one, according to Oasis Security & ESG.
- For a broader breach lens, see 52 NHI Breaches Analysis for recurring failure patterns across compromised credentials and governance gaps.
What this signals
Identity risk programmes are moving from visibility debates to budget debates. Once a team can express orphaned access, OAuth sprawl, and credential exposure in loss terms, backlog prioritisation becomes easier to defend and harder to defer. The next maturity step is not another scorecard, but a measurement model that can survive CFO scrutiny.
Identity visibility debt will continue to distort risk estimates until programmes correlate access across systems. Teams that still evaluate IGA, CIEM, SSPM, and IdP outputs independently are likely underestimating exposure in precisely the places attackers exploit. The governance signal is clear: if the data is fragmented, the risk estimate is probably fragmentary too.
As exposed credentials and cross-account access remain common, the operational question shifts to how fast remediation can be justified. Our research shows more than 1 in 5 non-human identities are believed to be insufficiently secured, which makes prioritisation and loss modelling more than a reporting exercise. Practitioners should expect identity quantification to become a standard board-level control conversation, not a niche risk workshop.
For practitioners
- Model the highest-loss identity scenarios first. Start with orphaned accounts, exposed credentials, and third-party OAuth grants because these are the scenarios most likely to produce a defendable expected-loss estimate. Use those estimates to compare remediation work against other security investments and to show the financial value of reducing access sprawl.
- Correlate identity data before presenting FAIR outputs. Tie IGA, IdP, SSPM, CIEM, and cloud access data back to the same identity so the vulnerability estimate reflects actual access pathways. If the programme cannot see linked accounts, the model will understate exposure and produce misleadingly confident numbers.
- Treat OAuth governance as a financial exposure problem. Inventory active third-party connections, flag admin-scoped grants, and score them against the business systems they can reach. The goal is to produce a risk narrative that the CFO can compare to the cost of remediation.
- Use lifecycle events to update risk estimates. Re-run the model when employees leave, contractors end, or M&A identities are imported so the risk estimate reflects the current state of access. Stale access makes the loss estimate stale as well.
Key takeaways
- FAIR makes identity risk financeable, but only when the programme can measure access pathways accurately.
- Siloed identity tools undercount exposure because they miss the linked accounts and hidden permissions that shape real loss.
- The practical value of quantification is prioritisation, because orphaned access and OAuth sprawl can now compete for funding on business terms.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (identities and credentials for users, services, and hardware are managed) | An accurate inventory of identities and credentials underpins identity risk quantification. |
| NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations incorporate least privilege and are reviewed) | Least privilege and access review controls shape identity exposure and loss estimates. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust (per-session, least-privilege access under dynamic policy) | Sets the access model against which orphaned and overprivileged access is measured. |
| OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding, NHI2 Secret Leakage, NHI3 Vulnerable Third-Party NHI | Stale, exposed, and third-party-connected non-human identities drive the article's quantified loss scenarios. |
Map identities and access paths to PR.AA-01 before using FAIR outputs for prioritisation.
Key terms
- Factor Analysis of Information Risk: FAIR is a risk quantification method that turns security uncertainty into financial estimates. It separates how often a loss event may occur (loss event frequency, itself the product of threat event frequency and vulnerability) from how much money that event could cost (loss magnitude), which makes it useful when identity teams need to compare competing risks in budget conversations.
- Identity Visibility: Identity visibility is the ability to see how identities, accounts, and entitlements connect across systems. It goes beyond a single tool view and is necessary for understanding the true blast radius of users, service accounts, and linked access paths.
- Orphaned Account: An orphaned account is an account that no longer matches a current business need or accountable owner, even though it still exists and may still be active. In identity risk modelling, orphaned accounts matter because they create access that is easy to miss and hard to justify.
- OAuth Sprawl: OAuth sprawl is the accumulation of third-party application connections and delegated permissions over time, often without central governance. It becomes a security issue when permissions outlive their business purpose and create hidden paths into sensitive systems.
Deepen your knowledge
Identity risk quantification and governance prioritisation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to turn identity backlog work into a defensible funding case, it is worth exploring.
This post draws on content published by Axiad: FAIR: How to Quantify Your Identity Risk in Business Terms. Read the original.
Published by the NHIMG editorial team on 2026-03-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org