TL;DR: Permiso is framing identity risk as a continuous 0 to 100 score built on a Universal Identity Graph, with separate behavior, likelihood and impact dimensions, plus score velocity and organization-level benchmarking, according to Permiso Security. The real shift is not the number itself, but the move away from fragmented tooling that cannot see across human, NHI, and AI agent identity context.
At a glance
What this is: This is a product announcement about a continuous identity risk scoring engine that quantifies risk across human, non-human, and AI identities using behavior, likelihood, impact, and score velocity.
Why it matters: It matters because IAM, IGA, PAM, and NHI teams cannot govern what they cannot consistently see, and a single risk score only helps if the underlying identity graph is complete enough to support action.
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read Permiso Security's introduction to the Risk Score Engine
Context
Identity risk scoring is only useful if the model can see the identity, understand its behaviour, and place its access in context. In most enterprises, that is exactly where current programmes break down: humans live in IGA, NHIs live in secrets managers or cloud tooling, and AI agents are often tracked somewhere else entirely, if at all.
Permiso’s announcement matters because it treats identity risk as a continuous measurement problem rather than a static entitlement problem. For practitioners, the key question is whether the underlying graph is broad enough to support governance across human identities, NHIs, and agentic systems without turning missing context into false confidence.
The most relevant benchmark for this topic is the NHI control gap itself: the Ultimate Guide to NHIs shows how often identity scope exceeds operational visibility, which is why unified scoring becomes a governance problem, not just a detection feature.
Key questions
Q: How should teams use identity risk scores without oversimplifying governance?
A: Use identity risk scores as prioritisation inputs, not as automatic decisions. Separate the score into behavior, likelihood, and impact so investigation, triage, and containment can follow different paths. The score is useful only when the underlying identity graph is broad enough to represent the full access chain, including NHIs and connected cloud identities.
Q: Why do fragmented identity tools create weak risk scoring?
A: Fragmented tools only score the identities they can see, which means they miss linked access paths, runtime behaviour, and downstream privilege. That creates false confidence because the score reflects a local view, not the full identity relationship set. Unified identity context is what turns a score into evidence instead of a guess.
Q: When should organisations prioritise score velocity over static thresholds?
A: Prioritise score velocity when identities can change trust posture quickly, such as privileged cloud roles, service accounts, and AI-connected accounts. A sharp rise in risk often signals abuse or abnormal activity before the final score becomes extreme. Static thresholds still matter, but fast movement should trigger earlier review.
Q: What does an organisation-level identity risk score actually tell the board?
A: It tells the board how exposure is trending across the environment, provided the inputs are complete and explainable. The number is only credible when teams can show what identities are included, how the score was calculated, and what changes would move it. Without that context, it is just a summary metric.
How it works in practice
Why continuous identity risk scoring depends on complete identity context
A risk score only has meaning when the system understands what an identity is connected to across environments. That means linking human accounts, service accounts, API keys, OAuth tokens, cloud roles, and AI agents into a single identity graph. Without that context, scoring degenerates into a localised alert model that ranks whatever happens to be visible in one tool. The technical problem is not calculation, it is completeness. A score built on partial identity data can look precise while missing the real blast radius. Practical implication: treat graph coverage as a prerequisite for any scoring model you plan to operationalise.
Practical implication: Validate identity graph coverage before using risk scores for prioritisation or board reporting.
Behavior, likelihood, and impact are different control questions
Breaking a score into behavior, likelihood, and impact avoids collapsing very different security questions into a single label. Behavior asks whether the identity is acting outside its baseline. Likelihood asks whether compromise is plausible based on threat signals. Impact asks what damage the identity could cause if abused. Those three dimensions matter because an identity can be highly privileged without being compromised, or actively compromised without broad reach. The value is not the number alone, but the reason behind it. Practical implication: require separate response paths for anomalous activity, compromise probability, and blast radius.
Practical implication: Map each score dimension to a different remediation workflow instead of using one generic threshold.
Score velocity turns identity change into an early warning signal
Score velocity measures how quickly an identity’s risk posture is changing, and that timing often matters more than the current value. A slow drift may reflect privilege accumulation or access sprawl. A sharp jump can indicate credential abuse, abnormal session activity, or a rapid change in trust posture. This is useful because many identity incidents are detectable in the transition, not only at the endpoint state. A static score can miss that window. Practical implication: alert on rapid score movement separately from high absolute scores, especially for privileged and third-party identities.
Practical implication: Create escalation rules for rapid score movement, not just for high absolute risk values.
NHI Mgmt Group analysis
Identity risk scoring is only as good as the identity model underneath it. A continuous number can improve prioritisation, but only if the programme has already solved identity discovery, classification, and lineage across humans, NHIs, and AI-connected systems. If the model cannot see the full chain of access, the score becomes a confidence layer over fragmentation. The practitioner conclusion is straightforward: scoring is an outcome of governance maturity, not a substitute for it.
Identity visibility gap: Security teams are still operating with partial identity coverage while modern environments now mix humans, service accounts, OAuth tokens, and AI-linked access paths. That is the real reason static access reviews and isolated tooling fail to produce trustworthy risk rankings. A score can only be evidence-backed if the evidence includes runtime identity behaviour, not just entitlement data. Practitioners need to judge whether their current programme can support cross-domain identity correlation at all.
Behavior, likelihood, and impact should be treated as three different identity control lenses, not one blended score. That separation is analytically useful because it preserves the distinction between suspicious activity, probable compromise, and blast radius. The governance mistake is to turn that distinction into a single threshold and then expect a single response path. Practitioners should map each lens to its own operational decision, from monitoring to triage to containment.
Organisation-level risk scores will push identity governance toward board-readable metrics, but metrics only work when they are defensible. The category is moving from entitlement inventory toward continuous exposure measurement, which is a useful direction only if teams can explain the score’s inputs and blind spots. That raises the bar for IGA, PAM, and NHI programmes at the same time. Practitioners should expect pressure to justify not only access, but the confidence in the measurement model itself.
Score velocity is the more interesting control signal than the score itself in fast-moving environments. A rapidly changing risk posture is often the earliest indicator that an identity has crossed from normal to suspicious. That matters especially for privileged service accounts and AI-connected identities, where runtime behaviour can shift before a traditional review cycle would ever notice. Practitioners should build escalation around rate of change, not just severity.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why any identity risk model built on partial data will overstate confidence.
- The next control question is not whether a score exists, but whether the underlying identity lifecycle, visibility, and revocation model can support it, as set out in 52 NHI Breaches Analysis.
What this signals
Identity risk scoring will become more common, but the programme impact is usually underestimated: once teams can quantify identity exposure, they will be expected to justify why certain classes of access remain unmeasured. That pressure is strongest where NHIs and SaaS-connected identities still sit outside the same governance workflow.
Identity score velocity: fast-moving risk is likely to become a more actionable signal than static entitlement depth in environments with heavy cloud and automation usage. Teams should prepare to route rapid identity change into detection and triage paths before those changes are normalised by monthly review cycles.
A practical benchmark remains whether your organisation can explain identity exposure in a way that survives audit, incident response, and board scrutiny. If the answer depends on three different tools and manual correlation, the score is describing fragmentation rather than managing it.
For practitioners
- Validate graph completeness before trusting scores Check whether your identity risk model includes humans, NHIs, OAuth-linked access, cloud roles, and AI-connected identities, then document where each source of truth enters the graph. If the graph misses a major class of identity, do not use the score for prioritisation without qualification.
- Separate response paths by score dimension Route behavior anomalies to detection and investigation, likelihood spikes to compromise triage, and high impact scores to access restriction or containment. One threshold should not drive every action because the same score can mean very different things operationally.
- Track score velocity for privileged identities Set escalation rules for identities whose scores move sharply within a short window, especially if they hold administrative, third-party, or cloud runtime access. Rapid change is often the earliest sign that an identity is being misused or has changed trust state.
- Benchmark organisation-level risk carefully Use any board-level aggregate score only with a clear explanation of its inputs, exclusions, and identity coverage. A single number is useful for communication, but it must not hide blind spots in NHIs, SaaS access, or AI-linked credentials.
Key takeaways
- Identity risk scoring is useful only when the underlying graph can see across humans, NHIs, and AI-linked access paths.
- Behavior, likelihood, impact, and score velocity are distinct signals, and they should drive different operational responses.
- Board-readable metrics help only when teams can explain inputs, blind spots, and the identity classes excluded from the model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity discovery and coverage are central to the score's trustworthiness. |
| NIST CSF 2.0 | ID.AM-1 | Asset and identity inventory underpin any defensible risk scoring model. |
| NIST Zero Trust (SP 800-207) | The article's unified identity context aligns with continuous verification principles. | |
| NIST SP 800-53 Rev 5 | AU-6 | Runtime signals and score velocity rely on audit and monitoring data. |
Use continuous verification to ensure risk scores reflect current identity state, not stale entitlements.
Key terms
- Identity Risk Score: A numerical measure that estimates how risky a specific identity is based on evidence from access, behaviour, and surrounding context. In practice, the score is only as reliable as the identity sources feeding it, especially when humans, NHIs, and AI-linked accounts share the environment.
- Score Velocity: The rate at which an identity risk score changes over time. A fast increase can be more important than the final value because it often signals a trust shift, privilege abuse, or active compromise before static thresholds would normally trigger review.
- Universal Identity Graph: A connected model that links identity entities and their relationships across systems. For governance purposes, it matters because it gives analysts a way to see how human users, service accounts, tokens, and agent-linked access paths relate to each other.
- Session Score: A risk measure focused on what is happening in the active session rather than just what an identity is allowed to do. It is useful when a credential may look normal on paper but the live session shows suspicious behaviour or unexpected reach.
What's in the full announcement
Permiso Security's full post covers the product-level detail this analysis intentionally leaves for the source:
- The underlying Universal Identity Graph model and how it unifies human, NHI, and AI identity signals
- The distinct scoring logic behind Identity Risk Scores, Session Scores, and Organization Risk Scores
- The runtime and behavioural signals used to drive score velocity and session suspicion
- The board-facing workflow for turning an aggregate risk number into an operational queue
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org