TL;DR: Identity security teams still rely on static tiers and alert volume, even though those methods miss how identities behave in real time; Permiso’s analysis argues for continuous, evidence-backed scoring across posture, likelihood, and impact, with score velocity as an early compromise signal. Static labels and queue-based triage are no longer enough when human, NHI, and AI identities all move at machine speed.
At a glance
What this is: This is an analysis of why identity risk cannot be managed with static tiers, and why continuous scoring tied to live behaviour is becoming the practical baseline.
Why it matters: IAM, NHI, and PAM teams need a measurable risk model that reflects current behaviour, because static entitlements and alert queues do not show which identities are becoming unsafe right now.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read Permiso Security's analysis of continuous identity risk scoring and score velocity
Context
Identity risk is the gap between what an identity can do and what it is doing right now. In most programmes, that gap is still described with static labels, manual reviews, or alert counts, which makes risk look tidy even when behaviour is changing faster than governance can react. That is why identity risk measurement has become a core IAM and NHI problem, not just a reporting problem.
The article argues that a useful risk score must be continuous, multi-dimensional, and evidence-backed across human users, service accounts, API keys, OAuth grants, IAM roles, and AI agents. That framing matters because identity governance now spans both human and non-human actors, and the same measurement model has to tell security teams what is changing, why it matters, and how quickly it is moving.
Key questions
Q: How should security teams measure identity risk instead of using static tiers?
A: Security teams should measure identity risk continuously, using posture and runtime behaviour together rather than assigning a fixed label once and revisiting it later. The score must be evidence-backed, explainable, and updated as the identity changes so that prioritisation reflects current exposure, not stale entitlement data.
Q: Why do static identity labels fail to reflect real exposure?
A: Static labels fail because they describe permission at a point in time, not the identity’s present behaviour or compromise likelihood. A privileged account that logs in from a new location at an odd hour may be far riskier than its tier suggests, while another identity with the same label may be perfectly normal.
Q: How do security teams know if identity risk scoring is working?
A: Identity risk scoring is working when the programme can explain why scores changed, when score movement predicts incidents before they become obvious, and when remediation measurably lowers exposure. If the score cannot be defended, tracked, or tied to action, it is only a dashboard number.
Q: Who should use identity risk scores in an enterprise programme?
A: CISOs, IAM leads, SOC teams, PAM owners, and NHI practitioners should all use the same identity risk view because the attack surface now includes human accounts, service identities, API keys, and AI agents. Shared measurement makes the programme consistent across governance, detection, and enforcement.
Technical breakdown
Why static identity tiers fail to measure real risk
Static identity tiers describe entitlement, not current exposure. A privileged account can look identical in a quarterly review even if its behaviour has drifted, its access has expanded, or its authentication context has changed in ways that materially alter risk. The technical failure is that the scoring unit is the identity label, not the evidence stream. That creates blind spots in IAM and NHI governance because the programme cannot distinguish stable access from active compromise. In practice, static scoring turns identity security into classification management instead of risk measurement.
Practical implication: replace one-time labels with continuously updated scoring inputs tied to live identity behaviour.
What score velocity reveals that alerts miss
Score velocity is the rate at which an identity’s risk changes over time. A single alert may be noisy, but a rising score across multiple small events shows compounding exposure that looks benign in isolation. This matters because identity attacks often progress through plausible steps such as unusual login context, new access grants, and incremental data access. The architecture is useful because it converts scattered detections into a risk trend the SOC can act on before the sequence completes. In other words, the unit of concern becomes change, not just threshold breach.
Practical implication: use score movement as a trigger for step-up checks, session restriction, or investigation before the attack chain matures.
Why multi-dimensional scoring is better than one composite number
A single risk number is only defensible if it can be decomposed. Behaviour shows whether the identity is acting unusually, likelihood estimates whether compromise is plausible, and impact measures the blast radius if the identity is abused. Those dimensions matter because two identities can carry the same headline score for completely different reasons, which require different responses. For IAM, PAM, and NHI teams, the key architectural point is that measurement must preserve explanation, not hide it. Without that structure, the score becomes a dashboard metric rather than a control input.
Practical implication: require every score to be explainable by component signals before you trust it for enforcement.
Threat narrative
Attacker objective: The attacker wants to move an identity through low-friction actions that evade isolated alerts until the account can be used for broader access or data exposure.
- Entry occurs when an identity authenticates from an unusual context or through compromised credentials that still look valid to static controls.
- Escalation follows as small, individually plausible actions accumulate into a rising risk profile that alert-driven triage does not correlate in time.
- Impact occurs when the score spike would have justified session restriction or step-up control, but the programme only sees isolated events after the damage path has progressed.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Static identity tiers are a measurement failure, not a governance model. Static labels say what an identity was allowed to do at review time, but they do not tell you whether that identity is now behaving like an exposed credential, a dormant privilege, or an active compromise. That is why static tiering persists as a reporting habit while failing as operational risk management. The implication is that identity governance needs continuous evidence, not periodic categorisation.
Score velocity is the most useful concept in identity risk measurement because it turns change into a control signal. A stable score can still hide a bad situation, but a rapidly rising score reveals an attack path that individual alerts may never make obvious. That is a field-level shift from event triage to identity-level trend analysis, and it aligns with how modern compromises actually unfold. Practitioners should treat change rate as part of the risk definition, not a secondary metric.
Identity measurement must span human, NHI, and AI identities on the same scale. The operational problem is no longer confined to user accounts, because service accounts, API keys, OAuth grants, IAM roles, and AI agents all participate in the same trust fabric. A separate measurement model for each class creates inconsistent enforcement and weak comparability. The implication is a unified identity risk plane, not a collection of disconnected scorecards.
Behavior, likelihood, and impact are the right dimensions because they preserve explanation. Security leaders do not need a prettier dashboard, they need a score that can be defended to engineers, auditors, and the board. When the dimensions are explicit, teams can understand why an identity moved up the queue and what kind of intervention fits the case. Practitioners should insist on explainable scoring before they let it drive control decisions.
Identity risk scoring is becoming the missing control plane for modern IAM and NHI programmes. As identity populations expand and attack tempo increases, programmes that cannot quantify exposure will continue to manage by exception. Measurement maturity now determines whether identity security is reactive or enforceable. The practical conclusion is simple: if you cannot score it continuously, you cannot govern it reliably.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to our Ultimate Guide to NHIs.
- From our research: Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot measure their non-human attack surface accurately.
- For related context: NHI Lifecycle Management Guide explains the provisioning, rotation, and offboarding gaps that often sit behind incomplete identity visibility.
What this signals
Identity measurement is now a programme design issue, not a reporting enhancement. If the score only updates during scheduled reviews, it will always lag behind actual exposure. The operational shift is toward continuous telemetry, clearer escalation thresholds, and measurement that can drive action before the compromise path completes.
Identity blind spots will widen unless human and non-human identities are scored together. The enterprise identity perimeter now includes service accounts, OAuth grants, and AI agents, not just users. That means teams need one measurement model for access, behaviour, and blast radius across the whole estate, or they will keep optimising one domain while missing another.
Risk measurement will increasingly depend on lifecycle context. A score is more useful when it reflects whether an identity was recently provisioned, rotated, reviewed, or offboarded, because those lifecycle states change how much trust can be placed in it. Programmes that cannot connect score to lifecycle will struggle to turn measurement into governance.
For practitioners
- Replace static identity tiers with continuous scoring Map your current low, medium, and high labels to live behavioural, likelihood, and impact signals so the score changes as the identity changes. Use the output to drive review priority, not just reporting.
- Treat score velocity as a control trigger Define thresholds for rapid score movement that can initiate step-up authentication, session restriction, or analyst review before an identity reaches its objective.
- Unify scoring across human and non-human identities Apply the same measurement model to users, service accounts, API keys, OAuth grants, IAM roles, and AI agents so the programme can compare exposure consistently.
- Require explainable components behind every score Make behaviour, likelihood, and impact visible in the workflow so security, audit, and engineering teams can understand why an identity moved and what changed.
Key takeaways
- Static identity tiers are too blunt to show which identities are becoming dangerous right now.
- Continuous scoring only becomes operationally useful when it exposes the rate of change, not just the final number.
- Unified measurement across human, NHI, and AI identities is becoming the practical foundation for identity governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The article is about measuring NHI exposure and privilege drift. |
| NIST CSF 2.0 | GV.RM-01 | Identity risk scoring supports enterprise risk governance and measurement. |
| NIST Zero Trust (SP 800-207) | Continuous verification is aligned with the article's runtime risk model. | |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to the article's posture-plus-behaviour model. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0011 , Command and Control | The article focuses on credential abuse and live compromise detection. |
Map rising identity risk to credential access patterns and suspicious session behaviour.
Key terms
- Identity Risk Score: A continuous numerical measure of how likely an identity is to be abused and how much damage it could cause. In mature programmes, the score blends entitlement posture with live behaviour so teams can compare identities across human, NHI, and AI categories using the same operational language.
- Score Velocity: The rate at which an identity risk score changes over a defined period. It matters because identity compromise often unfolds as a sequence of small, plausible actions, and the change rate can reveal escalation sooner than a single alert or static score ever will.
- Universal Identity Graph: A correlated identity data model that links activity across systems such as identity providers, cloud accounts, SaaS, and infrastructure. It allows a security team to follow the same identity across sessions and services instead of treating each log source as an isolated event stream.
- Behavior, Likelihood, And Impact: Three scoring dimensions that separate what an identity is doing, how likely it is to be compromised, and how much damage it could cause. Keeping the dimensions visible preserves explanation, which is essential when a score is used to change access or trigger response.
What's in the full article
Permiso Security's full analysis covers the implementation detail this post intentionally leaves for the source:
- How the Risk Score Engine combines posture, runtime behaviour, and impact into a single scoring model.
- How session scoring and organisation-level benchmarking are used in practice for SOC and CISO reporting.
- How score velocity can be turned into response logic such as step-up checks or session restriction.
- How the Universal Identity Graph correlates identity activity across IdPs, cloud, SaaS, and infrastructure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org