By NHI Mgmt Group Editorial Team | Published 2026-02-02 | Domain: Governance & Risk | Source: Semperis

TL;DR: Identity security posture scoring can help teams orient themselves, but in hybrid environments it only works when it is interpreted against configuration reality, legacy dependencies, and permissions context, according to Semperis. The practical issue is not the score itself, but whether it reflects how identity, access, and control relationships actually behave across the estate.


At a glance

What this is: This analysis argues that identity security posture in hybrid environments cannot be measured in isolation because cloud and on-premises controls are tightly coupled.

Why it matters: For IAM and NHI practitioners, the lesson is that posture scoring, permissions management, and least privilege only improve outcomes when they reflect the full identity topology.

👉 Read Semperis's analysis of identity security posture in hybrid environments


Context

Identity security posture is the state of an organisation's identity controls, permissions, and dependencies across cloud and on-premises systems. In hybrid environments, that posture is easy to misread because directories, endpoints, legacy applications, and access policies all interact, which means a narrow score can hide real exposure.

The article's core point is that identity security posture management has to be viewed as an operating model problem, not a dashboard problem. That matters for IAM and NHI governance because service accounts, tokens, and administrative permissions all inherit the same environment-specific complexity that human identities do, often with less visibility and slower remediation.

This framing is typical for mature hybrid estates: the organisations that struggle most are usually the ones with the most legacy debt, inconsistent controls, and incomplete visibility into who or what has rights where.


Key questions

Q: How should security teams use identity security posture scores in hybrid environments?

A: Use posture scores as prioritisation signals, not as a final measure of security. Teams should validate them against actual permissions, dependency paths, and legacy system constraints. A score is only useful when it leads to remediation work that reduces real exposure across both human and non-human identities.

Q: Why do hybrid environments make identity governance harder?

A: Hybrid environments mix cloud controls, on-premises directories, legacy systems, and inconsistent security defaults. That combination makes identity relationships harder to map and access harder to review. NHI governance becomes more difficult because machine credentials and service accounts often follow the same fragmented paths as human access, but with less oversight.

Q: What is the difference between posture scoring and permissions management?

A: Posture scoring measures how well selected controls appear to be configured, while permissions management shows who or what can actually access systems. In practice, permissions management is the stronger operational layer because it exposes excess rights, inherited entitlements, and high-risk access that scores can miss.

Q: How can organisations reduce identity risk before buying more tools?

A: Start by establishing security defaults, cleaning up stale rights, and mapping identity dependencies across the environment. Those steps reduce exposure faster than adding more monitoring on top of a fragmented baseline. For NHIs, the same approach means inventorying service accounts and rotating or revoking credentials that no longer serve a clear purpose.


Technical breakdown

Why posture scores miss hybrid identity risk

Posture scores are abstractions built from control checks, not a full representation of identity risk. In hybrid environments, they often underweight configuration drift, legacy integrations, and permissions that span multiple trust boundaries. That makes them useful as a starting point, but weak as a decision engine. For NHI governance, the same problem appears when service accounts and machine credentials are scored without understanding where they are used, what they can reach, and how long they persist.

Practical implication: Treat posture scoring as a triage input, then validate it against actual identity paths and privilege boundaries.

How permissions management changes the posture picture

Permissions management turns identity posture from a compliance snapshot into an access model. It asks who or what can reach which systems, through what rights, and under what conditions. In hybrid estates, that includes cloud roles, on-premises directory groups, inherited entitlements, and high-risk NHI credentials such as API keys and service principals. The important technical point is that least privilege only works if the entitlement model is continuously reconciled with actual usage and business dependency.

Practical implication: Use permission mapping to identify excess rights before attempting any broader posture scoring programme.

Why technical debt weakens identity controls

Technical debt in identity environments is usually a mix of legacy protocols, older applications, and inconsistent security defaults. These conditions make it harder to deploy modern controls such as passwordless authentication, consistent logging, or automated remediation across the whole estate. They also create blind spots in NHI management, where old service accounts and embedded secrets can remain in place long after the systems that created them have changed. The result is a control environment that looks modern in parts but remains fragile overall.

Practical implication: Prioritise the oldest identity dependencies first, because they often carry the most persistent and least visible risk.




NHI Mgmt Group analysis

Identity posture is an operating model, not a score. The central failure in many hybrid environments is treating posture metrics as if they describe the whole system. They do not. They describe selected controls under selected assumptions, which means leaders can end up optimising for measurement rather than resilience. Practitioners should use scores to drive investigation, not to declare maturity.

Hybrid identity complexity now extends directly into NHI governance. Service accounts, API keys, and workload credentials inherit the same architectural fragmentation as human identities, but they are often reviewed less often and understood less well. That makes a unified identity inventory a governance prerequisite, not a nice-to-have. Teams that cannot map rights across both human and non-human identities will not be able to manage blast radius effectively.

Security defaults still matter because most identity risk is opportunistic. The article is right to resist the idea that only advanced tooling can improve identity resilience. Misconfigurations, outdated systems, and weak baseline controls remain the easiest entry points for attackers. For practitioners, this means the first win is often reducing inherited risk before introducing more sophisticated detection and response layers.

Least privilege remains the right target, but it has to be operationalised against real usage. Rights that are never reviewed, never revoked, or never tied to business context become structural exposure. In hybrid environments, the challenge is not conceptually understanding least privilege, but enforcing it across systems that were built at different times for different control models. Teams should expect entitlement clean-up to be continuous work, not a one-time project.

From our research: what this signals

Identity security posture will keep fragmenting unless teams unify human and non-human visibility. The practical signal for programmes is that posture scoring cannot remain a human-identity exercise. As service accounts and machine credentials proliferate, the control gap widens unless organisations build a single access model that covers both identities and the systems they touch.

Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, which means most teams are still managing machine access with partial maps and incomplete ownership. That is not a tooling problem alone. It is a governance gap that will keep surfacing until lifecycle controls, entitlement reviews, and ownership are tied together.

Operational maturity now depends on lifecycle discipline, not just monitoring. If a programme can see rights but cannot reliably revoke, rotate, or offboard them, the posture score will improve faster than the actual risk profile. Teams should align identity telemetry with the NHI Lifecycle Management Guide and with the NIST Cybersecurity Framework 2.0 to turn visibility into action.


For practitioners

  • Map identity dependencies across cloud and on-premises systems: Build a single inventory of directories, trust relationships, and access paths so posture scoring reflects actual operational dependency rather than isolated control states.
  • Reconcile permissions before trusting any score: Compare reported entitlements with real usage, then remove or reduce rights that no longer match business need, including dormant NHI credentials and inherited directory access.
  • Harden identity baselines before expanding tooling: Standardise security defaults, logging, and privileged access review across legacy and cloud estates before layering on advanced detection or automation.
  • Review long-lived NHI credentials in legacy systems: Identify service accounts, API keys, and embedded secrets that outlast the applications they support, then tie them to explicit owner and rotation requirements.
  • Use posture metrics as investigation triggers: Set thresholds that force manual review when scores change unexpectedly, because score movement often reveals configuration drift or control gaps that deserve direct verification.

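The reconciliation described under "How permissions management changes the posture picture" and in the "Reconcile permissions" and "Review long-lived NHI credentials" items above can be made concrete with a small script. The following is an added example written for this page; it is not code from Semperis or from NHI Mgmt Group. Every identity, group, grant, credential date and usage record in it is constructed, and the 365-day rotation policy and the four checklist controls are assumptions chosen to illustrate the point. It resolves nested group membership across the on-premises/cloud boundary into effective entitlements, flags rights that were never exercised in the review window, flags NHI credentials older than policy, and contrasts those findings with a checklist-style posture score computed from direct configuration only.

```python
"""Hybrid entitlement reconciliation versus a checklist posture score.
Added example, not code from Semperis or NHI Mgmt Group.  All identities,
groups, grants, dates and usage records below are constructed sample data."""
from datetime import date

REVIEW_DATE = date(2026, 2, 2)     # constructed review date
MAX_CREDENTIAL_AGE_DAYS = 365      # assumed rotation policy

# Constructed group membership.  Groups may contain other groups, including
# across the on-prem / cloud boundary ("onprem:" vs "cloud:" prefixes).
GROUPS = {
    "onprem:Domain-Users": ["user:alice", "user:bob", "svc:backup-agent"],
    "onprem:Finance-Admins": ["user:bob", "svc:legacy-etl"],
    "cloud:BillingReaders": ["onprem:Finance-Admins", "svc:report-bot"],
    "cloud:StorageWriters": ["onprem:Domain-Users"],
}

# Constructed grants: (principal or group, resource, right).
GRANTS = [
    ("onprem:Finance-Admins", "res:finance-db", "admin"),
    ("cloud:BillingReaders", "res:billing-api", "read"),
    ("cloud:StorageWriters", "res:customer-blob", "write"),
    ("svc:legacy-etl", "res:customer-blob", "write"),
    ("user:alice", "res:hr-app", "read"),
]

# Constructed last-rotation dates for non-human credentials.
NHI_CREDENTIALS = {
    "svc:backup-agent": date(2025, 11, 1),
    "svc:legacy-etl": date(2022, 3, 15),
    "svc:report-bot": date(2026, 1, 10),
}

# Constructed access-log extract for the review window: (principal, resource).
USAGE = {
    ("user:alice", "res:hr-app"),
    ("user:bob", "res:finance-db"),
    ("svc:report-bot", "res:billing-api"),
    ("svc:backup-agent", "res:customer-blob"),
}


def expand_members(group, groups=GROUPS, seen=frozenset()):
    """Transitively resolve a group to the principals inside it (cycle-safe)."""
    members = set()
    for m in groups.get(group, []):
        if m in groups:                        # nested group
            if m not in seen:
                members |= expand_members(m, groups, seen | {group, m})
        else:
            members.add(m)
    return members


def effective_entitlements(grants=GRANTS, groups=GROUPS):
    """Principal -> {(resource, right, granted_via)} after inheritance is applied."""
    effective = {}
    for subject, resource, right in grants:
        holders = expand_members(subject, groups) if subject in groups else {subject}
        for principal in holders:
            effective.setdefault(principal, set()).add((resource, right, subject))
    return effective


def excess_rights(effective, usage=USAGE):
    """Rights held but never exercised in the window: candidates for removal."""
    findings = []
    for principal, rights in sorted(effective.items()):
        for resource, right, via in sorted(rights):
            if (principal, resource) not in usage:
                findings.append((principal, resource, right, via))
    return findings


def stale_credentials(creds=NHI_CREDENTIALS, today=REVIEW_DATE,
                      max_age=MAX_CREDENTIAL_AGE_DAYS):
    """NHI credentials older than the rotation policy allows."""
    return sorted(p for p, rotated in creds.items() if (today - rotated).days > max_age)


def posture_checks(grants=GRANTS, groups=GROUPS, creds=NHI_CREDENTIALS, today=REVIEW_DATE):
    """Checklist-style controls evaluated on direct configuration only, the
    kind of thing a posture dashboard rolls up into a percentage.  None of
    them follows nested membership, so inherited rights are invisible here."""
    return {
        "admin rights granted only to groups": all(
            s in groups for s, _, r in grants if r == "admin"),
        "service accounts hold no direct admin grants": not any(
            s.startswith("svc:") and r == "admin" for s, _, r in grants),
        "privileged groups have at most 3 direct members": all(
            len(groups[s]) <= 3 for s, _, r in grants if r == "admin" and s in groups),
        "all NHI credentials rotated within policy": all(
            (today - d).days <= MAX_CREDENTIAL_AGE_DAYS for d in creds.values()),
    }


def posture_score(checks):
    """Percentage of passing checks."""
    return round(100 * sum(checks.values()) / len(checks))


if __name__ == "__main__":
    print(f"checklist posture score: {posture_score(posture_checks())}%")
    for principal, resource, right, via in excess_rights(effective_entitlements()):
        print(f"EXCESS  {principal:18} {right:6} {resource:18} via {via}")
    for principal in stale_credentials():
        print(f"STALE   {principal} credential older than {MAX_CREDENTIAL_AGE_DAYS} days")
```

On the constructed data the checklist scores 75%, while the reconciliation surfaces six unused rights, among them svc:legacy-etl holding admin on the finance database through an on-premises group nested inside a cloud role, on a credential not rotated since 2022. That is the gap the article describes: the score reports selected controls under selected assumptions, and only the resolved access paths show what the service account can actually reach. In a real estate the inventory, grants and usage would come from the directory, cloud IAM and access logs rather than from literals.
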
Key takeaways

  • Identity security posture in hybrid environments is only meaningful when it reflects real access paths, not just control checklists.
  • Hybrid complexity and technical debt make permissions management a better operational signal than posture scoring alone.
  • Teams should treat NHI visibility, entitlement review, and lifecycle cleanup as core identity work, not side projects.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-4             | Least-privilege access control is central to posture and permissions review.
OWASP Non-Human Identity Top 10 | NHI-03              | Credential rotation and ownership gaps are relevant to dormant NHI risk.
NIST CSF 2.0                    | GV.RM-01            | Posture scoring is useful only when tied to risk decisions and priorities.

Map hybrid entitlements to PR.AC-4 and remove excess rights during each access review.


Key terms

  • Identity Security Posture: The condition of an organisation's identity controls, permissions, and supporting processes at a given point in time. In practice, it reflects how well access, configuration, and governance align across cloud and on-premises systems, including the identities that are not human and are often harder to see.
  • Hybrid Identity Environment: An environment where cloud identity services and on-premises directories, applications, and controls must work together. This arrangement increases complexity because access paths, trust boundaries, and remediation workflows are spread across systems with different assumptions and operating models.
  • Permissions Management: The discipline of identifying who or what can access systems, what level of access they have, and whether those rights are still justified. It is a practical control layer for reducing excess privilege across human and non-human identities, especially where inheritance and legacy access obscure ownership.
  • Security Defaults: Baseline identity and access configurations that reduce exposure before advanced tooling is added. They are especially valuable in fragmented environments because they establish minimum protections, consistent logging, and safer starting conditions for both human and machine identities.

Deepen your knowledge

Identity security posture management is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect visibility, permissions, and lifecycle control in a hybrid estate, it is worth exploring.

This post draws on content published by Semperis: Understanding Identity Security Posture in Hybrid Environments. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org