TL;DR: Traditional NHI risk scores can improve even as static API keys, service accounts, and hardcoded credentials continue to multiply, so the dashboard looks better while attack surface expands, according to Clutch Security. The real governance problem is not only fixing today’s findings, but measuring whether the identity architecture is actually moving toward less static credential exposure.
At a glance
What this is: This is an analysis of why NHI programmes need two metrics, not one, because risk reduction alone can mask worsening credential sprawl.
Why it matters: IAM, NHI, and autonomous identity teams need a way to separate remediation activity from structural maturity, or they will mistake dashboard hygiene for reduced exposure.
By the numbers:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
👉 Read Clutch Security's blog on zero trust scoring for non-human identities
Context
NHI risk scoring is useful for showing what is broken now, but it does not tell security leaders whether the environment is becoming structurally safer. In practice, teams can reduce exposed secrets or overprivileged service accounts while developers continue creating new static credentials, which means the programme is remediating symptoms faster than it is reducing the root cause. That is the measurement gap this post exposes for NHI governance.
For IAM and NHI teams, the distinction matters because static credentials are not just a finding category, they are the architecture that keeps generating findings. A score that tracks only current risk can trend in the right direction even when the underlying identity model is still built on long-lived secrets, broad entitlements, and inconsistent lifecycle control.
Key questions
Q: How should security teams measure progress in NHI governance beyond risk scores?
A: Use two measures. One should track current exposure, such as exposed secrets, stale credentials, and overprivileged identities. The other should track whether the architecture is becoming less dependent on persistent trust. If remediation improves while persistent credential creation stays high, the programme is cleaning up symptoms rather than reducing the cause.
Q: Why do static service accounts and API keys keep undermining NHI programmes?
A: They persist long enough to accumulate permissions, be copied into code, and survive beyond the business need that created them. That makes them a constant source of new findings, even when old ones are fixed. Without lifecycle governance, organisations keep replacing one exposure with the next.
Q: What do security teams get wrong about zero trust in NHI environments?
A: They often treat zero trust as a yes-or-no control state instead of a directional maturity model. For non-human identities, the better question is whether the estate is reducing standing trust, shrinking secret exposure, and limiting reuse over time. If not, the architecture is still dependent on persistent credentials.
Q: How can IAM leaders tell whether remediation is actually reducing future NHI risk?
A: Look for a falling volume of persistent credentials, better ownership, and fewer repeat findings in the same identity classes. If the risk score drops while static credentials continue to grow, future exposure is still being manufactured. Progress exists only when the environment becomes less likely to recreate the same problems.
Technical breakdown
Risk score vs zero trust score in NHI governance
A risk score measures current exposure, such as stale credentials, exposed secrets, and overprivileged identities. A zero trust score measures architectural direction, meaning whether the estate is moving away from persistent, reusable trust and toward tighter identity governance. The two are not interchangeable. One is a snapshot of broken conditions, while the other is a maturity signal for how the NHI estate is changing over time. This distinction matters because remediating findings can improve the first metric without meaningfully changing the second.
Practical implication: Treat remediation and maturity as separate management objects, tracking current exposure and architectural progress as separate controls so remediation activity does not get mistaken for maturity.
Static credentials as the hidden driver of score drift
Static credentials are long-lived identities or secrets that remain valid across many sessions and usually accumulate risk over time. They are the hidden driver behind score drift because they keep creating new opportunities for exposure, reuse, and privilege creep even after old findings are fixed. When teams rotate one leaked secret but continue issuing new API keys, the pool of persistent credentials grows faster than the backlog of findings shrinks. That is why a clean dashboard can sit beside an expanding attack surface.
Practical implication: Measure the creation rate of persistent credentials, not just the count of remediated findings, because growth there can cancel out remediation gains.
What architectural progress means for non-human identities
Architectural progress in NHI governance means reducing the number of identities that depend on standing secrets and broad default trust. In practical terms, that means moving from reactive cleanup toward tighter lifecycle control, better ownership, and where possible, ephemeral or secretless patterns. The goal is not to make every score green. The goal is to reduce the conditions that keep producing security debt. A maturity metric is valuable only if it shows that the environment is less likely to regenerate the same class of findings.
Practical implication: Use maturity metrics to steer platform and identity architecture decisions that reduce future exposure, not only to report current status each quarter.
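The two-score idea above is easier to reason about with numbers in hand. The following Python script is an added example, not code from Clutch Security or from the original post: it computes a point-in-time risk score (open findings) and a zero trust score (share of non-static identities plus ownership coverage) over two constructed quarterly snapshots of an NHI estate. The identities, the 90-day staleness threshold, and the weighting of the zero trust score are all assumptions made for the demonstration; the point is to show the divergence the text describes, where every visible finding is fixed while the stock of persistent credentials grows.

```python
"""Two-score view of a non-human identity (NHI) estate.

Constructed example: a risk score (current findings) and a zero trust
score (architectural direction) computed over two quarterly snapshots.
All identities, thresholds and weights below are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STALE_AFTER_DAYS = 90  # assumption: a static credential older than this is "stale"


@dataclass(frozen=True)
class Identity:
    ident: str
    kind: str               # "api_key", "service_account" or "workload_identity"
    static: bool            # True = long-lived secret; False = ephemeral / secretless
    age_days: int           # days since the current credential was issued
    exposed: bool           # secret found in code, logs or tickets
    overprivileged: bool    # entitlements exceed the business need
    owner: Optional[str]    # None = nobody accountable for the lifecycle


def risk_findings(estate: List[Identity]) -> Dict[str, int]:
    """Point-in-time findings: what is broken right now."""
    findings = {"exposed_secrets": 0, "stale_credentials": 0, "overprivileged": 0}
    for i in estate:
        if i.exposed:
            findings["exposed_secrets"] += 1
        if i.static and i.age_days > STALE_AFTER_DAYS:
            findings["stale_credentials"] += 1
        if i.overprivileged:
            findings["overprivileged"] += 1
    return findings


def risk_score(estate: List[Identity]) -> int:
    """Lower is better: total number of open findings."""
    return sum(risk_findings(estate).values())


def zero_trust_score(estate: List[Identity]) -> float:
    """Maturity signal, 0..100, higher = less dependence on persistent trust.

    Assumption: the share of non-static identities is weighted twice as
    heavily as ownership coverage.
    """
    if not estate:
        return 100.0
    non_static_share = sum(1 for i in estate if not i.static) / len(estate)
    owned_share = sum(1 for i in estate if i.owner is not None) / len(estate)
    return round(100 * (2 * non_static_share + owned_share) / 3, 1)


def persistent_credential_delta(before: List[Identity], after: List[Identity]) -> Dict[str, int]:
    """Static credentials created and retired between two snapshots."""
    before_ids = {i.ident for i in before if i.static}
    after_ids = {i.ident for i in after if i.static}
    created = len(after_ids - before_ids)
    retired = len(before_ids - after_ids)
    return {"created": created, "retired": retired, "net": created - retired}


def two_score_report(before: List[Identity], after: List[Identity]) -> Dict[str, object]:
    """Compare both scores and say whether remediation outran governance."""
    risk_before, risk_after = risk_score(before), risk_score(after)
    zt_before, zt_after = zero_trust_score(before), zero_trust_score(after)
    delta = persistent_credential_delta(before, after)
    if risk_after < risk_before and (zt_after < zt_before or delta["net"] > 0):
        verdict = "symptoms remediated, root cause growing"
    elif zt_after > zt_before:
        verdict = "structural progress"
    else:
        verdict = "no change"
    return {"risk": (risk_before, risk_after), "zero_trust": (zt_before, zt_after),
            "static_delta": delta, "verdict": verdict}


# Constructed snapshots: Q2 rotates the exposed secrets and scopes down the
# overprivileged identities, but developers have minted three new static API keys.
Q1 = [
    Identity("svc-billing", "service_account", True, 200, True, True, "payments"),
    Identity("key-ci-deploy", "api_key", True, 120, False, True, None),
    Identity("key-analytics", "api_key", True, 30, True, False, "data"),
    Identity("wl-frontend", "workload_identity", False, 10, False, False, "web"),
]
Q2 = [
    Identity("svc-billing", "service_account", True, 5, False, False, "payments"),
    Identity("key-ci-deploy", "api_key", True, 210, False, False, None),
    Identity("key-analytics", "api_key", True, 5, False, False, "data"),
    Identity("wl-frontend", "workload_identity", False, 100, False, False, "web"),
    Identity("key-etl-1", "api_key", True, 20, False, False, None),
    Identity("key-etl-2", "api_key", True, 20, False, False, None),
    Identity("key-bot-3", "api_key", True, 15, False, False, "ops"),
]

if __name__ == "__main__":
    for key, value in two_score_report(Q1, Q2).items():
        print(f"{key}: {value}")
```

Running it shows the risk score falling from 6 to 1 while the zero trust score falls from 41.7 to 28.6 and three new static credentials appear with none retired, which is exactly the case where a single risk metric would report success.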
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Risk scores are necessary but incomplete because they describe the state of damage, not the quality of the identity architecture producing it. A programme can remove exposed secrets, scope down service accounts, and still keep creating new static credentials at scale. That means the organisation is learning how to clean up faster, not how to stop generating the problem. For identity governance, the decisive question is whether the environment is still manufacturing the same exposure patterns.
Static credential proliferation is the real governance signal, not the green dashboard. When developers can keep provisioning new API keys and hardcoded credentials while remediation work lowers visible risk, the control model is losing the race at the source. This is a lifecycle problem, not a point-in-time hygiene problem. The practitioner conclusion is straightforward: measure how many persistent identities are being created, governed, and retired, not just how many are fixed.
Zero trust scoring introduces a more honest view of NHI maturity because it measures whether the estate is moving away from standing trust. That makes it more useful for boards, auditors, and IAM leaders than a one-dimensional risk count. The category needs both answers: what is broken now, and whether the architecture is getting less dependent on persistent secrets over time. Practitioners should treat maturity scoring as the control plane for identity design decisions.
Standing credential exposure window: The underlying failure mode is not simply exposed secrets, but the fact that many NHI programmes still assume credentials live long enough to be discovered and fixed before they are abused. That assumption breaks when static identities are created continuously and live indefinitely. The implication is that governance must be evaluated by how quickly it shrinks persistent trust, not by how fast it clears incidents.
Two-score measurement is becoming the right model for NHI governance because one score cannot represent both remediation and architectural change. A single metric collapses two different management questions into one noisy number. Separating them makes it easier to see whether the programme is actually reducing future exposure or only managing this quarter’s findings. Practitioners should build reporting that distinguishes hygiene from structural progress.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For a deeper lifecycle view, see NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding controls that turn measurement into governance.
What this signals
Standing credential exposure window: As long as organisations keep creating new static credentials faster than they retire old ones, a declining risk score can coexist with growing exposure. That is why NHI programmes need a maturity lens, not only a remediation lens, and why lifecycle controls matter more than quarterly cleanup.
With 27 days as the average time to remediate a leaked secret in our research, the gap between detection and removal is large enough for scorecards to mislead leadership. Security teams should expect board questions to shift from how many issues were fixed to whether the environment is still producing the same issues.
That shift aligns with NIST SP 800-207 Zero Trust Architecture, which treats trust as continuous and conditional rather than static. For identity programmes, the forward signal is clear: measure whether credentials are becoming shorter-lived, more owned, and harder to reuse.
For practitioners
- Separate remediation and maturity reporting: Report current NHI risk findings and architectural progress as two different programme outcomes. Use one view for exposed secrets, overprivileged identities, and policy violations, and a second view for the rate of persistent credential creation and retirement.
- Track persistent credential growth: Measure how many new static API keys, service accounts, and hardcoded credentials are created each cycle. If that number keeps rising, a falling risk score may only mean the team is remediating faster, not governing better.
- Tie scorecards to lifecycle ownership: Assign owners for identity creation, rotation, review, and retirement so the programme can show which teams are adding structural risk. Segment reporting by owner, identity type, and environment to expose where maturity is stalled.
- Use maturity metrics for architecture decisions: Use zero trust maturity signals to decide where to replace standing credentials with ephemeral or tightly governed identity patterns. That keeps board reporting linked to actual reduction in future exposure, not just to cleanup activity.
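The practitioner steps above call for a lifecycle ledger that can be segmented by owner, identity type, and environment, and for spotting repeat findings in the same identity class. The Python below is an added example, not the original post's or any vendor's code: it takes a constructed ledger of credential creation and retirement events plus a constructed findings log, counts persistent credentials created and retired per segment, flags segments whose stock of standing credentials grew, and lists the (kind, finding type) classes that recur across cycles. Identity names, owners, cycles, and the set of kinds treated as static are all assumptions for the demonstration.

```python
"""Lifecycle ledger segmentation for persistent NHI credentials.

Constructed example: per-segment creation/retirement counts and repeat
findings per identity class over two reporting cycles. Every identifier,
owner and event below is an assumption for the demo.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

STATIC_KINDS = {"api_key", "service_account"}  # kinds that carry a standing secret

# Ledger rows: (cycle, event, identity, kind, owner, environment)
Row = Tuple[str, str, str, str, str, str]
LEDGER: List[Row] = [
    ("2025-Q3", "created", "key-etl-1", "api_key", "data", "prod"),
    ("2025-Q3", "created", "svc-report", "service_account", "finance", "prod"),
    ("2025-Q3", "retired", "key-legacy", "api_key", "data", "prod"),
    ("2025-Q3", "created", "wl-api", "workload_identity", "web", "prod"),
    ("2025-Q4", "created", "key-etl-2", "api_key", "data", "prod"),
    ("2025-Q4", "created", "key-etl-3", "api_key", "data", "staging"),
    ("2025-Q4", "retired", "svc-report", "service_account", "finance", "prod"),
    ("2025-Q4", "created", "key-pay-1", "api_key", "payments", "prod"),
]

# Findings rows: (cycle, identity, kind, finding_type)
FINDINGS: List[Tuple[str, str, str, str]] = [
    ("2025-Q3", "key-etl-1", "api_key", "exposed_secret"),
    ("2025-Q3", "svc-report", "service_account", "overprivileged"),
    ("2025-Q3", "key-legacy", "api_key", "stale"),
    ("2025-Q4", "key-etl-2", "api_key", "exposed_secret"),
    ("2025-Q4", "key-pay-1", "api_key", "overprivileged"),
]


def lifecycle_by_segment(ledger: List[Row],
                         segment: Callable[[Row], str] = lambda r: r[4]
                         ) -> Dict[str, Dict[str, int]]:
    """Static credentials created/retired per segment.

    The default segment is the owner (column 4); pass ``lambda r: r[3]`` to
    segment by identity kind or ``lambda r: r[5]`` to segment by environment.
    Ephemeral/workload identities are skipped because they add no standing trust.
    """
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: {"created": 0, "retired": 0, "net": 0})
    for row in ledger:
        _cycle, event, _ident, kind, _owner, _env = row
        if kind not in STATIC_KINDS:
            continue
        bucket = out[segment(row)]
        bucket[event] += 1
        bucket["net"] = bucket["created"] - bucket["retired"]
    return dict(out)


def stalled_segments(ledger: List[Row],
                     segment: Callable[[Row], str] = lambda r: r[4]) -> List[str]:
    """Segments whose stock of persistent credentials grew over the window."""
    return sorted(s for s, c in lifecycle_by_segment(ledger, segment).items() if c["net"] > 0)


def repeat_findings(findings) -> Dict[Tuple[str, str], List[str]]:
    """Identity classes (kind, finding type) that reappear in more than one cycle."""
    cycles: Dict[Tuple[str, str], set] = defaultdict(set)
    for cycle, _ident, kind, ftype in findings:
        cycles[(kind, ftype)].add(cycle)
    return {cls: sorted(c) for cls, c in cycles.items() if len(c) > 1}


if __name__ == "__main__":
    print("by owner:", lifecycle_by_segment(LEDGER))
    print("by environment:", lifecycle_by_segment(LEDGER, lambda r: r[5]))
    print("stalled owners:", stalled_segments(LEDGER))
    print("repeat classes:", repeat_findings(FINDINGS))
```

On the constructed data the "data" and "payments" owners both end the window with more static credentials than they started with, and the (api_key, exposed_secret) class recurs in both cycles, which is the pattern the text describes as exposure being manufactured faster than it is cleared.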
Key takeaways
- A single NHI risk score can improve even while the underlying identity architecture keeps producing new exposure.
- The scale problem is not only leaked secrets, but the continued creation of static credentials that regenerate risk faster than remediation clears it.
- Practitioners should separate remediation metrics from maturity metrics so leadership can see whether the programme is reducing future trust, not just cleaning up current findings.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Static credential proliferation and rotation gaps are central to this scoring model. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential governance maps to access control and continuous review. |
| NIST Zero Trust (SP 800-207) | (no specific control cited) | The article’s core theme is whether trust is becoming conditional and continuously verified. |
Track persistent credentials against NHI-03 and reduce long-lived secrets through lifecycle controls.
Key terms
- Risk Score: A risk score is a point-in-time measure of what is currently exposed or misconfigured in an identity environment. In NHI programmes it is useful for remediation, but it does not tell you whether the architecture is becoming safer over time or just clearing today’s backlog.
- Zero Trust Score: A zero trust score is a maturity measure that reflects how far an environment has moved away from persistent, reusable trust. For non-human identities, it helps show whether the estate is shrinking static credential dependence and adopting tighter lifecycle control.
- Static Credential: A static credential is a long-lived secret, key, token, or certificate that remains usable across sessions until it is revoked or rotated. These credentials create repeated exposure because they can be copied, reused, and forgotten, which makes them a structural risk in NHI estates.
- Standing Trust: Standing trust is access or credential validity that persists beyond a single task, session, or business need. In identity governance, it is the opposite of zero trust thinking because it allows non-human identities to remain continuously usable instead of being constrained by context.
Deepen your knowledge
NHI scorecard design and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to separate remediation from maturity in the same programme, it is worth exploring.
This post draws on content published by Clutch Security: Why We Built Two Scores: Introducing Zero Trust Scoring for Non-Human Identities. Read the original.
Published by the NHIMG editorial team on 2026-01-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org