Clarity Aperture and adaptive trust: what changes for IAM teams?


(@nhi-mgmt-group)

TL;DR: 97% of organizations with an AI-related breach lacked proper AI access controls, and periodic governance alone cannot continuously close identity risk across humans, NHIs, and AI agents, according to Clarity Security and IBM’s 2025 Cost of a Data Breach report. The real issue is that access review processes expose compliance state, not live exposure, so risk-driven remediation becomes the missing control.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities that change risk continuously?

A: Security teams should treat non-human identities as active exposure points, not static records.

Q: Why do periodic access reviews miss the real NHI risk?

A: Periodic reviews miss the real risk because they measure entitlement state at a point in time, while NHI exposure can change between cycles.

Q: What breaks when NHI governance stops at compliance evidence?

A: What breaks is closure.

Practitioner guidance

  • Separate evidence production from risk reduction: Keep access reviews, audit exports, and compliance attestations, but add a parallel control path that can close risky access as soon as it is identified.
  • Build ownership for every non-human identity: Assign a named owner to service accounts, API keys, OAuth apps, and bots, then require ownership to survive environment changes and team turnover.
  • Prioritise remediation by blast path, not inventory order: Use nested permissions, federated links, and exposure mapping to sort the identities most likely to expand access across systems.

What's in the full announcement

Clarity Security's full announcement covers the operational detail this post intentionally leaves for the source:

  • How the dynamic risk scoring engine weights inherent and contextual identity risk across connected systems
  • How read and write remediation workflows are executed across legacy mainframes, SaaS, cloud, and on-premise environments
  • How the NHI and AI Security module maps permission chains, ownership, and accountability at scale
  • How Clarity measures posture improvement against the OWASP Non-Human Identity Top 10

👉 Read Clarity Security's announcement on adaptive trust and NHI governance →

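The ownership and blast-path points in the practitioner guidance above, sketched as an added example that is not part of the original post and is not Clarity Security's code. The inventory, the edge map, the field names and the `sys:` prefix convention are all constructed assumptions.

```python
from collections import deque

# Constructed sample inventory: each NHI has an owner (or None) and direct grants.
IDENTITIES = {
    "svc-backup":    {"type": "service_account", "owner": "alice", "grants": ["grp-storage-admins"]},
    "ci-deploy-key": {"type": "api_key", "owner": None, "grants": ["grp-deployers"]},
    "crm-oauth-app": {"type": "oauth_app", "owner": "bob", "grants": ["sys:crm"]},
    "chat-bot":      {"type": "bot", "owner": None, "grants": ["sys:chat"]},
}

# Constructed edges: nested groups and federated links, node -> what it confers.
# Nodes prefixed "sys:" are systems; everything else is an intermediate hop.
EDGES = {
    "grp-deployers": ["grp-storage-admins", "sys:k8s-prod", "fed:aws-prod-role"],
    "grp-storage-admins": ["sys:object-store", "sys:backup-vault"],
    "fed:aws-prod-role": ["sys:aws-prod", "sys:object-store"],
}

def blast_path(identity):
    """Systems reachable through nested and federated grants (breadth-first)."""
    seen, systems = set(), set()
    queue = deque(IDENTITIES[identity]["grants"])
    while queue:
        node = queue.popleft()
        if node in seen:          # guards against cyclic group nesting
            continue
        seen.add(node)
        if node.startswith("sys:"):
            systems.add(node)
        queue.extend(EDGES.get(node, []))
    return systems

def unowned():
    """Identities with no named owner, which the guidance says should not exist."""
    return sorted(n for n, rec in IDENTITIES.items() if rec["owner"] is None)

def remediation_queue():
    """Order identities by reach (widest first), unowned before owned on ties."""
    rows = []
    for name, rec in IDENTITIES.items():
        systems = sorted(blast_path(name))
        rows.append({"identity": name, "owner": rec["owner"],
                     "reach": len(systems), "systems": systems})
    rows.sort(key=lambda r: (-r["reach"], r["owner"] is not None, r["identity"]))
    return rows

if __name__ == "__main__":
    for row in remediation_queue():
        print(f'{row["identity"]:15} owner={row["owner"]!s:6} reach={row["reach"]} {row["systems"]}')
```

In inventory order `ci-deploy-key` is just the second record; ranked by reach it comes first, because one group membership fans out through a nested group and a federated role.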