Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Clarity Aperture and adaptive trust: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: 97% of organizations with an AI-related breach lacked proper AI access controls, and periodic governance alone cannot continuously close identity risk across humans, NHIs, and AI agents, according to Clarity Security and IBM’s 2025 Cost of a Data Breach report. The real issue is that access review processes expose compliance state, not live exposure, so risk-driven remediation becomes the missing control.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities that change risk continuously?

A: Security teams should treat non-human identities as active exposure points, not static records.

Q: Why do periodic access reviews miss the real NHI risk?

A: Periodic reviews miss the real risk because they measure entitlement state at a point in time, while NHI exposure can change between cycles.

Q: What breaks when NHI governance stops at compliance evidence?

A: What breaks is closure.

Practitioner guidance

  • Separate evidence production from risk reduction Keep access reviews, audit exports, and compliance attestations, but add a parallel control path that can close risky access as soon as it is identified.
  • Build ownership for every non-human identity Assign a named owner to service accounts, API keys, OAuth apps, and bots, then require ownership to survive environment changes and team turnover.
  • Prioritise remediation by blast path, not inventory order Use nested permissions, federated links, and exposure mapping to sort the identities most likely to expand access across systems.

What's in the full announcement

Clarity Security's full announcement covers the operational detail this post intentionally leaves for the source:

  • How the dynamic risk scoring engine weights inherent and contextual identity risk across connected systems
  • How read and write remediation workflows are executed across legacy mainframes, SaaS, cloud, and on-premise environments
  • How the NHI and AI Security module maps permission chains, ownership, and accountability at scale
  • How Clarity measures posture improvement against the OWASP Non-Human Identity Top 10

👉 Read Clarity Security's announcement on adaptive trust and NHI governance →

Clarity Aperture and adaptive trust: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Compliance-first identity governance leaves the highest-risk access untouched. Programs built around periodic reviews answer the auditor’s question, not the attacker’s question. They can confirm that access exists, but they do not continuously determine whether that access is still appropriate or exploitable. The practical conclusion is that risk reduction and evidence production need separate control logic, especially where non-human identities accumulate quietly.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.

A question worth separating out:

Q: Who should be accountable when risky non-human access is found?

A: The accountable party should be the business or technical owner of the identity, not a periodic review queue. Accountability must be structural, because service accounts and API keys outlive meetings, tickets, and staffing changes. Clear ownership is what allows remediation to happen before exposure turns into an incident.

👉 Read our full editorial: Clarity Aperture reframes identity governance around continuous risk



   
ReplyQuote
Share: