TL;DR: Permiso is framing identity risk as a continuous 0 to 100 score built on a Universal Identity Graph, with separate behavior, likelihood and impact dimensions, plus score velocity and organization-level benchmarking, according to Permiso Security. The real shift is not the number itself, but the move away from fragmented tooling that cannot see across human, NHI, and AI agent identity context.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should teams use identity risk scores without oversimplifying governance?
A: Use identity risk scores as prioritisation inputs, not as automatic decisions.
Q: Why do fragmented identity tools create weak risk scoring?
A: Fragmented tools only score the identities they can see, which means they miss linked access paths, runtime behaviour, and downstream privilege.
Q: When should organisations prioritise score velocity over static thresholds?
A: Prioritise score velocity when identities can change trust posture quickly, such as privileged cloud roles, service accounts, and AI-connected accounts.
Practitioner guidance
- Validate graph completeness before trusting scores Check whether your identity risk model includes humans, NHIs, OAuth-linked access, cloud roles, and AI-connected identities, then document where each source of truth enters the graph.
- Separate response paths by score dimension Route behavior anomalies to detection and investigation, likelihood spikes to compromise triage, and high impact scores to access restriction or containment.
- Track score velocity for privileged identities Set escalation rules for identities whose scores move sharply within a short window, especially if they hold administrative, third-party, or cloud runtime access.
What's in the full announcement
Permiso Security's full post covers the product-level detail this analysis intentionally leaves for the source:
- The underlying Universal Identity Graph model and how it unifies human, NHI, and AI identity signals
- The distinct scoring logic behind Identity Risk Scores, Session Scores, and Organization Risk Scores
- The runtime and behavioural signals used to drive score velocity and session suspicion
- The board-facing workflow for turning an aggregate risk number into an operational queue
👉 Read Permiso Security's introduction to the Risk Score Engine →
Identity risk scoring across humans, NHIs and AI agents: does it work?
Explore further
Identity risk scoring is only as good as the identity model underneath it. A continuous number can improve prioritisation, but only if the programme has already solved identity discovery, classification, and lineage across humans, NHIs, and AI-connected systems. If the model cannot see the full chain of access, the score becomes a confidence layer over fragmentation. The practitioner conclusion is straightforward: scoring is an outcome of governance maturity, not a substitute for it.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why any identity risk model built on partial data will overstate confidence.
A question worth separating out:
Q: What does an organisation-level identity risk score actually tell the board?
A: It tells the board how exposure is trending across the environment, provided the inputs are complete and explainable. The number is only credible when teams can show what identities are included, how the score was calculated, and what changes would move it. Without that context, it is just a summary metric.
👉 Read our full editorial: Identity risk scoring needs a unified model, not another alert layer