
Active identity risk versus static findings: what should teams do?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7628
Topic starter  

TL;DR: Identity teams often face a backlog of orphaned accounts, stale credentials, and policy violations, but Hydden argues that dormant misconfigurations and actively exercised identity gaps should not be prioritised the same way because live usage changes the risk profile. The real shift is from static discovery to active observability, where usage signals determine what gets fixed first.

NHIMG editorial — based on content published by Hydden: identity risk prioritisation needs active usage, not static severity

By the numbers:

Questions worth separating out

Q: How should identity teams prioritise findings in a large backlog?

A: Start with activity, not just severity.

Q: Why do active identity gaps create more risk than dormant ones?

A: Active gaps matter because they are already being exercised, which means the organisation may depend on them operationally.

Q: What do teams get wrong about identity backlog triage?

A: They often treat discovery as the main problem when prioritisation is the real bottleneck.

Practitioner guidance

  • Split backlog queues by activity state: classify findings as dormant, intermittently used, or actively exercised before assigning remediation priority.
  • Correlate identity configuration with event telemetry: join account inventory, entitlement data, and authentication activity so a static policy violation can be evaluated against real usage patterns.
  • Escalate daily-used exceptions first: move shared accounts, stale contractor access, and repeated policy violations to the front of the queue when they appear in critical system logs.
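
As an added illustration of the three guidance points above (example code, not from this post or from Hydden), the Python below joins a static findings inventory to authentication events, classifies each account as dormant, intermittent or active, and orders the queue so actively exercised findings that touch critical systems come ahead of a finding with a higher static severity. The sample data, the activity thresholds and the critical-system list are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): static findings from an identity inventory.
FINDINGS = [
    {"id": "F1", "account": "svc-backup", "type": "shared_account", "severity": "high"},
    {"id": "F2", "account": "ctr-jdoe", "type": "stale_contractor_access", "severity": "medium"},
    {"id": "F3", "account": "svc-legacy-etl", "type": "orphaned_account", "severity": "high"},
    {"id": "F4", "account": "api-key-17", "type": "stale_credential", "severity": "critical"},
]
# Constructed authentication telemetry: (account, ISO timestamp, target system).
AUTH_EVENTS = (
    [("svc-backup", f"2024-05-{d:02d}T02:00:00", "prod-db") for d in range(1, 31)]
    + [("ctr-jdoe", "2024-05-10T09:12:00", "wiki"), ("ctr-jdoe", "2024-05-20T15:40:00", "wiki")]
    + [("svc-legacy-etl", "2024-03-15T01:00:00", "prod-db")]
    + [("api-key-17", f"2024-05-{d:02d}T12:00:00", "staging-api") for d in range(1, 11)]
)
NOW = datetime(2024, 5, 31)                        # assumed evaluation time
CRITICAL_SYSTEMS = {"prod-db", "payments-api"}    # assumed critical-system list
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
STATE_RANK = {"active": 0, "intermittent": 1, "dormant": 2}

def classify_activity(account, events, now, window_days=30, active_days=7):
    """Join one account to its telemetry; return (activity_state, touches_critical_system).
    Thresholds are assumptions: used on >= active_days distinct days in the window is
    'active', used at least once is 'intermittent', never used is 'dormant'."""
    since = now - timedelta(days=window_days)
    days, critical = set(), False
    for acct, ts, system in events:
        t = datetime.fromisoformat(ts)
        if acct != account or t < since:
            continue
        days.add(t.date())
        critical |= system in CRITICAL_SYSTEMS
    state = "active" if len(days) >= active_days else "intermittent" if days else "dormant"
    return state, critical

def prioritise(findings, events, now):
    """Order the backlog by activity state, then critical-system use, then static severity."""
    enriched = []
    for f in findings:
        state, critical = classify_activity(f["account"], events, now)
        enriched.append({**f, "activity": state, "critical_system": critical})
    return sorted(enriched, key=lambda f: (STATE_RANK[f["activity"]],
                                           not f["critical_system"],
                                           SEVERITY_RANK[f["severity"]]))

if __name__ == "__main__":
    for f in prioritise(FINDINGS, AUTH_EVENTS, NOW):
        print(f["id"], f["account"], f["activity"], f["critical_system"], f["severity"])
```

Note that F4, the only "critical" static severity, drops behind the daily-used shared account on prod-db, and the orphaned account with no activity in the window lands last despite its "high" rating.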

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • How its data mesh correlates account creation, authentication, and entitlement events into a single prioritisation view.
  • The mechanics of pushing actively exercised policy violations ahead of dormant findings in a remediation queue.
  • Examples of how identity observability changes triage when access has become part of a production workflow.
  • The underlying event visibility model that separates configuration state from live identity behaviour.

👉 Read Hydden's analysis of active identity risk versus static findings →
