
FAIR for identity risk: what IAM teams can actually quantify


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Identity risk remains difficult to translate into business terms, but FAIR gives security teams a way to model loss event frequency and loss magnitude in dollar values, according to Axiad. The real shift is that identity visibility now determines whether risk estimates are credible, because siloed IAM tools miss cross-account access pathways and overstate control coverage.

NHIMG editorial — based on content published by Axiad: FAIR: How to Quantify Your Identity Risk in Business Terms

By the numbers:

  • The 2024 global average cost of a data breach sits at $4.88 million per incident, with credential-based breaches trending toward the higher end of the distribution.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.

Questions worth separating out

Q: How should security teams quantify identity risk in business terms?

A: Security teams should translate identity exposure into expected loss by estimating how often a bad identity event can happen and how much it would cost if it did.

Q: Why do siloed IAM tools weaken identity risk quantification?

A: Siloed IAM tools weaken quantification because each one sees only part of the access picture.

Q: What breaks when orphaned accounts are not included in risk models?

A: Risk models break when orphaned accounts are excluded because the exposed access still exists, even if the HR record has changed.

Practitioner guidance

  • Model the highest-loss identity scenarios first: start with orphaned accounts, exposed credentials, and third-party OAuth grants because these are the scenarios most likely to produce a defendable expected-loss estimate.
  • Correlate identity data before presenting FAIR outputs: tie IGA, IdP, SSPM, CIEM, and cloud access data back to the same identity so the vulnerability estimate reflects actual access pathways.
  • Treat OAuth governance as a financial exposure problem: inventory active third-party connections, flag admin-scoped grants, and score them against the business systems they can reach.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step FAIR scenario construction for orphaned accounts, OAuth sprawl, and forgotten temporary access
  • Illustrative financial modelling inputs, including how identity visibility changes loss estimates
  • Examples of how an IVIP correlates access paths across SaaS, cloud, and human identity estates
  • A vendor-specific walkthrough of the embedded FAIR report and how it is presented to executives

👉 Read Axiad's FAIR analysis for identity risk quantification →




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

FAIR is most valuable for identity programmes when it replaces intuition with an expected-loss model. High and medium labels do not help leaders decide whether to fund orphaned account remediation, OAuth governance, or phishing-resistant authentication first. FAIR gives those teams a shared financial denominator, which is exactly what governance backlogs need to escape political prioritisation.

A few things that frame the scale:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming one, according to Oasis Security & ESG.

A question worth separating out:

Q: How can organisations decide which identity risks to fix first?

A: Organisations should prioritise the risks that reduce the most expected loss per unit of effort, not the ones that look worst in a dashboard. In practice, that often means starting with exposed credentials, orphaned access, and high-privilege OAuth grants. A financial model helps compare those problems against each other instead of treating them as equal.

👉 Read our full editorial: FAIR for identity risk: how to quantify exposure in business terms



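Worked example, added by the editor and not taken from Axiad's article or from either post above: the FAIR arithmetic the editorial describes (loss event frequency = threat event frequency x vulnerability; annual loss = events in a year x loss magnitude) run as a small Monte Carlo over three identity scenarios, followed by the "expected loss reduced per unit of effort" ranking the reply argues for. The scenario names follow the editorial; every frequency, probability, loss figure, control effect and effort number is an illustrative assumption chosen to show the mechanics, not a published estimate, and the `Scenario`, `Remediation`, `pert`, `poisson`, `simulate` and `rank_remediations` names are this example's own.

```python
"""FAIR-style expected-loss model for identity risk scenarios.

Added example (not Axiad's or NHIMG's code). Every number below is an
illustrative assumption chosen to show the mechanics, not a published estimate.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One identity loss scenario with (min, most likely, max) estimates."""
    name: str
    tef: tuple          # threat event frequency: attempts per year
    vuln: tuple         # vulnerability: P(an attempt becomes a loss event)
    magnitude: tuple    # loss magnitude per event, USD


@dataclass(frozen=True)
class Remediation:
    """A control that scales a scenario's vulnerability by vuln_factor
    (0.0 = fully mitigated, 1.0 = no effect) at a cost of `effort` units
    (e.g. engineer-weeks). Both values are assumptions supplied by the modeller."""
    name: str
    scenario: str
    vuln_factor: float
    effort: float


def pert(rng, lo, mode, hi, lam=4.0):
    """Modified-PERT draw: the three-point estimate FAIR practitioners usually elicit."""
    if hi <= lo:
        return lo
    a = 1.0 + lam * (mode - lo) / (hi - lo)
    b = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def poisson(rng, lam):
    """Number of loss events in a year given an expected frequency lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, trials=10_000, seed=7, vuln_factor=1.0):
    """Monte Carlo over one year. Returns (ALE, p50, p90) of annual loss in USD."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        # Loss event frequency = threat event frequency x vulnerability (scaled by the control).
        lef = pert(rng, *scenario.tef) * pert(rng, *scenario.vuln) * vuln_factor
        # Each loss event in the year draws its own magnitude; sum them for the annual loss.
        loss = sum(pert(rng, *scenario.magnitude) for _ in range(poisson(rng, lef)))
        annual.append(loss)
    annual.sort()
    ale = sum(annual) / trials
    return ale, annual[trials // 2], annual[int(trials * 0.9)]


def rank_remediations(scenarios, remediations, **kw):
    """Order controls by expected-loss reduction per unit of effort, most valuable first."""
    by_name = {s.name: s for s in scenarios}
    baseline = {name: simulate(s, **kw)[0] for name, s in by_name.items()}
    rows = []
    for r in remediations:
        mitigated = simulate(by_name[r.scenario], vuln_factor=r.vuln_factor, **kw)[0]
        reduction = baseline[r.scenario] - mitigated
        rows.append((r.name, reduction, reduction / r.effort))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed, illustrative inputs. The upper magnitude bound reuses the $4.88M
# average breach cost quoted in the thread purely as a plausible ceiling.
SCENARIOS = [
    Scenario("orphaned accounts", (2, 6, 20), (0.05, 0.15, 0.40), (50_000, 400_000, 4_880_000)),
    Scenario("exposed credentials", (5, 15, 50), (0.02, 0.10, 0.30), (20_000, 250_000, 3_000_000)),
    Scenario("admin-scoped OAuth grants", (1, 3, 10), (0.05, 0.20, 0.50), (100_000, 800_000, 4_880_000)),
]
REMEDIATIONS = [
    Remediation("deprovision orphans from correlated IGA/IdP data", "orphaned accounts", 0.2, 3),
    Remediation("rotate and vault exposed credentials", "exposed credentials", 0.3, 4),
    Remediation("revoke admin-scoped third-party OAuth grants", "admin-scoped OAuth grants", 0.25, 2),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        ale, p50, p90 = simulate(s)
        print(f"{s.name:28s} ALE ${ale:>12,.0f}  p50 ${p50:>12,.0f}  p90 ${p90:>12,.0f}")
    for name, reduction, per_effort in rank_remediations(SCENARIOS, REMEDIATIONS):
        print(f"{name:50s} -${reduction:>12,.0f}/yr  ${per_effort:>10,.0f} per effort unit")
```

The point to take from the output is the one both posts make: the ranking is driven by the product of frequency, vulnerability and magnitude, so a scenario that looks modest on a dashboard can outrank a "high" one once effort is in the denominator. Re-running `simulate` with a larger `vuln` range for a scenario is also how to see the editorial's visibility argument in numbers: when correlated identity data reveals more access pathways than any single IAM tool showed, the vulnerability estimate goes up and the expected loss moves with it.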