
How should teams measure identity security value beyond compliance?


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 85
Topic starter  

TL;DR: SailPoint argues that identity security programs should be measured by cost reduction, risk reduction, and business agility rather than audit pass rates, citing its Horizons of Identity Security report. The real shift is from proving minimum compliance to showing measurable operational and financial value that justifies continued investment.

NHIMG editorial — based on content published by SailPoint: Beyond the checkbox: How to measure real value in identity security

By the numbers:

Questions worth separating out

Q: How should security teams measure the business value of identity security?

A: Security teams should measure identity security by its effect on cost, risk, and delivery speed.

Q: Why is compliance not enough to judge identity security maturity?

A: Compliance proves that a control exists at a point in time, but it does not prove that access is well governed in daily operations.

Q: What is the difference between compliance metrics and identity value metrics?

A: Compliance metrics answer whether a policy or control was satisfied.

Practitioner guidance

  • Build a value scorecard for identity controls: track onboarding cycle time, access request resolution time, deprovisioning speed, help desk volume, and the number of high-risk entitlements removed each month.
  • Tie NHI lifecycle events to measurable control outcomes: record when service accounts, API keys, tokens, and certificates are created, rotated, reissued, and revoked.
  • Prioritise cleanup of toxic access and orphaned credentials: review accounts with excessive privileges, unused credentials, and access combinations that should never coexist.

For NHI-heavy environments, that pressure is stronger because machine credentials tend to persist after the workflow that created them has moved on.

👉 Read SailPoint's analysis of how to measure identity security value beyond compliance →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

A few things worth adding from our research at NHI Mgmt Group.

Compliance-only identity programmes create a measurement blind spot: passing an audit says little about whether access is actually governed well. Identity security must be judged by how quickly access is provisioned and removed, how much manual work is eliminated, and how much privilege is left exposed between lifecycle events. Practitioners should treat audit success as a floor, not the definition of value.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How can organisations prove that identity automation reduces risk?

A: Organisations can prove risk reduction by showing that automation shortens the time to revoke access, removes standing privilege faster, and cuts down on orphaned accounts or stale entitlements. They should also track reductions in high-risk access combinations and compare those changes to breach exposure models.

👉 Read our full editorial: Identity security value should be measured beyond compliance checkboxes



   
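The value scorecard from the practitioner guidance in the opening post (deprovisioning speed, stale and orphaned credentials, toxic access combinations) and the risk-reduction evidence the moderator reply asks for (time to revoke, remediation of exposed secrets) can both be computed from the same lifecycle event stream. The script below is an added example, not SailPoint's or NHI Mgmt Group's code; the event types (`created`, `rotated`, `revoked`, `owner_left`, `leak_notified`), credential names, entitlement snapshot, segregation-of-duties pair, and the 90-day and 5-day thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real data): (timestamp, credential id, event).
# Assumed event types: created/rotated/revoked are lifecycle actions; owner_left
# means the person or workflow that owned the credential is gone; leak_notified
# means the organisation was told the secret is exposed.
EVENTS = [
    (_t("2024-02-01T09:10"), "cert-gateway", "created"),
    (_t("2024-03-01T09:00"), "svc-billing", "created"),
    (_t("2024-03-01T09:05"), "key-ci-deploy", "created"),
    (_t("2024-03-02T10:00"), "key-analytics", "created"),
    (_t("2024-04-15T08:00"), "key-ci-deploy", "rotated"),
    (_t("2024-05-01T12:00"), "svc-billing", "owner_left"),
    (_t("2024-05-01T15:30"), "svc-billing", "revoked"),         # revoked 3.5 h later
    (_t("2024-05-03T09:00"), "key-analytics", "owner_left"),    # never revoked
    (_t("2024-05-10T11:00"), "key-ci-deploy", "leak_notified"),
    (_t("2024-05-10T13:00"), "key-ci-deploy", "revoked"),       # remediated in 2 h
    (_t("2024-05-12T08:00"), "cert-gateway", "leak_notified"),  # still valid at NOW
]
NOW = _t("2024-05-20T00:00")

# Constructed entitlement snapshot and one segregation-of-duties pair that should
# never be held by a single identity, human or machine.
ENTITLEMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"approve_payment"},
    "svc-billing": {"create_vendor", "read_ledger"},
    "key-analytics": {"read_ledger"},
}
TOXIC_PAIRS = [frozenset({"create_vendor", "approve_payment"})]


def _by_cred(events):
    """Group events per credential, ordered by time."""
    hist = defaultdict(list)
    for ts, cred, kind in sorted(events):
        hist[cred].append((ts, kind))
    return hist


def _first_after(history, kind, start):
    """Timestamp of the first `kind` event at or after `start`, else None."""
    return next((ts for ts, k in history if k == kind and ts >= start), None)


def median_hours_to_revoke(events):
    """Deprovisioning speed: median hours from owner_left to the next revoked."""
    hours = []
    for history in _by_cred(events).values():
        for ts, kind in history:
            if kind == "owner_left":
                revoked = _first_after(history, "revoked", ts)
                if revoked is not None:
                    hours.append((revoked - ts).total_seconds() / 3600)
    return median(hours) if hours else None


def orphaned_credentials(events, now):
    """Credentials whose owner is gone but which are still not revoked at `now`."""
    orphans = []
    for cred, history in _by_cred(events).items():
        left = _first_after(history, "owner_left", datetime.min)
        if left is not None and left <= now and _first_after(history, "revoked", left) is None:
            orphans.append(cred)
    return sorted(orphans)


def stale_credentials(events, now, max_age_days=90):
    """Live credentials not created or rotated within `max_age_days`."""
    stale = []
    for cred, history in _by_cred(events).items():
        if _first_after(history, "revoked", datetime.min) is not None:
            continue  # already revoked, nothing standing
        last_refresh = max((ts for ts, k in history if k in ("created", "rotated")), default=None)
        if last_refresh is not None and (now - last_refresh).days > max_age_days:
            stale.append(cred)
    return sorted(stale)


def remediation_gap(events, now, window_days=5):
    """Share of leak-notified secrets still valid `window_days` after notice.
    Only notifications whose window has already elapsed at `now` are counted."""
    notified = still_valid = 0
    for history in _by_cred(events).values():
        for ts, kind in history:
            deadline = ts + timedelta(days=window_days)
            if kind != "leak_notified" or deadline > now:
                continue
            notified += 1
            revoked = _first_after(history, "revoked", ts)
            if revoked is None or revoked > deadline:
                still_valid += 1
    ratio = still_valid / notified if notified else 0.0
    return {"notified": notified, "still_valid_after_window": still_valid, "ratio": ratio}


def toxic_combinations(entitlements, toxic_pairs):
    """Identities holding an entitlement pair that should never coexist."""
    return [(who, tuple(sorted(pair)))
            for who, ents in sorted(entitlements.items())
            for pair in toxic_pairs if pair <= ents]


def scorecard(events=EVENTS, entitlements=ENTITLEMENTS, now=NOW):
    """One dict a team can trend month over month instead of an audit pass rate."""
    return {
        "median_hours_to_revoke": median_hours_to_revoke(events),
        "orphaned": orphaned_credentials(events, now),
        "stale_over_90d": stale_credentials(events, now),
        "leak_remediation": remediation_gap(events, now),
        "toxic_access": toxic_combinations(entitlements, TOXIC_PAIRS),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name}: {value}")
```

Each metric is a number or list that can be compared across months: a falling median time to revoke, a shrinking orphan list, and a lower share of exposed secrets still valid after the remediation window are direct evidence that automation is reducing standing exposure, which is the kind of value argument neither an audit pass rate nor a point-in-time control check provides.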