IGA metrics that prove your identity program is actually working


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter

TL;DR: Identity governance should be measured by risk reduction, operational speed, and automation coverage, not by whether reviews were completed or audits passed, according to ConductorOne. As identity expands across humans, NHI, and AI agents, completion metrics alone no longer show whether the programme is scaling safely or reducing exposure.

NHIMG editorial — based on content published by ConductorOne: 10 IGA Metrics Every Security Team Should Use to Measure Success

By the numbers:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.

Questions worth separating out

Q: How should security teams measure whether IGA is reducing risk?

A: Measure whether access is becoming safer, faster, and less manual.

Q: Why do completion metrics fail for identity governance programmes?

A: Completion metrics tell you that work happened, not that risk fell.

Q: What signals show that access review processes are becoming too manual?

A: Look for growing preparation time, high numbers of reviewer actions per campaign, rising overdue reviews, and repeated low-risk decisions that still need human attention.

Practitioner guidance

  • Rebuild dashboards around outcome signals: Replace completion-only reporting with metrics for revocation speed, privilege duration, automation coverage, and reduction in risky entitlements.
  • Measure privileged access as a time-bound exposure: Track how long elevated access remains active by system and business function, then review where standing privilege persists beyond task need.
  • Standardise governance metrics across human and non-human identities: Use the same reporting model for employee access, service accounts, and AI-driven workflows so that risk trends are comparable across actor types.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • A metric-by-metric breakdown of how to instrument access reviews, request handling, and privilege tracking across an IGA programme.
  • The practical reporting model behind time-to-onboard, time-to-offboard, and time-to-revoke measurements for audit and leadership reporting.
  • How automation and manual effort can be separated in governance dashboards so teams can prove efficiency gains, not just process completion.
  • The article's full list of ten metrics, useful if you are building or refining a scorecard for an identity governance programme.

👉 Read ConductorOne's guide to IGA metrics that measure programme success →

Quote
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Identity governance has a measurement problem before it has a tooling problem. Most programmes still report completion because completion is easy to evidence, but that says little about whether risk fell. The deeper issue is that legacy governance models were built to prove process execution, not security outcomes across human and non-human estates. Practitioners should treat outcome metrics as the real control plane.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.

A question worth separating out:

Q: How do organisations know if privileged access controls are working?

A: They are working when standing privilege declines, privileged sessions are shorter, and elevated access is granted only when needed. If high-risk access remains persistent or repeatedly reappears after review, the control model is not reducing blast radius.

👉 Read our full editorial: IGA metrics that prove risk reduction, not just completion



   
ReplyQuote
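Both posts above argue for outcome metrics (time-to-revoke, duration of standing privilege, automation coverage, and the manual load of review campaigns) over completion counts. The following is an added example, not code from either post or from ConductorOne, showing how those four signals can be computed from access event records; the record layouts and the sample rows are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not from the posts or the article): one tuple per event.
ISO = "%Y-%m-%dT%H:%M"

def ts(s):
    return datetime.strptime(s, ISO)

# (terminated_at, access_revoked_at, revoked_by)
OFFBOARDINGS = [
    ("2024-05-01T09:00", "2024-05-01T09:12", "automation"),
    ("2024-05-02T17:30", "2024-05-04T10:00", "helpdesk"),   # manual and slow
    ("2024-05-03T08:00", "2024-05-03T08:05", "automation"),
]
# (system, elevated_from, elevated_until or None if still active)
PRIVILEGE_GRANTS = [
    ("prod-db", "2024-05-01T10:00", "2024-05-01T12:00"),
    ("prod-db", "2024-04-01T00:00", None),                   # standing admin, never removed
    ("ci-runner", "2024-05-02T09:00", "2024-05-02T09:30"),
]
# (campaign, entitlement_risk, decided_by, overdue)
REVIEW_DECISIONS = [
    ("q2-2024", "low", "human", False),
    ("q2-2024", "low", "human", True),
    ("q2-2024", "high", "human", False),
    ("q2-2024", "low", "policy", False),                     # decided by rule, no reviewer
]
NOW = ts("2024-05-05T00:00")  # reporting time used to close open grants

def time_to_revoke_hours(rows=OFFBOARDINGS):
    """Median hours from termination to revocation: an outcome, not a completion count."""
    return median((ts(r) - ts(t)).total_seconds() / 3600 for t, r, _ in rows)

def automation_coverage(rows=OFFBOARDINGS):
    """Share of revocations carried out without a human in the loop."""
    return sum(1 for *_, by in rows if by == "automation") / len(rows)

def standing_privilege_hours(grants=PRIVILEGE_GRANTS, now=NOW):
    """Hours of elevated access per system; grants still open count up to `now`."""
    exposure = {}
    for system, start, end in grants:
        hours = ((ts(end) if end else now) - ts(start)).total_seconds() / 3600
        exposure[system] = exposure.get(system, 0.0) + hours
    return exposure

def review_manual_load(decisions=REVIEW_DECISIONS):
    """Signals of a too-manual campaign: reviewer actions, overdue items,
    and low-risk entitlements that still needed a human decision."""
    human = [d for d in decisions if d[2] == "human"]
    return {
        "human_actions": len(human),
        "overdue": sum(1 for d in decisions if d[3]),
        "low_risk_human": sum(1 for d in human if d[1] == "low"),
    }
```

Run the four functions against a real export of offboarding, elevation and review-campaign events and trend the results per period; a rising `standing_privilege_hours` or `low_risk_human` count is the drift both posts describe.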