TL;DR: IT risk assessment helps organisations prioritise IT threats, vulnerabilities, likelihood, and impact, but the Zluri article shows how that process still depends on what is discovered, documented, and reviewed. For identity programmes, the weak point is not the scoring model, but incomplete visibility into human and non-human access paths.
NHIMG editorial — based on content published by Zluri: Security & Compliance IT Risk Assessment - All You Need to Know
Questions worth separating out
Q: How should security teams assess identity risk in cloud and SaaS environments?
A: Start with discovery of every identity that can act on enterprise systems, including users, service accounts, tokens, certificates, and delegated OAuth access.
Q: Why do unmanaged non-human identities create more risk than their numbers suggest?
A: Because the issue is not only quantity; it is governance coverage.
Q: What do organisations get wrong about IT risk assessments for access control?
A: They often treat access risk as a static checklist instead of a changing set of identity relationships.
Practitioner guidance
- Map identity scope before scoring risk: build the assessment around human accounts, service accounts, API keys, certificates, and OAuth grants so criticality reflects actual access paths rather than system labels.
- Separate discovered from governed identities: tag every identity that has been discovered but not yet reviewed, assigned an owner, or placed into a lifecycle process so the backlog is visible in the risk register.
- Tie privilege to impact ratings: rate each identity by the sensitivity of the systems and data it can reach, then use that rating to prioritise review, remediation, and offboarding.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how Zluri structures SaaS discovery across SSO, IdP, finance, and browser-based signals.
- Detailed walkthrough of how applications are categorised by risk, compliance status, and management state.
- User-monitoring examples that show how risky behaviour is detected and flagged in practice.
- Policy-enforcement descriptions for remediating weak passwords, suspicious sharing, and other access issues.
👉 Read Zluri's guide to IT risk assessment for security and compliance →
IT risk assessment for identity security: what IAM teams miss?
Explore further
Risk assessment fails when identity discovery is treated as a one-time inventory exercise. The article frames discovery as the first step, but identity risk is dynamic: SaaS sprawl, service account creation, and OAuth delegation change faster than annual review cycles. That means the assessment can be technically complete and still be wrong the moment it is signed off. Practitioners should treat incomplete discovery as an active control gap, not a data-quality nuisance.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: How can teams make risk assessments more useful for audits and remediation?
A: Document the decision trail, not just the final score. Each high-risk identity should have an owner, a review date, an approved control action, and evidence of completion. That makes the assessment actionable for auditors, security teams, and lifecycle owners rather than a report that sits unused.
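The practitioner guidance above (map identity scope, separate discovered from governed identities, tie privilege to impact) and this answer's decision-trail requirement describe one register-building procedure. The script below is an added example written for this editorial; it is not Zluri's or NHIMG's code. The identity kinds, the system sensitivity tiers, the field names and the sample inventory are all constructed for illustration, and the priority formula is an assumption, not a model the source prescribes.

```python
"""Build a prioritised identity risk register from a discovered inventory.

Added example for this editorial, not code from Zluri or NHIMG. The
sensitivity tiers, field names and sample inventory are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sensitivity tiers (3 = most sensitive) for reachable systems.
SYSTEM_SENSITIVITY = {
    "hr-payroll": 3,
    "prod-database": 3,
    "customer-crm": 2,
    "ci-runner": 2,
    "wiki": 1,
}


@dataclass
class Identity:
    name: str
    kind: str                            # user | service_account | api_key | certificate | oauth_grant
    reaches: list                        # systems this identity can act on
    owner: Optional[str] = None
    last_reviewed: Optional[str] = None  # ISO date of the last access review
    lifecycle: bool = False              # enrolled in a JML / rotation / offboarding process
    control_action: Optional[str] = None # approved remediation, e.g. "rotate-key"
    evidence: Optional[str] = None       # reference to proof that the action was completed


def impact_rating(identity: Identity) -> int:
    """Rate by the most sensitive system the identity can reach (0 if none is known)."""
    return max((SYSTEM_SENSITIVITY.get(s, 0) for s in identity.reaches), default=0)


def governance_state(identity: Identity) -> str:
    """'governed' only when owner, review and lifecycle enrolment are all present."""
    if identity.owner and identity.last_reviewed and identity.lifecycle:
        return "governed"
    return "discovered"


def decision_trail_gaps(identity: Identity) -> list:
    """Fields an auditor expects on a high-risk identity that are still missing."""
    required = {
        "owner": identity.owner,
        "review_date": identity.last_reviewed,
        "control_action": identity.control_action,
        "evidence": identity.evidence,
    }
    return [name for name, value in required.items() if not value]


def build_register(inventory: list) -> list:
    """Return register rows sorted so ungoverned, high-reach identities come first."""
    rows = []
    for ident in inventory:
        rating = impact_rating(ident)
        state = governance_state(ident)
        # Assumed priority formula: reach dominates, ungoverned state breaks ties upward.
        priority = rating * 2 + (1 if state == "discovered" else 0)
        rows.append({
            "name": ident.name,
            "kind": ident.kind,
            "impact": rating,
            "state": state,
            "priority": priority,
            # Only identities at the top impact tier need a complete decision trail here.
            "gaps": decision_trail_gaps(ident) if rating >= 3 else [],
        })
    rows.sort(key=lambda r: (-r["priority"], r["name"]))
    return rows


# Constructed sample inventory: one governed user, one partly documented
# service account, one unowned CI key and one OAuth grant with no review.
SAMPLE_INVENTORY = [
    Identity("alice", "user", ["customer-crm", "wiki"], owner="alice",
             last_reviewed="2024-05-01", lifecycle=True,
             control_action="none", evidence="hr-review-2024q2"),
    Identity("svc-backup", "service_account", ["prod-database"], owner="dba-team",
             last_reviewed="2024-03-15", lifecycle=True, control_action="rotate-key"),
    Identity("ci-deploy-key", "api_key", ["ci-runner", "prod-database"]),
    Identity("gh-oauth-grant-42", "oauth_grant", ["wiki"], owner="platform"),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_INVENTORY):
        print(row)
```

Running the block prints the CI deploy key first: it reaches the production database, has no owner, review date, control action or evidence, and is still in the discovered state, so it is both the highest-impact item and the one with the emptiest decision trail. The service account is governed but still shows an evidence gap, which is exactly the kind of "signed off but not finished" item the answer above warns about.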
👉 Read our full editorial: IT risk assessment for identity security: where current models fail