TL;DR: Only 8% of organisations are highly confident their legacy IAM tools can manage AI and NHI risk, while NHIs outnumber human identities by more than 80:1, according to Oasis Security and the CSA. Board reporting now needs metrics that expose visibility, ownership, rotation, and policy enforcement gaps rather than human-only IAM signals.
NHIMG editorial — based on content published by Oasis Security: Identity Security Posture Metrics: 15 NHI KPIs Your Board Needs
By the numbers:
- Only 8% of organizations express high confidence that their legacy IAM tools can effectively manage AI and NHI risks.
- NHIs outnumber human identities by more than 80 to 1 in modern enterprises.
- 23.77 million new secrets were leaked on GitHub in 2024, representing a 25% year-over-year increase.
Questions worth separating out
Q: How should security teams build board reporting for NHI risk?
A: Start with a small set of metrics that cover visibility, privilege, rotation, ownership, and response.
Q: Why do NHIs complicate zero trust and identity governance programs?
A: NHIs complicate governance because they are far more numerous than users, have no human who can attest to their access, are typically created by automation outside the joiner-mover-leaver process, and authenticate with long-lived secrets rather than interactive logins. Controls built around a person, a manager, and a login session therefore do not fit them.
Q: What do organisations get wrong about measuring non-human identity risk?
A: They often measure NHI risk with human identity proxies such as login counts or generic access reviews.
Practitioner guidance
- Build an NHI posture scorecard around five dimensions. Use visibility, risk, governance, operations, and compliance as separate reporting lenses so executives can see whether the problem is discovery, privilege, credential hygiene, or evidence readiness.
- Tie each metric to a remediation owner and a decision. Assign ownership for privileged inventory accuracy, rotation frequency, orphaned identity reduction, and anomaly response so that every metric changes a control action rather than only a dashboard value.
- Track NHI ownership alongside secrets hygiene. Do not report secret rotation in isolation: a credential that is rotated on schedule but has no accountable owner still cannot be revoked, scoped down, or attested when something goes wrong, so report rotation and ownership as a paired metric.
What's in the full article
Oasis Security's full article covers the operational detail this post intentionally leaves for the source:
- A breakdown of all 15 NHI KPIs and how each one maps to board reporting needs
- The full five-dimension posture model for visibility, risk, governance, operations, and compliance
- Examples of executive dashboard formatting, including colour-coded risk tiers and trend reporting
- The article's framing for automated discovery, rotation enforcement, and audit evidence generation
👉 Read Oasis Security's framework for board-level NHI posture metrics →
NHI posture metrics: what boards need from IAM teams
Explore further
Board metrics are now an NHI governance control, not a reporting layer. Once non-human identities outnumber human identities by more than 80:1, posture reporting becomes the only way most organisations can prove they know what exists, who owns it, and where risk is concentrated. That makes metrics part of governance architecture, not just executive communication. Teams that still treat NHI dashboards as cosmetic reporting are missing the fact that measurement is the control surface. The implication is that board reporting must be designed as an operational input to identity governance, not an after-the-fact summary.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Which NHI metrics matter most for executive reporting?
A: The most useful metrics are privileged inventory accuracy, MTTD for NHI threats, secrets rotation frequency, least-privilege adoption, and compliance alignment. Together they show whether the organisation can see identities, control them, respond quickly, and prove the controls are working.
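The following is an added example, not code from Oasis Security or from the NHIMG editorial, showing how the scorecard metrics in the practitioner guidance and the executive metrics listed in the answer above can be computed from an identity inventory. The identities, detection timestamps, the 90-day rotation policy and the colour-tier thresholds are all constructed assumptions; the wildcard check used as the over-privilege signal is a deliberately crude stand-in for a real entitlement analysis.

```python
# Added example (not from the Oasis Security article): a minimal NHI posture
# scorecard computed from a constructed inventory. The identities, thresholds
# and detection events below are assumptions for illustration only.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class NHI:
    name: str
    owner: Optional[str]          # None -> orphaned (no accountable team)
    last_rotated: Optional[date]  # None -> never rotated since creation
    permissions: list             # IAM-style action strings
    in_inventory: bool            # present in the IAM/CMDB record of NHIs
    privileged: bool              # can change config, data or other identities


TODAY = date(2025, 1, 15)             # fixed so results are reproducible
MAX_SECRET_AGE = timedelta(days=90)   # assumed rotation policy


def is_orphaned(n: NHI) -> bool:
    return n.owner is None


def is_stale(n: NHI, today: date = TODAY) -> bool:
    return n.last_rotated is None or today - n.last_rotated > MAX_SECRET_AGE


def is_over_privileged(n: NHI) -> bool:
    # Wildcard actions ("*" or "service:*") are a crude but common signal.
    return any(p == "*" or p.endswith(":*") for p in n.permissions)


def ratio(num: int, den: int) -> float:
    return round(num / den, 3) if den else 0.0


def scorecard(observed: list, detections: list, today: date = TODAY) -> dict:
    """observed: NHIs discovered at the providers (ground truth);
    detections: (incident_start, detected_at) datetime pairs for NHI alerts."""
    total = len(observed)
    privileged = [n for n in observed if n.privileged]
    orphaned = [n for n in observed if is_orphaned(n)]
    stale = [n for n in observed if is_stale(n, today)]
    over_priv = [n for n in observed if is_over_privileged(n)]
    owned_fresh = [n for n in observed
                   if not is_orphaned(n) and not is_stale(n, today)]
    mttd = None
    if detections:
        hours = [(d - s).total_seconds() / 3600 for s, d in detections]
        mttd = round(sum(hours) / len(hours), 1)
    return {
        # visibility: does the inventory match what actually exists?
        "inventory_coverage": ratio(sum(n.in_inventory for n in observed), total),
        "privileged_inventory_accuracy": ratio(
            sum(n.in_inventory for n in privileged), len(privileged)),
        # governance: who is accountable?
        "orphan_rate": ratio(len(orphaned), total),
        # operations: credential hygiene, reported together with ownership
        "stale_secret_rate": ratio(len(stale), total),
        "owned_and_rotated_rate": ratio(len(owned_fresh), total),
        # risk: least-privilege adoption
        "least_privilege_adoption": ratio(total - len(over_priv), total),
        # response: mean time to detect NHI threats, in hours
        "mttd_hours": mttd,
        # the remediation queue each metric should drive
        "remediate": {
            "assign_owner": [n.name for n in orphaned],
            "rotate": [n.name for n in stale],
            "scope_down": [n.name for n in over_priv],
        },
    }


def tier(value: float, green: float, amber: float, higher_is_better: bool = True) -> str:
    """Board colour for a ratio metric; thresholds are assumptions."""
    v = value if higher_is_better else 1 - value
    if v >= green:
        return "green"
    if v >= amber:
        return "amber"
    return "red"


SAMPLE = [  # constructed identities, not real ones
    NHI("ci-deploy", "platform", date(2024, 12, 20), ["s3:GetObject"], True, False),
    NHI("legacy-admin-key", None, date(2023, 5, 1), ["*"], False, True),
    NHI("db-migrator", "data", date(2024, 11, 1), ["rds:*"], True, True),
    NHI("metrics-agent", "sre", None, ["cloudwatch:PutMetricData"], True, False),
    NHI("backup-sa", "sre", date(2025, 1, 1), ["s3:PutObject", "s3:GetObject"], False, False),
    NHI("k8s-controller", "platform", date(2024, 10, 10), ["iam:*"], True, True),
]
DETECTIONS = [  # constructed (incident_start, detected_at) pairs
    (datetime(2025, 1, 3, 10, 0), datetime(2025, 1, 3, 12, 0)),
    (datetime(2025, 1, 8, 1, 0), datetime(2025, 1, 9, 7, 0)),
    (datetime(2025, 1, 12, 9, 0), datetime(2025, 1, 12, 13, 0)),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE, DETECTIONS)
    lp = card["least_privilege_adoption"]
    orph = card["orphan_rate"]
    print(f"least_privilege_adoption {lp} ({tier(lp, 0.9, 0.7)})")
    print(f"orphan_rate {orph} ({tier(orph, 0.95, 0.8, higher_is_better=False)})")
    print("remediation queue:", card["remediate"])
```

The point of the `remediate` section is the guidance above: every ratio on the card is derived from a concrete list of identities that a named owner can act on, and `owned_and_rotated_rate` pairs rotation with ownership so that a well-rotated but orphaned key cannot make the hygiene line look healthy on its own.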
👉 Read our full editorial: Identity security posture metrics for board-level NHI governance