Zero trust scoring for NHI identities: what changes for teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Traditional NHI risk scores can improve even as static API keys, service accounts, and hardcoded credentials continue to multiply, so the dashboard looks better while attack surface expands, according to Clutch Security. The real governance problem is not only fixing today’s findings, but measuring whether the identity architecture is actually moving toward less static credential exposure.

NHIMG editorial — based on content published by Clutch Security: Why We Built Two Scores: Introducing Zero Trust Scoring for Non-Human Identities

Questions worth separating out

Q: How should security teams measure progress in NHI governance beyond risk scores?

A: Use two measures. One should track current exposure, such as exposed secrets, stale credentials, and overprivileged identities. The other should track whether the architecture is becoming less dependent on persistent trust. If remediation improves while persistent credential creation stays high, the programme is cleaning up symptoms rather than reducing the cause.

Q: Why do static service accounts and API keys keep undermining NHI programmes?

A: They persist long enough to accumulate permissions, be copied into code, and survive beyond the business need that created them.

Q: What do security teams get wrong about zero trust in NHI environments?

A: They often treat zero trust as a yes-or-no control state instead of a directional maturity model.

Practitioner guidance

  • Separate remediation and maturity reporting: Report current NHI risk findings and architectural progress as two different programme outcomes.
  • Track persistent credential growth: Measure how many new static API keys, service accounts, and hardcoded credentials are created each cycle.
  • Tie scorecards to lifecycle ownership: Assign owners for identity creation, rotation, review, and retirement so the programme can show which teams are adding structural risk.

What's in the full article

Clutch Security's full blog covers the operational detail this post intentionally leaves for the source:

  • How Clutch defines the difference between Risk Score and Zero Trust Score across NHI estates
  • Examples of how the two metrics are segmented by owner, identity type, and custom labels
  • The maturity logic behind moving identities from static credentials toward secretless or ephemeral states
  • The product framing Clutch uses to explain architectural progress versus symptom cleanup

👉 Read Clutch Security's blog on zero trust scoring for non-human identities →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Risk scores are necessary but incomplete because they describe the state of damage, not the quality of the identity architecture producing it. A programme can remove exposed secrets, scope down service accounts, and still keep creating new static credentials at scale. That means the organisation is learning how to clean up faster, not how to stop generating the problem. For identity governance, the decisive question is whether the environment is still manufacturing the same exposure patterns.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How can IAM leaders tell whether remediation is actually reducing future NHI risk?

A: Look for a falling volume of persistent credentials, better ownership, and fewer repeat findings in the same identity classes. If the risk score drops while static credentials continue to grow, future exposure is still being manufactured. Progress exists only when the environment becomes less likely to recreate the same problems.

👉 Read our full editorial: Zero trust scoring for NHI: measuring progress, not just risk

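To make the two-score idea from both posts concrete (a risk score that tracks open findings beside a zero-trust score that tracks how much of the estate still depends on persistent secrets, plus the per-cycle count of newly minted static credentials), here is a small worked example added by the editor. It is a simplified scheme of my own devising, not Clutch's scoring logic, and the identity taxonomy, field names and two estate snapshots are constructed for illustration.

```python
from dataclasses import dataclass
# Constructed taxonomy and sample estate (not Clutch's data or scoring logic).
PERSISTENT = {"static_api_key", "service_account_password", "hardcoded_credential"}
EPHEMERAL = {"workload_identity", "short_lived_token"}

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str            # a member of PERSISTENT or EPHEMERAL
    created_cycle: int   # reporting cycle in which the credential was minted
    exposed: bool = False         # secret found in a repo, log or image
    stale: bool = False           # unused beyond its review window
    overprivileged: bool = False  # broader rights than its job needs

def risk_score(estate):
    """Symptom view: percentage of identities with at least one open finding (lower is better)."""
    flagged = sum(1 for i in estate if i.exposed or i.stale or i.overprivileged)
    return round(100.0 * flagged / len(estate), 1) if estate else 0.0

def zero_trust_score(estate):
    """Architecture view: percentage of identities not backed by a persistent secret (higher is better)."""
    ephemeral = sum(1 for i in estate if i.kind in EPHEMERAL)
    return round(100.0 * ephemeral / len(estate), 1) if estate else 0.0

def new_persistent_credentials(estate, cycle):
    """Static credentials minted in this cycle: the rate at which future exposure is being manufactured."""
    return sum(1 for i in estate if i.kind in PERSISTENT and i.created_cycle == cycle)

def report(snapshots):
    """One row per cycle; from the second cycle on, flag remediation that outpaces structural change."""
    rows = [{"cycle": c, "risk": risk_score(e), "zero_trust": zero_trust_score(e),
             "new_persistent": new_persistent_credentials(e, c)} for c, e in sorted(snapshots.items())]
    for prev, cur in zip(rows, rows[1:]):
        cur["symptom_cleanup_only"] = (cur["risk"] < prev["risk"]
                                       and cur["new_persistent"] >= prev["new_persistent"]
                                       and cur["zero_trust"] <= prev["zero_trust"])
    return rows

SNAPSHOTS = {  # cycle 2 fixes every cycle-1 finding but mints three more static credentials
    1: [Identity("ci-deploy-key", "static_api_key", 1, exposed=True),
        Identity("etl-svc", "service_account_password", 1, overprivileged=True),
        Identity("payments-wli", "workload_identity", 1),
        Identity("legacy-backup", "hardcoded_credential", 0, stale=True)],
    2: [Identity("ci-deploy-key", "static_api_key", 1),  # rotated; etl-svc scoped down; backup retired
        Identity("etl-svc", "service_account_password", 1),
        Identity("payments-wli", "workload_identity", 1),
        Identity("reporting-key", "static_api_key", 2, overprivileged=True),
        Identity("vendor-webhook-key", "static_api_key", 2),
        Identity("batch-svc", "service_account_password", 2)],
}
```

Running `report(SNAPSHOTS)` shows the risk score falling from 75.0 to 16.7 while the zero-trust score also falls and three new static credentials appear, so cycle 2 is flagged as symptom cleanup rather than architectural progress.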