How should organisations measure values-driven IT?

By NHI Mgmt Group Editorial Team | Updated June 11, 2026 | Domain: Governance, Ownership & Risk

Measure whether service interactions improve completion of identity tasks, reduce repeat issues, and increase confidence in access processes. Good metrics connect service quality to governance outcomes, not just ticket counts. If the team is faster but users are still frustrated, the programme has only changed its pace, not its effectiveness.

Why This Matters for Security Teams

Values-driven IT is not a branding exercise. It is the practical question of whether service operations reflect the organisation’s stated commitments, such as fairness, transparency, accessibility, privacy, and accountable access decisions. For identity and access teams, the signal is whether users can complete legitimate tasks without repeated friction, unexplained exceptions, or workarounds that undermine policy.

That matters because traditional efficiency metrics often miss governance failure. A team can close tickets quickly while users still re-open them, escalate repeatedly, or avoid the process entirely. Good measurement connects service quality to identity outcomes, which is closer to the intent of the NIST Cybersecurity Framework 2.0: outcomes, not just activity. NHI Management Group’s Ultimate Guide to NHIs shows why this matters in practice, noting that only 5.7% of organisations have full visibility into service accounts. If visibility is weak, service metrics can look healthy while access risk and user frustration continue underneath.

In practice, many security teams discover that “fast” service delivery still leaves people blocked, because the process is optimised for ticket closure rather than trustworthy access outcomes.

How It Works in Practice

Measuring values-driven IT starts by translating abstract values into observable service behaviours. For identity services, that usually means asking whether the process helps people complete legitimate access tasks safely, consistently, and with enough transparency to trust the outcome. The measurement set should therefore combine service experience, control effectiveness, and governance quality.

A practical model usually blends these indicators:

  • Task success rate, meaning the share of identity requests completed without rework or escalation.
  • Repeat contact rate, meaning how often the same user returns for the same issue.
  • Time to trusted access, meaning how long it takes to deliver access with proper approval and traceability.
  • Exception rate, meaning how often policy is bypassed for “urgent” cases.
  • User confidence signals, gathered through short post-resolution questions about clarity, fairness, and predictability.
  • Control hygiene, such as whether provisioning, revocation, and reviews were completed as designed.
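An added example, not part of the original FAQ, showing how four of the indicators above could be computed from identity request records, and how "time to trusted access" differs from raw delivery speed. The record fields and the sample data are constructed assumptions, not the schema of any real service desk or governance product.

```python
from datetime import datetime
from statistics import median

# Constructed sample records. Field names are assumptions for this example,
# not the schema of any real ITSM or IGA product.
def _req(user, issue, opened, granted, approved=True, logged=True,
         reworked=False, escalated=False, exception=False):
    return dict(user=user, issue=issue, opened=opened, granted=granted,
                approved=approved, logged=logged, reworked=reworked,
                escalated=escalated, exception=exception)

REQUESTS = [
    _req("alice", "vpn-access", "2026-05-01T09:00", "2026-05-01T11:00"),
    _req("alice", "vpn-access", "2026-05-03T09:00", "2026-05-03T10:00", reworked=True),
    _req("bob", "db-read", "2026-05-02T08:00", "2026-05-02T08:30",
         approved=False, exception=True),
    _req("carol", "repo-write", "2026-05-02T10:00", "2026-05-02T16:00", escalated=True),
    _req("dave", "svc-account-key", "2026-05-04T09:00", "2026-05-04T13:00"),
]

def hours(req):
    """Elapsed hours between the request being opened and access being delivered."""
    delta = datetime.fromisoformat(req["granted"]) - datetime.fromisoformat(req["opened"])
    return delta.total_seconds() / 3600

def service_metrics(requests):
    total = len(requests)
    # Trusted = delivered with approval AND an audit trail (traceability).
    trusted = [r for r in requests if r["approved"] and r["logged"]]
    # A repeat contact is any request beyond the first for the same user and issue.
    distinct_issues = {(r["user"], r["issue"]) for r in requests}
    return {
        "task_success_rate": sum(not (r["reworked"] or r["escalated"]) for r in requests) / total,
        "repeat_contact_rate": (total - len(distinct_issues)) / total,
        "exception_rate": sum(r["exception"] for r in requests) / total,
        "median_hours_to_trusted_access": median(hours(r) for r in trusted),
        # Raw speed, including grants that skipped approval: the figure a
        # ticket-closure dashboard would report.
        "median_hours_any_access": median(hours(r) for r in requests),
        "untrusted_grants": total - len(trusted),
    }

if __name__ == "__main__":
    for name, value in service_metrics(REQUESTS).items():
        print(f"{name}: {value}")
```

On the sample data the raw median looks faster than the trusted median because the quickest grant was an unapproved exception, which is the gap between pace and effectiveness that the indicators are meant to expose.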

This is where operational transparency matters. A service desk may report lower average handling time, but if users do not understand why access was denied, or if approvers keep making inconsistent decisions, the programme is not values-driven. It is merely faster. The measurement should therefore examine the journey end to end, including identity proofing, approvals, exception handling, and offboarding. The NHIMG Ultimate Guide to NHIs reinforces the broader point that identity governance fails when organisations cannot see or manage the full lifecycle of identities, especially non-human ones. That lifecycle view is essential if the organisation wants service quality and access governance to reinforce each other.

Current guidance suggests aligning these measures to the organisation’s stated values, then testing whether those values appear in user outcomes and access records. For example, if “fairness” is a value, then approval outcomes should be explainable and consistent across comparable cases. If “privacy” is a value, then service processes should minimise unnecessary data collection and access disclosure. The NIST Cybersecurity Framework 2.0 is useful here because it encourages outcome-based governance rather than control counting alone. These controls tend to break down when identity services are fragmented across HR, IT, and application teams because no single owner can measure the full user journey.

Common Variations and Edge Cases

Tighter measurement often increases reporting overhead, requiring organisations to balance better governance against the cost of collecting and interpreting service data. That tradeoff becomes especially visible when teams try to measure values that are real but hard to quantify, such as dignity, trust, or perceived fairness.

There is no universal standard for this yet, so best practice is evolving. Some organisations use a small set of operational proxies, while others add qualitative feedback from users, auditors, and service owners. The key is to avoid reducing values-driven IT to vanity metrics. If only ticket volume is tracked, the programme may reward deflection rather than service quality. If only sentiment is tracked, it may ignore policy failures that create hidden risk.

Edge cases matter. A highly regulated environment may accept more friction if the evidence trail is strong and access decisions are clearly justified. A fast-moving product environment may prioritise lower friction, but it still needs guardrails for exception handling and revocation. For NHI-heavy environments, the same logic applies to service accounts, API keys, and automation jobs: values-driven service management should improve visibility, lifecycle control, and accountability, not just human-facing support. In those cases, a service that is pleasant but cannot prove who accessed what, or why, is not aligned with governance values.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Values-driven IT should align service metrics to governance outcomes and stakeholder expectations. |
| NIST CSF 2.0 | GV.RM-01 | Risk management needs metrics that reveal when service quality hides identity and access failures. |
| NIST AI RMF | | Outcome-focused measurement mirrors AI RMF governance principles for accountable, value-aligned operations. |

Use governance, map, and measure activities to test whether services actually reflect stated values.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.