Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk What do organisations get wrong about risk appetite…
Governance, Ownership & Risk

What do organisations get wrong about risk appetite and risk tolerance?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

They often use the terms interchangeably, which hides the difference between strategic willingness to take risk and the numeric boundary where action is required. Appetite sets the direction, while tolerance defines the trigger points. Without both, governance becomes subjective and hard to audit.

Why This Matters for Security Teams

Risk appetite and risk tolerance are not semantics. They shape how security decisions are made, how exceptions are approved, and when leadership must be escalated. When organisations blur the two, controls drift from measurable thresholds into opinion, which makes governance difficult to defend. That problem is especially visible in identity-heavy environments, where exposure can scale quickly across service accounts, API keys, and automation pathways.

The issue is not limited to NHI programmes, but the same pattern shows up there clearly: NHIMG notes that 68% of organisations do not know how to fully address NHI risks in the Ultimate Guide to NHIs — Key Challenges and Risks. That is what happens when appetite is stated as a principle but tolerance is never translated into measurable boundaries. The NIST Cybersecurity Framework 2.0 reinforces that risk decisions need repeatable governance, not ad hoc interpretation. In practice, many security teams encounter the problem only after an exception has already become normalised rather than through intentional governance.

How It Works in Practice

Risk appetite should describe the level and type of risk the organisation is willing to accept in pursuit of its objectives. Risk tolerance should define the operational thresholds that indicate whether a control failure, exception, or exposure is still acceptable. In practice, appetite is strategic and tolerance is measurable. Good governance connects the two so that executives can say what matters most, and security teams can say when the line has been crossed.

That distinction matters across cyber, cloud, and identity controls. For example, an organisation may have a high appetite for delivery speed but a low tolerance for unmanaged secrets in code or long-lived privileged credentials. In NHI governance, that means setting limits on secret age, rotation delays, orphaned identities, and excessive privilege. NHIMG’s Top 10 NHI Issues is useful here because it frames the practical failure points that should become measurable tolerance thresholds.

  • Use appetite to define acceptable strategic trade-offs, such as speed versus control friction.
  • Use tolerance to set numeric thresholds, such as maximum privileged accounts without owners.
  • Map each tolerance to an owner, review cadence, and escalation trigger.
  • Track exceptions separately from baseline risk so temporary waivers do not become permanent drift.

For broader control mapping, NIST CSF 2.0 can anchor governance and monitoring expectations, while identity and secrets management policies define the specific thresholds that matter in the environment. These controls tend to break down when risk statements are written for auditors but not converted into operational metrics for engineering, IAM, or cloud teams.

Common Variations and Edge Cases

Tighter risk tolerance often increases operational overhead, requiring organisations to balance resilience against delivery speed and administrative burden. That tradeoff is real, and current guidance suggests it should be explicit rather than hidden inside vague policy language. Best practice is evolving toward separate tolerance thresholds for different asset classes, because a single number rarely fits cloud infrastructure, customer data, and NHI estates equally well.

Edge cases appear when organisations treat appetite as a fixed annual statement instead of a living governance input. That approach breaks down in fast-changing environments such as M&A, cloud migration, or agentic AI deployments, where new tool access and machine identities appear faster than policy reviews can keep up. It also fails when leaders approve broad appetite but never define the tolerance that should trigger remediation, escalation, or shutdown.

For NHI-heavy environments, the gap is often sharper because service accounts and API keys are easy to provision but hard to inventory and retire. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now explains why unmanaged identity sprawl changes the risk picture quickly. The practical test is simple: if a team cannot state what threshold requires action, it does not yet have a usable tolerance model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Risk appetite and tolerance sit inside organisational risk management governance.
OWASP Non-Human Identity Top 10NHI governance often fails when limits are not defined for secrets and service accounts.
NIST Zero Trust (SP 800-207)5.1Tolerance settings should support continuous verification and limited trust.

Set explicit thresholds for rotation, privilege, ownership, and exposure of non-human identities.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org