
What do security teams get wrong about directory security scores?

By NHI Mgmt Group Editorial Team Updated June 9, 2026 Domain: Governance, Ownership & Risk

They often treat scores as a reporting outcome instead of a remediation engine. A useful score must separate noisy issues from identity paths that materially increase escalation or lateral-movement risk; otherwise teams spend effort on low-value fixes while the real exposure stays open.

Why This Matters for Security Teams

Directory security scores are useful only when they reflect actual attack paths, not just hygiene indicators. Security teams often mistake a higher score for lower exposure, even when privileged groups, stale service accounts, or nested trust relationships still make escalation easy. That creates a dangerous gap between reporting and real risk, especially in environments where identity sprawl grows faster than review cycles. NHI Management Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into service accounts, which helps explain why score-based reporting can miss the identities that matter most.

For security teams, the main failure is treating the score as an outcome instead of a prioritisation engine. A score that cannot distinguish between low-value misconfigurations and paths that enable lateral movement will drive busywork, not risk reduction. Current guidance in NIST Cybersecurity Framework 2.0 emphasises continuous risk management, which is a better fit than static scorekeeping for identity-heavy environments. In practice, many security teams encounter the real weakness only after a privilege path has already been used, rather than through intentional score-driven remediation.

How It Works in Practice

A useful directory score should weight identity conditions by how much they increase compromise impact, not just how many issues exist. That means separating cosmetic findings from exposures that affect privilege, reachability, and persistence. For example, a stale account with no trust relationships should not carry the same urgency as a disabled-looking account that still sits in an administrative path, has a live token chain, or can authenticate into sensitive systems.

The best scoring models usually combine three layers:

  • Privilege depth, such as admin roles, delegated rights, and inheritance through groups
  • Reachability, meaning whether the identity can actually touch critical systems or cloud workloads
  • Exploitability, such as whether the issue enables token theft, lateral movement, or persistence

That is why modern directory scorecards increasingly look like remediation graphs instead of audit dashboards. They should tell analysts which identities to fix first, which dependencies to break, and which paths can be closed with one change. The NIST framework’s focus on governance, protection, and continuous improvement supports this approach, but it does not prescribe one universal scoring formula. There is no universal standard for directory security scores yet, so organisations should treat scores as an internal prioritisation method, not an industry metric.
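The three layers above, and the "which path can be closed with one change" question, are easiest to see on a small trust graph. The following Python is an added example written for this page, not NHIMG's code and not a published scoring standard: the directory (group nesting, admin rights, authentication reach and a delegated token chain), the identity names, the three findings and the point weights (40/30/20/10/5) are all constructed for illustration. It scores each finding by privilege depth, reachability to critical systems and exploitability, keeps the reason for every point so the score can explain itself, and then asks which single edge removal would cut the most identities off from critical systems.

```python
# Toy attack-path-weighted directory score. Added example, not NHIMG's code and
# not a published standard; graph, identities, findings and weights are constructed.
from collections import deque
from dataclasses import dataclass

EDGES = [  # constructed directory as (source, relation, target) edges
    ("svc_backup",       "memberOf",   "Backup Operators"),
    ("Backup Operators", "memberOf",   "Tier0-Admins"),      # nested group
    ("Tier0-Admins",     "adminTo",    "DC01"),
    ("Tier0-Admins",     "adminTo",    "PROD-DB"),
    ("svc_ci",           "canAuthTo",  "BUILD-SRV"),
    ("svc_ci",           "tokenChain", "Backup Operators"),  # live delegated token
    ("svc_legacy",       "memberOf",   "Printer Users"),
    ("Printer Users",    "memberOf",   "Domain Users"),
]
CRITICAL = {"DC01", "PROD-DB"}  # systems whose compromise is material

@dataclass
class Finding:
    identity: str
    issue: str
    enabled: bool = True
    stale: bool = False  # hygiene signal; on its own it is not an attack path

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def paths_from(graph, start):
    """BFS over outgoing edges; returns {node: (hops, relations used to get there)}."""
    seen, queue = {start: (0, [])}, deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen[nxt] = (seen[node][0] + 1, seen[node][1] + [rel])
                queue.append(nxt)
    return seen

def score(graph, finding):
    """Return (total, [(points, reason)]): every point carries the reason it was added."""
    reach = paths_from(graph, finding.identity)
    reasons = []
    # Layer 1: privilege depth. Fewer hops to a node holding adminTo rights is worse.
    admin_hops = [hops for node, (hops, _) in reach.items()
                  if any(rel == "adminTo" for rel, _ in graph.get(node, []))]
    if admin_hops:
        depth = min(admin_hops)
        reasons.append((40 // (1 + depth), f"admin rights {depth} hop(s) away"))
    # Layer 2: reachability. Can the identity touch a critical system at all?
    crit = {node: hops for node, (hops, _) in reach.items() if node in CRITICAL}
    if crit:
        target, hops = min(crit.items(), key=lambda kv: kv[1])
        reasons.append((30 // (1 + hops), f"reaches {target} in {hops} hop(s)"))
    # Layer 3: exploitability. A live delegated token chain is usable even when the
    # account object is flagged disabled; a disabled account without one is not.
    live_token = any("tokenChain" in rels for _, rels in reach.values())
    if live_token:
        reasons.append((20, "live delegated token chain"))
    if finding.enabled:
        reasons.append((10, "account enabled"))
    elif not live_token:
        reasons.append((0, "disabled with no live token: not currently exploitable"))
    # Hygiene signals nudge the score but never reach escalation-level weight.
    if finding.stale:
        reasons.append((5, "stale credential (hygiene only)"))
    return sum(pts for pts, _ in reasons), reasons

def rank(graph, findings):
    scored = [(f, *score(graph, f)) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)

def best_single_fix(edges, identities):
    """Which single edge removal cuts the most identities off from critical systems?"""
    def exposed(edge_list):
        g = build_graph(edge_list)
        return {i for i in identities if CRITICAL & set(paths_from(g, i))}
    base = exposed(edges)
    def cut_by(edge):
        return base - exposed([e for e in edges if e != edge])
    best = max(edges, key=lambda e: len(cut_by(e)))
    return best, cut_by(best)

FINDINGS = [  # constructed findings
    Finding("svc_legacy", "password unchanged for 400 days", stale=True),
    Finding("svc_backup", "flagged disabled but still nested into Tier0-Admins", enabled=False),
    Finding("svc_ci", "flagged disabled, delegated token chain still live", enabled=False),
]

if __name__ == "__main__":
    for f, total, why in rank(build_graph(EDGES), FINDINGS):
        print(f"{total:3d}  {f.identity:<11} {f.issue}")
        print("      " + "; ".join(f"{w} (+{p})" for p, w in why))
    edge, cut = best_single_fix(EDGES, [f.identity for f in FINDINGS])
    print("one change with most effect: remove", edge, "-> isolates", sorted(cut))
```

Run stand-alone, the stale account with no trust path (svc_legacy) scores lowest, the disabled account still nested into Tier0-Admins scores higher because the path exists even though it is not currently usable, and the "disabled-looking" account with a live delegated token chain scores highest. The single-fix search points at un-nesting Backup Operators from Tier0-Admins, which closes the path for both exposed identities at once; removing Tier0-Admins' rights on DC01 alone would close nothing, because PROD-DB remains reachable. The weights are arbitrary; what matters is that each point is traceable to a privilege, reachability or exploitability condition rather than to a raw issue count.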

NHIMG research shows the scale of the problem: 97% of NHIs carry excessive privileges and 71% are not rotated within recommended time frames, which means identity exposure is usually structural, not incidental. When that reality is fed into a score, the output should push teams toward the identities that unlock the most movement, not the ones that are easiest to clean up. These controls tend to break down when the directory is fragmented across cloud, SaaS, and machine identities because the scoring engine cannot reliably see the full trust graph.

Common Variations and Edge Cases

Tighter scoring often increases operational overhead, requiring organisations to balance precision against the effort needed to maintain the model. That tradeoff matters because some environments need fast reporting for executives, while others need deep analytical scoring for incident response and identity hardening. If the score becomes too complex, teams may stop trusting it; if it is too simple, it will miss the exposures that drive real breaches.

One common edge case is service accounts and other non-human identities. These identities often do not fit human-centric directory assumptions, so a score that works for workforce access can badly understate their risk. Another is environments with heavy third-party integrations, where the directory may look clean while OAuth grants, API keys, or delegated tokens preserve hidden access paths. The Ultimate Guide to NHIs highlights that 92% of organisations expose NHIs to third parties, which makes hidden trust relationships a scoring blind spot.

Best practice is evolving toward context-aware scoring that can separate remediation urgency from raw issue counts. But current guidance suggests teams should validate any score against attack-path analysis, not accept it as proof of safety. If the score cannot explain why one finding matters more than another, it is likely measuring administrative noise rather than directory risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
NIST CSF 2.0                     GV.RM-03              Scores should drive risk prioritisation, not just reporting.
OWASP Non-Human Identity Top 10  NHI-01                Improper offboarding leaves stale NHIs in privileged paths that hygiene-style scores rate as low urgency.
CSA MAESTRO                      ID-02                 Agent and workload identities need context-aware scoring and control.

Use directory scores to rank identity risks by business impact and review them in continuous risk cycles.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org