Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk What metrics should security and identity teams use…
Governance, Ownership & Risk

What metrics should security and identity teams use to judge loyalty programme effectiveness?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Governance, Ownership & Risk

Use retention rate, churn rate, customer lifetime value, engagement depth, and net promoter score together. No single number gives the full picture. The best programmes connect these measures to cohorts and interventions so teams can see which offers or journeys actually change customer behaviour over time.

Why This Matters for Security Teams

For security and identity teams, “effectiveness” is not a feel-good loyalty metric. It is a test of whether a programme changes behaviour in ways that reduce friction, increase repeat engagement, and support durable customer value without creating avoidable risk. The same discipline used in identity governance applies here: teams need leading indicators, cohort analysis, and clear attribution between interventions and outcomes. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises outcomes, measurement, and continuous improvement rather than single-point checks.

Security teams often over-index on redemption counts or enrolment growth, but those numbers can hide shallow engagement, discount dependency, or churn after a promotion ends. A better view combines retention rate, churn rate, customer lifetime value, engagement depth, and net promoter score, then checks whether a specific offer changed behaviour for a specific cohort. That approach is closer to how NHI programmes are judged in practice: it is not enough to know something was used, only whether it measurably improved trust, control, and durability. NHI Mgmt Group’s Ultimate Guide to NHIs notes that 71% of NHIs are not rotated within recommended time frames, which is a reminder that activity without lifecycle discipline rarely equals effectiveness. In practice, many teams discover weak programme design only after churn and margin erosion have already followed the campaign uplift.

How It Works in Practice

The practical model is to treat loyalty metrics as a portfolio, not a scoreboard. Retention rate shows whether customers keep coming back. Churn rate shows where the programme is failing to sustain participation. Customer lifetime value indicates whether the programme is attracting profitable behaviour or simply subsidising low-value activity. Engagement depth captures whether customers are interacting across channels or only responding to one-off incentives. Net promoter score adds a sentiment layer, but it should never stand alone because advocacy does not always translate into repeat purchase.

Security and identity teams should segment these measures by cohort and intervention. For example, compare customers exposed to onboarding rewards, tier upgrades, or targeted recovery journeys against similar customers who were not. Then measure whether the behaviour change persists after the incentive ends. Where possible, connect metrics to identity events such as sign-in success, step-up challenge completion, fraud friction, or account recovery success so the programme can be evaluated alongside trust and access experience.

  • Use baseline, post-intervention, and 30/60/90-day follow-up windows.
  • Measure changes by cohort, not just by global average.
  • Pair satisfaction metrics with business outcomes such as repeat purchase or spend frequency.
  • Watch for gaming, where customers optimise rewards without building loyalty.

For governance, the 52 NHI Breaches Analysis is a useful reminder that programmes fail when signals are collected but not operationalised, while the NIST Cybersecurity Framework 2.0 reinforces the need to turn metrics into repeatable review cycles. These controls tend to break down when teams rely on short campaign windows or single-channel data, because loyalty behaviour is usually fragmented across journeys, devices, and time.

Common Variations and Edge Cases

Tighter measurement often increases analytical overhead, requiring organisations to balance speed of reporting against attribution quality. That tradeoff is real, especially when data is incomplete or when finance, marketing, and identity teams define success differently. Current guidance suggests that no universal standard exists for weighting these metrics, so the right blend depends on whether the programme is meant to drive retention, frequency, cross-sell, or trust.

There are also edge cases where standard metrics mislead. A high NPS can coexist with poor retention if customers like the brand but find the programme too complex. Strong engagement depth may reflect gaming rather than loyalty. Low churn can mask inertia if switching costs are high but sentiment is weak. In regulated or high-risk environments, teams may need to add controls such as fraud loss rate, authentication friction, or account recovery abandonment so the programme is not judged purely on revenue proxies.

For identity-led organisations, the most useful pattern is to review metrics as a causal chain: exposure, engagement, conversion, retention, and value. That makes it easier to see whether an offer is strengthening durable relationships or just pulling forward demand. The Top 10 NHI Issues can be helpful as a governance analogue because it shows why visibility and lifecycle discipline matter when outcomes are being measured across many moving parts. Best practice is evolving, but the core rule is stable: if a metric cannot be tied to a customer cohort and a concrete intervention, it is not yet a decision-grade measure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.ME-1Measurement and reporting align with judging programme effectiveness over time.
NIST CSF 2.0ID.BE-3Business environment understanding supports segmenting loyalty cohorts and outcomes.
NIST AI RMFAI RMF helps govern metric selection, monitoring, and unintended outcome detection.

Define outcome metrics, review them on a cadence, and use them to drive continuous improvement.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org