Measure admin hours, refresh cadence, facilities cost, bridge dependencies and the number of separate consoles used to manage access. Those indicators show where the current model is consuming labour and creating complexity. If those figures are high, the existing directory is already acting like a cost multiplier.
Why This Matters for Security Teams
Modernising identity infrastructure is not just a technology refresh. It is a measurement exercise that exposes where identity is already consuming labour, slowing operations, and widening risk. If teams only track project cost, they miss the operational drag created by credential sprawl, manual approvals, and fragile bridge dependencies. That is especially true for NHI estates, where service accounts and secrets often outnumber human identities by orders of magnitude, as outlined in the Ultimate Guide to NHIs.
The right baseline shows whether the current model is worth preserving or is already acting like a cost multiplier. NIST’s Cybersecurity Framework 2.0 treats identity as an operational capability, not a static directory function, which is why measurement has to include both security and service delivery impacts. For organisations extending identity control to non-human systems, the gap is often larger than expected: NHIMG research shows only 5.7% of organisations have full visibility into their service accounts. In practice, many security teams discover that the real problem is not directory licensing, but the hidden cost of manual identity work that has already become embedded in day-to-day operations.
How It Works in Practice
Before any modernisation decision, security teams should build a baseline around the effort required to keep identity functioning. That means measuring admin hours spent on provisioning, deprovisioning, exception handling, access reviews, break-glass recovery, and directory troubleshooting. It also means counting how often teams must touch the system just to keep business services alive. The goal is to quantify friction, not just control spend.
A practical baseline usually includes:
- Admin hours per month for access changes, rotations, and incident recovery
- Refresh cadence for passwords, keys, certificates, and tokens
- Facilities cost for legacy infrastructure, colocation, or DR support
- Bridge dependencies, including connectors, sync jobs, and manual workarounds
- Number of separate consoles used to manage the same access lifecycle
Those metrics help teams compare the current state against target-state identity controls such as central policy enforcement, automated lifecycle workflows, and stronger NHI governance. The Ultimate Guide to NHIs shows why this matters: 71% of NHIs are not rotated within recommended time frames, and 97% carry excessive privileges, which means labour-heavy identity operations often coexist with weak control. The operational question is whether the organisation is paying people to compensate for architectural debt.
Use those measurements to create a before-and-after model for modernisation. If automation reduces admin hours, shortens recovery time, and eliminates bridge layers, the business case is stronger than a pure licence comparison. Current guidance suggests this approach should be paired with identity governance objectives, not treated as a standalone cost exercise. These controls tend to break down when identity is fragmented across multiple directories and each platform team owns a different access process, because no single team can accurately measure the full operational burden.
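As an added illustration (not code from the page or from NHIMG), a small Python baseline calculator run over a constructed identity inventory: it produces the metrics listed above (overdue rotations, secrets outside a manager, console count, manual rotation labour) and re-runs them against a modelled target state to give the before-and-after view. The rotation thresholds, the half-hour-per-manual-rotation figure and the field names are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date

# Assumed rotation policy (max age in days) and effort per manual rotation; illustrative values.
MAX_AGE_DAYS = {"password": 90, "api_key": 90, "certificate": 365, "token": 30}
HOURS_PER_MANUAL_ROTATION = 0.5

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str             # "human" or "service" (non-human identity)
    cred_type: str        # key into MAX_AGE_DAYS
    last_rotated: date
    store: str            # "vault" means held in a secrets manager
    console: str          # admin console used to manage this identity
    manual_rotation: bool # True when a person rotates the credential by hand

def baseline(identities, today):
    """Compute the baseline metrics listed above from an identity inventory."""
    nhis = [i for i in identities if i.kind == "service"]
    manual = [i for i in identities if i.manual_rotation]
    n = max(len(nhis), 1)  # avoid division by zero on an inventory with no NHIs
    overdue = sum((today - i.last_rotated).days > MAX_AGE_DAYS[i.cred_type] for i in nhis)
    # Each manual credential needs a rotation every MAX_AGE_DAYS; scale to a 30-day month.
    hours = sum(30 / MAX_AGE_DAYS[i.cred_type] * HOURS_PER_MANUAL_ROTATION for i in manual)
    return {
        "nhi_count": len(nhis),
        "human_count": len(identities) - len(nhis),
        "nhi_overdue_pct": round(100 * overdue / n, 1),
        "nhi_outside_manager_pct": round(100 * sum(i.store != "vault" for i in nhis) / n, 1),
        "console_count": len({i.console for i in identities}),
        "manual_rotation_count": len(manual),
        "manual_rotation_hours_per_month": round(hours, 2),
    }

def modelled_after_state(identities):
    """Target state: every NHI secret held in the vault and rotated automatically."""
    return [replace(i, store="vault", manual_rotation=False) if i.kind == "service" else i for i in identities]

# Constructed sample inventory, not real data.
TODAY = date(2026, 6, 1)
INVENTORY = [
    Identity("alice", "human", "password", date(2026, 4, 15), "idp", "AD", False),
    Identity("bob", "human", "password", date(2026, 1, 1), "idp", "AD", False),
    Identity("svc-backup", "service", "password", date(2025, 11, 1), "config_file", "AD", True),
    Identity("ci-deploy", "service", "api_key", date(2026, 5, 20), "vault", "CloudIAM", False),
    Identity("web-tls", "service", "certificate", date(2025, 3, 1), "vault", "PKI", True),
    Identity("bot-token", "service", "token", date(2026, 4, 20), "ci_variable", "CloudIAM", True),
]
```

Compare `baseline(INVENTORY, TODAY)` with `baseline(modelled_after_state(INVENTORY), TODAY)`: the labour and secrets-outside-manager figures drop to zero in the target state, while the console count and the rotation backlog stay unchanged, which is the kind of gap a licence-only comparison would hide.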
Common Variations and Edge Cases
Tighter measurement often increases operational overhead at first, requiring organisations to balance visibility against the time needed to collect it. That tradeoff is real, especially in mixed environments where legacy directories, cloud IAM, and NHI tooling all report differently. Best practice is evolving here: there is no universal standard for identity modernisation baselines, so teams should focus on repeatable measures that can be compared before and after change.
For large estates, the biggest edge case is not human identity volume but machine identity sprawl. NHIMG research shows 96% of organisations store secrets outside secrets managers in vulnerable locations, and 80% of identity breaches involve compromised non-human identities. In that environment, measuring only human help desk effort misses the true cost centre. A more useful model includes service account sprawl, secret rotation failures, and the number of systems that depend on manual credential handling.
Teams should also distinguish between temporary project burden and structural inefficiency. A high refresh cadence may be necessary in a regulated environment, but if it is enforced manually across many consoles, it becomes a labour tax. That is where modernisation planning should shift from “How much does identity cost?” to “How much hidden work is identity absorbing to stay safe?”
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and unmanaged secrets drive hidden NHI cost and risk. |
| NIST CSF 2.0 | ID.IM-01 | Baseline measurement supports identity-related improvement tracking. |
| NIST CSF 2.0 | PR.AC-1 | Access administration effort reflects how well access is governed. |
Track identity operations metrics before and after modernisation to prove improvement.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org