Activity-based metrics create false comfort because they show motion, not entitlement quality. A fast provisioning process or a completed certification does not prove that access was right-sized, owned, or removed in time. When boards only see activity, they may assume identity is controlled even though exposure remains in place.
Why This Matters for Security Teams
Activity-based identity metrics are attractive because they are easy to report, but they often measure process throughput rather than actual exposure. A provisioning queue can move quickly while the underlying entitlement remains oversized, poorly owned, or never revoked. That gap is especially dangerous for NHI estates, where service accounts and API keys can persist long after the change ticket closes. In its Ultimate Guide to NHIs, NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts.
The problem is not that activity is useless. The problem is that activity alone cannot answer whether access was justified, bounded, and removed on time. Boards and security leaders may see successful reviews, completed rotations, or high certification completion rates and assume risk is under control. In reality, the identity may still carry excessive privilege, remain reachable from automation, or be shared across workloads with weak ownership. This is where metrics create false comfort: they can be accurate and still be misleading.
Current identity guidance from NIST SP 800-63 Digital Identity Guidelines emphasises assurance and binding, not just administrative completion, which is closer to the question security teams should be asking. In practice, many security teams encounter identity exposure only after a compromised secret or an over-permissioned account has already been used, rather than through intentional measurement of entitlement quality.
How It Works in Practice
To avoid false comfort, metrics need to shift from motion to outcome. That means measuring whether access is right-sized, attributable, time-bounded, and revoked when it should be. For NHIs, the useful questions are: who owns the identity, what workloads can use it, how long is it valid, what permissions are actually exercised, and whether the secret or token can be reused outside its intended context. The Top 10 NHI Issues and the 52 NHI Breaches Analysis both show the same pattern: exposure persists when lifecycle controls are weak, even if activity dashboards look healthy.
Practical metrics usually include both operational and risk-based signals:
- percentage of NHIs with named owners and business justification
- median time to revoke unused or orphaned credentials
- share of secrets rotated within policy window
- percentage of entitlements aligned to actual runtime use
- number of long-lived credentials still active in code, CI/CD, or config stores
These are more meaningful than raw counts of approvals, tickets closed, or certifications completed because they link process to exposure. For example, a completed access review is weak evidence if the reviewer cannot tell whether the workload still needs the privilege. Likewise, a rapid provisioning process is not a security win if it creates standing access that lasts for months. A better model is to pair activity metrics with entitlement verification and revocation evidence, then trend those outcomes over time.
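As an added example (not code from NHI Mgmt Group), the five outcome metrics listed above can be computed from an inventory of NHI lifecycle facts; the record fields, policy thresholds and sample identities below are constructed assumptions, and the `legacy-etl` record shows the case where a rotation job completed yet the orphaned credential is still valid.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

TODAY = date(2026, 6, 1)  # constructed reporting date

@dataclass
class NHI:
    """Lifecycle facts for one service account or API key (constructed fields)."""
    name: str
    owner: str | None          # accountable team, None if nobody owns it
    justification: str | None  # recorded business reason for the access
    granted: set               # permissions attached to the identity
    exercised: set             # permissions actually seen in runtime logs
    last_rotated: date         # when the secret was last rotated
    store: str                 # where the secret lives: vault, ci, repo, config
    orphaned_since: date | None = None  # first day no workload used it
    revoked_at: date | None = None      # None means the credential is still valid

def days_ago(n: int) -> date: return TODAY - timedelta(days=n)

INVENTORY = [  # constructed sample estate, not real data
    NHI("svc-billing", "payments", "nightly invoicing",
        {"s3:GetObject", "s3:PutObject", "iam:PassRole"}, {"s3:GetObject"}, days_ago(20), "vault"),
    NHI("ci-deployer", "platform", None, {"deploy", "read-secrets"},
        {"deploy", "read-secrets"}, days_ago(400), "ci"),
    # rotation ran 30 days ago (green dashboard) but nothing uses it and it is still valid
    NHI("legacy-etl", None, None, {"db:read", "db:write"}, set(), days_ago(30), "config", days_ago(60)),
    NHI("old-reporter", "data", "weekly report", {"bq:read"}, set(), days_ago(10), "vault",
        days_ago(45), days_ago(38)),
]

def entitlement_metrics(nhis, policy_days=90, long_lived_days=180) -> dict:
    """Outcome-based metrics; revoked identities only contribute to revoke latency."""
    active = [i for i in nhis if i.revoked_at is None]
    def age(i): return (TODAY - i.last_rotated).days
    def pct(part, whole): return round(100 * part / whole, 1) if whole else 0.0
    granted = sum(len(i.granted) for i in active)
    used = sum(len(i.granted & i.exercised) for i in active)
    latency = [(i.revoked_at - i.orphaned_since).days
               for i in nhis if i.orphaned_since and i.revoked_at]
    return {
        "pct_owned_with_justification": pct(sum(1 for i in active if i.owner and i.justification), len(active)),
        "median_days_to_revoke_orphaned": median(latency) if latency else None,
        "pct_rotated_within_policy": pct(sum(1 for i in active if age(i) <= policy_days), len(active)),
        "pct_entitlements_exercised": pct(used, granted),
        "long_lived_in_code_ci_config": [i.name for i in active
                                        if i.store in {"repo", "ci", "config"} and age(i) > long_lived_days],
        # the "green dashboard, red risk" case: orphaned but never revoked
        "orphaned_still_valid": [i.name for i in active if i.orphaned_since],
    }

if __name__ == "__main__":
    for key, value in entitlement_metrics(INVENTORY).items():
        print(f"{key}: {value}")
```

The rotation metric alone reports two of three active identities as compliant, while the orphaned-but-valid list exposes the credential that the activity view hides.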
For organisations pursuing stronger identity assurance, the NIST guidance above is useful because it separates identity events from trust in the identity itself. That distinction matters most when secrets are embedded in automation and humans never manually touch the access path. These controls tend to break down when identities are shared across pipelines and applications because ownership, runtime use, and revocation evidence become difficult to correlate.
Common Variations and Edge Cases
Tighter identity measurement often increases reporting overhead, requiring organisations to balance operational simplicity against security truth. That tradeoff is real, especially where legacy systems cannot emit reliable entitlement data or where service accounts are reused across multiple jobs. In those environments, activity metrics are still useful as a triage signal, but current guidance suggests they should never be treated as proof of control.
One common edge case is the “green dashboard, red risk” problem: teams track completed reviews, approvals, or rotation jobs while ignoring whether the underlying credential is still valid in downstream systems. Another is shared automation identities, where a single service account supports several pipelines. Activity may look healthy even though no one can prove which workload actually used the privilege. In that situation, the metric becomes an administrative artifact rather than a security measure.
Another practical complication is that some organisations optimise for cadence instead of quality. A monthly review can be worse than a slower but better-scoped review if it produces rubber-stamped approvals. Best practice is evolving, but the direction is clear: measure entitlement quality, revocation latency, and ownership clarity alongside activity. For deeper background, the Ultimate Guide to NHIs explains why visibility and lifecycle control matter more than activity alone in modern estates. In practice, false comfort usually appears when leaders report completion rates without testing whether any risky access actually disappeared.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Focuses on NHI inventory and ownership, not just activity. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access review aligns with entitlement quality. |
| NIST AI RMF | | Risk governance should evaluate outcomes, not activity proxies. |
Measure whether access is right-sized and revoked on time, not whether reviews were completed.
Related resources from NHI Mgmt Group
- When do IAST and RASP create a false sense of coverage for NHIs?
- Why do mover events create more identity risk than onboarding or offboarding?
- Why do disconnected apps create more identity risk than standardised SaaS applications?
- Who is accountable when privileged access spans VPNs, bastions, and identity-based tooling?
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org