Subscribe to the Non-Human & AI Identity Journal
Home Glossary Governance, Ownership & Risk Behavior, Likelihood, And Impact
Governance, Ownership & Risk

Behavior, Likelihood, And Impact

← Back to Glossary
By NHI Mgmt Group Updated July 9, 2026 Domain: Governance, Ownership & Risk

Three scoring dimensions that separate what an identity is doing, how likely it is to be compromised, and how much damage it could cause. Keeping the dimensions visible preserves explanation, which is essential when a score is used to change access or trigger response.

Expanded Definition

Behavior, likelihood, and impact are three separate scoring dimensions used to avoid collapsing NHI risk into a single opaque number. Behavior describes what the identity is doing now, such as unusual token use, privilege escalation, or atypical service-to-service calls. Likelihood describes how probable compromise is, based on factors like exposure, credential hygiene, and observed attack indicators. Impact describes the damage the identity could cause if abused, which depends on the privileges, systems, and data it can reach.

In NHI governance, this separation matters because the same action can mean different things depending on context. A service account with broad access but normal behavior may warrant a different response than a low-privilege identity showing suspicious activity. Industry usage is still evolving, and no single standard governs this yet, so teams should document how each dimension is calculated and when thresholds trigger access changes. For background on the wider NHI risk environment, see the Ultimate Guide to NHIs and the control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls.

The most common misapplication is averaging the three dimensions into a single score without preserving the underlying factors, which occurs when access reviews or detections need an explainable rationale.

Examples and Use Cases

Implementing this scoring rigorously often introduces governance overhead, requiring organisations to balance faster automation against the need for explainable decisions and consistent tuning.

  • A CI/CD service account starts making API calls outside its normal deployment window. Behavior rises first, while likelihood depends on whether the key is stored in a secrets manager or in code.
  • An integration token has low observed anomaly, but impact is high because it can write to production data. The score should reflect the blast radius, not just the current activity.
  • A workload identity shows repeated authentication failures from a new region. Likelihood increases because the pattern resembles credential theft, even before access is confirmed.
  • A shared automation account is used by multiple pipelines. Behavior is harder to attribute, so the model must be explicit about the reduced explainability and higher response uncertainty.

These examples align with the operational guidance in the Ultimate Guide to NHIs, especially where NHIs outnumber human identities by 25x to 50x and manual review becomes unsustainable. For identity assurance concepts and control mapping, practitioners often look to NIST SP 800-53 Rev 5 Security and Privacy Controls as a baseline reference, even though it does not define this exact scoring model.

Why It Matters in NHI Security

When organisations blur behavior, likelihood, and impact, they tend to overreact to harmless anomalies or underreact to high-risk identities with stable but dangerous privileges. That creates noisy detections, weak prioritisation, and poor decisions about rotation, revocation, and step-up controls. In NHI environments, where machine identities are often long-lived and widely distributed, this distinction is crucial for deciding whether an issue is a monitoring event, a containment event, or an immediate access crisis.

The risk is not theoretical. NHI Mgmt Group reports that only 5.7% of organisations have full visibility into their service accounts, which means many teams cannot reliably tell whether a score reflects actual compromise, broad exposure, or simply missing telemetry. The same guide also notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, reinforcing the need for explainable scoring rather than blunt thresholding. See the Ultimate Guide to NHIs for the broader governance context.

Organisations typically encounter the operational failure only after a key has been abused or a service account has moved laterally, at which point behavior, likelihood, and impact become operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Separates behavior, likelihood, and impact for explainable NHI risk scoring.
NIST CSF 2.0GV.RM-01Risk management needs transparent criteria for assessing and prioritizing identity threats.
NIST SP 800-63IAL/AALIdentity assurance concepts inform how confidence and impact are evaluated for credentials.
NIST Zero Trust (SP 800-207)AC-4Zero Trust decisions depend on explicit context, risk, and least-privilege enforcement.
NIST AI RMFMAP-RMRisk framing should separate observed behavior from likelihood and downstream harm.

Keep each scoring dimension visible and use it to drive access, rotation, and response decisions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org