Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber Security Loss Modelling
Cyber Security

Loss Modelling

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Cyber Security

Loss modelling is the process of estimating how much money a breach could cost under different attack scenarios. It combines direct technical recovery costs with legal, operational, and reputational impacts, which is why incomplete identity and access evidence makes estimates less reliable.

Expanded Definition

Loss modelling is the discipline of translating a likely NHI security event into an estimated financial outcome. In NHI and IAM environments, that means considering direct recovery costs, incident response labour, downtime, legal exposure, customer churn, regulatory impact, and the cost of restoring trust after compromise. It is closely related to risk quantification, but it is narrower in that it focuses on the monetary consequences of specific attack paths rather than broader qualitative risk scoring.

Definitions vary across vendors and risk programs, but in practice the model is only as credible as the evidence behind it. In NHI environments, the strongest inputs are inventory quality, privilege scope, token and secret hygiene, offboarding speed, and blast-radius assumptions. That is why identity telemetry and control evidence matter: without them, a model tends to understate the cost of lateral movement or prolonged secret exposure. For a governance baseline, the NIST Cybersecurity Framework 2.0 helps organisations connect asset visibility, protection, detection, and recovery to business impact. The most common misapplication is treating loss modelling as a one-time spreadsheet exercise, which occurs when teams estimate breach cost without current identity data, control maturity, or attack-path assumptions.

Examples and Use Cases

Implementing loss modelling rigorously often introduces uncertainty and data-collection overhead, requiring organisations to weigh sharper financial insight against the effort needed to maintain trustworthy inputs.

  • An engineering team estimates the cost of an API key compromise by combining incident response hours, service downtime, and customer notification expenses.
  • A security leader models the financial impact of a service account with excessive privilege after reviewing exposed secrets and weak rotation practices described in the Ultimate Guide to NHIs.
  • A compliance group assesses potential breach cost under regulatory investigation, using scenario-based assumptions rather than a single flat number.
  • An IAM team compares the expected loss from delayed offboarding against the operational cost of tighter revocation processes.
  • A board report estimates how a third-party NHI compromise could affect revenue, remediation, and reputational recovery.

These scenarios are more reliable when tied to evidence from identity inventories, secret stores, and access logs rather than broad industry averages. Where organisations use control baselines, mapping the scenario to NIST Cybersecurity Framework 2.0 functions can help show which losses are likely to be reduced by stronger detect and recover practices. The modelling question is not whether a breach costs money, but which attack path is most expensive under current NHI conditions.

Why It Matters in NHI Security

Loss modelling matters because NHI compromise often spreads beyond a single credential. A leaked token, overprivileged workload identity, or unrevoked API key can create persistent exposure that drives long-tail costs well after the initial intrusion. NHIMG reports that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, which makes financial estimation a governance issue rather than a theoretical exercise. The same guide also shows that only 20% of organisations have formal offboarding and revocation processes for API keys, which increases uncertainty when teams try to predict containment cost. That is why risk committees often need to model not just the breach itself, but the cost of delayed remediation, repeated exposure, and system-wide privilege cleanup.

Loss modelling also helps security leaders justify investment in visibility, rotation, and Zero Trust controls before an incident forces the issue. It turns abstract NHI weaknesses into a cost conversation that business leaders can act on. Organisations typically encounter the true value of loss modelling only after a stolen secret or compromised service account has triggered downstream cleanup, at which point the term becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-02Loss estimates depend on secret exposure and improper credential handling addressed here.
NIST CSF 2.0GV.RM-01Risk management includes understanding business impact and loss exposure from cyber events.
NIST Zero Trust (SP 800-207)PA-2Zero Trust relies on asset and identity context that improves breach impact estimation.
NIST AI RMFAI RMF treats risk as measurable harm, supporting scenario-based loss estimation.
OWASP Agentic AI Top 10A01Agentic systems can amplify damage when identities or tools are overexposed.

Quantify breach scenarios using secret exposure findings and prioritize remediation for exposed NHI credentials.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org