This research notes provides a foundation for how to measure non-human identity management platforms and projects.

The importance of metrics are not only for improvement. They help to communicate both risk and success to a broad array of stakeholders - some of which will be non-technical.

Metrics should aim to support coverage, performance and effectiveness objectives.

I. Security Posture and Risk Reduction

These metrics focus on tangible reductions in your non-human identity (NHI) attack surface.

1. Reduction in Over-Privileged Identities:

   • Metric: Percentage reduction in the number of NHIs with excessive or unused permissions (e.g., admin or root access).

   • Goal: Enforce the Principle of Least Privilege across the workload estate.