Ask most IAM teams how they prioritise identity risk and you’ll get some version of the same answer: work through the backlog, fix the misconfigurations, close the tickets. It’s a compliance mindset masquerading as a security strategy — and according to Orchid Security’s Chief Product Officer Tal Herman, it fundamentally misunderstands the nature of identity risk in modern enterprises.
The real problem isn’t that identity backlogs are too long. It’s that organisations are treating risk as a binary — configured or not configured — rather than as a compound, contextual exposure. And nowhere is this more dangerous than in the realm of non-human identities (NHIs).
Why NHIs Break Traditional Prioritisation Models
Human identity risk is relatively well-understood. A privileged admin account without MFA is obviously high priority. An inactive contractor account is a known risk pattern. But non-human identities — service accounts, API tokens, machine credentials, agent identities — introduce a layer of complexity that traditional prioritisation frameworks weren’t designed to handle.
NHIs are often created without clear ownership. They accumulate privileges over time as systems evolve. They rarely get cleaned up when a project ends. And critically, they’re frequently invisible to the IAM tools that govern human identities. A service account created three years ago to support a now-deprecated integration might still hold broad database permissions — and nobody knows it exists.
This is the raw material of breaches. Attackers — and, increasingly, autonomous AI agents — don’t attack the identities you’re watching. They attack the ones you’ve forgotten about.
Risk as a Compound Calculation
Herman’s framework treats identity risk across four dimensions: controls posture, identity hygiene, business context, and intent. The dangerous scenarios aren’t those where one dimension is weak — they’re where multiple weaknesses align to create a clean chain from entry to impact.
Consider a non-human identity scenario: a legacy service account (hygiene risk) with no MFA enforcement (controls gap) that has access to a business-critical payment system (high business context) and has been showing unusual access patterns for weeks (intent signal). Each factor alone might not trigger an alert. Together, they represent a critical exposure that should jump to the top of any remediation queue.
The lesson for NHI security is clear: prioritisation must be contextual. A missing control on a low-impact machine identity is not the same risk as the same gap on a service account tied to core infrastructure. Without business context layered on top of technical posture data, organisations will consistently misallocate their remediation effort — fixing the easy, visible problems while leaving the genuinely dangerous exposures untouched.
Getting Prioritisation Right for NHIs
Effective NHI risk prioritisation starts with visibility — you cannot prioritise what you cannot see. From there, organisations need to layer in ownership data (who is accountable for this identity?), access scope (what can it actually reach?), activity signals (is it behaving as expected?), and business criticality (what’s the blast radius if it’s compromised?).
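As an added illustration of the compound-risk framework described above and of the layered inputs just listed (ownership, access scope, activity, business criticality), the following Python script scores a small constructed inventory of non-human identities two ways: by counting individual findings (the "ticket" view) and by a multiplicative score across the four dimensions. This is example code written for this page, not Orchid Security's own scoring model; the field names, weights, the 0.1 floor and the sample inventory are all assumptions chosen to make the contrast visible.

```python
"""Compound NHI risk scoring over a constructed inventory (added example, not Orchid's model)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class NonHumanIdentity:
    # Hypothetical inventory record; field names are assumptions for this example.
    name: str
    owner_known: bool            # is someone accountable for this identity?
    days_since_rotation: int     # age of the credential or key
    strong_auth: bool            # MFA-equivalent for a machine: short-lived creds, workload attestation
    business_criticality: int    # 1 (low impact) .. 5 (core infrastructure / payments)
    anomaly_score: float         # 0.0 (behaving as expected) .. 1.0 (sustained unusual access)


def dimension_scores(nhi):
    """Map raw attributes onto the four dimensions, each in 0..1 (1 = worst)."""
    hygiene = (0.0 if nhi.owner_known else 0.5) + 0.5 * min(nhi.days_since_rotation / 730, 1.0)
    controls = 0.1 if nhi.strong_auth else 1.0
    context = nhi.business_criticality / 5
    intent = max(0.0, min(nhi.anomaly_score, 1.0))
    return {"hygiene": hygiene, "controls": controls, "context": context, "intent": intent}


def failed_checks(nhi):
    """The 'ticket' view: how many individual findings this identity generates."""
    findings = [
        not nhi.owner_known,
        nhi.days_since_rotation > 365,
        not nhi.strong_auth,
        nhi.anomaly_score > 0.5,
    ]
    return sum(findings)


def compound_score(nhi, floor=0.1):
    """Multiplicative score: high only when weaknesses line up across all dimensions.

    The floor (an assumed value) keeps one clean dimension from zeroing the score
    outright, so identities weak on three of four dimensions still rank above clean ones.
    """
    return prod(floor + (1 - floor) * s for s in dimension_scores(nhi).values())


def rank(inventory, key):
    """Names ordered from highest to lowest under the given scoring function."""
    return [n.name for n in sorted(inventory, key=key, reverse=True)]


# Constructed sample inventory (not real identities).
INVENTORY = [
    NonHumanIdentity("legacy-payments-svc", False, 1100, False, 5, 0.8),  # the scenario from the text
    NonHumanIdentity("report-cron", False, 900, False, 1, 0.0),           # many findings, low impact
    NonHumanIdentity("ci-build-token", True, 400, False, 2, 0.0),
    NonHumanIdentity("core-db-migrator", True, 90, False, 5, 0.6),        # one control gap on core infra
    NonHumanIdentity("backup-agent", True, 20, True, 5, 0.0),             # critical but clean
]

if __name__ == "__main__":
    print("ticket view  :", rank(INVENTORY, failed_checks))
    print("compound view:", rank(INVENTORY, compound_score))
    for n in INVENTORY:
        print(f"{n.name:22} findings={failed_checks(n)} compound={compound_score(n):.3f}")
```

Under the ticket view the low-impact `report-cron` (three findings) outranks `core-db-migrator` (one missing control plus an intent signal on a critical system); the compound view reverses them, which is the misallocation the text warns about. The legacy payments service aligned on all four dimensions tops both lists, but only the compound score shows how far ahead of everything else it sits.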
The organisations that get this right will move from reactive ticket-closing to proactive risk management. In a landscape where NHIs are multiplying faster than security teams can track them, that shift isn’t just desirable — it’s essential. (Source: Orchid Security)