Introducing the Risk Score Engine: identity risk you can quantify
Hear Ye, Hear Ye
Subscribe to Cloud Chronicles for the latest in cloud security!
TL;DR
- Permiso is launching the Risk Score Engine: a continuous, evidence-backed score from 0 to 100 for every identity in your environment.
- Every score breaks down across three dimensions, Behavior, Likelihood, and Impact, so two identities with the same score can still need different responses.
- Scores are built on the Universal Identity Graph and cover every identity type, human, non-human, and AI, not just the slice one tool happens to see.
- Score velocity tracks how fast a score is moving, because the rate of change is often the earliest sign something’s wrong.
- Organization Risk Scores roll everything into one board-ready number, benchmarked against your peers. It’s available now as part of the Permiso platform.
Today, Permiso is launching the Risk Score Engine: a model that assigns every identity in your environment a continuous, evidence-backed score from 0 to 100. It doesn’t just tell you an identity is risky. It tells you why, and what to do about it. Powered by Permiso’s Universal Identity Graph, the engine produces three outputs: Identity Risk Scores, Session Scores, and Organization Risk Scores.
Think of a credit score. It works because it’s continuous and it accounts for everything you owe. Leave out the mortgage and the auto loan, and the number stops meaning anything. Identity risk scoring has the same problem. Without a complete identity context, a score isn’t really a score. It’s just another alert with better branding, and that’s what most existing tools are.
Why can’t existing tools score identity risk accurately?
The fragmentation is structural. Every identity type is governed by a different program, with different tooling, and no shared risk model to tie them together. IGA platforms rank your human identities by privilege level, but they’ve never heard of the OAuth token your SaaS app grabbed last quarter, or the AI agent your dev team quietly connected to production. CIEM tools catch high-privilege cloud roles from static posture alone, with no idea what those roles actually did last night. ISPM vendors score whatever is in front of them; everything else simply doesn’t exist to the model.
Static scoring tells you what an identity has access to, not what it’s doing with that access, and that gap is where things go wrong. A domain admin who’s logged in from the same laptop for three years and one whose credential just showed up on an unfamiliar network at 3 a.m. can carry the exact same “high privilege” label. One is a Tuesday. The other might be a breach in progress. The same logic holds inside a single tool: an identity with PIM access isn’t inherently high-risk. One that reads PIM every 24 hours and quietly adds itself to global admin is. Coverage gaps don’t show up as missing data. They show up as false confidence.
Testimonials
“Before Permiso, we had no way to quantify identity risk across our environment in a single view. The Risk Score Engine changed that. We can now see exactly which identities carry the most risk, why, and how that risk is trending over time. It has fundamentally improved how we prioritize.”
Brian Salomon
Security Engineer at Yageo GroupHow does the Risk Score Engine measure identity risk?
Two identities can land on the exact same score for completely different reasons, and treating them the same would be a mistake. The Risk Score Engine breaks every identity down across three dimensions:
- Behavior looks at whether an identity is acting out of character, weighing runtime signals, live anomalies, and authentication context against its own baseline.
- Likelihood estimates whether an identity is actually compromised, weighing threat intelligence matches and indicators tied to known attacker tradecraft. It’s the difference between assessing what an identity could do and knowing whether someone’s already inside it.
- Impact scores how much damage a compromise would cause: the access it holds, the blast radius, and how far that reach extends across every connected environment.
Two identities can share a composite score and still need completely different responses, and the engine tells you which is which. Your team gets a reason and a next step, not just a ranked list.

How does the Risk Score Engine compute risk scores?
Every score blends static posture with live behavioral data: what an identity can do, and what it’s actually doing with that access right now. Most tools stop at configuration. Permiso watches runtime logs instead. If an identity holds 15 permissions but only ever touches six, Permiso knows, because it watched it happen. That runtime signal draws on more than 1,500 detection signals built by P0 Labs, Permiso’s in-house threat research team.
Every score is built on the Universal Identity Graph. A human identity isn’t just an Okta account or an EntraID login. It’s the local Snowflake account nobody remembers creating, the unfederated Slack access nobody’s tracking, the AWS IAM users someone spun up for a project, and the EC2 instances those users created, because those instances have identities of their own. The graph follows that entire chain, unifying human users, service accounts, API keys, OAuth tokens, IAM roles, and AI agents into one continuously updated map. So when an identity lands at the top of your risk queue, that ranking reflects everything the graph knows, not the slice one tool happened to notice.

What is a session risk score?
A credential compromise doesn’t look dangerous until the session actually starts moving. Session scores watch two things: Suspicion (is this session behaving strangely?) and Impact (what could it reach if it’s hostile?). An identity with a spotless track record can still jump straight to the top of the queue if its active session looks wrong, regardless of what its history says.
What is score velocity in identity security?
Score velocity measures how fast a risk score is moving, because the speed of change is itself a signal. An identity whose score jumps 40 points in 10 minutes is telling you something very different than one that’s been drifting upward for a quarter. Both are worth watching. Only one needs someone on it right now. The Risk Score Engine tracks both and tells you which is which.
What is an Organization Risk Score?
An Organization Risk Score rolls identity risk across your entire environment up into one trackable number. Permiso benchmarks it against the broader customer base, so when you bring it to the board, you’re not grading your own homework. You can see the score, see exactly how it was derived, and see exactly what would move it.
ISPM and CIEM tools rank what they can see: cloud entitlements usually, SaaS sometimes, non-human identities rarely, AI agents almost never. IGA platforms score the human identity lifecycle and stop there, even though non-human and AI identities now outnumber humans in most enterprise environments. The Risk Score Engine starts from a unified foundation, so when an identity surfaces at the top of your queue, that ranking accounts for every identity type, every environment, and every path it could actually take.
Testimonials
“We built the Risk Score Engine on top of the Universal Identity Graph because risk scoring without unified identity context is just another alerting system. When you can see every identity, trace how they connect across environments, and layer behavioral baselines with threat intelligence, you can compute a score that actually means something. That is what separates a risk score from a risk guess.”
Sanjeev Williams
SVP of Product at Permiso SecurityAvailable now
The Risk Score Engine is live now, as part of the Permiso platform. Learn more at permiso.io/risk-score-engine. See your identity risk scored across every dimension, every identity type, and every environment: request a demo.
Your board is going to ask the question. Now you have the answer.


