Today, Permiso is launching the Risk Score Engine: a model that assigns every identity in your environment a continuous, evidence-backed score from 0 to 100. It doesn’t just tell you an identity is risky. It tells you why, and what to do about it. Powered by Permiso’s Universal Identity Graph, the engine produces three outputs: Identity Risk Scores, Session Scores, and Organization Risk Scores.
Think of a credit score. It works because it’s continuous and it accounts for everything you owe. Leave out the mortgage and the auto loan, and the number stops meaning anything. Identity risk scoring has the same problem. Without a complete identity context, a score isn’t really a score. It’s just another alert with better branding, and that’s what most existing tools are.
The fragmentation is structural. Every identity type is governed by a different program, with different tooling, and no shared risk model to tie them together. IGA platforms rank your human identities by privilege level, but they’ve never heard of the OAuth token your SaaS app grabbed last quarter, or the AI agent your dev team quietly connected to production. CIEM tools catch high-privilege cloud roles from static posture alone, with no idea what those roles actually did last night. ISPM vendors score whatever is in front of them; everything else simply doesn’t exist to the model.
Static scoring tells you what an identity has access to, not what it’s doing with that access, and that gap is where things go wrong. A domain admin who’s logged in from the same laptop for three years and one whose credential just showed up on an unfamiliar network at 3 a.m. can carry the exact same “high privilege” label. One is a Tuesday. The other might be a breach in progress. The same logic holds inside a single tool: an identity with PIM access isn’t inherently high-risk. One that reads PIM every 24 hours and quietly adds itself to global admin is. Coverage gaps don’t show up as missing data. They show up as false confidence.
Two identities can land on the exact same score for completely different reasons, and treating them the same would be a mistake. The Risk Score Engine breaks every identity down across three dimensions:
Two identities can share a composite score and still need completely different responses, and the engine tells you which is which. Your team gets a reason and a next step, not just a ranked list.
Every score blends static posture with live behavioral data: what an identity can do, and what it’s actually doing with that access right now. Most tools stop at configuration. Permiso watches runtime logs instead. If an identity holds 15 permissions but only ever touches six, Permiso knows, because it watched it happen. That runtime signal draws on more than 1,500 detection signals built by P0 Labs, Permiso’s in-house threat research team.
Every score is built on the Universal Identity Graph. A human identity isn’t just an Okta account or an EntraID login. It’s the local Snowflake account nobody remembers creating, the unfederated Slack access nobody’s tracking, the AWS IAM users someone spun up for a project, and the EC2 instances those users created, because those instances have identities of their own. The graph follows that entire chain, unifying human users, service accounts, API keys, OAuth tokens, IAM roles, and AI agents into one continuously updated map. So when an identity lands at the top of your risk queue, that ranking reflects everything the graph knows, not the slice one tool happened to notice.
A credential compromise doesn’t look dangerous until the session actually starts moving. Session scores watch two things: Suspicion (is this session behaving strangely?) and Impact (what could it reach if it’s hostile?). An identity with a spotless track record can still jump straight to the top of the queue if its active session looks wrong, regardless of what its history says.
Score velocity measures how fast a risk score is moving, because the speed of change is itself a signal. An identity whose score jumps 40 points in 10 minutes is telling you something very different than one that’s been drifting upward for a quarter. Both are worth watching. Only one needs someone on it right now. The Risk Score Engine tracks both and tells you which is which.
An Organization Risk Score rolls identity risk across your entire environment up into one trackable number. Permiso benchmarks it against the broader customer base, so when you bring it to the board, you’re not grading your own homework. You can see the score, see exactly how it was derived, and see exactly what would move it.
ISPM and CIEM tools rank what they can see: cloud entitlements usually, SaaS sometimes, non-human identities rarely, AI agents almost never. IGA platforms score the human identity lifecycle and stop there, even though non-human and AI identities now outnumber humans in most enterprise environments. The Risk Score Engine starts from a unified foundation, so when an identity surfaces at the top of your queue, that ranking accounts for every identity type, every environment, and every path it could actually take.
The Risk Score Engine is live now, as part of the Permiso platform. Learn more at permiso.io/risk-score-engine. See your identity risk scored across every dimension, every identity type, and every environment: request a demo.
Your board is going to ask the question. Now you have the answer.