Ask a CISO how many critical vulnerabilities their organization carries, and they will pull up a dashboard. Ask about endpoint coverage, patch latency, or phishing failure rates, and they will give you a number.
Ask what their overall identity risk is, and what specifically is driving it, and the conversation changes. Most teams cannot answer it. Not because they lack tools, but because the identity security industry never built a real measurement system. Vulnerabilities got CVSS. Credit got FICO. Identity risk got a dropdown with three values: low, medium, and high.
That gap matters more now than at any point in the last decade. Identity has become the primary attack surface, and most breaches now involve compromised credentials rather than malware. Meanwhile, service accounts, API keys, OAuth grants, and IAM roles already outnumber employees in most enterprises, and AI agents are being deployed on top of all of it, authenticating and acting at machine speed. The asset class grew faster than anyone's ability to measure the risk it carries.
You cannot prioritize what you cannot compare. You cannot report progress on what you cannot quantify. And you cannot manage what you cannot score.
The most common approach to identity risk today is the static label. An identity gets classified once, usually based on privilege level, and keeps that classification until someone remembers to review it.
The problem is that static labels describe what an identity is allowed to do, not what it is doing. A domain admin who has behaved identically for three years and a domain admin whose credential just authenticated from an unfamiliar network at 3 a.m. carry the same label. One of them is business as usual. The other might be an active breach. The tier cannot tell you which.
Static classification also ages badly. Permissions accumulate, roles change, projects end, and the label stays. Most organizations that finally get visibility into actual permission usage discover that a large share of granted access is never used at all. The tier system quietly misstates the entire risk picture.
The other common approach swings to the opposite extreme: treat every detection as its own event and triage the queue. This at least looks at behavior, but it fails at scale for a reason every SOC analyst knows personally. Alerts arrive as isolated data points with no cumulative memory.
An identity that triggers one medium-severity alert today, another tomorrow, and a third next week looks like three routine tickets. Viewed as a sequence attached to one identity whose risk is compounding, it looks like exactly what it often is: a slow-moving compromise. Alert-driven triage has no way to hold that context, because the unit of work is the alert, not the identity.
The result is a strange industry blind spot. One approach ignores behavior entirely. The other drowns in behavior without accumulating it. Neither produces what security leaders actually need: a number that reflects the current, evidence-backed risk of every identity.
Other industries solved measurement problems like this long ago. Credit scoring is the obvious reference point: FICO turned subjective lending judgments into a continuous, comparable, evidence-backed number. But the lesson isn't the score itself, it's the properties that made it work.
A meaningful identity risk score needs three of them.
Continuous. The score updates when behavior changes, not when a quarterly review happens to run. An identity's risk on Tuesday afternoon should reflect what it did Tuesday morning.
Multi-dimensional. A single number hides more than it reveals. Two identities can carry the same composite score for completely different reasons, one because it holds enormous privilege, the other because its behavior just deviated sharply from baseline. Those two situations demand different responses, so the score has to expose its dimensions, not just its total.
Evidence-backed. Every score should decompose into the specific signals that produced it. A score an analyst cannot explain is a score a security program cannot defend, not to auditors, not to the board, and not to the engineer whose access is about to be restricted.
This is the model Permiso built. The Risk Score Engine, launching as part of the Permiso platform, assigns every identity in the environment a continuous score from 0 to 100, computed across three dimensions: Behavior (is this identity doing something unusual), Likelihood (is this identity likely compromised), and Impact (how much damage could this identity cause).
The engine draws on two layers of evidence. Static posture covers what the identity can do: privilege levels, credential hygiene, entitlement scope. Runtime signals cover what it is doing: behavioral anomalies, threat intelligence matches, authentication context. Both layers run through the Universal Identity Graph, which correlates identity activity across IdPs, cloud accounts, SaaS, and infrastructure, and through 1,500+ detection signals built from P0 Labs threat research.
Three outputs come from the same model. Identity Risk Scores rank every identity so teams work from the top of the risk list instead of the top of the alert queue. Session Scores rate active sessions on suspicion and impact, so the SOC can triage what is happening right now. Organization Risk Scores roll everything into a single tenant-level number with peer benchmarking, finally giving CISOs an identity risk metric they can track quarter over quarter and take to the board.And critically, every identity type runs through the same model. Human users, service accounts, API keys, OAuth tokens, IAM roles, and AI agents all land on the same 0 to 100 scale. As agents become the fastest-growing identity class in the enterprise, scoring them with the same rigor as everything else stops being a nice-to-have and becomes the whole point of unified measurement.
Here is where scoring stops being a dashboard and starts being a defense. A risk score of 74 is information. A score that jumped from 41 to 74 in under an hour is an emergency, even though neither individual event along the way looked alarming on its own.
Sophisticated identity attacks are built from individually plausible actions: a new login location, an access grant, a data pull that is large but not impossible. Each step slides under alert thresholds. But the cumulative movement of a single identity's score, measured against a long stable baseline, is very hard to disguise. The rate of change is itself the signal.
Score velocity gives security teams an enforcement trigger that individual detections cannot provide. A sharp spike can drive step-up authentication, restrict an identity's access scope, or freeze a session while an analyst investigates, before the sequence reaches its objective. That is the shift from "we tell you what happened" to "we tell you in real time how much to trust this identity, and we can prove why."
There is a management truism that what gets measured gets managed. Identity security has been the exception for years, not because the risk wasn't real, but because the measurement didn't exist.
Continuous, evidence-backed scoring changes the daily mechanics of a security program. Prioritization becomes ranked instead of reactive. Board reporting gets a trend line instead of an anecdote. Remediation gets validated by watching a score drop instead of assuming a ticket closed the gap. And the growing population of non-human and AI identities gets held to the same measurable standard as everyone else.
The Permiso Risk Score Engine is available now as part of the Permiso platform. Learn more at permiso.io/risk-score-engine.
What is identity risk scoring?
Identity risk scoring is the practice of assigning every identity in an environment a continuous, quantifiable risk value based on both its posture (what it can do) and its runtime behavior (what it is doing). It replaces static risk tiers and alert-by-alert triage with a comparable, evidence-backed measurement across all identity types.
How is the Permiso Risk Score Engine different from static risk classification?
Static classification assigns a fixed tier based mostly on privilege and rarely updates. The Risk Score Engine computes scores continuously on event triggers, combines static posture with live behavioral signals, and exposes three dimensions (Behavior, Likelihood, Impact) so teams know not just how risky an identity is, but why and what to do about it.
Does the Risk Score Engine cover non-human and AI identities?
Yes. Human users, service accounts, API keys, OAuth tokens, IAM roles, and AI agents are all scored with the same model on the same 0 to 100 scale, unified through Permiso's Universal Identity Graph. AI agents, the fastest-growing identity class in the enterprise, are treated as first-class identities rather than a separate category.
What is score velocity and why does it matter?
Score velocity is the rate at which an identity's risk score changes. A compromise often unfolds as a sequence of individually plausible actions that never trip an alert, but the cumulative score movement from a stable baseline is an unmistakable signal. Velocity thresholds can trigger real-time responses such as step-up authentication or access restriction before an attack completes.
Can CISOs use identity risk scores for board reporting?
Yes. The Organization Risk Score rolls identity risk into a single tenant-level metric with peer benchmarking, giving security leaders a trackable, comparable number for quarter-over-quarter reporting, program justification, and communicating identity risk to the board in business terms.