Identity Risk Is the New Security Metric

The 105th Edition of the Identity Jedi Newsletter

Hey Jedi, welcome to the 105th Edition of the Identity Jedi Newsletter! This week we are talking risk, CyberArk’s strong numbers, AI security, and passkeys.

Let’s get to the Good Stuff

Let’s Talk Identity Risk

Let’s talk about what actually gets attention in the boardroom:

Risk.

Not entitlements. Not provisioning times.

Risk.

And for years, we’ve let the IAM space operate without meaningful risk metrics.

We track technical things. We generate beautiful PowerPoint slides.

But ask yourself:

Can I show our top 5 identity risks in under 30 seconds?

Can I quantify the impact of that last certification campaign?

Can I prove our privileged access policy made us safer?

For most identity leaders, the answer is no.

And that’s a problem.

So in this edition, I’m breaking down why identity risk is becoming the core metric CISOs care about—and how your program can start reporting like security, not just IT.

Let’s dig in 👇🏽

Why Identity Risk Is the Metric That Matters

Every major breach in the last 24 months has had one thing in common—access.

And while the SOC monitors lateral movement, and IT tracks entitlements, identity teams often sit in the middle, quietly holding the keys… with no map.

It’s time to change that.

Identity metrics that matter in 2025

  • Number of accounts with standing privileged access

  • Dormant identities with active access

  • Orphaned accounts by system

  • Percentage of access certified vs. revoked

  • % of lifecycle actions automated

  • Identity risks resolved vs. discovered

Notice the shift?

It’s not just what you did. It’s what changed because of it.

How to Operationalize Identity Risk

Want to start speaking risk fluently?

Here’s how to make the shift:

Reframe every IAM initiative as a risk-reduction play.

Provisioning faster? That’s reducing excessive access windows.

Improving role design? That’s eliminating privilege creep.

Work with your risk and GRC teams.

Most have identity risk metrics—they’re just buried in audit logs or spreadsheets. Partner with them.

Start with low-hanging metrics.

If you don’t have ISPM, you can still build heat maps, dashboards, and risk counts from your current IGA tool.

Tie every report to a potential business impact.

“25 dormant accounts with access to customer data” hits differently than “25 accounts were deprovisioned late.”

Try This: Identity Risk Heat Map

If you’re not sure where to start, try this simple internal heat map exercise:

  1. List your top 10 applications by user count or data sensitivity.

  2. For each one, ask:

    • Who owns access decisions?

    • When was the last access review?

    • How many accounts haven’t logged in in 90 days?

    • Do we monitor for abnormal access behavior?

The redder that chart gets… the louder your voice becomes in security meetings.
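One way to turn the four questions into a scored chart, as an added example that is not from the newsletter or from any IGA product. The field names, the 180-day review interval, the green/amber/red cut-offs, and the sample inventory are all assumptions constructed for illustration; only the 90-day dormancy threshold comes from the exercise.

```python
from datetime import date

DORMANT_DAYS = 90          # threshold taken from the exercise
REVIEW_MAX_AGE_DAYS = 180  # assumption: the exercise names no review interval

# Constructed sample inventory (hypothetical apps and dates, not real data).
# last_logins holds one entry per account; None means the account never logged in.
APPS = [
    {"name": "crm", "owner": "sales-ops", "last_review": date(2025, 3, 1),
     "monitored": True,
     "last_logins": [date(2025, 5, 1), date(2025, 4, 20), date(2024, 12, 1)]},
    {"name": "payroll", "owner": None, "last_review": None,
     "monitored": False,
     "last_logins": [date(2025, 1, 5), None, date(2025, 5, 10)]},
    {"name": "wiki", "owner": "it", "last_review": date(2025, 4, 15),
     "monitored": True, "last_logins": [date(2025, 5, 12)]},
]

def dormant_count(last_logins, today):
    """Count accounts with no login in the last DORMANT_DAYS days."""
    return sum(1 for d in last_logins
               if d is None or (today - d).days >= DORMANT_DAYS)

def score_app(app, today):
    """Return one finding per question from the exercise that fails."""
    findings = []
    if not app["owner"]:
        findings.append("no access owner")
    review = app["last_review"]
    if review is None or (today - review).days > REVIEW_MAX_AGE_DAYS:
        findings.append("access review missing or stale")
    dormant = dormant_count(app["last_logins"], today)
    if dormant:
        findings.append(f"{dormant} dormant account(s)")
    if not app["monitored"]:
        findings.append("no abnormal-access monitoring")
    return findings

def heat_map(apps, today):
    """Rows of (app, color, findings), reddest first; cut-offs are assumptions."""
    colors = {0: "green", 1: "amber"}  # two or more findings -> red
    rows = [(a["name"], colors.get(len(f), "red"), f)
            for a in apps for f in [score_app(a, today)]]
    return sorted(rows, key=lambda row: -len(row[2]))

if __name__ == "__main__":
    for name, color, findings in heat_map(APPS, date(2025, 5, 15)):
        print(f"{name:8} {color:6} {'; '.join(findings) or 'ok'}")
```

Feed it an export from your current IGA tool in place of the constructed list, and keep the findings text next to each color so the report names the risk instead of only the score.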

A MUST READ

I absolutely loved this article by Nishant Kaushik! My summary wouldn’t even do it justice; trust me, you’ll want to read it!

Industry News

CyberArk Reports Strong Q1 2025 Earnings Amid Subscription Model Shift

UK Government to Implement Passkey Technology Across Digital Services

Okta Introduces Security Tools for Generative AI Systems

Podcasts

The Last Word

SEASON THREE IS LIIIIVE! That’s right, we’re back for Season Three of the Identity Jedi Show podcast. Make sure to check it out, AND we are weeks away from Identiverse! And yes, there are plans in place. It’s not quite official yet, but here’s what I can say: there will be an exclusive Identity Jedi Event happening at Identiverse, in partnership with Saviynt. The sign-up page is being baked RIGHT NOW, but because you are my people, I’m going to give you early access. Just reply to this email with “I’m In!” and we’ll reach out and ensure you are on the VIP list.

See you in Vegas, friends!

Be Good to each other, Be Kind to each other, Love each other

David
