Automate access, reduce risk, and stay audit-ready
Last updated: June 22, 2026
Every CISO eventually faces the same boardroom question. The security team spends months identifying risk, prioritizing it, and reporting progress, and the directors ask the one question that descriptive labels cannot answer:
Are we actually reducing identity risk, and by how much?
Words like "high," "medium," and "improving" cannot be ranked, compared, or audited, which leaves the answer indefensible either way.
Identity Risk Score changes that. Instead of relying on qualitative ratings, it assigns a calculated numerical value to every account, identity, application, and ultimately the organization itself. The score is built from the ground up, remains fully traceable to its source, and provides a measurable way to quantify identity-related risk.
It is what risk quantification looks like when applied to identity directly, rather than adapted from traditional vulnerability-scoring models.
Labels like "high" and "medium" have been the working vocabulary of identity risk management for years, but they fail in the areas security leaders now have to get right.
When a security team finds more risky accounts than they can realistically remediate within a quarter, words give no way to choose between them because every account in the "high" bucket looks equally urgent. A real score sorts the same group by actual exposure, so the team's time goes to the accounts where the impact is biggest.
Boards and auditors now expect evidence that controls are improving over time, and improvement is only meaningful when you can measure it against a previous baseline. A risk score that decreases quarter over quarter demonstrates progress. A label that shifts between "high" and "medium" remains subjective and difficult to defend.
The board does not think in terms of entitlements, service accounts, or certification campaigns. They respond to measurable outcomes. A numerical score paired with a defined target enables CISOs to communicate identity risk in language executives already understand.
Regulatory expectations continue to increase worldwide. Security leaders are expected to demonstrate that governance controls are operating effectively and consistently. A measurable, repeatable identity risk management process creates an auditable record that supports accountability and strengthens governance oversight.
The Identity Risk Score (IRS) methodology starts at the smallest unit of risk and builds up through four more layers until it reaches one enterprise number. Every factor that shapes the final score stays visible to the team running the platform.
| Factor | Purpose |
|---|---|
| App Tier | How critical the application is |
| User Type | Employee, contractor, guest, or external user |
| Privileged Access | Whether the account has admin rights |
| Identity Type | Human or non-human identity |
| PII Access | Whether the account accesses sensitive personal data |
| NHI Control Category | The type of machine identity |
| UAR Staleness | How recently the last access review was completed |
The table is a reference. The reason each factor matters is explained inside the levels below, where it actually does its work.
Each account receives a score on its characteristics and associated risk factors. The most important design decision in the model is that these factors multiply rather than add together, which means a contractor with admin rights to a critical application is not just a bit riskier than an employee with the same permission. The contractor is several times more dangerous because the combination itself creates a level of risk that none of the factors carry on their own.
The User Access Review (UAR) lag factor turns access reviews from a calendar task into a real lever in the wider access risk scoring model. A completed review lowers the account's contribution to the score right away, and an overdue one raises it, which gives the team a direct reason to keep certification work current.
Most users interact with multiple accounts. Privileged administrators, contractors, and machine identities often have access across many systems.
The second level combines all accounts belonging to the same human or non-human identity into a single identity-level score. Identity governance metrics at this level weigh an identity's riskiest accounts the most, then compress the total through a bounded scale, so a handful of dangerous accounts cannot be diluted by dozens of harmless ones while the result still reflects total exposure rather than only the single worst account.
Each application has many user accounts with different risk levels, and the application score reflects the riskiest group inside that population rather than the average. Attackers do not target averages. They target the weakest accounts holding access to the most valuable systems, so an average-based score would consistently understate the exposure that actually matters.
This gives the team one comparable measure of identity security posture for every application across the estate, including ones sitting behind different identity providers or under different ownership.
Departments group identities under the manager responsible for them, which turns the department score into a manager-level governance metric: how well does each leader control the access of their team, and where do the patterns of risk show up across the organization? This is one of the few identity governance metrics that ties a measurable outcome to a named non-security owner.
The final layer rolls risk up from the application level into a single enterprise-wide score.
Application-level roll-up matches how attackers approach a target, how most regulations are organized, and how accountability is assigned inside large organizations.
CISOs see one number for the whole estate and can drill down from it through every layer to the exact account that drove the result.
The most important choice at the account level, where every score originates, is that risk factors multiply the base score rather than add to it. Every level above account uses a different aggregation method: logarithmic scaling for identities, peak-weighted averaging for applications, and criticality-weighted averaging for the enterprise number.
An additive approach treats each factor as a separate contribution, which produces scores that look reasonable on paper but consistently miss the dangerous edge cases in practice. Multiplication matches how experienced security practitioners reason about the same accounts by hand, where a contractor with privileged access to a critical system raises far more concern than additive math would suggest. The model turns that intuition into a repeatable calculation, which is what putting a real number on identity risk needs to deliver if the score is going to stand up to audits and board questions.
What sets this identity risk score apart from most others is that every number on screen carries the math behind it. Clicking any score shows the accounts that contributed, the factors that applied, and the reviews that are overdue right now.
This matters most under audit. When an outside assessor asks why a particular user holds a score in the high band, the answer is not that the system produced it. It is that four specific factors applied, three specific accounts contributed most of the risk, and one specific review has been overdue for several weeks. The assessor moves on, the team holds the story, and the record is defensible with real evidence rather than just claims.
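To make the multiplicative account level, the roll-up above it, and the drill-down behind each number concrete, here is an added example in Python. It is not Identity Confluence's code and not code from the page: the page names the seven factors and the aggregation style of each level but none of the constants, so the base score, the multipliers, the 90-day review cycle, the log-sum-exp temperature used for the identity level and the 70/30 peak blend used for applications are all assumptions chosen for the illustration, and departments, for which the page names no method, reuse the peak-weighted average. The additive alternative is included so the contractor-with-admin-on-a-critical-app case can be compared directly, and `drill_down` returns the factors and overdue reviews behind one application's score, which is the traceability the audit conversation depends on.

```python
# Added illustration of the roll-up described above; not Identity Confluence's code. The page
# names the factors and each level's aggregation style but no constants, so every value is assumed.
import math
from collections import defaultdict
from dataclasses import dataclass

BASE_SCORE, SCORE_CAP = 10.0, 100.0  # assumed 0-100 scale (the page puts the medium band below 40)
REVIEW_PERIOD_DAYS = 90              # assumed certification cycle used for UAR staleness
IDENTITY_TEMPERATURE = 10.0          # assumed; lower lets the riskiest account dominate more
APP_TIER = {"critical": 3.0, "important": 2.0, "standard": 1.0}  # assumed factor multipliers
USER_TYPE = {"employee": 1.0, "contractor": 1.5, "guest": 2.0, "external": 2.0, None: 1.0}
IDENTITY_TYPE = {"human": 1.0, "non-human": 1.3}
NHI_CATEGORY = {None: 1.0, "service-account": 1.2, "api-key": 1.5, "workload": 1.1}

@dataclass(frozen=True)
class Account:
    identity: str
    app: str
    department: str
    app_tier: str
    user_type: str          # None for machine identities
    privileged: bool
    identity_type: str
    pii_access: bool
    nhi_category: str       # None for human identities
    days_since_review: int  # UAR staleness

def uar_factor(days):
    """A current review lowers the contribution; each overdue cycle raises it, capped at 2.0."""
    if days <= REVIEW_PERIOD_DAYS:
        return 0.8
    return min(2.0, 1.0 + 0.25 * math.ceil((days - REVIEW_PERIOD_DAYS) / REVIEW_PERIOD_DAYS))

def account_factors(a):
    return {"app_tier": APP_TIER[a.app_tier], "user_type": USER_TYPE[a.user_type],
            "privileged": 2.5 if a.privileged else 1.0, "identity_type": IDENTITY_TYPE[a.identity_type],
            "pii_access": 1.5 if a.pii_access else 1.0, "nhi_category": NHI_CATEGORY[a.nhi_category],
            "uar_staleness": uar_factor(a.days_since_review)}

def account_score(a):
    """Level 1: factors multiply the base. The factor dict travels with the score for drill-down."""
    factors = account_factors(a)
    return min(SCORE_CAP, BASE_SCORE * math.prod(factors.values())), factors

def additive_account_score(a):
    """The additive alternative the page argues against: each factor adds only its excess over 1.0."""
    return min(SCORE_CAP, BASE_SCORE * (1.0 + sum(f - 1.0 for f in account_factors(a).values())))

def identity_score(scores):
    """Level 2: log-sum-exp of the identity's accounts. The riskiest account dominates; each extra
    account adds a bounded logarithmic increment, so harmless accounts cannot dilute a dangerous one."""
    t, m = IDENTITY_TEMPERATURE, max(scores)
    return min(SCORE_CAP, m + t * math.log(sum(math.exp((s - m) / t) for s in scores)))

def peak_weighted(scores, top_share=0.7):
    """Levels 3 and 4: mean of the riskiest quarter blended 70/30 with the overall mean, so the
    weakest accounts on a system set its score rather than the average."""
    ordered = sorted(scores, reverse=True)
    k = max(1, math.ceil(len(ordered) / 4))
    return top_share * sum(ordered[:k]) / k + (1 - top_share) * sum(ordered) / len(ordered)

def enterprise_score(app_scores, app_tiers):
    """Level 5: application scores averaged with weights taken from application criticality."""
    weights = {app: APP_TIER[app_tiers[app]] for app in app_scores}
    return sum(app_scores[app] * w for app, w in weights.items()) / sum(weights.values())

def roll_up(accounts):
    """Builds every level from the accounts and keeps per-account detail so any number is traceable."""
    rows, by_identity, by_app, by_dept, tiers = [], defaultdict(list), defaultdict(list), defaultdict(set), {}
    for a in accounts:
        score, factors = account_score(a)
        rows.append({"account": a, "score": score, "factors": factors})
        by_identity[a.identity].append(score)
        by_app[a.app].append(score)
        by_dept[a.department].add(a.identity)
        tiers[a.app] = a.app_tier
    identities = {i: identity_score(s) for i, s in by_identity.items()}
    apps = {app: peak_weighted(s) for app, s in by_app.items()}
    depts = {d: peak_weighted([identities[i] for i in ids]) for d, ids in by_dept.items()}
    return {"accounts": rows, "identities": identities, "applications": apps,
            "departments": depts, "enterprise": enterprise_score(apps, tiers)}

def drill_down(result, app, top=3):
    """The audit answer for one application: which accounts drove it, which factors applied,
    and which reviews are overdue right now."""
    rows = sorted((r for r in result["accounts"] if r["account"].app == app),
                  key=lambda r: r["score"], reverse=True)
    return [{"identity": r["account"].identity, "score": round(r["score"], 1), "factors": r["factors"],
             "review_overdue": r["account"].days_since_review > REVIEW_PERIOD_DAYS} for r in rows[:top]]

# Constructed sample population (not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", "payroll", "finance", "critical", "employee", False, "human", True, None, 30),
    Account("bob", "payroll", "finance", "critical", "contractor", True, "human", True, None, 200),
    Account("carol", "wiki", "engineering", "standard", "employee", False, "human", False, None, 10),
    Account("carol", "build", "engineering", "important", "employee", True, "human", False, None, 60),
    Account("svc-deploy", "build", "engineering", "important", None, True, "non-human", False, "service-account", 400),
    Account("dave", "wiki", "engineering", "standard", "guest", False, "human", False, None, 100),
]
```

Running `roll_up(SAMPLE_ACCOUNTS)` shows the design choices at work: the constructed contractor account with admin rights, PII access and an overdue review on a critical application hits the 100 cap under multiplication but scores only 60 under the additive variant, which is exactly the edge case the text says additive math understates; the identity that holds one 40-point account and one 8-point account lands just above 40, because the log-sum-exp lets the harmless account register without diluting the risky one; and `drill_down(result, "payroll")` returns the two contributing accounts with their factor values and overdue flags, so the number can be defended rather than merely reported.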
The model sets one clear improvement goal: to reduce the enterprise score below 40, the medium risk band, within twelve months of full deployment.
That is the point where the worst accounts have been cleaned up, the worst applications tightened, the most exposed identities reviewed, and manager-level governance settled into a steady pattern across departments.
Reaching that point is not a finish line, since identity environments keep changing. It is a steady, defensible state where the score is documented, repeatable, and measurable against every future audit cycle. The identity governance metrics feeding it stop being a one-time check and start working as a real posture.
Identity Risk Score is the measurement layer that sits on top of every governance action Identity Confluence takes. Every certification campaign, every ownership change, every revocation feeds back into the score. Completed reviews flow into the Evidence Center as audit-ready proof, and even applications without a direct integration enter the governance perimeter through the disconnected application workflow. The score moves visibly as the work happens.
This is what identity security posture looks like when identity risk scoring is built into the platform from the start, rather than added on later as a reporting layer.
