Security teams invest millions in identity and access management tools, yet most can't answer basic questions: What percentage of our privileged accounts use phishing-resistant MFA? How quickly do we revoke access after termination? Which service accounts haven't rotated credentials in 90+ days?
Without clear IAM metrics, organizations operate blind—unable to demonstrate compliance, justify investments, or more importantly, prevent the credential-based attacks that dominate today's breach landscape. This guide provides the key metrics, formulas, and benchmarks that transform identity security from guesswork into measurable, continuous improvement.
Executive summary
Identity and Access Management (IAM) metrics provide the quantifiable foundation for security posture assessment and continuous improvement. The most critical metrics organizations should track include:
- MFA coverage
- Phishing-resistant MFA adoption
- Legacy authentication rates
- SSO adoption
- Time-to-deprovision (TTDv)
- Orphaned account rates
- Just-in-time (JIT) privileged access coverage
- Non-human credential rotation compliance
- Risky sign-in rates
- Account takeover (ATO) incident response times
- Mean Time to Contain (MTTC)
These metrics enable organizations to measure progress toward Zero Trust principles, demonstrate compliance with frameworks like NIST SP 800-63 and PCI DSS v4.0, and most importantly, reduce the likelihood of credential-based breaches—which remain the leading attack vector in enterprise compromises.
Why IAM metrics matter: Standards and risk context
The importance of IAM metrics extends far beyond compliance checkboxes. They represent the measurable difference between security theater and actual reduction of security risks.
NIST SP 800-63 establishes the foundational framework for digital identity, defining Authentication Assurance Levels (AAL) and Federation Assurance Levels (FAL) that translate directly into measurable security requirements. The framework's emphasis on phishing-resistant authenticators at AAL2 and AAL3 provides clear targets for MFA adoption metrics.
Key NIST SP 800-53 controls map directly to IAM metrics:
- AC-2 (Account Management): Drives orphaned account and time-to-deprovision metrics
- AC-5 (Separation of Duties) and AC-6 (Least Privilege): Underpin privileged access metrics
- IA-2 (Authentication) and IA-5 (Authenticator Management): Define MFA coverage and authenticator lifecycle requirements
NIST SP 800-207's Zero Trust Architecture elevates continuous verification from nice-to-have to essential, while CISA's Zero Trust Maturity Model provides a roadmap for advancing from initial to optimal implementations. For federal agencies, OMB M-22-09 mandates phishing-resistant MFA, setting a clear precedent for all organizations handling sensitive data.
According to the Verizon 2025 Data Breach Investigations Report, credential abuse remains the primary initial access vector in successful breaches. This isn't changing—it's accelerating. Organizations that can't answer basic questions like "What percentage of our privileged accounts use phishing-resistant MFA?" or "How quickly do we deprovision access after termination?" are operating blind in a threat landscape where adversaries move in hours, not days.
Metric taxonomy and definitions
For each metric below, we provide clear definitions, practical formulas, target benchmarks aligned to industry standards, and recommended reporting cadences. These metrics are organized into four critical domains that span the complete identity lifecycle and security posture.
A. Identity hygiene and lifecycle
Orphaned account rate
- Definition: Active accounts with no current owner or valid business justification, divided by total active accounts.
- Formula: (Active accounts without valid owner) ÷ (Total active accounts) × 100
- Target: 0% for all accounts; maximum 1% during transition periods
- Data sources: Identity provider (IdP), IGA platform, HRIS systems
- Reporting cadence: Weekly operational review; monthly governance reporting
Orphaned accounts represent standing risk—each one is a potential backdoor that bypasses your entire security architecture. These typically emerge from incomplete offboarding, contractor transitions, or service account sprawl.
Dormant account rate
- Definition: Accounts showing no interactive sign-in activity for a defined period, segmented by human vs. non-human identities.
- Formula: (Accounts with no sign-in > N days) ÷ (Total accounts) × 100
- Targets:
- Human accounts: Auto-disable after 90 days inactive
- Service accounts: Documented exception or 180-day review cycle
- Data sources: IdP sign-in logs, PAM solutions
- Reporting cadence: Monthly review with automated alerting for threshold violations
Time-to-Provision (TTPv) and Time-to-Deprovision (TTDv)
- Definitions:
- TTPv: Median time from approved access request to active account
- TTDv: Median time from effective termination/transfer to complete access revocation
- Formula: TTDv = Median(Access revocation timestamp - HR termination timestamp)
- Targets:
- TTDv ≤ 24 hours for standard accounts
- TTDv ≤ 4 hours for privileged roles
- Same-day for critical/high-risk positions
- Data sources: HRIS, ticketing systems, IGA audit logs
- Reporting cadence: Weekly ops; monthly trending; quarterly executive briefing
The 24-hour TTDv benchmark aligns with NIST's RMF assessment cases for AC-2 timeliness, recognizing that terminated users with active access represent an immediate insider threat risk.
Unique‑ID coverage (no shared IDs)
- Definition: Percentage of users authenticating with unique, individual identities rather than shared accounts.
- Formula: (Users with unique IDs) ÷ (Total users) × 100
- Target: 100% with documented, time-boxed exceptions
- Data sources: IdP user directories, PAM solutions, application audit logs
- Reporting cadence: Quarterly compliance review
Third‑party/vendor identity coverage
- Definition: External partners and vendors properly provisioned in identity systems with appropriate controls.
- Formula: (Vendors in IdP with MFA + time-boxed access) ÷ (Total vendor accounts) × 100
- Targets:
- 100% in centralized IdP
- 100% MFA enforcement
- 100% time-boxed access reviews
- Data sources: Vendor management systems, IdP, IGA platforms
- Reporting cadence: Monthly operational; quarterly business review
B. Authentication and federation
MFA coverage (workforce and privileged)
- Definition: Active users with MFA enforced as a percentage of total user population, segmented by standard and privileged access.
- Formula: (Users with MFA enforced) ÷ (Total active users) × 100
- Targets:
- ≥95% overall workforce (allowing for exception handling)
- 100% for privileged/admin accounts
- 100% for access to PCI DSS v4.0 CDE environments
- Data sources: IdP MFA registration reports, conditional access policies
- Reporting cadence: Weekly ops dashboard; monthly trend analysis
Phishing‑resistant MFA coverage
- Definition: Users enforced on FIDO2/WebAuthn or PIV/CAC authenticators that meet NIST AAL2/AAL3 phishing resistance requirements.
- Formula: (Users with FIDO2/PIV/certificate auth) ÷ (Total users) × 100
- Targets:
- 100% for privileged accounts
- 50%+ for general workforce within 12 months
- 100% for federal agencies per OMB M-22-09
- Data sources: IdP authenticator inventory, enrollment reports
- Reporting cadence: Monthly progress tracking; quarterly executive updates
The shift to phishing-resistant MFA isn't optional; it's essential for combating modern adversary-in-the-middle and social engineering attacks that bypass SMS and TOTP codes.
Note that passkeys, as syncable FIDO credentials, represent an emerging phishing-resistant option that balances security with usability. Per NIST's guidance on syncable authenticators, these can meet phishing-resistant requirements when properly implemented with cloud provider protections.
Legacy/basic authentication use
- Definition: Authentication attempts using legacy protocols (NTLM, Basic Auth, LDAP simple bind) or methods that cannot enforce MFA.
- Formula: (Legacy auth attempts) ÷ (Total auth attempts) × 100
- Target: 0% with documented exceptions and compensating controls
- Data sources: IdP sign-in logs, email gateway logs, application logs
- Reporting cadence: Weekly tracking; monthly remediation planning
Authentication success rate and error distribution
- Definition: Ratio of successful to total authentication attempts, with analysis of failure patterns.
- Formula: (Successful authentications) ÷ (Total attempts) × 100
- Targets:
- >95% success rate for legitimate users
- <1% account lockout rate
- Investigation triggers for anomalies
- Data sources: IdP logs, SIEM correlation
- Reporting cadence: Real-time monitoring; daily operations review
SSO adoption (apps and users)
- Definition: Applications integrated with modern federation protocols and users authenticating via SSO.
- Formulas:
- App SSO = (SAML/OIDC integrated apps) ÷ (Total apps) × 100
- User SSO = (SSO authentications) ÷ (Total authentications) × 100
- Targets:
- >80% application coverage
- >90% user authentication via SSO
- Data sources: IdP federation logs, application inventory
- Reporting cadence: Monthly integration progress; quarterly portfolio review
C. Authorization and governance (IGA)
Access review completion rate and remediation time
- Definition: Percentage of access certification campaigns completed on schedule and time to revoke inappropriate access.
- Formulas:
- Completion = (Reviews completed on time) ÷ (Total scheduled reviews) × 100
- Remediation = Median(Revocation time - Finding time)
- Targets:
- 100% completion rate
- <48 hours remediation for critical findings
- <7 days for standard findings
- Data sources: IGA certification modules, ticketing systems
- Reporting cadence: Campaign-based reporting; monthly aggregate metrics
Direct entitlement exception rate
- Definition: Users with access rights outside their defined roles, indicating role model health. This metric directly supports Zero Trust principles by measuring how well your organization adheres to role-based access control (RBAC) versus ad-hoc permissions—a key indicator of least-privilege maturity.
- Formula: (Users with direct entitlements) ÷ (Total users) × 100
- Target: <10% with documented business justification
- Data sources: IGA role analytics, entitlement reports
- Reporting cadence: Quarterly role mining review
Joiner‑Mover‑Leaver (JML) SLA adherence
- Definition: Percentage of identity lifecycle events processed within policy-defined timeframes.
- Formula: (JML events within SLA) ÷ (Total JML events) × 100
- Targets:
- Joiners: 100% Day 1 readiness
- Movers: 24-48 hour transition
- Leavers: Same-day termination
- Data sources: HRIS events, IGA workflows, ticketing systems
- Reporting cadence: Weekly operations; monthly SLA reporting
D. Privileged access and secrets
JIT privileged access coverage vs standing privilege:
- Definition: Percentage of administrative access granted just-in-time with approval workflows versus persistent privileged accounts.
- Formula: (JIT-activated privileges) ÷ (Total privileged access grants) × 100
- Target: >90% JIT coverage for human administrators
- Data sources: PAM solutions, cloud provider IAM, ticketing systems
- Reporting cadence: Weekly privileged access review; monthly governance
Standing privileges are standing risks. Every permanent admin account is a beacon for attackers and a compliance red flag.
PAM session logging coverage
- Definition: Privileged sessions captured with full keystroke and screen recording.
- Formula: (Recorded privileged sessions) ÷ (Total privileged sessions) × 100
- Target: 100% with defined break-glass procedures
- Data sources: PAM session managers, jump servers, bastion hosts
- Reporting cadence: Daily audit; monthly compliance reporting
Break‑glass account usage and test pass rate
- Definition: Emergency access account activations and success rate of quarterly testing.
- Metrics:
- Usage count (target: near zero except for documented emergencies)
- Test success rate (target: 100%)
- Data sources: PAM emergency access logs, test documentation
- Reporting cadence: Real-time alerting on usage; quarterly test reports
Microsoft's emergency access account guidance recommends maintaining at least two emergency accounts with different authentication methods.
Non‑human identity key/secret rotation age distribution
- Definition: Age distribution of API keys, service account passwords, and certificates.
- Metrics:
- Percent exceeding policy maximum age
- Median age of active credentials
- Percentile distribution (P50, P90, P99)
- Targets:
- 0% exceeding policy (typically 90 days)
- Automated rotation for cloud workloads
- Data sources: Cloud provider APIs, secret vaults, certificate stores
- Reporting cadence: Weekly aging reports; monthly remediation tracking
Instrumentation and data sources (where to pull and how to stitch)
Effective IAM metrics require data correlation across multiple systems. Here's where to find the truth:
Identity Provider (IdP) and federation
Modern IdPs like Microsoft Entra ID and Okta provide rich telemetry through built-in reporting dashboards and APIs. Key data points include:
- Sign-in logs with authentication methods
- MFA registration and enforcement states
- Conditional access policy outcomes
- Risk detection events
- Federation transaction logs
IGA and PAM platforms
Identity governance platforms aggregate the full lifecycle view:
- Access request and approval workflows
- Role assignments and exceptions
- Certification campaign results
- Privileged session recordings
- Emergency access audit trails
Cloud provider APIs
Native cloud IAM services expose critical non-human identity data:
- IAM user and access key inventory
- Access Analyzer findings (AWS example)
- Service account and workload identity configurations
HRIS and ticketing systems
The authoritative source for identity lifecycle events:
- Joiner/mover/leaver timestamps
- Organizational hierarchy and reporting structures
- Access request approval chains
SIEM/UEBA integration
Per NIST SP 800-92 (Log Management) and SP 800-137 (Continuous Monitoring), centralize and correlate:
- Authentication logs across all systems
- Privilege escalation events
- Anomaly detection and risk scoring
- Account takeover indicators
Stitching it together: The key to unified IAM metrics is establishing common identifiers across systems—typically email, employee ID, or UPN. Most organizations leverage their SIEM or a dedicated identity analytics platform to correlate data using these anchors. Start by creating a daily ETL job that pulls user lists from your IdP, joins them with HRIS data for lifecycle context, enriches with IGA role assignments, and finally maps to authentication events.
Conclusion: Moving forward with IAM metrics
The metrics outlined here aren't theoretical—they're the operational efficiency indicators that separate organizations that talk about security from those that achieve it. Start with the basics: MFA coverage, phishing-resistant MFA adoption, and time-to-deprovision. These three alone will dramatically improve your security posture.
For organizations using Prelude's platform, many of these data points are automatically surfaced through our control monitoring capabilities—from tracking MFA enforcement gaps to identifying orphaned accounts and authentication policy misconfigurations. The key is moving from periodic assessment to continuous visibility.
Remember: You can't secure what you can't measure. These IAM metrics provide the quantitative foundation for reducing identity-based risk, meeting compliance requirements, and ultimately answering the board's question: "Are we protected?"
Every percentage point improvement in MFA coverage, every hour reduction in deprovisioning time, and every standing privilege converted to just-in-time access measurably reduces your attack surface. In an era where identity is the new perimeter, these metrics aren't just numbers—they're the difference between resilience and breach.
