Company News
Why We Built Two Scores: Introducing Zero Trust Scoring for Non-Human Identities
January 26, 2026
The Measurement Problem
The NHI security industry has been measuring the wrong thing.
For years, the standard approach has been straightforward: discover risks, count them, assign severity, remediate, repeat. Risk scores go down. Dashboards turn green. Security teams report progress to leadership.
But there is a fundamental question that risk scoring does not answer: are you actually building toward a more secure architecture, or just running in place?
The Risk Score Illusion
Consider a common scenario.
Your team remediates 100 identity risks this quarter. Overprivileged service accounts get scoped down. Stale API keys get rotated. Exposed secrets get remediated. Your risk score improves by 15 points.
Meanwhile, across the organization, developers provision 500 new static API keys. New integrations spin up service accounts. CI/CD pipelines get hardcoded credentials. The denominator grows faster than the numerator shrinks.
Your dashboard shows progress. Your actual attack surface expanded.
This is the risk score illusion. You are remediating symptoms while the underlying condition worsens.
Why Risk Scoring Alone Fails
Risk scoring measures what is broken today. It is inherently reactive: something must be wrong before it registers.
What risk scoring does not capture is the underlying architecture that produces these problems. Static, long-lived credentials are the root cause of most NHI security issues. They persist indefinitely. They accumulate permissions over time. They get copied, shared, hardcoded, and forgotten. Every static credential is a future risk waiting to materialize.
An organization can achieve an excellent risk score while simultaneously increasing its inventory of static credentials. The risks get remediated. New static credentials get created. The cycle continues indefinitely.
This is not security improvement. It is a treadmill.
Two Scores, Two Questions
This is why we built two distinct metrics.
Risk Score answers: What is broken in my NHI environment right now? It captures overprivileged identities, stale credentials, exposed secrets, and policy violations: the problems that need immediate attention.
Zero Trust Score answers a different question: Am I actually making architectural progress, or am I just remediating while the problem grows behind me?
The first metric tells you where you are. The second tells you whether you are moving forward or treading water.
Stopping the Bleeding vs. Healing the Wound
Think of it this way.
Risk Score measures how effectively you are stopping the bleeding. You find problems, you fix them. The bleeding slows.
Zero Trust Score measures whether you are also healing the wound. Are you addressing the architectural conditions that cause the bleeding in the first place? Or are you just applying bandages while new cuts appear?
An improving Risk Score with a stagnant Zero Trust Score is a warning sign. You are keeping up with remediation, but the underlying problem is not getting better. You are running to stand still.
An improving Zero Trust Score means you are making structural progress. The architecture itself is becoming more secure. Fewer static credentials. More governance. Less surface area for future risks to emerge.
Both metrics together tell the complete story.
What Zero Trust Score Measures
Zero Trust Score tracks your progression toward an architecture where static credential risk is structurally minimized.
Every non-human identity exists somewhere on a maturity spectrum. On one end: static, long-lived credentials with no behavioral governance. On the other end: tightly governed identities with behavioral controls, or ephemeral credentials that eliminate static risk entirely.
Clutch evaluates where each identity sits on this spectrum and actively drives progression toward its optimal state. For some identities, that means behavioral governance and hardening. For others, it means migration to a true secretless, ephemeral architecture where static credentials no longer exist.
Throughout this progression, Clutch monitors behavior at scale across every identity, detecting anomalies and violations in real time. Customers gain visibility into threats even as they make the architectural shift. Security does not pause while maturity advances.
The Zero Trust Score reflects the aggregate maturity of your entire NHI estate. As identities reach their optimal states and static credentials are eliminated, the score rises. As new ungoverned credentials proliferate, it falls.
What This Reveals
The dual scoring model exposes patterns that single-metric approaches miss.
It reveals credential sprawl. If your Risk Score is improving but Zero Trust Score is declining, you are creating static credentials faster than you are maturing them. The underlying exposure is growing.
It reveals governance gaps. A low Zero Trust Score with frequent risk findings indicates identities are being created without systematic management. Discovery is happening, but maturation is not.
It reveals true progress. When both scores improve together, you are both remediating current issues and building toward an architecture that produces fewer issues over time. That is a real security improvement.
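To make the divergence between the two metrics concrete, here is an added Python example (not Clutch's scoring algorithm, which the post does not specify) that computes a simplified risk score and maturity score over a constructed NHI inventory across two quarterly snapshots. The numeric maturity tiers, the scoring formulas and the sample estates are all assumptions made for the illustration; it reproduces the sprawl scenario from the post, where remediation lifts the risk score while 500 new static keys drag the maturity score down.

```python
from dataclasses import dataclass

# Maturity tiers are an assumption for this illustration; the post describes a
# spectrum from ungoverned static credentials to ephemeral ones, not a scale.
STATIC_UNGOVERNED, STATIC_GOVERNED, EPHEMERAL = 0, 1, 2

@dataclass
class Identity:
    name: str
    tier: int       # position on the maturity spectrum
    findings: int   # open risk findings (overprivileged, stale, exposed, ...)

def risk_score(estate: list) -> float:
    """Hypothetical risk score: percent of identities with no open findings."""
    if not estate:
        return 100.0
    clean = sum(1 for i in estate if i.findings == 0)
    return round(100.0 * clean / len(estate), 1)

def zero_trust_score(estate: list) -> float:
    """Hypothetical maturity score: mean tier as a percent of the top tier."""
    if not estate:
        return 100.0
    return round(100.0 * sum(i.tier for i in estate) / (EPHEMERAL * len(estate)), 1)

def diagnose(prev: list, cur: list) -> str:
    """Classify quarter-over-quarter movement using the patterns in the post."""
    dr = risk_score(cur) - risk_score(prev)
    dz = zero_trust_score(cur) - zero_trust_score(prev)
    if dr > 0 and dz < 0:
        return "credential sprawl"   # remediating while static keys multiply
    if dr > 0 and dz > 0:
        return "true progress"       # fixing today's issues and maturing
    if dz <= 0:
        return "treading water"
    return "maturing"

def build(ungoverned: int, governed: int, ephemeral: int, with_findings: int) -> list:
    """Constructed estate: the first `with_findings` ungoverned ids carry a finding."""
    ids = [Identity(f"svc-{n}", STATIC_UNGOVERNED, 1 if n < with_findings else 0)
           for n in range(ungoverned)]
    ids += [Identity(f"gov-{n}", STATIC_GOVERNED, 0) for n in range(governed)]
    ids += [Identity(f"eph-{n}", EPHEMERAL, 0) for n in range(ephemeral)]
    return ids

# Q1: 100 identities, 40 ungoverned static keys, all 40 with an open finding.
Q1 = build(ungoverned=40, governed=40, ephemeral=20, with_findings=40)
# Q2: findings remediated, but developers provisioned 500 new static keys.
Q2 = build(ungoverned=540, governed=40, ephemeral=20, with_findings=30)
```

Under these assumptions the risk score climbs from 60.0 to 95.0 while the maturity score falls from 40.0 to 6.7, and `diagnose(Q1, Q2)` labels the quarter as credential sprawl.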
What This Means for Security Programs
For security leadership, Zero Trust Score provides a strategic metric for board-level reporting. It answers the question executives actually care about: are we getting structurally more secure, or just managing symptoms?
For IAM and security teams, it provides clarity on where to focus. Remediation handles immediate risks. Maturation efforts drive Zero Trust Score. Both matter, and now both are measurable.
For compliance, it demonstrates architectural maturity. Zero trust is increasingly an audit expectation. Zero Trust Score provides quantifiable evidence of progress.
Across all of these audiences, scores can be viewed and segmented by owner, identity type, or custom labels, making it easy to understand exactly where architectural progress is advancing, and where gaps remain, across the organization.
The Metric That Was Missing
Risk scoring was never designed to measure architectural progress. It measures current problems. It does that well.
But NHI security requires more. It requires knowing whether the work is producing structural improvement or just keeping pace with a growing problem. It requires a metric that distinguishes between remediation and actual progress.
That is what Zero Trust Score provides.
Risk Score tells you where you are. Zero Trust Score tells you where you are headed.
Both are now in Clutch.
