Permiso launches risk score engine for identity security
Fri, 10th Jul 2026 (Today)
Permiso has launched a Risk Score Engine for identity security that assigns risk scores to human, machine and AI identities across an organisation's environment.
The system generates three outputs: Identity Risk Scores, Session Scores and Organisation Risk Scores. Identity Risk Scores help security teams rank which identities present the greatest risk. Session Scores flag activity that may need immediate investigation. Organisation Risk Scores aggregate identity risk into a single tenant-level metric with peer benchmarking.
Permiso is positioning the launch around a common problem for security teams: measuring identity risk across a mix of cloud, on-premise and other environments. Many organisations, it argues, still rely either on fixed risk tiers based on privilege levels or on alert-driven tools that highlight an identity only when a detection is triggered.
Scoring model
The scoring model uses a 0-to-100 scale across three dimensions: behaviour, likelihood and impact. According to Permiso, behaviour shows whether an identity is doing something unusual, likelihood estimates whether an identity may be compromised, and impact measures the potential damage that identity could cause.
The approach is intended to distinguish between identities that may share the same overall score but pose different forms of risk. That should allow teams to choose different responses based on the underlying profile rather than relying on a single aggregated number alone.
A separate session-level scoring model looks at suspicion and impact in active sessions. It is meant to help security operations teams triage live activity independently of an identity's historical record.
Graph context
The product is built on Permiso's Universal Identity Graph, which maps relationships between identities across environments. It combines static posture information, including privilege levels, credential hygiene and entitlement scope, with runtime signals such as anomalies, threat intelligence matches and authentication context.
The engine also includes score velocity detection, designed to flag situations where the rate of change in a score becomes a signal in itself. According to Permiso, that can help identify identity compromise sequences that develop over minutes rather than days.
The release comes as security vendors focus more closely on non-human and AI-linked identities alongside traditional employee and contractor accounts. Permiso said its model covers service accounts, API keys, OAuth tokens, IAM roles and AI agents, as well as human users.
Market view
Research firm IDC sees broader significance in that shift. "The identity security market has lacked a consistent, quantifiable way to measure risk across all identity types. Continuous scoring that combines posture, behavior, and context into a single model is where the industry needs to go, and it is a meaningful step beyond what legacy ITDR and ISPM tools offer today," said Chris Kissel, Research Vice President, Security Products, IDC.
One customer pointed to the operational value of having a single view of identity risk. "Before Permiso, we had no way to quantify identity risk across our environment in a single view. The Risk Score Engine changed that. We can now see exactly which identities carry the most risk, why, and how that risk is trending over time. It has fundamentally improved how we prioritize," said Brian Salomon, Security Engineer, YAGEO Group.
Company view
Permiso's leadership framed the launch as a response to the growth in global workforces, sprawling non-human identities and AI-driven automation. "Static labels and one-alert-at-a-time triage do not scale when you are managing a global employee base, sprawling NHIs, and a growing agentic workforce. The Risk Score Engine gives every identity a continuous, evidence-backed score that tells you not just that something is risky, but why, and what to do about it," said Paul Nguyen, Co-Founder and CEO, Permiso.
The company also tied the scoring model directly to its graph-based identity mapping. "We built the Risk Score Engine on top of the Universal Identity Graph because risk scoring without unified identity context is just another alerting system. When you can see every identity, trace how they connect across environments, and layer behavioral baselines with threat intelligence, you can compute a score that actually means something. That is what separates a risk score from a risk guess," added Sanjeev Williams, SVP of Product, Permiso.