Who it is: the service account, OAuth app, workload identity, or API principal — flagged over-privileged when the ingested policy is wildcard, admin, or owner-scoped. Discovered from identity signal you already uploaded, never from anything running on your boxes.
NHI Blast Radius — If one service account leaks, what does it reach — and what is that worth?
Your service accounts outnumber your people. If one leaks, what does it reach?
NHI Blast Radius flips every service account, OAuth app, and workload identity into a hypothetical foothold — what it reaches, in dollars, and the one cut that stops it.
Everything is labeled proven or modeled. An identity that reaches nothing shows null — not a reassuring zero.
One row per identity. Four answers.
Each discovered non-human identity becomes one row, worst blast radius first — who it is, what it reaches, what that is worth, and the one cut.
What a compromise reaches: how many crown jewels, in how many hops — the same attack-path chain the rest of your review draws. Every hop is a route you can inspect, not a heuristic score.
What it is worth: the modeled annualized exposure (FAIR p50, with a p10–p90 band) if this identity is the foothold. Shown only when the reached crown carries a dollar profile.
What stops it: the min-cut edge that breaks every reaching path at once — the single change that shrinks this identity’s blast radius to nothing. Usually a scope to narrow or a network edge to close: a ticket, not a program.

Upload the identity export
Okta, AWS IAM — the export you already pull for audits. Metadata only; no secret material is read.
Every non-human gets a radius
Service accounts, tokens, roles — the engine maps what each one reaches, across every ingested surface.
The worst offenders, priced
The identities whose compromise reaches a crown, in dollars, labeled modeled — a null when nothing is reached, never a fake zero.
A leaked token, priced to the crown.
The row a breach post-mortem produces at 2am — produced before, for every identity. A modeled example from the fictional Acme Capital estate.
Printed on the row: this is your twin’s modeled reach if the identity is compromised — not a claim that it has been. An identity that reaches no crown shows null here, never a zero.
Not a 400-line least-privilege project. One edge.
build host → prod VPC (network.allows)
Scope the pipeline to a deploy target, not the whole segment, and all three hops to the cardholder database break. The $1.8M row drops to null on the next recompute.
The restraint is the product.
Other identity tools scan your boxes, read your secrets, or score permissions in isolation. NHI Blast Radius does none of that — and says so on the screen.
The identity is real; the reach is modeled.
We discover the identity and its edges from config you already ingested. The reach and its dollars are a conditional “if this leaks” — never a claim that it has been, or will be, compromised.
An identity that reaches nothing shows null.
No $0-implies-safe row, ever. If a service account can’t reach a crown in the modeled twin, it’s counted and set aside — not dressed up as a finding.
A crown with no dollar profile reads “not priced”.
When an identity reaches something we can’t value, the row says priced=false — never a fabricated zero that would read as “harmless.”
No secret material is read or stored.
Discovery works from resource typing and names in your ingested config. We never read, request, or retain a key, token, or credential value.
“Discovery relies on ingested identity signal (Okta, Microsoft Entra, AWS IAM). Reach is modeled from config — an identity from an un-ingested source, or one whose target resource ARNs weren’t supplied, means missing edges, not proven safety.”
The edge of what we can see, stated on the same screen as the finding.
The same engine that draws your paths.
Do you connect to Okta or AWS live?
What does an identity that reaches nothing show?
Is the reach a claim the identity was compromised?
The identity is real; the reach is modeled. An identity that reaches no crown shows null, never a reassuring zero — and a crown we can’t price reads priced=false, never a fabricated zero.
One of your service accounts can reach a crown. Which one?
Included in the Program tier — no add-on, no separate SKU.
Cross-stitched from the 15 security tools we support · annotated against 26 distinct MITRE ATT&CK techniques · backed by 9,000 automated tests
Full coverage & honesty detail → /features#coverage
The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.