Skip to content

NHI Permissions Level

Overview

SailPoint Entro automatically evaluates the permission scope of every Non-Human Identity (NHI): API tokens, service accounts, app registrations, and more, and assigns it a Permission Level. The level answers a single question: how privileged is this identity, and how much damage could it do if it were compromised?

Permission Level translates raw, provider-specific permissions into one consistent, comparable signal across your entire environment. Instead of reading IAM policies, Okta admin roles, and GitHub scopes in their own dialects, you get a single scale that lets you immediately surface the identities that carry the most risk and prioritize remediation accordingly.

The four levels

Level What it means
Privileged This identity has admin-level or high-impact access (often broad scope), including production or security-critical actions.
Elevated This identity can make meaningful changes in a limited scope (e.g., specific projects/services), but doesn't control core admin or security settings.
Basic This identity has read-only or very narrow access with low blast radius and no critical change capabilities.
Unknown There is not enough reliable permission data yet to determine this identity's privilege level.

Each level has its own color-coded badge and the descriptions above appear as tooltips throughout the product.

Where you'll see it

NHI Inventory - Permission Level is a dedicated column on the inventory table. It is sortable and filterable, so you can, for example, filter to every Privileged NHI in production or sort the riskiest identities to the top.

NHI drawer → Permissions tab - Opening an identity shows its Permission Level as a badge positioned on a scale, alongside a short (2–3 sentence) explanation of why it received that level, referencing the specific permissions that drove the decision.

How the level is determined

SailPoint Entro evaluates each NHI in a fixed order and assigns the first level that applies.

1. Unknown - no permission data yet. A newly discovered NHI starts as Unknown because SailPoint Entro initially has the identity without its permissions. This is a temporary state: once the permission scan runs and permissions are collected, the level is recalculated. If permissions still can't be collected, the NHI remains Unknown.

2. Admin short-circuit. If the identity is flagged isAdmin = true, it is classified Privileged immediately (top of the scale).

3. Deterministic Privileged triggers. If the identity holds at least one permission, role, or scope from its provider's Privileged trigger list, it is classified Privileged automatically - no AI involved. The explanation reads:

Note

This identity was automatically classified as Privileged because it possesses [permission names]. This level of access allows for broad admin, security or infrastructure control, representing a high-impact risk to the environment's security posture.

4. AI evaluation for everything else. If the identity has permissions but none of them match a deterministic Privileged trigger, SailPoint Entro sends its effective permission set, together with identity metadata and any DSPM enrichment, to a security risk-classification model. The model returns a level (Basic / Elevated / Privileged), a score on the 1–10 scale, a confidence value, and a written rationale that cites the concrete permissions behind its decision. That rationale is what you see in the Permissions tab.

Note

Only enabled NHIs are sent for AI evaluation.

The permission scale and score

When an NHI is evaluated by AI, it receives a score from 1 to 10 that places it precisely on the scale:

Band Score Meaning
Basic 1–3 1 = highly restricted / single-resource read · 3 = broad read-only or minor non-critical write.
Elevated 4–7 4 = limited write in non-prod · 7 = meaningful write/manage access to production services or data.
Privileged 8–10 8 = high-impact access (secrets/keys/IAM) · 10 = full administrative/owner control over the entire tenant or organization.

Identities classified Privileged through the admin short-circuit or a deterministic trigger sit at the top of the scale (score 10).

DSPM enrichment

When a Wiz integration is connected, SailPoint Entro enriches the permission evaluation with data-sensitivity context. For each NHI, SailPoint Entro:

  • Correlates which Wiz-tracked assets the identity can access (to the extent the access can be correlated).

  • Reads the associated Wiz DSPM classifications - high-sensitivity data, PII, secrets, and critical assets.

These classifications are passed to the AI as part of the identity's metadata. The effect is that what an identity can reach, not just the literal permission names, shapes its level. For example, write access scoped to a single resource that DSPM flags as holding PII or secrets is treated as higher-risk than the same write access over non-sensitive data. This sharpens the boundary between Basic, Elevated, and Privileged for identities that the deterministic rules don't catch.

Behavior notes

  • Levels evolve. An NHI starts as Unknown and is recalculated as permissions are collected and as they change over time, so the level always reflects current access.

  • Deterministic first, AI second. The provider trigger lists are evaluated before AI. The AI step only runs for enabled identities that have permissions but matched no Privileged trigger.

  • Explainability. Every non-Unknown level comes with a rationale citing the specific permissions that drove it, visible in the Permissions tab.