The Identity Governance Metrics Nobody Tracks (But Should)

February 28, 2026 · 5 min read

I asked a customer recently how they measure whether their identity governance is working.

"We haven't had a breach," he said.

I understand the logic. No breach, no problem. But "no breach" as a metric is a lagging indicator of the worst kind. It tells you nothing until something goes very wrong. It is like measuring your driving by whether you have been in an accident. Technically informative. Not exactly useful for improvement.

Most companies I talk to across the Nordics have no identity governance metrics at all. They know, in a vague sense, whether things feel under control or chaotic. But they cannot point to numbers that tell them if things are getting better or worse.

Here are five metrics that actually tell you something. None of them require expensive tools to measure. Some you can check today.

1. Time to provision

How long does it take from when a new hire is confirmed to when they have all the access they need on their first day?

If you do not know, try tracking it for your next three hires. Note when HR confirms the start date and when the user's account is fully set up with the right groups, licenses, and application access.

For companies doing this manually, I typically see one to three days. Sometimes longer if IT is busy or if the hire starts on a Monday and nobody got to it on Friday.

For companies with automated provisioning from their HR system, it is measured in minutes.

This matters because it directly affects the new hire's first impression (nobody wants to sit at their desk with no access on day one) and because long provisioning times usually mean manual processes with room for error.

2. Time to deprovision

How long between when someone leaves and when all their access is fully revoked?

This one tends to make people uncomfortable when they actually measure it. The Entra ID account gets disabled on the last day, sure. But the shared mailbox access? The SharePoint permissions? The third-party SaaS logins?

Full deprovisioning in a manual process often takes days to weeks, if it happens completely at all. I have seen accounts that were "disabled" in Entra ID but still had active sessions in SaaS applications because nobody revoked access at the app level.

Track this honestly. Time to deprovision is your exposure window. Every hour a former employee retains access is an hour of unnecessary risk.

3. Stale account percentage

What percentage of accounts in your directory have not signed in within 90 days?

You can check this in Entra ID's sign-in activity report: filter for 90 days of inactivity and divide by total users. If you are running hybrid, also check Active Directory for accounts that have not authenticated recently; the AD side often has even more stale accounts than the cloud, especially old service accounts and test users that were never cleaned up.

For well-managed organisations, this should be under 5%. For most organisations I see, it is 15 to 30%. These accounts probably belong to people who left, moved to a different system, or are otherwise inactive.

Every stale account is a potential way in. They are not monitored, not actively used, and if their credentials get compromised, nobody will notice because there is no baseline of normal activity to compare against.
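The count above can be scripted rather than read off the portal. The following PowerShell is an added example, not code from the original post: it pulls every member user from Entra ID with its sign-in activity (and optionally every AD user), treats an account as stale when its newest sign-in, or its creation date if it has never signed in, is older than the threshold, and reports the percentage. The function name, the 90-day default and the output fields are this example's own choices.

```powershell
# Requires the Microsoft.Graph.Users module (scopes User.Read.All and AuditLog.Read.All;
# signInActivity also needs an Entra ID P1 licence) and, for -IncludeAD, the
# ActiveDirectory module on a domain-joined admin workstation.
function Get-StaleAccountPercentage {
    param([int]$InactiveDays = 90, [switch]$IncludeAD)

    $cutoff  = (Get-Date).AddDays(-$InactiveDays)
    $results = [System.Collections.Generic.List[object]]::new()

    # Entra ID: no server-side filter, because selecting signInActivity together with
    # other $filter properties is restricted; member/guest is filtered client-side.
    Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
    $entraUsers = Get-MgUser -All `
        -Property 'id,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity'
    foreach ($u in $entraUsers) {
        if ($u.UserType -ne 'Member') { continue }          # guests are a separate review
        # Take the newer of interactive and non-interactive sign-in so that service-style
        # accounts that only use token refresh are not wrongly flagged.
        $last = $u.SignInActivity.LastSignInDateTime
        $ni   = $u.SignInActivity.LastNonInteractiveSignInDateTime
        if ($ni -and (-not $last -or $ni -gt $last)) { $last = $ni }
        $results.Add([pscustomobject]@{
            Source  = 'EntraID'; Account = $u.UserPrincipalName; Enabled = $u.AccountEnabled
            # Never signed in: stale only if the account is older than the threshold.
            Stale   = if ($last) { $last -lt $cutoff } else { $u.CreatedDateTime -lt $cutoff }
        })
    }

    if ($IncludeAD) {
        # LastLogonDate comes from lastLogonTimestamp, which replicates only every ~14 days
        # by default, so an AD account can look up to two weeks staler than it really is.
        foreach ($a in Get-ADUser -Filter * -Properties LastLogonDate, whenCreated) {
            $results.Add([pscustomobject]@{
                Source  = 'AD'; Account = $a.SamAccountName; Enabled = $a.Enabled
                Stale   = if ($a.LastLogonDate) { $a.LastLogonDate -lt $cutoff } else { $a.whenCreated -lt $cutoff }
            })
        }
    }

    $total = $results.Count
    $stale = @($results | Where-Object Stale).Count
    [pscustomobject]@{
        TotalAccounts = $total
        StaleAccounts = $stale
        StalePercent  = if ($total) { [math]::Round(100 * $stale / $total, 1) } else { 0 }
        # Stale AND still enabled is the number to act on first.
        StaleEnabled  = @($results | Where-Object { $_.Stale -and $_.Enabled }).Count
    }
}

Get-StaleAccountPercentage -InactiveDays 90 -IncludeAD | Format-List
```

Write the StalePercent down today and run the same command again in 90 days, as the closing section suggests.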

4. Access review completion rate

If you run periodic access reviews (and you should), what percentage actually get completed on time?

This is less about Entra ID and more about process. If you ask managers to review their team's access quarterly, how many of them actually do it? And how many just approve everything to make it go away?

A completion rate below 80% means the review process is not working. Either it is too burdensome, too frequent, or not taken seriously enough. An "approve all" rate above 50% means reviews are happening on paper but providing no real value.

Both are signals that the review process needs rethinking, not just enforcement.

5. Orphaned account count

How many accounts in your directory have no corresponding record in your HR system or organisational chart?

These are accounts that exist in Active Directory or Entra ID (or both) but belong to nobody in particular. Former employees whose accounts were never fully removed. Test accounts. Service accounts created under a person's name instead of as a proper service principal. In hybrid environments, orphaned accounts in AD keep syncing to the cloud indefinitely.

Orphaned accounts are risky because nobody is responsible for them. If one gets compromised, nobody gets an alert. Nobody is watching.

Count them. The number is usually higher than people expect.
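One way to count them, as an added example rather than the post's own tooling: compare every Entra ID member account against an HR export and list the ones that match no active employee by employee ID or by mail address. The CSV path and its column names (EmployeeId, Email, Status), the function name and the output fields are assumptions for this example; adjust them to what your HR system actually exports.

```powershell
# Requires the Microsoft.Graph.Users module with the User.Read.All scope.
function Get-OrphanedAccounts {
    param([Parameter(Mandatory)][string]$HrExportCsv)   # assumed columns: EmployeeId, Email, Status

    # Build lookup sets from the HR export. Only active employees count: a leaver's
    # HR record must not "anchor" an account that should already be gone.
    $activeIds  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $activeMail = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($row in Import-Csv -Path $HrExportCsv) {
        if ($row.Status -ne 'Active') { continue }
        if ($row.EmployeeId) { [void]$activeIds.Add($row.EmployeeId.Trim()) }
        if ($row.Email)      { [void]$activeMail.Add($row.Email.Trim()) }
    }

    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    $users = Get-MgUser -All -Property 'id,userPrincipalName,mail,employeeId,userType,accountEnabled,onPremisesSyncEnabled,createdDateTime'

    foreach ($u in $users) {
        if ($u.UserType -ne 'Member') { continue }   # guests are reviewed separately
        $byId   = $u.EmployeeId -and $activeIds.Contains($u.EmployeeId)
        $byMail = ($u.Mail -and $activeMail.Contains($u.Mail)) -or $activeMail.Contains($u.UserPrincipalName)
        if ($byId -or $byMail) { continue }
        [pscustomobject]@{
            Account       = $u.UserPrincipalName
            Enabled       = $u.AccountEnabled
            HasEmployeeId = [bool]$u.EmployeeId            # no ID at all usually means a hand-made account
            SyncedFromAD  = [bool]$u.OnPremisesSyncEnabled # AD-sourced orphans must be fixed in AD, not the cloud
            Created       = $u.CreatedDateTime
        }
    }
}

$orphans = @(Get-OrphanedAccounts -HrExportCsv 'C:\exports\hr-employees.csv')   # assumed path
"Orphaned member accounts: $($orphans.Count) (still enabled: $(@($orphans | Where-Object Enabled).Count))"
$orphans | Sort-Object Enabled -Descending | Format-Table -AutoSize
```

Expect the list to contain legitimate shared and service accounts too; the fix for those is to give each an owner and a record, not to delete them blindly.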

The point is not perfection

I am not suggesting you build a real-time dashboard tracking all five of these (though if you want to, go ahead). The point is to have numbers instead of feelings.

"I think our deprovisioning is fairly quick" is not actionable. "Our average time to deprovision is 4 hours for account disable and 72 hours for full access removal" gives you something to work with and improve.

Pick one metric. Whichever feels most relevant to where you are right now. Check it today. Write down the number. Check again in 90 days.

One number. One comparison point. More useful than "we have not had a breach."