#1681 · AI & Technology Tool

Identity Access Risk Exposure Calculator

Estimate annual identity and access management risk before and after existing controls. Combine the number of exposed identities, annual compromise probability, average loss per compromised identity, and control effectiveness to quantify residual exposure, avoided exposure, and concentration per identity.

Calculator

Identity risk assumptions
accounts
%
USD
%

How to use this calculator

  1. Enter values that describe the scope and baseline scenario.
  2. Use percentages as whole numbers, such as 35 for 35%.
  3. Select Calculate to refresh the main result and supporting metrics.
  4. Change one assumption at a time to compare scenarios; use Reset to restore the example defaults.

Formula

Inherent exposure = identities × probability × loss. Residual exposure = inherent exposure × (1 − control effectiveness).

What the result means

Residual exposure is the modeled annual loss that remains after the stated IAM controls. Compare it with control spending and risk tolerance.

This is a planning estimate. A single incident may affect multiple identities, so adjust the average loss input to reflect your incident model.

Example calculation

With 5,000 identities, a 4% probability, $25,000 loss, and 65% effectiveness: inherent exposure is $5,000,000 and residual exposure is $1,750,000.

Tips for better results

  • Use a documented rolling 12-month incident history instead of a single unusual event.
  • Separate direct response costs from downtime and business-interruption costs to avoid double counting.
  • Run conservative and optimistic scenarios; the result is an estimate, not a guarantee.
  • Update the inputs after major architecture, staffing, or control changes.

Frequently asked questions

Should service accounts be included in identity risk exposure?

Yes, when they can access valuable systems or data. Model them separately if their probability or impact differs materially.

Is compromise probability entered per identity or for the whole organization?

It is entered per identity for one year and is multiplied by the number of exposed identities.

Can IAM control effectiveness be 100 percent?

The calculator allows it for scenario testing, but real controls rarely eliminate every identity-related loss pathway.

Does residual exposure equal the maximum possible loss?

No. It is an annual expected-loss estimate, not a worst-case or maximum-loss figure.

How should privileged identities be handled?

Use a separate scenario with their smaller count and higher average loss if privileged-account impact differs from ordinary accounts.

Variables and units

VariableMeaningUnit
IdentitiesAccounts or people included in the modelcount
ProbabilityAnnual compromise chance per identity%
LossAverage financial impact per compromiseUSD
EffectivenessShare of modeled loss prevented%

Browse calculator categories

22 category hubs