Automated Risk Scoring Disclosure
AIRM produces a number: the Sabiki NHI Risk Score™. A number that ranks identities, and that an MSP may show to a client, deserves an explanation of what it is, what it is not, and what happens because of it. That is what this page is for.
AIRM never acts on its own. The scoring is automated. The decision is not. AIRM is read-only by default: it ranks, groups and recommends, and every change to a tenant is made by a person who chooses to make it. There is no automated decision that produces a legal or similarly significant effect on any individual.
1. What is scored
AIRM scores non-human identities: service principals, app registrations, OAuth-connected applications, connectors, Copilots and AI agents in a Microsoft 365 tenant. It scores the identity, not the person.
Some identity records contain personal data, most often the name or email address of the person who owns, created or consented to an application. AIRM records this because "who is accountable for this identity" is the point of the product. That person is not being scored, profiled or evaluated. The score belongs to the application, not to them.
2. What the score is
The Sabiki NHI Risk Score is a 0 to 100 assessment of the risk carried by a non-human identity, and an aggregate score for a tenant. It is derived from signals including the permissions an identity actually holds through the Microsoft Graph, the reach those permissions give it, whether an accountable owner exists, and the trust characteristics of its publisher.
It is an opinion, expressed as a number. It is our assessment, made consistently across tenants so that one tenant can be compared with another. It is not a measurement of a fact.
We are preparing a fuller technical description of the scoring model, including the signals it uses and their relative weight, so that a security team can interrogate the score rather than take it on trust. It is not published yet. We would rather say that than publish a summary that sounds precise and is not. If you need the detail now, as part of a security review or a procurement process, ask us at security@sabikisecurity.com and we will walk you through it.
3. What the score is not
- It is not a certification. A good score is not an audit, an accreditation, or a statement that a tenant is compliant with anything.
- It is not a guarantee. A tenant with a strong score can still be breached. Anyone who tells you otherwise is selling you something.
- It is not a judgement about a person. An identity owned by a particular administrator scoring badly is a statement about the identity's permissions, not about the administrator.
- It is not an automated decision under Article 22 of the GDPR, because no decision is automated. A person reviews and a person acts.
4. Human review is not optional in AIRM, it is the design
AIRM connects with read-only Microsoft Graph permissions. It cannot change a tenant on its own, and that is a property of the permissions we request, not a setting you have to trust us to honour.
Where AIRM offers a response action, the action is presented to an administrator, who approves it, assigns an owner, or disables an identity. Four buttons, one person, one accountable decision. If nobody clicks, nothing happens.
5. If you think a score is wrong
Tell us. A score you cannot challenge is a score you should not trust.
- Email support@sabikisecurity.com with the tenant and the identity in question.
- We will explain the signals that produced that score for that identity.
- If we are wrong, we will correct it, and if the error is in the model rather than the data, we will fix the model.
If the score reflects personal data about you that is inaccurate, you also have the rights set out in our Privacy Policy, including the right to ask for a correction.
6. Do we use your data to train a model?
No. We do not use customer tenant data to train machine learning models, and we do not share customer tenant data with any third-party AI provider for that or any other purpose. If that ever changes, it will be a disclosed change to this page and to our Privacy Policy, made in advance, and not buried.
7. Regulatory context
AIRM is used by organisations that have obligations under the EU AI Act, DORA, ISO/IEC 42001 and similar regimes. AIRM helps evidence those obligations; using AIRM does not discharge them. Nothing on this page or in the product is a legal opinion about your own compliance position.
8. Questions
About the score or the model: security@sabikisecurity.com. About personal data: dpo@sabikisecurity.com.
← All legal documents