Risks
Using saved queries to define anomalies and highlight authorization risks.
Risk scoring in Veza helps identify and prioritize critical authorization issues across software environments, enabling security and governance teams to coordinate efforts on strategic focus areas.
By assigning risk levels to queries that detect potentially dangerous access patterns, misconfigurations, or compliance violations, you can:
Triage identity and access issues at scale
Prioritize response efforts based on risk severity
Add risk context in Access Reviews
Track risk metrics and trends over time
Enable risk-based alerting and automation
Use the Access Intelligence > Risks page to get an overview of all queries with risk levels and details about each entity flagged as a risk.
New Risks experience: Veza is introducing an enhanced Risks page with improved analytics and visualization. Your tenant may use the new or classic experience depending on feature enablement. This documentation covers both versions. Use the tabs below to view instructions for your experience.
Risks provide a framework for understanding and managing potential issues within your environment, based on the latest metadata in Access Graph. You can use out-of-the-box queries that detect common risks such as over-privileged access and misconfigurations, and then customize these queries or create your own for risks specific to your environment and security policies. You can enable alerts for critical risks that require immediate attention, triggering actions and notifications when changes are detected.
Risk Profiles are designed to organize and prioritize different types of risks. You can document specific exceptions with notes to maintain an audit trail, and monitor risk trends over time using the Open & Resolved Risks chart on the Risks overview.
Risk profiles and the Veza risk framework
Risk Profiles availability: Risk Profiles are part of the enhanced Risks experience currently available in Early Access. Contact your Veza representative to enable this feature.
Veza organizes risks into Risk Profiles, categories that help you understand and prioritize different types of authorization risks. Risk Profiles provide a framework for classifying queries based on the type of risk they detect, making it easier to focus your efforts and track security posture across different risk domains.
Risk Profiles also ensure consistent query organization across dashboards, surfacing common risk themes that span multiple integrations.
Risk profile categories
Veza defines eight Risk Profile categories, listed in priority order:
MFA Health
Detects multi-factor authentication (MFA) implementation and enforcement risks. Queries in this profile identify identities without MFA enabled, weak MFA configurations, or MFA bypass conditions.
Privileged Access
Identifies excessive or unnecessarily high-impact privileges. These queries identify over-permissioned accounts, unused administrative access, and risks associated with privilege accumulation.
Dormant Access
Finds inactive identities that retain access permissions. These queries identify accounts that have not been used recently but still have assigned permissions, representing unnecessary risk exposure.
Blast Radius
Measures the scope of potential impact if an identity is compromised. Queries assess the potential damage that could result from unauthorized access to a specific identity or resource.
Orphaned Access
Detects accounts not linked to a central identity provider or HR system. Orphaned accounts may belong to former employees or contractors, and can represent significant security risks.
Access Risk
Covers known risky patterns that do not fit other categories. This catch-all profile captures authorization risks that require attention but are not classified elsewhere.
Identity Hygiene
Identifies IAM best practices and configuration issues. These queries detect naming convention violations, missing metadata, expired credentials, and other identity management concerns.
Informational
Contains non-risk queries used for counts and inventory purposes. These queries provide useful data but do not represent security risks requiring action. This profile is not shown on the Risks page or in the Manage Risk Details modal.
The Risks page Overview tab also displays an Uncategorized card for risk queries that have a risk level but no assigned Risk Profile. This helps identify queries that need categorization.
Viewing risks by profile
The Risks page Overview tab features Risk Profile cards indicating the number of open risks in each category. Click a card to filter the All Risks tab by that profile and focus on specific risk domains.
On the Access Intelligence > Dashboards page, you can group queries by Risk Profile to organize dashboard widgets by risk category rather than by section or risk level.
Assigning risk profiles to queries
You can assign or modify Risk Profiles for custom queries. By default, Veza-created queries have pre-assigned Risk Profiles that cannot be changed, but organizations with the OOTB Query Risk Profiles feature (Early Access) can modify these as well. The Manage Risk Details modal provides a unified interface for updating both risk level and risk profile in a single action.
Open the Manage Risk Details modal from one of these locations:
All Risks table: Click the Actions menu (⋮) for any risk query and select Manage Risk Details
Dashboard tiles: Click a risk query tile on a Dashboard, then select Manage Risk Details from the actions
Queries page: Click the Actions menu for any saved query with a risk level
Query details page: Click Manage Risk Details in the query actions area
Use the modal to configure either of two options:
Risk Level: Select Critical, High, Medium, Low, or None to set the query's severity
Risk Profile: Select a Risk Profile category to classify the risk type
Click Save to apply your changes.

When saving a query
You can assign Risk Profiles when saving a query in Query Builder:
Open the query in Query Builder or the Saved Query Details view
Click Edit and then Save
In the save dialog, set a Risk Level (Critical, High, Medium, or Low)
Select a Risk Profile that describes the risk type
Click Save to apply
Veza-created query restrictions: By default, queries created by Veza come with pre-assigned Risk Profiles that you cannot modify. When managing a Veza-created query, you can change its risk level, but the Risk Profile selection is disabled. This preserves system-defined risk categorizations while allowing you to adjust severity based on your organization's priorities.
As of v2026.1.19, organizations can request access to the OOTB Query Risk Profiles feature (Early Access), which enables modifying Risk Profiles for Veza-created queries. Contact your Veza representative to enable this capability.
Risk status: Open and Resolved
Risks in Veza are considered "open" or "resolved" to indicate whether they require attention. A risk is resolved when you have addressed all flagged entities, either by fixing the underlying issue (so they no longer appear in results) or by marking them as exceptions (acknowledging they are acceptable).
The All Risks tab includes a Status filter to show only Open or Resolved risks. By default, the Overview tab displays counts for Open risks only.
Open: The risk query has one or more entities in its results that are not marked as exceptions. This indicates the risk requires investigation, or entities in the results should be marked as exceptions.
Resolved: All entities in the query results have been marked as exceptions, OR the query returns no results. This indicates the risk is addressed and no longer applies to any entities in your environment.
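The Open and Resolved rules above, applied to a small result set. This is an added example, not Veza code; the field names, query names, and reason labels are assumptions made for illustration. It separates risks that are resolved because the query returns nothing from risks that are resolved only because every result was marked as an exception, which is the group worth re-reviewing periodically.

```python
from collections import defaultdict

# Constructed sample data. Field and query names are assumptions for this
# example, not a Veza export schema or API response.
ALL_RISK_QUERIES = [
    "Users without MFA",
    "Dormant admin accounts",
    "Local accounts not linked to an IdP",
]
FLAGGED = [  # one row per (risk query, flagged entity)
    {"query": "Users without MFA", "entity": "alice", "exception": False},
    {"query": "Users without MFA", "entity": "svc-backup", "exception": True},
    {"query": "Dormant admin accounts", "entity": "bob", "exception": True},
    {"query": "Dormant admin accounts", "entity": "carol", "exception": True},
]

def classify(queries, flagged):
    """Map each query to (status, reason) using the Open/Resolved rules."""
    rows_by_query = defaultdict(list)
    for row in flagged:
        rows_by_query[row["query"]].append(row)
    statuses = {}
    for query in queries:
        rows = rows_by_query[query]
        if any(not r["exception"] for r in rows):
            # At least one result is not an exception: needs attention.
            statuses[query] = ("Open", "unexcepted_results")
        elif rows:
            # Results exist, but every one was acknowledged as acceptable.
            statuses[query] = ("Resolved", "all_excepted")
        else:
            # The underlying issue no longer matches any entity.
            statuses[query] = ("Resolved", "no_results")
    return statuses

def exceptions_to_review(queries, flagged):
    """Entities whose access still exists behind a fully excepted query."""
    statuses = classify(queries, flagged)
    return sorted(
        (r["query"], r["entity"])
        for r in flagged
        if statuses.get(r["query"]) == ("Resolved", "all_excepted")
    )

if __name__ == "__main__":
    for query, (status, reason) in classify(ALL_RISK_QUERIES, FLAGGED).items():
        print(f"{status:9} {reason:19} {query}")
    print(exceptions_to_review(ALL_RISK_QUERIES, FLAGGED))
```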
How risk scoring works
Risk scores in Veza are calculated for each entity based on the number of associated risks and their risk levels. The scoring system weighs both the severity of risks and their cumulative impact using an algorithm designed to provide comparable scores across all entities in Access Graph.

The algorithm implements diminishing returns to prevent score inflation, and considers both:
The severity of the highest risk level (Critical, High, Medium, Low)
The total number and combination of risks affecting an entity
Risk score calculation
An entity receives a base score determined by its highest risk severity:
Critical risks start at 75
High risks start at 50
Medium risks start at 25
Low risks start at 10
Additional risks contribute weighted points to the base score through logarithmic scaling:
The scoring algorithm uses logarithmic scaling to prevent score inflation
Each additional risk contributes less than the previous one (diminishing returns)
Lower-severity risks contribute less when higher-severity risks are present
This approach ensures scores scale better as risk counts increase while maintaining meaningful differentiation
Risk score examples
Example 1 (Single Critical Risk): An identity with 1 Critical risk receives a score of 75 (the base score for Critical risks).
Example 2 (Multiple Risk Severities): An identity with 5 Critical, 7 High, 10 Medium, and 15 Low severity risks receives a score of approximately 91. Diminishing returns prevent the score from inflating linearly; each additional critical risk contributes less than the previous one.
Example 3 (Accumulating Critical Risks): An identity with 4 Critical risks receives a score of approximately 83, showing how the score increases but with diminishing returns as more risks accumulate.
Example 4 (Mixed Severity Risks): An identity with 2 High risks, 2 Medium risks, and 2 Low risks receives a score of approximately 55. The High risks establish the base score (50), and the additional risks add points. Medium and Low risks contribute minimally when higher-severity risks are present.
Understanding risk levels and scores
It is important to understand the relationship between risk queries, scores, and risk level classifications:
Risk Levels: Saved queries are assigned risk levels (Critical, High, Medium, Low)
Risk Scores: When entities appear in risk queries, they receive a calculated score (0-100) based on the number and severity of queries they match
For example, an entity that appears only in High-level risk queries can still receive a score of 75, which places it in the "Critical" risk level category for display purposes. This distinction helps surface entities that have accumulated significant risk exposure even within a single severity category.
Using the Risks page
The Access Intelligence > Risks page provides a comprehensive view of authorization risks across your environment.
New experience: The page is organized into two main tabs: Overview and All Risks.
Overview tab
The Overview tab provides a high-level summary of your risk landscape:

Risks by Level: Shows the distribution of risks across Critical, High, Medium, and Low severity levels.
Open & Resolved Risks: Shows Open vs. Resolved risks over time for burndown tracking.
Risk Profiles: Clickable cards indicating open risks in each Risk Profile category, and an Uncategorized card for queries without an assigned profile. Click a card to navigate to the All Risks tab filtered by that profile.
Top 5 Affected Integrations: Table of integrations by most active risks, helping identify which systems need the most attention.
All Risks tab
The All Risks tab displays a filterable table of all risk queries:

Available Filters:
Status: Filter by Open or Resolved risks
Integration Types: Filter by specific integrations or data sources
Risk Level: Filter by Critical, High, Medium, or Low severity
Risk Profiles: Filter by Risk Profile category
Created By: Filter by query creator (System or specific users)
Search: Text search across query names
Query-level actions: Click the Actions menu (⋮) for any risk query to access:
Open in Query Builder: View and modify the query definition
Create Rule: Create an automation rule based on this query
Create Alert: Set up notifications when query results change
Manage Exceptions: View and manage exceptions for entities flagged by this query
Manage Risk Details: Update the risk level and Risk Profile assignments
Launch Access Review: Create an access review for the entities flagged by this query
Classic experience: The page is organized into two main tabs: By Query and All Risks.
By Query tab
The By Query tab shows a summary of risk queries with aggregated metrics:

Summary cards: These indicate Total Risks, Critical, and High counts with percentage change indicators
Query table: Lists all risk queries with the following columns:
Query Name: The name of the risk query
Risk Level: The severity level (Critical, High, Medium, Low)
Risks: Count of entities currently flagged
Remediation: Whether remediation guidance is available (Yes/No)
Exceptions: Count of entities marked as exceptions
Rules: Count of rules associated with this query
Integrations: The integrations this query applies to
Labels: Tags assigned to the query
Click a query row to expand its details and view trend information.
All Risks tab
The All Risks tab displays individual entity risk records.

Click the Actions menu (⋮) for any risk entity for more options:
Open in Graph: View the entity and its relationships in Graph view
Open in Query Builder: Open the query with this entity highlighted
Mark as Exception: Mark the entity as an exception for this risk query
Add Risk Assignee: Assign an owner responsible for addressing this risk
Add Note: Add contextual notes about this risk entity
Columns on the All Risks tab provide contextual information about each result:
Time Triggered: When the entity was flagged by the risk query
Query Name: The query that flagged this entity
Node Type: The type of entity (SnowflakeUser, OktaUser, etc.)
Risk Assignee: The person assigned to address this risk
Exception: Whether this entity is marked as an exception
Actions: Menu for entity-level actions
Taking action on risks
The Risks page supports a triage workflow for systematically identifying, prioritizing, and addressing authorization risks. Start on the Overview tab to understand your risk landscape, then drill down through Risk Profiles and filters to focus on specific issues.
Query-level actions (from the All Risks table):
Create Rule or Create Alert: Set up automated notifications and Veza Actions when risk conditions change
Launch Access Review: Create a review for stakeholders to evaluate flagged access
Manage Exceptions: View and manage all exceptions for a risk query
Manage Risk Details: Update the Risk level and Risk Profile assignments
Entity-level actions (from the Affected Entities tab in query details):
Open in Graph: View the entity and its relationships in Graph view
Mark as Exception: Acknowledge that specific flagged access is intentional or acceptable
Add Risk Assignee: Assign ownership for addressing a specific risk entity
Add Note: Document decisions or context about a flagged entity
For step-by-step instructions, see Investigate risks.
Risk query details
Risk queries can include explanatory information to help teams understand and address security issues. Many Veza-created queries include these details, and you can add them to any custom query.
To view query details, click on a risk query to open the details view. The details view shows:
Risk Explanation: Background on why this pattern represents a risk
Trend over Time: Chart showing how the count of affected entities has changed
Affected Entities: Table of entities currently flagged by the query
From the query details view, you can use the query-level actions menu to create rules, alerts, or access reviews.

Working with affected entities
The Affected Entities tab in the query details view lists all entities currently flagged by the risk query. Click the Actions menu (⋮) for any entity to access entity-level actions:
Open in Graph: View the entity and its relationships in Graph view
Open in Query Builder: Open the query with this entity in context
Mark as Exception: Mark the entity as an exception for this risk query
Add Risk Assignee: Assign an owner responsible for addressing this risk
Add Note: Add contextual notes about this risk entity
These actions let you triage individual entities within a risk query, documenting decisions and assigning ownership as you work through flagged access.
Configuring risks
Define risks from queries
Assign risk levels (Critical, High, Medium, or Low) to saved queries to enable risk scoring. When you assign a risk level, entities that match the query receive a calculated risk score. You can also assign Risk Profiles to categorize queries by the type of issue they detect.
For step-by-step instructions, see Configure risk levels and profiles.
Manage exceptions
When an entity appears in risk query results but represents intentional or acceptable access, mark it as an exception. Exceptions acknowledge that you have reviewed the flagged access and determined it does not require action.
For step-by-step instructions, see Manage risk exceptions.
Use Risk Profiles on dashboards
Risk Profiles can organize dashboard widgets by risk category. On the Access Intelligence > Dashboards page, use the Group By dropdown and select Risk Profile to see queries grouped by their assigned categories.
Enable risk-based alerting
Create Alert Rules to get notifications when:
The number of entities with risks increases beyond a threshold
New Critical or High risks are detected
Risk scores change significantly
You can configure rules to trigger Veza Actions, including:
Email notifications
Slack messages
Jira tickets
ServiceNow incidents
Custom webhooks
