Three hops captures the realistic post-compromise reach inside a typical enterprise environment. If your IAM tooling does not expose a graph, the practical substitute is "count of distinct resources the identity has permission to read or modify within 60 minutes of session start, assuming no MFA step-up triggers" (that is, any access gated behind a step-up is treated as unreachable).

What good looks like

- Privileged human identity: under 50 reachable resources, zero crown-jewel data classes reachable without step-up
- Standard human identity: under 200 reachable resources, no production data without an explicit grant
- Service account: scoped to a single namespace or workload. Under 10 reachable resources is normal; over 100 is a problem

Report this metric per identity class, not as a single org-wide average. The average hides the outliers, and the outliers are what get exploited.

Metric 2: Lateral-movement time-to-detect

Lateral-movement TTD is the median time between an attacker's first action on a compromised host and the moment your SOC opens a case for the second host.…
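The following is an added example, not code from the original article, showing how the three-hop reachability metric and the per-class reporting can be computed over a permission graph. The graph, identity names, class assignments and the crown-jewel set are constructed for illustration; the thresholds are the article's. Edges marked as requiring MFA step-up are not crossed, matching the "no step-up triggers" assumption. The graph is deliberately built so that one privileged user reaches a step-up-protected database through a three-hop path that bypasses the gate, and one service account reaches far more than the article's limit while the org-wide average still looks healthy.

```python
"""Three-hop reachability ("blast radius") per identity class.

Added example; graph, identities and crown-jewel set below are constructed
for illustration and are not from the original article.
"""
from collections import defaultdict, deque
from statistics import mean

# Constructed permission graph (assumption, not real tenant data).
# grantor -> list of (grantee_or_resource, requires_mfa_step_up)
# Nodes prefixed "role:" or "ns:" are grouping nodes: traversed, not counted.
def build_graph():
    g = {
        "alice":        [("role:admin", False)],
        # prod-db is step-up gated on the direct edge...
        "role:admin":   [("prod-db", True), ("prod-s3", False),
                         ("kms-key", False), ("ci-runner", False)],
        # ...but the CI runner holds an ungated credential for it (hop 3).
        "ci-runner":    [("deploy-creds", False), ("prod-db", False)],
        "deploy-creds": [("prod-k8s", False)],          # hop 4 from alice, out of scope
        "bob":          [("role:dev", False)],
        "role:dev":     [("dev-db", False), ("dev-s3", False), ("wiki", False)],
        "svc-billing":  [("ns:billing", False)],
        "ns:billing":   [("billing-api", False), ("billing-db", False)],
        # Over-scoped service account: a shared namespace with 120 workloads.
        "svc-shared":   [("ns:shared", False)],
        "ns:shared":    [(f"shared-wl-{i:03d}", False) for i in range(120)],
    }
    return g

CLASSES = {"alice": "privileged", "bob": "standard",
           "svc-billing": "service", "svc-shared": "service"}
CROWN_JEWELS = {"prod-db"}                      # constructed data class
# Reachable-resource count at or above which the class is out of bounds:
# "under 50" / "under 200" / "over 100 is a problem" from the article.
LIMITS = {"privileged": 50, "standard": 200, "service": 101}
GROUPING_PREFIXES = ("role:", "ns:")


def reachable(graph, identity, max_hops=3):
    """BFS from identity up to max_hops edges, never crossing step-up edges.
    Returns {resource: shortest_hops}; grouping nodes are excluded."""
    seen = {identity: 0}
    queue = deque([identity])
    while queue:
        node = queue.popleft()
        if seen[node] == max_hops:
            continue                                # do not expand past hop limit
        for nxt, needs_step_up in graph.get(node, []):
            if needs_step_up or nxt in seen:
                continue
            seen[nxt] = seen[node] + 1
            queue.append(nxt)
    return {n: h for n, h in seen.items()
            if n != identity and not n.startswith(GROUPING_PREFIXES)}


def assess(graph, identity, cls):
    """Return (reachable_count, findings) against the class thresholds."""
    reach = reachable(graph, identity)
    findings = []
    if len(reach) >= LIMITS[cls]:
        findings.append(f"{len(reach)} reachable resources (class limit {LIMITS[cls]})")
    if cls == "privileged":
        for cj in sorted(CROWN_JEWELS & reach.keys()):
            findings.append(f"crown jewel {cj} reachable in {reach[cj]} hops without step-up")
    return len(reach), findings


def report(graph, classes):
    """Group results per identity class, which is how the metric should be read."""
    per_class = defaultdict(list)
    for ident, cls in classes.items():
        count, findings = assess(graph, ident, cls)
        per_class[cls].append((ident, count, findings))
    return dict(per_class)


def org_average(per_class):
    """The single number that hides the outlier."""
    return mean(c for rows in per_class.values() for _, c, _ in rows)


if __name__ == "__main__":
    per_class = report(build_graph(), CLASSES)
    for cls, rows in per_class.items():
        print(f"[{cls}] max reach = {max(c for _, c, _ in rows)}")
        for ident, count, findings in rows:
            flag = "; ".join(findings) if findings else "ok"
            print(f"  {ident:12s} {count:4d}  {flag}")
    print(f"org-wide average = {org_average(per_class):.1f}  (looks fine, is not)")
```

Note that `alice` stays well under the count limit yet still fails, because the step-up gate on the direct `prod-db` edge is bypassed by the CI runner's standing credential three hops out; the count alone would not have surfaced it. Likewise the org-wide average of 32.5 sits comfortably under every threshold while `svc-shared` alone reaches 120 resources.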