Abstract Identity and access management in 2025 sits in a strange place. Tooling has never looked more mature on paper, yet real incidents still begin with the same pattern: a small set of messy, long-lived identities that nobody really owns. This paper introduces a thin Sovereign Identity Baseline (SIB) designed for boards, regulators and high assurance sectors. It reduces identity posture to three board-legible metrics: Identity Blast Radius Index (IBRI), Credential Hygiene Score (CHS) and Identity Recovery Time (IRT). The SIB model comes from multi-year field work with financial institutions, healthcare systems, cloud-native providers and public authorities in Europe and Africa. We draw on more than one million anonymised identity events and configuration observations, plus targeted vulnerability assessments, including a container security dataset with 2 545 vulnerabilities where 52.5 percent were rated High and 47.4 percent Medium. The sample is practice-driven, not statistically random. SIB is grounded in messy reality, not lab conditions. While this convenience-based sampling (finance and healthcare heavy) limits broad statistical generalisation, it maximises qualitative validity for high assurance sectors. We describe the three metrics in detail, provide explicit formulas and a worked example, and show how SIB can sit on top of existing IAM stacks and regulations. SIB is intentionally regulation-agnostic, so it can translate across NIS2, DORA, PCI, local banking rules, African supervisory expectations and Pan-African standards such as PASC and IGS-C. The goal is simple: give decision-makers three numbers they can ask for in five minutes, and force identity programmes to prove they actually reduce blast radius, improve hygiene and shorten recovery time.