
Granted Versus Used Access

Granted versus used access compares what an identity is allowed to do with what it actually does. This distinction matters most for AI agents and service accounts because over-scoping is common, and unused privileges often represent the easiest path to avoidable exposure.

Expanded Definition

Granted versus used access separates the permission set assigned to a non-human identity from the actions it actually performs. In NHI operations, that distinction matters because service accounts, workload identities, and AI agents are often provisioned broadly to avoid blocking automation, then left with standing access they rarely need. The result is a persistent gap between policy and reality.

This concept is closely related to least privilege, entitlement review, and privilege reconciliation, but it is not identical to any one of them. Least privilege is the target; granted versus used access is the measurement lens that shows whether the target is being met. In practice, definitions vary across vendors because some tools measure token scope, some measure IAM policy attachments, and others observe runtime API calls. NIST SP 800-207’s Zero Trust Architecture is a useful external reference because it assumes access should be continuously evaluated rather than trusted simply because it was previously granted.

The most common misapplication is treating a granted permission as necessary simply because nothing has broken yet; this happens when access is approved once and never validated against actual runtime behaviour.

Examples and Use Cases

Implementing granted versus used access rigorously often introduces review overhead and telemetry dependencies, requiring organisations to weigh tighter privilege control against the cost of collecting reliable usage evidence.

  • A build service account is granted repository write access for deployment automation, but logs show it only ever reads release manifests. The unused write path should be removed or converted to just-in-time elevation.
  • An AI agent connected through MCP is allowed to call finance, ticketing, and storage tools, yet it consistently uses only ticketing and storage. The extra finance scope becomes an avoidable exposure point.
  • A secrets rotation job runs nightly with broad vault permissions, but the job only updates two key paths. Narrowing those permissions reduces blast radius without changing outcomes.
  • A platform team compares IAM grants against observed API calls to find dormant privileges in CI/CD runners, then remediates them before attackers can reuse them.
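The comparison described in the last example, written out as an added Python example (not code from the article): it reads an IAM-style grant list and a constructed CloudTrail-like usage log, tallies the API calls one principal actually made, and reports every grant that no observed call matched. Wildcard grants such as `iam:*` are matched by pattern, so a wildcard counts as used only if at least one observed action falls under it; the principal name `build-svc` and the sample events are assumptions.

```python
"""Granted-versus-used comparison for a single service account (added example)."""
import fnmatch
import json
from collections import Counter

# Constructed sample grant: a build service account provisioned broadly.
GRANTED_ACTIONS = [
    "codecommit:GitPull",
    "codecommit:GitPush",            # write path the job never exercises
    "s3:GetObject",
    "s3:PutObject",
    "secretsmanager:GetSecretValue",
    "iam:*",                         # over-scoped wildcard grant
]

# Constructed CloudTrail-style events, one JSON object per line.
USAGE_LOG = """
{"eventSource":"codecommit.amazonaws.com","eventName":"GitPull","userIdentity":{"userName":"build-svc"}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"userName":"build-svc"}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"userName":"build-svc"}}
{"eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"userName":"build-svc"}}
{"eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"userName":"other-svc"}}
"""


def observed_actions(log_text, principal):
    """Count 'service:Action' strings performed by one principal only."""
    used = Counter()
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event["userIdentity"].get("userName") != principal:
            continue  # calls by other identities do not justify this grant
        service = event["eventSource"].split(".")[0]
        used[f"{service}:{event['eventName']}"] += 1
    return used


def dormant_grants(granted, used):
    """Return granted actions (wildcards included) that no observed call matched."""
    return sorted(
        grant for grant in granted
        if not any(fnmatch.fnmatchcase(action, grant) for action in used)
    )


if __name__ == "__main__":
    used = observed_actions(USAGE_LOG, "build-svc")
    for grant in dormant_grants(GRANTED_ACTIONS, used):
        print("dormant grant:", grant)
```

Each dormant grant is a candidate for removal or conversion to just-in-time elevation; a longer observation window reduces the chance of flagging a permission that is only exercised rarely.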

For a broader NHI context, the Ultimate Guide to NHIs covers lifecycle governance, while the OWASP Non-Human Identity Top 10 frames excessive privilege and secret misuse as recurring failure modes.

Why It Matters in NHI Security

Granted versus used access is one of the fastest ways to expose entitlement drift in machine identities. When teams only review assigned roles, they miss dormant privileges that remain valid long after the original business need has disappeared. That gap is especially dangerous for agents and service accounts because compromise does not require a new grant when the attacker can simply inherit an old one. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, which broadens the attack surface and makes privilege cleanup a high-value control.

Used-access analysis also supports Zero Trust and PAM programs by showing where access can be reduced, replaced with JIT, or isolated behind stronger checks. It fits naturally with the Ultimate Guide to NHIs — Key Challenges and Risks discussion of over-scoping and remediation gaps, and it aligns with the OWASP Non-Human Identity Top 10 focus on permissions that exceed operational need.

Organisations typically encounter the consequence only after a service account or agent is abused in an incident, at which point granted versus used access becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers excessive permissions and secret misuse in NHIs. |
| NIST Zero Trust (SP 800-207) | 4.1 | Zero Trust expects continuous access evaluation, not once-only grants. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed with least-privilege discipline. |

Review grants against runtime use and remove permissions the identity never exercises.