They were built to manage work items, not entitlements. When a platform cannot distinguish read-only access from admin access, or temporary access from standing access, the easiest outcome is to approve broadly and clean up later. That pattern consistently produces excess privilege and weak audit posture.
Why This Matters for Security Teams
ITSM platforms often become the place where access requests are approved fastest, not the place where access is designed well. That matters because service management workflows are optimized for ticket closure, SLA compliance, and change tracking, while entitlement governance needs role design, scope control, and revocation discipline. When those are conflated, temporary needs turn into standing access and approval history can look cleaner than the underlying privilege model really is. This is a core NHI and workforce governance issue, not just an admin convenience problem, as reflected in the Ultimate Guide to NHIs — Key Challenges and Risks and the OWASP Non-Human Identity Top 10. NHI Mgmt Group notes that 97% of NHIs carry excessive privileges, which is a reminder that broad access often becomes the default when systems are not built to express least privilege cleanly. In practice, many security teams encounter over-permissioning only after an audit, incident, or offboarding failure has already exposed it.
How It Works in Practice
The over-permissioning pattern usually starts with a design mismatch. ITSM tools are excellent at routing requests, capturing approvals, and recording operational change, but they are not identity engines. If a request form cannot distinguish between read-only access, task-specific access, and privileged access, the safest path for the operator is often to grant the broadest role that will make the ticket close. Over time, that becomes a privilege accumulation problem.
A more controlled model separates request orchestration from entitlement enforcement. In practice, that means:
- using ITSM to initiate access requests, not to define the permission model
- mapping each request to a pre-approved role, scope, or policy decision
- requiring expiration dates for temporary access and automated revocation at expiry
- logging the business justification, approver, and duration for every elevation
- reviewing role design regularly so the catalog reflects real operational needs
This is where identity governance, PAM, and Zero Trust controls should sit behind the ITSM workflow rather than inside it. NHI Mgmt Group’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because the same pattern appears with service accounts and API credentials: convenience wins unless revocation and scoping are engineered into the lifecycle. Current guidance from OWASP Non-Human Identity Top 10 supports treating entitlement sprawl as a first-class risk, not an afterthought. These controls tend to break down when the ITSM platform is also used as the source of truth for roles, because workflow approval then gets mistaken for actual authorization.
Common Variations and Edge Cases
Tighter access control often increases ticket complexity and operational overhead, so organisations have to balance speed against assurance. That tradeoff is especially visible in environments with shared admin teams, legacy applications, or outsourced support, where rigid role models can slow delivery if the catalog is poorly designed.
There is no universal standard for this yet, but current guidance suggests a few practical exceptions need special handling. Emergency access should be time-bound and separately logged, not merged into normal approvals. Third-party support accounts need narrower scopes and more frequent review because their usage patterns differ from internal staff. Service desks that provision access for both humans and NHIs should avoid shared approval paths, since the revocation logic and audit evidence are not the same. The most common failure mode is assuming a ticket closure equals entitlement cleanup. It does not. A ticket can prove someone asked for access, but it cannot prove the access was removed later, especially when identity lifecycle data lives outside the ITSM record.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Over-permissioning and weak revocation are core NHI lifecycle failures. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access governance addresses broad ITSM-approved entitlements. |
| NIST AI RMF | Governance and accountability apply when workflow tools drive access decisions. |
Establish accountable approval rules, traceable decisions, and periodic evaluation of access outcomes.
