Access Overlap Drift

A governance failure where legitimate role changes leave behind permissions that no longer fit the actor’s current function. The result is conflicting access that accumulates over time, making SoD and least privilege look intact on paper while breaking down operationally.

Expanded Definition

Access Overlap Drift describes a control failure in which an identity’s access expands, persists, or conflicts after role changes, project moves, or tool ownership changes. In NHI and IAM programs, the drift is not always visible as a single excessive permission; it often appears as a layered accumulation of valid entitlements that no longer map cleanly to current duties. That makes it distinct from one-time privilege creep, because the problem is specifically the overlap between old and new access states rather than simple overprovisioning at onboarding.

Definitions vary across vendors, but the operational meaning is consistent: access reviews that appear current can still mask outdated privileges, duplicate paths, or conflicting approvals. The OWASP Non-Human Identity Top 10 treats weak lifecycle governance as a core risk pattern, and the same logic applies when service accounts, bots, or API clients inherit permissions that were never removed. The most common misapplication is treating a successful role update as proof that prior access was fully revoked, which occurs when revocation is not tied to authoritative lifecycle events.

Examples and Use Cases

Implementing access overlap controls rigorously often introduces more review overhead and entitlement reconciliation work, requiring organisations to weigh administrative friction against the risk of hidden privilege accumulation.

  • A developer moves from application support to platform engineering, but their old API write access remains active while new admin roles are granted, creating overlapping authority in production change paths.
  • A service account is repurposed for a new workload, yet legacy permissions for the previous system are never removed, leaving the account able to reach datasets it no longer needs.
  • A CI/CD identity gains temporary release permissions during a migration and keeps them after the migration ends, which breaks separation of duties even though the access review still looks approved.
  • NHIMG’s Ultimate Guide to NHIs is useful for mapping how lifecycle controls, offboarding, and rotation intersect with entitlement cleanup in real environments.
  • For incident context, the Salesloft OAuth token breach illustrates how token persistence and missed cleanup can turn ordinary access into an exposure path.

For adjacent standards language, OWASP's Non-Human Identity Top 10 helps frame why stale or overlapping access should be treated as a lifecycle issue rather than a one-off entitlement exception.
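As an added example (not code from the journal or from the NHIMG guide), the scenarios above reduced to a reconciliation check: every active grant carries the lifecycle event that justified it, and the check flags grants left behind by a role change, temporary exceptions past their end date, and SoD conflicts that exist only because old and new access overlap. Attestation status is deliberately ignored, since a re-approved grant is the page's "looks approved on paper" case. Role names, permissions and SoD pairs are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Grant:
    """One active entitlement and the lifecycle event that justified it."""
    permission: str
    source: str                     # role or project that justified the grant
    expires: Optional[date] = None  # set only for temporary exceptions
    attested: bool = True           # passed the last periodic access review

# Constructed role catalogue: the permissions each current role should confer.
ROLE_PERMS: Dict[str, Set[str]] = {
    "app-support": {"api:write", "logs:read"},
    "platform-eng": {"cluster:admin", "logs:read"},
}
# Constructed separation-of-duties rules: pairs no single identity may hold.
SOD_PAIRS: List[Tuple[str, str]] = [
    ("api:write", "cluster:admin"),
    ("release:approve", "release:deploy"),
]

def find_overlap_drift(current_roles: Set[str], grants: List[Grant], today: date) -> Dict[str, list]:
    """Reconcile active grants against the identity's current roles.
    The 'attested' flag is ignored on purpose: a grant re-approved in a
    review is still drift when no current lifecycle state justifies it."""
    active = {g.permission for g in grants}
    # Standing grants whose source role is no longer held (leftover or duplicate path).
    stale = sorted(g.permission for g in grants
                   if g.expires is None and g.source not in current_roles)
    # Temporary exceptions that outlived the event that created them.
    expired = sorted(g.permission for g in grants
                     if g.expires is not None and g.expires < today)
    # SoD conflicts reachable only because old and new access overlap.
    sod = sorted((a, b) for a, b in SOD_PAIRS if a in active and b in active)
    justified = set().union(*(ROLE_PERMS.get(r, set()) for r in current_roles))
    return {"stale": stale, "expired": expired, "sod": sod,
            "unjustified": sorted(active - justified)}

# Constructed scenario: a developer moved from app-support to platform-eng;
# the old write access and a migration-era release exception were never revoked.
SAMPLE_GRANTS = [
    Grant("api:write", "app-support"),
    Grant("logs:read", "app-support"),
    Grant("cluster:admin", "platform-eng"),
    Grant("release:approve", "migration-2024", expires=date(2024, 6, 30)),
]

def sample_findings() -> Dict[str, list]:
    return find_overlap_drift({"platform-eng"}, SAMPLE_GRANTS, date(2025, 1, 15))
```

The same identity with only its original app-support grants produces no findings, which is the state a revocation tied to the role-change event should restore.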

Why It Matters in NHI Security

Access Overlap Drift matters because it creates a false sense of control. SoD checks, approval workflows, and periodic reviews can all appear intact while conflicting permissions continue to accumulate across human operators, service accounts, and agentic systems. In practice, that means the organisation may not notice the risk until an identity with legitimate history can still act in an old role, an old environment, or an old trust boundary.

This is especially important in NHI programs because non-human identities outnumber human users by 25x to 50x in modern enterprises, and lifecycle gaps scale quickly when access is distributed across code, CI/CD tools, and secrets stores. NHIMG research also shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which is exactly where overlap drift tends to persist. The Ultimate Guide to NHIs and its Key Challenges and Risks section make the underlying point clear: visibility and revocation discipline are prerequisites for trustworthy access governance.

Organisations typically encounter the consequence only after a breach review, access dispute, or failed deprovisioning event, at which point addressing access overlap drift becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses weak lifecycle and secret governance that lets old access persist. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management is the control area most affected by overlap drift. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuously evaluated, current access rather than stale role inheritance. |

Reconcile entitlements after every role change and verify least privilege remains true in practice.