State drift is the gap between the access state one system believes is current and the access state another system is actually enforcing. In identity programmes, it appears when revocations, role changes, or token updates do not propagate uniformly across directories, applications, and policy engines.
Expanded Definition
State drift describes a mismatch between what one control plane, directory, or policy engine believes is true and what another system is actually enforcing. In NHI and IAM environments, that mismatch usually appears after revocation, role changes, token rotation, or policy updates fail to propagate cleanly across directories, SaaS applications, PAM layers, and authorization caches. It is closely related to configuration drift, but the emphasis here is identity state rather than infrastructure settings. The term is used alongside NIST Cybersecurity Framework 2.0 because the operational problem is not only technical sync failure, but also weak visibility into where authoritative identity state resides.
Definitions vary across vendors when they describe whether state drift includes stale tokens, delayed replication, or only policy divergence. For NHI governance, the practical test is whether the effective access path matches the intended access decision at the moment a request is made. The most common misapplication is treating successful deprovisioning in one system as complete remediation, which occurs when downstream caches, replicas, or application-local entitlements still preserve access.
Examples and Use Cases
Implementing drift detection rigorously often introduces reconciliation overhead, requiring organisations to weigh faster revocation against the cost of continuous state comparison across systems.
- A service account is disabled in the central directory, but a connected application continues to trust a cached token until expiry.
- Role changes are applied in IAM, yet a legacy policy engine still grants the previous entitlement set during the next access window.
- A rotated API key is stored in the secret manager, but CI/CD jobs continue to inject the old value from an environment variable.
- A revoked OAuth grant remains effective in a SaaS tenant because the application has not refreshed its authorization state, similar to patterns observed in the Salesloft OAuth token breach.
- A cloud workload receives a reduced role assignment, but attached caches and replicated claims cause the workload to retain broader access for a short period.
These cases show why identity state must be validated end to end, not only at the system where the change was first made. The same operational logic appears in guidance from NIST Cybersecurity Framework 2.0 and in NHI governance discussions where lifecycle control depends on propagation, not intention alone.
Why It Matters in NHI Security
State drift is dangerous because NHI compromise often hides in the gap between intended revocation and actual enforcement. If tokens, keys, or service-account entitlements remain valid after the owner believes they are removed, attackers can keep operating with legitimate-looking access. That is especially consequential in environments where NHIs outnumber human identities by 25x to 50x, because even small synchronization failures scale into large exposure across automation, integrations, and machine-to-machine workflows. NHI Mgmt Group research also shows that only 20% of organisations have formal offboarding and revocation processes for API keys, which makes drift a routine control failure rather than an edge case.
Practitioners should treat state drift as both a governance and incident-response issue. It undermines Zero Trust enforcement, weakens audit evidence, and can invalidate access reviews if reviewers inspect the wrong source of truth. A mature programme needs authoritative state mapping, propagation SLAs, and verification that revocations took effect everywhere the identity can still be trusted. Organisations typically encounter the full operational cost only after a breach review or failed offboarding, at which point state drift becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and credential lifecycle failures that often manifest as access state drift. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege enforcement depends on timely removal of stale access state. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous validation of effective access, not assumed state. | |
| NIST SP 800-63 | AAL2 | Assurance levels depend on current authenticator state and reliable revocation handling. |
| OWASP Agentic AI Top 10 | Agentic systems often retain access through stale tokens or outdated tool permissions. |
Reconcile identity changes across systems so effective access always matches approved privileges.