Delegation drift is the gradual accumulation of excessive or outdated access in groups, roles, and admin pathways. It weakens governance because identity state changes faster than teams review it, creating privilege escalation paths that are easy to miss during normal operations.
Expanded Definition
Delegation drift describes the slow, often invisible expansion of authority across NHI lifecycles, where roles, group memberships, service accounts, and administrative handoffs retain access long after the original business need has changed. In practice, it is less a single misconfiguration than a pattern of accumulation.
Definitions vary across vendors, but in NHI governance the term is most useful when it includes both explicit delegation, such as role assignment, and implicit delegation, such as inherited permissions through nested groups, app connectors, or automation pipelines. That matters because drift can appear in human-led admin pathways and in agentic systems that act with tool access under NIST Cybersecurity Framework 2.0 governance expectations. The key distinction from ordinary privilege creep is timing: delegation drift is driven by identity state changing faster than entitlement review cycles.
It is closely related to ZSP and RBAC failures, but not identical. A role can remain well-designed while delegation drift accumulates in exceptions, break-glass grants, or temporary access that was never removed. The most common misapplication is treating it as a one-time access review problem, which occurs when teams review current permission lists without tracing how authority was inherited or re-delegated over time.
Examples and Use Cases
Implementing delegation drift controls rigorously often introduces review overhead and workflow friction, requiring organisations to weigh faster access delivery against the cost of continuous entitlement validation.
- A service account used for a deployment pipeline keeps admin rights after the pipeline is migrated, because the old group was never pruned.
- A temporary incident-response role is copied into a permanent support group, creating hidden standing access for future operators.
- An AI Agent receives tool access for a narrow workflow, then inherits broader repository and ticketing permissions as the automation stack evolves.
- A merger adds nested directory groups that preserve delegated access paths even after the original business unit is retired.
- The pattern becomes visible in breach analysis, such as the Salesloft OAuth token breach, where stale or excessive access widened the blast radius after token compromise.
Operators often pair this concept with NIST Cybersecurity Framework 2.0 access governance practices and with periodic entitlement recertification for service accounts, API keys, and admin groups. The practical goal is not just to revoke excess access, but to understand how the excess was delegated in the first place.
Why It Matters in NHI Security
Delegation drift is dangerous because NHI security failures rarely begin with a single malicious act. They usually begin with accumulated entitlement debt that survives application changes, ownership changes, and operational shortcuts. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, which makes drift a systemic governance issue rather than an edge case. The same research notes that only 5.7% of organisations have full visibility into their service accounts, so many teams are trying to control access they cannot fully see.
This is why delegation drift should be treated as an access-path problem, not just a cleanup task. If a service account is over-delegated, then compromise of one secret can expose multiple downstream systems. If an admin pathway is stale, then PAM controls may exist in policy while bypass paths still operate in practice. The issue also intersects with zero trust, because a trust model that assumes access is still appropriate will fail when delegated authority outlives its context. Guidance from NIST Cybersecurity Framework 2.0 supports continuous access governance, and the Salesloft OAuth token breach illustrates how stale authority becomes exploitable once an attacker obtains a valid credential.
Organisations typically encounter the consequence only after an incident review reveals that access was still available long after it should have been removed, at which point addressing delegation drift becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers excessive and stale non-human privileges that delegation drift leaves behind. |
| NIST CSF 2.0 | PR.AC-4 | Addresses access permissions management and least-privilege governance for delegated identities. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification, which conflicts with drifting delegated authority. |
Continuously recertify delegated NHI access and enforce least privilege across groups and service accounts.