By NHI Mgmt Group Editorial Team
Published 2025-12-31
Domain: Governance & Risk
Source: Zluri

TL;DR: Access creep accumulates during employment, not just at onboarding or termination, because role changes and temporary access often never get cleaned up; Zluri’s analysis models 500 employees, 100 SaaS apps, and 4,500 excess grants a year. The control gap is visibility and lifecycle automation, not a lack of provisioning effort.


At a glance

What this is: This is an access management analysis that shows how employee access drifts upward between onboarding and offboarding, creating excess grants and hidden risk.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes all fail when access reviews, lifecycle triggers, and cleanup do not keep pace with real employee movement and temporary need.

By the numbers:

👉 Read Zluri's analysis of access creep between onboarding and offboarding


Context

Access creep is the steady accumulation of permissions that remain in place after the business reason for them has changed. In this article, access creep is the primary IAM problem, because the gap appears between onboarding and offboarding, where role changes and temporary access are least visible.

For identity teams, the issue is not provisioning alone. It is the failure to connect HR-driven changes, temporary access expiry, and application visibility into one lifecycle model that can remove entitlements as reliably as it grants them.


Key questions

Q: How should security teams stop access creep after role changes?

A: Security teams should tie each HR-driven role change to an automated access review that removes the old role baseline, not just adds the new one. The control should compare current entitlements to the employee’s current job context and revoke outdated access before the next review cycle creates more drift.

Q: Why does temporary access so often become permanent?

A: Temporary access becomes permanent because organisations track when access starts, but not when the business need ends. If project completion, coverage expiry, or emergency resolution is not linked to revocation, the entitlement stays active and becomes part of the person’s steady-state access.

Q: What breaks when organisations cannot see all applications?

A: Cleanup breaks first, because teams can only review and revoke access in systems they know exist. Non-federated apps, departmental tools, and shadow IT sit outside the identity control plane, which means access creep can continue even when IAM reports look healthy.

Q: Who is accountable when access remains after the business need ends?

A: Accountability usually sits across HR, application owners, and identity teams, but the failure is governance, not ownership alone. If the organisation does not define who closes the loop on scheduled changes and temporary grants, revocation never becomes a reliable control.


Technical breakdown

Why access creep compounds during employment

Access creep is the growth of active entitlements beyond what a current role actually requires. The mechanism is simple: onboarding provisions a baseline, then promotions, team moves, temporary projects, and coverage requests add more access without removing what is no longer needed. Because each change looks legitimate in isolation, the accumulation is usually invisible until audit, incident response, or license review. The critical point is that access drift is not a single event. It is the sum of many small governance misses across the employment lifecycle.

Practical implication: tie every role change and temporary grant to a removal trigger, not just a provisioning event.

Scheduled changes and event-based changes create different cleanup failures

Scheduled changes are the ones HRIS already knows about, such as promotions, department moves, and location changes. Event-based changes are different: project work, emergency access, backup coverage, or learning access that should end when the task ends. The first failure is integration, because HR and IAM systems often do not share triggers. The second failure is time bounding, because temporary access is granted without a reliable expiry or review point. Together, they produce a lifecycle gap that manual teams cannot keep up with.

Practical implication: automate HRIS-triggered reviews for scheduled changes and use expiry-based controls for temporary access.

Why visibility is the control behind every cleanup decision

No cleanup model works if the organisation cannot see the full application estate. Federated SaaS apps appear in identity logs, but non-federated tools, departmental purchases, and shadow IT often do not. That means some access grants can be reviewed but not actually removed because the system of record is incomplete. In practice, visibility is the gatekeeper control for lifecycle governance, because you cannot certify, revoke, or reclaim access to applications you do not know exist. Visibility-first governance is therefore a prerequisite for any access remediation programme.

Practical implication: build a complete application inventory before expecting lifecycle automation to reduce access creep.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access creep is a lifecycle governance failure, not a provisioning problem. The article shows that onboarding can be clean while employment still accumulates excess access through role changes and temporary needs. That is the real discipline gap: organisations often measure how well they grant access, but not how reliably they remove it when context changes. The practitioner conclusion is that lifecycle control has to extend through the full employment journey, not stop at joiner and leaver events.

Scheduled access change and event-based access change are different failure modes. Promotions and transfers fail because HRIS events do not reliably trigger access review. Projects and temporary grants fail because the organisation does not track when the need ends. This distinction matters for IAM and IGA design, because one control path needs event integration and the other needs expiry logic. The practitioner conclusion is that one workflow cannot clean up both problems by itself.

Visibility-first governance is the concept this article names. You cannot remediate entitlements in systems you cannot see, and that includes non-federated SaaS, departmental tools, and shadow IT. The article’s math depends on hidden applications as much as on missed reviews, which means lifecycle automation without discovery only automates part of the problem. The practitioner conclusion is that application visibility is a prerequisite to access governance, not a reporting extra.

Access creep becomes a cross-domain issue when human lifecycle and non-human governance overlap. The same governance pattern that leaves employee access behind also leaves service accounts, API keys, and other NHIs unmanaged when ownership changes or temporary access is never reclaimed. That is why lifecycle discipline cannot stay siloed by identity type. The practitioner conclusion is to align review, expiry, and offboarding logic across human and non-human identities.

Manual cleanup fails because the workload grows faster than the team does. The article’s capacity math shows that access governance is not just a policy question. It is an operational throughput problem, where review, cleanup, and exception handling eventually exceed available staff time. The practitioner conclusion is that programme design must assume sustained automation, not periodic manual remediation, if it is to keep pace with access growth.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to our Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For the broader lifecycle view, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to work as one control loop.

What this signals

Visibility-first governance is becoming the deciding factor in access control maturity, because an organisation cannot revoke what it cannot inventory. When only 5.7% of organisations have full visibility into their service accounts, as our Ultimate Guide to NHIs shows, the governance gap is not abstract. It is operationally immediate for both human access cleanup and NHI lifecycle control.

The next maturity jump is not another manual review cycle. It is a control model that links HR events, application discovery, and expiry-based access so that permissions can be removed at the same speed they are granted.

Access drift debt: every day that temporary or outdated access remains in place increases the cleanup burden for the next review cycle. Teams should treat drift as accumulated operational debt, not as isolated exceptions, and use the NHI Lifecycle Management Guide to shape lifecycle controls that close the loop.


For practitioners

  • Map access changes to lifecycle triggers: Connect HRIS events such as promotion, transfer, department change, and location change to automated entitlement review so old role access is removed when the new role baseline is applied.
  • Expire temporary access by default: Assign end dates to project, backup, emergency, and training access so permissions drop automatically when the business need ends instead of relying on manual follow-up.
  • Build complete application discovery: Inventory federated apps, non-federated tools, department-purchased software, and shadow IT so cleanup workflows can act on the full estate rather than only what appears in IAM logs.
  • Separate remediation by change type: Use one workflow for scheduled changes that removes outdated role access and another for event-based access that enforces expiry and usage-based review.
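The four controls above, together with the mechanism described in the Technical breakdown, as a runnable toy model. This is an added example, not code from Zluri or from NHIMG; the role baselines, the application inventory, the user, the app names and the dates are all constructed. It puts additive role-change provisioning (which leaves the old baseline behind) beside the baseline-replacing version, applies expiry-based removal to temporary grants, and reports the one grant neither control can reach because its application is missing from the inventory.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role baselines: role -> set of (app, entitlement).
ROLE_BASELINES: dict[str, set[tuple[str, str]]] = {
    "analyst": {("jira", "user"), ("confluence", "user"), ("crm", "read")},
    "manager": {("jira", "admin"), ("confluence", "user"), ("crm", "write"),
                ("hr-portal", "approver")},
}

# Constructed application inventory (the system of record). "shadow-bi" is
# deliberately absent, modelling a departmental tool the identity team cannot see.
APP_INVENTORY: set[str] = {"jira", "confluence", "crm", "hr-portal", "finance-tool"}


@dataclass(frozen=True)
class Grant:
    app: str
    entitlement: str
    source: str                      # "role" (from a baseline) or "temporary"
    expires: Optional[date] = None   # only meaningful for temporary grants


@dataclass
class Identity:
    user: str
    role: str
    grants: set[Grant] = field(default_factory=set)


def onboard(user: str, role: str) -> Identity:
    """Joiner event: provision exactly the role baseline."""
    ident = Identity(user, role)
    for app, ent in ROLE_BASELINES[role]:
        ident.grants.add(Grant(app, ent, "role"))
    return ident


def grant_temporary(ident: Identity, app: str, ent: str, expires: Optional[date]) -> None:
    """Event-based access. expires=None models the failure: start tracked, end not."""
    ident.grants.add(Grant(app, ent, "temporary", expires))


def apply_role_change(ident: Identity, new_role: str, remove_old_baseline: bool) -> set[Grant]:
    """HRIS-triggered scheduled change. With remove_old_baseline=False this is the
    additive provisioning that creates creep; with True, old-baseline grants that
    are not in the new baseline are revoked. Returns the revoked grants."""
    old, new = ROLE_BASELINES[ident.role], ROLE_BASELINES[new_role]
    revoked: set[Grant] = set()
    if remove_old_baseline:
        for g in list(ident.grants):
            if g.source == "role" and (g.app, g.entitlement) in old - new:
                ident.grants.discard(g)
                revoked.add(g)
    for app, ent in new:
        ident.grants.add(Grant(app, ent, "role"))
    ident.role = new_role
    return revoked


def expire_temporary(ident: Identity, today: date) -> set[Grant]:
    """Expiry-based control: drop temporary grants whose end date has passed."""
    expired = {g for g in ident.grants
               if g.source == "temporary" and g.expires is not None and g.expires <= today}
    ident.grants -= expired
    return expired


def excess_grants(ident: Identity, today: date) -> set[Grant]:
    """Access creep: grants outside the current baseline plus temporary grants
    that are past their end date or were never given one."""
    baseline = ROLE_BASELINES[ident.role]
    return {g for g in ident.grants
            if (g.source == "role" and (g.app, g.entitlement) not in baseline)
            or (g.source == "temporary" and (g.expires is None or g.expires <= today))}


def unreviewable_grants(ident: Identity, inventory: set[str]) -> set[Grant]:
    """Visibility gap: grants in apps missing from the inventory. The toy model
    can list them only because it holds every grant; a real IAM report built
    from the inventory would not show them at all."""
    return {g for g in ident.grants if g.app not in inventory}


def simulate(remove_old_baseline: bool) -> dict[str, int]:
    """One constructed employee journey; returns counts for the three checks."""
    alice = onboard("alice", "analyst")
    grant_temporary(alice, "finance-tool", "read", date(2025, 3, 31))  # project, time-bounded
    grant_temporary(alice, "shadow-bi", "editor", None)                # coverage, never bounded
    apply_role_change(alice, "manager", remove_old_baseline)           # promotion
    today = date(2025, 6, 30)
    expire_temporary(alice, today)
    return {
        "active": len(alice.grants),
        "excess": len(excess_grants(alice, today)),
        "unreviewable": len(unreviewable_grants(alice, APP_INVENTORY)),
    }


if __name__ == "__main__":
    print("additive provisioning:", simulate(False))   # {'active': 7, 'excess': 3, 'unreviewable': 1}
    print("baseline replacement: ", simulate(True))    # {'active': 5, 'excess': 1, 'unreviewable': 1}
```

Additive provisioning leaves the analyst's jira/user and crm/read grants behind the promotion, and the un-bounded shadow-bi grant survives the expiry sweep; replacing the baseline removes the first two but not the third, which also sits outside the inventory. That last grant is the visibility-first point: both lifecycle controls are in place and it still persists, because the app it lives in was never discovered.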

Key takeaways

  • Access creep is created during employment when role changes and temporary grants are not cleaned up.
  • The scale problem is operational as much as security-related, because excess access accumulates faster than manual teams can remove it.
  • Lifecycle automation only works when organisations can see the full application estate and trigger removal at the moment access stops being needed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-4             | Access permissions must reflect current need, not stale role history.
OWASP Non-Human Identity Top 10 | NHI-03              | Rotation and lifecycle controls address stale non-human access patterns.
NIST Zero Trust (SP 800-207)    |                     | Zero Trust requires continuous verification, not permanent standing access.

Track NHI entitlement lifecycles and enforce revocation when access is no longer required.


Key terms

  • Access Creep: Access creep is the gradual growth of permissions beyond what a current role or task requires. It appears when access is added for promotions, projects, or temporary work, but the old entitlement is never removed, leaving the identity over-provisioned.
  • Scheduled-Based Change: A scheduled-based change is a documented lifecycle event such as a promotion, team move, or department transfer. The event is known to the organisation, which means access should be re-evaluated immediately, but often is not because the review workflow is disconnected.
  • Event-Based Access: Event-based access is temporary permission granted for a specific business activity, such as a project, emergency, or backup assignment. It should expire when the activity ends, but it often persists because no reliable end trigger exists in the governance process.
  • Visibility-First Governance: Visibility-first governance is the practice of discovering the full application estate before trying to automate cleanup or access review. It recognises that identity controls cannot manage what they cannot see, especially across federated, non-federated, and shadow applications.

Deepen your knowledge

Access creep, lifecycle cleanup, and visibility-first governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a control model that must span human and non-human access, it is worth exploring.

This post draws on content published by Zluri: The Math Behind Access Creep: What Happens Between Onboarding and Offboarding. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org