TL;DR: Most organisations only govern access changes that show up in HRIS, yet the source article argues that event-based work, projects, and temporary collaborations create the larger share of access creep by adding access with no clear end point. That gap leaves JML covering the visible minority while the invisible majority compounds silently, according to Zluri. The governance problem is not access review cadence alone, but the lack of cleanup triggers for access that begins outside employment changes.
At a glance
What this is: The article argues that access sprawl comes from both role changes and invisible project-based work, and that traditional JML only catches the former.
Why it matters: For IAM teams, this means access governance has to address both HRIS-driven lifecycle changes and the quieter accumulation that happens outside HR events across human, NHI, and autonomous programmes.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Zluri's analysis of access sprawl across movers and static employees
Context
Access sprawl is the gradual expansion of permissions beyond what a role or task should require. The article's subject is access sprawl, and its core claim is that HRIS-based governance only sees one source of it while missing the larger pool created by project work, collaboration, and temporary access.
That distinction matters because identity programmes often treat joiner-mover-leaver controls as the main lifecycle mechanism. For human accounts, that is only part of the picture. For NHI and autonomous programmes, the same mistake appears when teams govern provisioning events but fail to manage cleanup, expiration, and access removal after the work ends.
Key questions
Q: What breaks when access governance only follows HRIS events?
A: It misses the larger share of access growth that comes from projects, collaboration, emergency work, and other non-HRIS activity. That means access can expand without any lifecycle trigger, leaving JML focused on movers while static employees and temporary grants keep accumulating permissions outside the review path. The result is false confidence in governance coverage.
Q: Why do static employees often accumulate more access than role movers?
A: Static employees can keep receiving access through repeated work events while their HR record stays unchanged, which makes the growth invisible to lifecycle workflows. Because no mover event exists, nothing forces subtraction. The access set expands quietly until recertification or an incident exposes it, which is why stable titles are not a reliable control signal.
Q: How do teams know if access sprawl controls are actually working?
A: Look for reductions in dormant access, fewer permissions surviving past project closure, and a shrinking gap between role baseline and current entitlement count. If review completion is high but removal rates stay low, the programme is certifying accumulation rather than controlling it. The right signal is cleanup, not paperwork completion.
Q: Who is accountable when temporary access is never removed?
A: Accountability should sit with the business owner who requested the access and the identity team that allowed it to persist without an expiry condition. When access is granted for a project or incident, the request must include a clear owner and end state. Without that, nobody owns the subtraction, so the permission becomes permanent by default.
Technical breakdown
Schedule-based access accumulation in mover workflows
Schedule-based accumulation happens when promotions, transfers, and manager changes trigger fresh access grants but do not reliably remove old entitlements. The article shows this clearly in the mover pattern: HRIS has the event, IAM gets the trigger, and provisioning expands the footprint, yet deprovisioning rarely follows. The technical failure is not detection but lifecycle symmetry. A move event is treated as a reason to add access, not as a state change that should force entitlement reduction. That leaves permissions stacked across roles, systems, and teams.
Practical implication: connect role-change workflows to removal logic so mover events do not only add access.
Event-based access accumulation outside HRIS signals
Event-based accumulation comes from project work, temporary collaboration, emergency grants, and migrations that never touch HRIS. These grants often begin with a legitimate request and end with no formal closure, no owner, and no expiration. In IAM terms, the control plane has a start event but no dependable end event. That is why the article treats this as invisible growth. Traditional JML logic cannot govern what it never observes. The gap is architectural, not procedural.
Practical implication: add expiry, project-close, and usage-based review signals for access that starts outside HR events.
Why static employees can create more access debt than movers
Static employees can accumulate more access debt because their baseline appears stable while permissions keep layering on through routine work. A fixed title can hide repeated tool grants from marketing, sales, product, customer success, and operations. Over time, the identity looks clean in HR but fragmented in access systems. This creates false confidence in recertification because reviewers see no mover event and assume no governance issue. The article's key technical point is that stability in HRIS is not the same as stability in access state.
Practical implication: review entitlement growth against role baseline, not just against HR status changes.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Access sprawl is a lifecycle problem, not a mover problem. The article shows that role changes are only one source of entitlement growth, while project work and temporary collaboration create a larger invisible pool. JML programmes that key only off HRIS events are structurally incomplete because they govern transitions, not the quieter accumulation that happens inside a stable role. Practitioners should treat access expansion as a cross-lifecycle issue, not an onboarding and promotion issue alone.
The named failure mode here is invisible access accumulation. That pattern matters because it lets access grow without a corresponding identity event, which means recertification can look healthy while the actual entitlement set keeps expanding. The article is strongest when it separates observable mover sprawl from hidden static-employee sprawl. That distinction should shape how teams think about entitlement drift across human identity, service accounts, and autonomous workloads.
Lifecycle controls designed for explicit start and end dates break when the end date is informal. Projects end quietly, emergency access outlives the incident, and collaborative access becomes permanent by default. The assumption of explicit start and end dates was designed for employment-state changes and stable ownership. It fails when the actor's access is created by work context rather than by HR status. The implication is that governance must be able to operate on task boundaries, not only employment boundaries.
Access review alone cannot compensate for missing offboarding logic. The article demonstrates that static employees may keep accumulating permissions even when their role never changes, because nothing in the workflow forces subtraction. That makes cleanup a control design issue, not an audit issue. Organisations that rely on periodic review without lifecycle triggers will continue to certify accumulated access instead of removing it.
Identity blast radius: access that grows through multiple work patterns becomes harder to contain because the governance model no longer matches the way permissions were granted. This concept captures the article's central lesson: once access is scattered across projects, migrations, and informal collaboration, the original role no longer explains the full entitlement set. Practitioners should use this as a reminder that governance must follow the path of accumulation, not just the latest approved role.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to NHI Mgmt Group research.
- For a broader control model, see Lifecycle Processes for Managing NHIs in the Ultimate Guide to NHIs, which shows where provisioning, rotation, and offboarding should be tied together.
What this signals
Access growth needs to be measured as a lifecycle outcome, not just as a provisioning activity. If role changes add access while project closures do not remove it, the programme is drifting toward entitlement inflation. The practical signal is whether permissions are shrinking after work ends, not whether access was approved in the first place.
The same pattern increasingly shows up across NHI programmes, where secrets, tokens, and service accounts are granted for a task and then left behind. That is why access baseline, usage decay, and expiry enforcement belong in the same operating model, alongside the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10.
Access blast radius is the term practitioners should watch here: once permissions accumulate across projects and collaborations, the original role no longer explains the effective reach of the identity. Teams that can link entitlement growth back to its source will be better positioned to contain that blast radius before it becomes audit noise or operational risk.
For practitioners
- Map access to its granting source: Separate entitlements created by HRIS-driven role changes from those created by projects, collaboration, and emergency work. Build the review process so each access grant carries a source label, because cleanup decisions depend on how the permission entered the environment.
- Add explicit end conditions for temporary access: Require an end date, project closure event, or usage review for every non-permanent grant. If the request did not come from a role change, it should not remain active by default after the task finishes.
- Review static employees for hidden entitlement growth: Flag employees whose titles have not changed but whose access count has drifted above role baseline. Compare current access to peer baseline and remove dormant tools that are no longer justified by the current job context.
- Tie emergency grants to automatic revocation: Treat emergency access as time-boxed by design and require justification for every extension. If the incident is over, the access should be removed before the next review cycle rather than left to manual cleanup.
- Measure access drift separately from recertification completion: Track how many permissions are added versus removed after projects end, role changes occur, or temporary work closes. A high review completion rate is not a substitute for actual entitlement reduction.
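The checks in the practitioner list above (source labels, end conditions, static-employee drift against role baseline, and removal rate versus approval volume), as an added example that is not from the Zluri article or from NHIMG: a constructed entitlement ledger for one static employee, with functions that surface lingering non-HRIS grants, dormant access, drift above the role baseline, and the add-versus-remove ratio after work ends. Identity, application, date and baseline values are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Grant:
    identity: str
    app: str
    source: str                    # "hris_role" | "project" | "emergency" | "collab"
    granted: date
    expires: Optional[date]        # end condition; None means no end state was recorded
    last_used: Optional[date]
    removed: Optional[date] = None # set only when the grant was actually revoked

    def active(self, today: date) -> bool:
        return self.removed is None or self.removed > today

# Constructed ledger: "bo" is a marketing manager whose HR record never changed.
ROLE_BASELINE = {"bo": {"crm", "analytics"}}
D = date
LEDGER = [
    Grant("bo", "crm",          "hris_role", D(2024, 1, 8),  None,           D(2025, 6, 1)),
    Grant("bo", "analytics",    "hris_role", D(2024, 1, 8),  None,           D(2025, 5, 30)),
    Grant("bo", "migration-db", "project",   D(2025, 2, 1),  D(2025, 3, 31), D(2025, 3, 20)),
    Grant("bo", "prod-admin",   "emergency", D(2025, 4, 2),  D(2025, 4, 3),  D(2025, 4, 2)),
    Grant("bo", "design-tool",  "collab",    D(2025, 4, 15), None,           D(2025, 5, 28)),
    Grant("bo", "ticketing",    "collab",    D(2025, 1, 10), D(2025, 2, 10), None, removed=D(2025, 2, 10)),
]

def lingering(ledger, today):
    """Non-HRIS grants still active with no end state, or past the end state they were given."""
    return [g for g in ledger if g.source != "hris_role" and g.active(today)
            and (g.expires is None or g.expires < today)]

def dormant(ledger, today, days=60):
    """Active grants with no recorded use inside the window: cleanup candidates, not review paperwork."""
    cutoff = today - timedelta(days=days)
    return [g for g in ledger if g.active(today) and (g.last_used is None or g.last_used < cutoff)]

def static_drift(ledger, baseline, today):
    """Apps each identity holds beyond its role baseline: a stable title hiding layered grants."""
    held = defaultdict(set)
    for g in ledger:
        if g.active(today):
            held[g.identity].add(g.app)
    return {i: sorted(apps - baseline.get(i, set())) for i, apps in held.items()
            if apps - baseline.get(i, set())}

def removal_rate(ledger, window_start, today):
    """Grants added vs removed in a window; a low ratio means the programme is certifying accumulation."""
    added = sum(1 for g in ledger if window_start <= g.granted <= today)
    removed = sum(1 for g in ledger if g.removed and window_start <= g.removed <= today)
    return added, removed, (removed / added if added else 0.0)
```

Run with `today = date(2025, 6, 2)`: the project and emergency grants are flagged as lingering past their end dates, the collab grant with no end condition is flagged as well, and the window shows four grants added against one removed.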
Key takeaways
- The article's core message is that access sprawl is driven by both visible role changes and hidden work patterns.
- The operational risk is not just excess access, but the absence of an end-state control that removes permissions when work finishes.
- IAM teams should measure entitlement reduction, not just approval volume, if they want governance to reflect real access state.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Access sprawl and lingering entitlements map to NHI lifecycle and rotation gaps. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access should shrink as work concludes, not only on review dates. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust depends on continually scoped access, which this article shows is often missing. |
Continuously re-evaluate entitlement scope so temporary access does not become standing access.
Key terms
- Access Sprawl: Access sprawl is the gradual growth of permissions beyond what a role, task, or project actually needs. It usually happens when grants are added faster than they are removed, leaving identities with layered access that no longer matches current work.
- Joiner-Mover-Leaver (JML): Joiner-Mover-Leaver is the identity lifecycle model for onboarding, role change, and offboarding. It works best when access changes are tied to explicit HR events, but it becomes incomplete when permissions are created by project work, temporary collaboration, or other non-HRIS activity.
- Entitlement Baseline: An entitlement baseline is the expected access footprint for a role, team, or job function. It gives reviewers a reference point for spotting excess access, but it only works if the baseline is updated for real work patterns and not treated as a static job title checklist.
- Access Drift: Access drift is the slow mismatch between current permissions and current need. In practice, it appears when access is granted for one purpose and left in place after the purpose ends, creating hidden privilege growth across human, NHI, and autonomous identity programmes.
Deepen your knowledge
Access sprawl, lifecycle cleanup, and entitlement baselining are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme that has to handle both visible and invisible access growth, it is worth exploring.
This post draws on content published by Zluri: Access Management, A Tale of Two Access-Sprawl Patterns. Read the original.
Published by the NHIMG editorial team on 2026-01-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org