By NHI Mgmt Group Editorial Team
Published 2025-03-25
Domain: Governance & Risk
Source: Lumos

TL;DR: Access sprawl is spreading across SaaS, microservices, and non-human identities while legacy identity systems struggle to keep up, and Microsoft reports that 90% of identities use less than 5% of the permissions they have been granted. That gap turns unused privilege into a standing attack surface, making least privilege a continuous governance problem rather than a periodic review.


At a glance

What this is: This is an editorial on access sprawl, showing how fragmented visibility, impact-based review, and least-privilege discipline are becoming necessary as NHI populations grow.

Why it matters: For IAM and NHI teams, the message is that excessive permissions are no longer just an audit problem; they are a security exposure that compounds as access surfaces expand.

By the numbers:

👉 Read Lumos's analysis of access sprawl and NHI governance


Context

Access sprawl is what happens when permissions accumulate faster than teams can review, revoke, or explain them. In practice, that means SaaS apps, legacy systems, microservices, and non-human identities all carry access that nobody can confidently justify, which is exactly where NHI governance becomes a security issue rather than an administrative one.

Lumos frames the problem as a visibility and prioritisation challenge, but the deeper issue is structural: identity systems built for slower, more static environments do not map cleanly to modern access growth. That is typical across enterprises, not an edge case, which is why NHI and IAM programmes need continuous entitlement control instead of periodic cleanup.

The Lumos article also points to Shadow IT, unused access, and policy violations as the places to focus first. That ordering is sensible because the right question is not whether access sprawl exists, but which permissions can most quickly shrink the blast radius if removed now.


Key questions

Q: How should security teams reduce access sprawl in NHI-heavy environments?

A: Start with a complete inventory of human and non-human access, then rank entitlements by privilege, dormancy, and business impact. Remove unused access first, convert permanent grants into time-bound access where possible, and require ownership for every service account or token. The goal is to shrink blast radius continuously, not just during audits.

Q: What is the difference between access visibility and access governance?

A: Access visibility tells you who or what has access, while access governance decides whether that access should exist and for how long. Visibility is the input to governance, not the same thing. In NHI programmes, the distinction matters because you cannot safely revoke, rotate, or reduce privilege without trustworthy entitlement data.

Q: When does least privilege become more important than broad access convenience?

A: Least privilege becomes the priority whenever unused or excessive access can create a larger blast radius than the convenience it buys. That is especially true for service accounts, API keys, and bots that persist across systems. If access is long-lived or hard to trace, convenience is usually masking risk.

Q: Why do non-human identities make access reviews harder?

A: Non-human identities are numerous, often lack clear business owners, and can be embedded in code, pipelines, or infrastructure where they are easy to forget. They also change faster than manual review cycles can keep up with. That combination makes traditional access reviews incomplete unless they are tied to continuous discovery and revocation.


Technical breakdown

Why access sprawl becomes an NHI governance problem

Access sprawl is the accumulation of excessive, outdated, or invisible permissions across human and non-human identities. For NHI governance, the problem is sharper because service accounts, API keys, tokens, and bots often operate without a clear owner or review cadence. When those identities are embedded in SaaS, CI/CD, and microservices, the access graph expands faster than manual controls can track. The result is not just too much access, but access that no one can confidently explain, validate, or remove in time.

Practical implication: Practitioners need identity inventory, ownership mapping, and review triggers that include non-human accounts, not just employees.

How integrated access visibility changes the control model

Integrated access visibility means pulling entitlement data from multiple systems into one control plane so teams can see who or what has access, where, and why. For NHI environments, this matters because access is often spread across cloud consoles, app-specific roles, vaults, and local scripts. Without that aggregation, revocation becomes guesswork. Visibility also supports better prioritisation because teams can isolate privileged, dormant, or anomalous access before attempting broad cleanup. In other words, visibility is the prerequisite for meaningful entitlement governance, not a reporting feature.

Practical implication: Build unified entitlement coverage before enforcing stricter access policy, or you will only automate blind spots.

Impact-based governance and least privilege for machine identities

Impact-based governance is a triage method that focuses first on permissions most likely to create damage, such as admin rights, SoD violations, unused access, and outliers. For machine identities, that approach is often more realistic than full entitlement review because NHI populations are large and fast-changing. Least privilege then becomes operational, not philosophical: grant access with an expiration date, monitor use continuously, and remove standing access when the task is done. This is where NHI governance aligns with Zero Trust and zero standing privilege principles.

Practical implication: Use risk-ranked access reviews and time-bound permissions to reduce exposure without waiting for perfect coverage.
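The triage the Q&A above and this section describe (rank by privilege, dormancy, ownership and standing access, then revoke, step down or time-bound in that order) as a worked example. This is added illustration code, not Lumos's or NHI Mgmt Group's tooling; the rule weights, the 90-day dormancy threshold and the three inventory entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 25, tzinfo=timezone.utc)  # review date for the worked run
DORMANT_AFTER = timedelta(days=90)                # assumed dormancy threshold

@dataclass(frozen=True)
class Entitlement:
    identity: str
    granted: frozenset    # permissions held
    used: frozenset       # permissions exercised in the lookback window
    last_used: datetime   # None = never observed in use
    owner: str            # None = orphaned
    expires: datetime     # None = standing (permanent) grant
    admin: bool

RULES = [  # (predicate, weight, label); weights are assumptions, tune them to your estate
    (lambda e, now: e.admin, 40, "admin"),
    (lambda e, now: e.last_used is None or now - e.last_used > DORMANT_AFTER, 25, "dormant"),
    (lambda e, now: e.expires is None, 15, "standing"),
    (lambda e, now: e.owner is None, 10, "no-owner"),
    (lambda e, now: e.granted and len(e.granted - e.used) * 2 >= len(e.granted), 10, "over-permissioned"),
]

def risk(e, now=NOW):
    """Blast-radius score for one identity; higher means review first."""
    hits = [(w, label) for pred, w, label in RULES if pred(e, now)]
    return sum(w for w, _ in hits), [label for _, label in hits]

def action(e, now=NOW):
    """Cleanup order from the page: revoke dormant first, else step down, time-bound, assign an owner."""
    _, reasons = risk(e, now)
    if "dormant" in reasons:
        return "revoke"
    fixes = {"over-permissioned": "step-down", "standing": "time-bound", "no-owner": "assign-owner"}
    return "+".join(a for r, a in fixes.items() if r in reasons) or "keep"

def triage(inventory, now=NOW):  # ranked by damage potential, not by spreadsheet order
    rows = [(e.identity, risk(e, now)[0], action(e, now)) for e in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory (hypothetical values, not from the page or Lumos)
INVENTORY = [
    Entitlement("ci-deploy-token", frozenset({"deploy", "read-secrets", "iam:admin"}),
                frozenset({"deploy"}), NOW - timedelta(days=2), "platform-team", None, admin=True),
    Entitlement("legacy-etl-svc", frozenset({"db:read", "db:write"}), frozenset(),
                NOW - timedelta(days=200), None, None, admin=False),
    Entitlement("report-bot", frozenset({"read-reports"}), frozenset({"read-reports"}),
                NOW - timedelta(days=1), "finance", NOW + timedelta(days=30), admin=False),
]
```

Note that the in-use admin token outranks the orphaned dormant account: the score measures damage potential, while the action column still sends the dormant one straight to revocation.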


Threat narrative

Attacker objective: The attacker seeks to exploit excessive access that should have been removed, then use it to expand control and increase the blast radius of the compromise.

  1. Entry begins with over-permissioned identities embedded in SaaS, microservices, and legacy systems that retain access long after the original business need has changed.
  2. Escalation follows when dormant or excessive permissions let an attacker move from a low-value account to administrative actions or policy-boundary violations.
  3. Impact occurs when unused access, shadow IT, or privileged entitlements provide a path to data exposure, service manipulation, or broader environment compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access sprawl is now an NHI governance failure, not just an IGA backlog. As machine identities multiply, the old habit of treating entitlement cleanup as a quarterly audit task no longer works. The core problem is not only volume but invisibility, because unmanaged service accounts and tokens can outlive the workflows that created them. Practitioners should treat access sprawl as active attack surface reduction work.

Integrated visibility is the control plane that makes least privilege enforceable. Without a consolidated view of human and non-human access, teams cannot safely prioritize revocation, automate remediation, or prove what changed. That is why visibility is upstream of governance, not downstream of it. Security teams should make unified entitlement data a prerequisite for NHI policy enforcement.

Impact-based governance is the practical answer when perfect review is not realistic. The article’s triage model reflects the way real NHI programmes have to operate: start with admin rights, policy violations, unused access, and outliers, then work outward. That approach is consistent with zero standing privilege thinking because it reduces the highest-risk exposure first. Practitioners should rank access by blast radius, not by spreadsheet order.

Least privilege must be continuous if NHI populations are to stay manageable. Expiration dates, dormant-access removal, and continuous monitoring are not optional add-ons when identities are non-human and scale is high. The governance mistake is assuming a review cycle can keep up with workloads that change in hours or minutes. Teams should design for ongoing entitlement decay, not permanent grants.

Identity blast radius is the right concept for access sprawl. The question is not how many permissions exist, but how much damage one stale credential can cause before it is removed. That framing is more useful for board reporting, control design, and incident readiness than generic access-count metrics. Practitioners should measure exposure by damage potential, not just by total entitlement volume.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a broader control baseline, see the Ultimate Guide to NHIs (Lifecycle Processes for Managing NHIs) for lifecycle controls that reduce persistent access.

What this signals

Identity blast radius is becoming a programme-level metric. With 97% of NHIs carrying excessive privileges, the control objective is no longer simply to discover access, but to reduce the damage a single stale identity can cause. That shift aligns tightly with NIST Cybersecurity Framework 2.0 and with how modern IAM teams should think about continuous exposure management.

The practical signal for security teams is that access cleanup must be tied to lifecycle events, not calendar-driven reviews. If service accounts, API keys, and machine tokens are still being managed as static assets, the programme is already behind the operational reality of OWASP Non-Human Identity Top 10.

Integrated visibility is now a prerequisite for automation. Teams that cannot aggregate entitlement data across SaaS, cloud, and legacy platforms will struggle to enforce least privilege at machine scale, and they will keep paying the cost in delayed revocation. That makes access telemetry, ownership mapping, and lifecycle hooks the next investment priority, not another one-off cleanup effort.


For practitioners

  • Map all non-human identities to owners and systems. Create a complete inventory that includes service accounts, API keys, tokens, certificates, bots, and workload identities across SaaS, cloud, CI/CD, and legacy systems. Do not accept orphaned accounts or spreadsheet-only ownership.
  • Prioritise privileged and unused access first. Rank entitlements by potential blast radius, starting with admin rights, segregation-of-duties violations, dormant access, and outlier (peer-without-peer) access. Remove or step down the accounts that create the fastest path to abuse.
  • Implement time-bound access for machine identities. Set expiration dates for access, require justification for renewals, and auto-remove dormant access when task windows close. Tie this to continuous monitoring so standing privilege does not silently return.
  • Unify entitlement data before automating cleanup. Integrate SaaS, cloud, vault, and legacy sources into one access view so revocation decisions are based on current data. Use that view to drive targeted remediation rather than broad, manual sweeps.

Key takeaways

  • Access sprawl becomes an NHI security problem when excess permissions are invisible, long-lived, and hard to revoke.
  • The scale of the issue is already measurable: 90% of identities use less than 5% of their permissions, which means most organisations are carrying avoidable access exposure.
  • The right response is continuous entitlement control, starting with privileged access, time-bound grants, and unified visibility across human and non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Access sprawl and hidden entitlements map directly to discovery and inventory failures.
NIST CSF 2.0 | PR.AC-4 | Least privilege and entitlement review align with access control discipline.
NIST Zero Trust (SP 800-207) | PR.AC-3 | Continuous verification supports time-bound access and reduced trust in stale credentials.

Inventory all NHI accounts and entitlements before attempting cleanup or automation.


Key terms

  • Access Sprawl: Access sprawl is the uncontrolled growth of permissions across applications, identities, and environments. It happens when access is granted faster than it is reviewed or revoked, leaving outdated and excessive entitlements in place. In NHI programmes, it often accumulates silently because machine identities are harder to inventory and assign to an owner.
  • Impact-Based Governance: Impact-based governance is a prioritisation method that focuses first on the permissions most likely to cause harm. Instead of reviewing every entitlement equally, teams rank access by privilege, inactivity, policy violations, and expected damage. For NHI security, this is a practical way to reduce risk when full manual review is not realistic.
  • Identity Blast Radius: Identity blast radius is the amount of damage a single compromised identity can cause before it is contained. It reflects privilege level, system reach, and the number of connected resources an account can touch. The concept is especially useful for non-human identities, where one stale credential can span multiple services.
  • Non-Human Identity: A non-human identity is any credentialed entity that acts on behalf of software rather than a person. This includes service accounts, API keys, tokens, certificates, bots, and AI agents. These identities need ownership, lifecycle control, and access review because they often persist longer and scale faster than human accounts.

Deepen your knowledge

Access sprawl, NHI lifecycle governance, and least privilege are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to move from periodic cleanup to continuous control, it is worth exploring.

This post draws on content published by Lumos: 3 Proven Strategies to Rein In Access Sprawl (Before It Wreaks Havoc). Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-03-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org