By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Best Practices
Source: StrongDM

TL;DR: Weak visibility leaves least privilege unenforceable in practice: analysis of 225 companies found 85% of privileged credentials, nearly 1 in 3 users with access, and 15% of accessible resources went unused over 90 days, according to StrongDM. The governance problem is no longer whether least privilege is sound, but whether identity teams can measure real usage fast enough to remove standing risk.


At a glance

What this is: A StrongDM analysis of why least privilege breaks down when organisations cannot see how privileged access is actually used.

Why it matters: IAM, PAM, NHI, and human access programmes all depend on usage visibility to remove unused access, reduce standing privilege, and shrink attack surface.

By the numbers:

  • 85% of privileged credentials went unused over 90 days, per StrongDM's analysis of 225 companies.
  • Nearly 1 in 3 users with access did not use it over the same 90-day period.
  • 15% of accessible resources went unused over 90 days.


Context

Least privilege fails when teams can grant access but cannot prove whether that access is still needed. In practice, the gap is not policy intent but usage visibility, which is what makes privilege reviews, deprovisioning, and right-sizing difficult across human, machine, and service identities.

For IAM and PAM programmes, that creates a familiar failure mode: access is treated as active until someone notices otherwise. This is especially damaging in environments with many credentials, many systems, and weak telemetry, because unused privilege still expands blast radius even when nobody is touching it.


Key questions

Q: How should security teams remove unused privileged access without breaking operations?

A: Start with accounts that have not been used in 90 days, then validate business owners before revoking anything that still supports production workflows. Keep temporary exceptions time-bound, document the operational reason for retention, and require reapproval if the access is needed again. The goal is to make dormant access removable without making critical systems unavailable.

Q: Why does least privilege fail in modern infrastructure environments?

A: It fails because entitlement is easier to assign than to verify, and many teams lack enough usage telemetry to prove which permissions are still needed. In complex stacks, access can persist long after the original task ends, which leaves standing privilege in place and expands the attack surface.

Q: What do security teams get wrong about over-provisioned access?

A: They often treat over-provisioning as a one-time cleanup problem instead of a continuous governance signal. In practice, access becomes over-provisioned when roles, entitlements, and resource reach drift away from actual use. Teams need recurring evidence-based reviews, not just annual certification rounds, to keep access aligned.

Q: How do you know if privileged access governance is working?

A: You should see fewer dormant credentials, fewer users with unused access, and a shrinking set of reachable resources that no longer support live work. If those numbers do not decline over time, the programme is documenting access rather than reducing it. Effective governance produces measurable removal, not just approval records.


Technical breakdown

Unused privileged credentials create persistent exposure

Privileges become risk-bearing assets the moment they exist, not when they are used. If an elevated credential has not been exercised for months, it may still be fully valid, fully exploitable, and fully invisible to the team that owns it. The technical problem is that entitlement, usage, and need are separate states, but many access programmes only track entitlement. That leaves dormant credentials in place long after the operational need has disappeared, which is why least privilege becomes a theoretical standard instead of a live control.

Practical implication: correlate privilege assignment with actual usage so dormant elevated access can be removed before it becomes an attack path.

Over-provisioning happens when access is easier to grant than to verify

Modern stacks make it easy to add access across databases, servers, cloud services, and internal platforms, but much harder to trace whether each entitlement is still justified. Over-provisioning is not only a policy failure. It is a visibility failure that prevents identity teams from distinguishing legitimate access from inherited access, temporary access, or forgotten access. In environments with poor telemetry, standing access survives because no one can confidently challenge it. That is why least privilege depends on evidence, not intent.

Practical implication: build entitlement review workflows around observed usage, not just role assignment or manager approval.

Unused resources widen attack surface and waste control effort

Least privilege is often discussed as a people problem, but the same visibility gap applies to resources. If servers, databases, or cloud services are available but untouched, they still represent reachable infrastructure, configuration drift, and cost exposure. From an access-control perspective, unused resources are a governance signal that the environment may be carrying more reachable surface than the business actually needs. The stronger the visibility into resource use, the faster teams can separate essential systems from legacy access paths that should be retired.

Practical implication: remove or isolate unused resources so access reviews focus on active systems with real business need.


Threat narrative

Attacker objective: Turn unused or over-provisioned access into a durable foothold that widens reach into sensitive systems.

  1. Entry occurs when attackers target dormant privileged credentials that remain valid despite long periods of inactivity.
  2. Escalation happens when over-provisioned accounts expose systems and privileges that are broader than current business need.
  3. Impact follows when stale access expands attack surface, enabling credential abuse, ransomware movement, or sensitive-system compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Visibility is the real control plane for least privilege. Least privilege does not fail because the principle is wrong. It fails because organisations cannot continuously prove which privileges are active, which are dormant, and which are no longer justified. Without usage visibility, access reviews become ceremonial and deprovisioning becomes reactive. The practitioner conclusion is that least privilege is only enforceable when entitlement can be reconciled to real use.

Standing privilege is the named failure mode this article exposes. The article shows that unused access persists across privileges, users, and resources, which means the governance problem is not isolated exceptions but retained standing access. That is a control-gap statement, not a product claim. The practitioner conclusion is that any programme measuring only assignment, not use, is carrying hidden exposure.

Zero standing privilege is the logical destination, but visibility is the prerequisite. StrongDM’s framing is really about moving from static entitlement to evidence-based access reduction. In NHI and human programmes alike, the organisation cannot remove what it cannot see, and it cannot govern what it cannot measure. The practitioner conclusion is that access analytics must precede access minimisation.

Least privilege is a cross-actor governance issue, not just a human IAM policy. The same usage-visibility problem appears in service accounts, workload identities, and human accounts, even if the operational shape differs. That makes the discipline broader than a single control family and closer to an identity hygiene model across the full stack. The practitioner conclusion is to evaluate access by actor type and lifecycle, not by team silo.

Identity blast radius: this article sharpens the idea that every unnecessary entitlement increases the amount of infrastructure an attacker can reach from one credential. That is not merely excess permission; it is expanded compromise potential across systems, data, and workflows. The practitioner conclusion is to treat privilege reduction as blast-radius reduction.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • A separate finding from the same survey shows that 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.
  • That combination points forward to identity programmes that must reconcile access visibility, privilege scope, and actor type before dynamic systems become normal operating mode.

What this signals

Standing privilege is becoming harder to defend as environments become more dynamic. With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, access governance is shifting from periodic review to continuous evidence gathering. Teams that cannot see usage patterns will not be able to justify privilege scope.

Ephemeral access and static entitlement now collide in the same control stack. That creates a runtime governance gap where the organisation may know who can access something, but not whether that access still reflects live work. The practical signal is simple: if dormant access never trends down, least privilege is not being enforced.

Access analytics should become a core input to IAM, PAM, and cloud governance decisions. The next programme step is not just more review, but better correlation between entitlements, activity, and resource reach so removals are defensible and repeatable. Identity teams that do this well will reduce attack surface without relying on blanket restrictions.


For practitioners

  • Correlate entitlement with actual usage: Compare privileged account assignments against 90-day usage data so dormant access can be challenged, justified, or removed. Focus first on accounts that can reach sensitive systems or infrastructure.
  • Retire unused privileged credentials: Deprovision elevated credentials that have no verified business use and replace permanent access with task-scoped alternatives where operationally possible. Keep an exception register for access that cannot yet be removed.
  • Review over-provisioned users by system reach: Map who can reach which databases, servers, and cloud resources, then remove inherited access that no longer matches current job function or operational need.
  • Measure resource inactivity as a governance signal: Track unused resources alongside unused access so access reviews, cloud rationalisation, and decommissioning decisions use the same evidence base.
  • Use usage telemetry to drive PAM decisions: Feed access logs into PAM review cycles so high-risk entitlements are removed before they become standing privilege rather than after an incident.
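The reconciliation the practical implications in the technical breakdown and the practitioner list above both describe, as an added example that is not StrongDM's or NHIMG's code: it compares an entitlement inventory against an access log over a 90-day window, reports the three signals the article measures (dormant privileged credentials, users with unused access, unused resources), and honours a time-bound exception register before naming removal candidates. The inventory, log format, and exception register are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory (hypothetical): (principal, credential_id, resource, is_privileged)
ENTITLEMENTS = [
    ("alice", "cred-01", "prod-db", True),
    ("alice", "cred-02", "ci-runner", False),
    ("bob", "cred-03", "prod-db", True),
    ("svc-backup", "cred-04", "backup-store", True),
    ("svc-legacy", "cred-05", "legacy-app", True),
    ("carol", "cred-06", "staging-db", False),
]
# Constructed access log, one event per line: "<ISO timestamp> <credential_id> <resource>"
ACCESS_LOG = """2025-06-20T10:00:00 cred-01 prod-db
2025-06-01T08:30:00 cred-02 ci-runner
2025-02-10T09:15:00 cred-03 prod-db
2025-06-25T02:00:00 cred-04 backup-store"""
# Exception register (hypothetical): credential -> date until which retention is approved
EXCEPTIONS = {"cred-05": "2025-07-31", "cred-03": "2025-05-01"}


def last_seen(log_text):
    # Latest observed use per credential and per resource
    creds, resources = {}, {}
    for line in log_text.splitlines():
        ts, cred, res = line.split()
        when = datetime.fromisoformat(ts)
        creds[cred] = max(creds.get(cred, when), when)
        resources[res] = max(resources.get(res, when), when)
    return creds, resources


def dormancy_report(entitlements, log_text, exceptions, as_of, window_days=90):
    # Reconcile entitlement to observed use: never seen or stale within the window is dormant
    as_of = datetime.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=window_days)
    cred_seen, res_seen = last_seen(log_text)
    def active(seen, key):
        return key in seen and seen[key] >= cutoff
    privileged = {c for _, c, _, p in entitlements if p}
    users = {u for u, _, _, _ in entitlements}
    resources = {r for _, _, r, _ in entitlements}
    dormant = {c for c in privileged if not active(cred_seen, c)}
    idle = {u for u in users if not any(active(cred_seen, c)
                                        for uu, c, _, _ in entitlements if uu == u)}
    unused = {r for r in resources if not active(res_seen, r)}
    # Dormant privileged credentials are removal candidates unless an exception is still valid
    candidates = {c for c in dormant
                  if c not in exceptions or datetime.fromisoformat(exceptions[c]) < as_of}
    return {
        "dormant_privileged": sorted(dormant), "dormant_ratio": len(dormant) / len(privileged),
        "idle_users": sorted(idle), "idle_ratio": len(idle) / len(users),
        "unused_resources": sorted(unused), "unused_ratio": len(unused) / len(resources),
        "removal_candidates": sorted(candidates),
    }
```

An expired exception (cred-03) does not protect a dormant credential, while an exception that is still in force (cred-05) keeps it out of the removal list even though it is counted as dormant.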

Key takeaways

  • Least privilege fails most often because organisations cannot see which access is actually in use.
  • The evidence points to a broad standing-access problem across credentials, users, and resources.
  • Practitioners should tie entitlement reviews to usage telemetry so dormant access can be removed with confidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Unused privileged credentials map directly to NHI rotation and exposure risks.
NIST CSF 2.0 | PR.AC-4 | Least privilege depends on access permissions being managed and justified.
NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification of access, not assumption of need.

Align access review cadence to actual usage and revoke entitlements that no longer support work.


Key terms

  • Least Privilege: A governance principle that limits an identity to the smallest amount of access needed to do the job. In practice, it only works when entitlement can be matched to actual use, otherwise organisations preserve dormant permission that still widens attack surface.
  • Standing Privilege: Persistent access that remains available even when the original business need has faded. For human and non-human identities alike, standing privilege becomes a hidden risk when teams cannot prove that the access is still required or still being used.
  • Usage Visibility: The ability to see how identities, credentials, and resources are actually being used across the environment. It is the evidence layer that turns access governance from assumption into decision, and it is essential for removing dormant access safely.

Deepen your knowledge

Least privilege, usage visibility, and standing privilege reduction are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to move from access assignment to evidence-based access removal, it is worth exploring.

This post draws on content published by StrongDM: 3 Reasons Why Least Privilege Has Failed. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org