By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Best Practices
Source: SailPoint

TL;DR: Least privilege is hard to sustain when identity teams cannot see how access is actually used across disparate systems, according to SailPoint. Activity data changes certification from guesswork into evidence, but the deeper issue is that access review programmes fail when usage telemetry is missing.


At a glance

What this is: This is a SailPoint blog arguing that least privilege works best when access decisions are backed by activity data, not assumption.

Why it matters: It matters because IAM, IGA, and PAM teams need evidence of actual entitlement use to reduce standing access, support reviews, and keep privilege aligned across human and non-human identities.

👉 Read SailPoint's blog on improving least privilege with Activity Insights


Context

Least privilege only works when organisations can see whether granted access is actually being used. In practice, identity programmes often inherit stale entitlements because review decisions rely on role labels, manager memory, or incomplete system records rather than evidence of activity.

That gap becomes more visible when access spans multiple SaaS and enterprise systems. Without usage telemetry, teams cannot reliably separate necessary access from unused access, which weakens certification quality, slows remediation, and leaves both human and non-human identities with more privilege than they need.


Key questions

Q: How should security teams make least privilege reviews evidence-based?

A: Security teams should tie access reviews to observed usage, not just role assignments or manager memory. If an entitlement has not been used for a meaningful period, reviewers should treat it as a candidate for removal unless there is a documented operational need. Evidence-based reviews reduce privilege creep and make certification decisions easier to defend.

Q: Why do manual IGA processes struggle to maintain least privilege?

A: Manual IGA processes struggle because they usually cannot reconstruct effective access across multiple systems. Without centralised activity data, teams know what was granted but not what was actually used, so dormant access and necessary access look similar. That makes least privilege drift harder to detect and slower to correct.

Q: What do identity teams get wrong about access creep?

A: Identity teams often treat access creep as a cleanup exercise when it is really a visibility problem. If organisations cannot see which entitlements are actively used, reviews become opinion driven and excess privilege persists. The fix is to measure usage continuously so access decisions reflect current behaviour, not historical assignment.

Q: How can organisations reduce privileged access without hurting productivity?

A: Organisations can reduce privileged access safely by removing only access that is clearly unused or misaligned with the worker’s actual activity pattern. The key is to use peer comparison and activity evidence so reviewers avoid stripping legitimate access that supports real work. That keeps least privilege aligned with productivity.


Technical breakdown

Activity telemetry turns access reviews into evidence-based decisions

Least privilege is not only a provisioning rule. It also depends on knowing whether an entitlement is being used, how often it is used, and whether that usage is consistent with the role that justified it. Activity telemetry gives IGA teams a behavioural signal that static entitlement records cannot provide. It helps distinguish dormant access from active access, and that distinction matters when managers must decide whether to retain or revoke permissions during certification.

Practical implication: feed usage data into certification workflows so reviewers can revoke access based on inactivity, not just assumptions about role fit.

Why disparate systems make least privilege drift harder to control

When access is spread across multiple systems, there is no single source of truth for effective privilege. One application may show entitlement assignment, another may show login events, and a third may show nothing useful at all. That fragmentation makes it difficult to detect access creep, understand whether permissions are still needed, or spot anomalous use that should trigger review. Least privilege then becomes a policy statement instead of an operational state.

Practical implication: centralise activity and entitlement evidence so reviewers can see which access is active, unused, or out of step with the intended role.

Role modelling improves when usage patterns are visible

Role design becomes more accurate when teams can compare how similar identities use access in practice. Usage patterns reveal over-granted access, unnecessary entitlement breadth, and outlier behaviour that should not be normalised into future access models. This is especially useful when organisations want least privilege to be built into role definitions rather than corrected after the fact. In that sense, activity data is not just for cleanup. It is also a design input for future access structures.

Practical implication: use activity trends and peer comparisons to refine roles so new access models start closer to least privilege.


NHI Mgmt Group analysis

Least privilege collapses when access reviews are built on entitlement assignment instead of observed use. The control assumption is that managers can judge necessity from role and request context alone. That assumption fails when identity activity is invisible across systems, because dormant access and truly required access look the same on paper. The implication is that certification programmes must be judged by evidence quality, not by how many access items they process.

Access creep is not a documentation problem. It is a measurement problem. Organisations often know who has access, but not who is actually using it, which leaves reviewers blind to excess privilege that has quietly accumulated. Manual IGA across disparate platforms amplifies that gap because no single workflow can reconstruct effective access from scattered logs. Practitioners should treat activity visibility as a governance control, not an optional analytics layer.

Activity insights sharpen role design because role fit cannot be inferred from job title alone. A role model that ignores how entitlements are used will keep reproducing broad access, especially where users share similar titles but not similar task patterns. The most useful output is not just cleaner review decisions, but tighter future entitlement design. That makes usage data a structural input to identity governance rather than a retrospective report.

Least privilege is strongest when it becomes a continuous operating model rather than an annual cleanup exercise. If access evidence only appears during certification campaigns, the organisation is already behind the actual privilege state. Continuous usage feedback narrows the gap between granted access and necessary access across human and machine identities. For practitioners, the field lesson is simple: privilege is controlled where it is measured.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That same research found only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how often confidence runs ahead of control maturity.
  • For the broader lifecycle context, the NHI Lifecycle Management Guide shows why provisioning, rotation, and offboarding need evidence, not assumption.

What this signals

Access evidence is becoming the differentiator between performative governance and defensible governance. As entitlement estates expand, teams that cannot show actual usage will keep relying on manager judgment and stale role assumptions. The operational signal to watch is whether certification decisions are changing because telemetry exists, not because reviewers are being asked to guess.

Least privilege is now a data quality problem as much as a policy problem. The organisations that can combine entitlement assignment, activity patterns, and peer baselines will be able to shrink access more confidently. Those that cannot will keep preserving broad access because no one wants to remove permissions they cannot prove are idle.

Identity programmes should treat usage telemetry as a control input, not a reporting extra. When managers can see evidence of inactivity, access reductions become easier to justify and easier to sustain. That is the practical path from certification theatre to continuous privilege reduction.


For practitioners

  • Use activity evidence in every certification cycle: Require reviewers to see actual usage patterns, not only entitlement ownership, before they approve retained access. Prioritise unused access and dormant accounts first, because they are the clearest candidates for revocation.
  • Compare access use against peer baselines: Use peer comparisons to identify identities whose access patterns diverge materially from similar roles. That helps distinguish legitimate exceptions from entitlement sprawl that should be reduced.
  • Consolidate usage visibility across systems: Bring login and entitlement evidence into one operational view so managers can assess whether access is still needed. Fragmented records make least privilege decisions slow, inconsistent, and hard to defend.
  • Treat unused access as a governance signal: Flag long-unused entitlements for review alongside anomalous access and overbroad roles. Unused permissions are often the easiest least privilege win because removal rarely affects active work.
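The certification logic described in the technical breakdown and the practitioner checklist above, as an added example (not SailPoint's Activity Insights code or anything from the original post): entitlement assignments are joined with activity telemetry, each assignment is classified by the identity's own usage and by a peer baseline of other holders of the same role, and the output is the evidence a reviewer would see. The identities, entitlements, dates and the 90-day dormancy threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample data, not from the original post: assignments as (identity, role, entitlement)
ASSIGNMENTS = [
    ("alice", "finance-analyst", "erp:read"),
    ("alice", "finance-analyst", "erp:post-journal"),
    ("alice", "finance-analyst", "hr:export"),       # project leftover, long unused
    ("bob", "finance-analyst", "erp:read"),
    ("bob", "finance-analyst", "erp:post-journal"),
    ("bob", "finance-analyst", "erp:close-period"),  # used by bob, held by no peer
    ("carol", "finance-analyst", "erp:post-journal"),
    ("svc-report", "service", "erp:read"),
    ("svc-report", "service", "erp:admin"),          # granted, never exercised
]
# ... and activity telemetry as (identity, entitlement, date of use)
ACTIVITY = [
    ("alice", "erp:read", "2025-12-01"), ("alice", "erp:post-journal", "2025-11-28"),
    ("alice", "hr:export", "2025-04-02"), ("bob", "erp:read", "2025-12-05"),
    ("bob", "erp:post-journal", "2025-12-03"), ("bob", "erp:close-period", "2025-11-30"),
    ("carol", "erp:post-journal", "2025-08-01"), ("svc-report", "erp:read", "2025-12-09"),
]
AS_OF = datetime(2025, 12, 10)
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold, not a SailPoint value

def last_use(activity):
    """Map (identity, entitlement) -> most recent observed use."""
    idx = {}
    for ident, ent, day in activity:
        when = datetime.strptime(day, "%Y-%m-%d")
        idx[(ident, ent)] = max(idx.get((ident, ent), when), when)
    return idx

def certification_evidence(assignments, activity, as_of=AS_OF, dormant_after=DORMANT_AFTER):
    """One (identity, entitlement, flag) per assignment from own usage plus a peer baseline."""
    active = {k for k, t in last_use(activity).items() if as_of - t <= dormant_after}
    peers = defaultdict(set)
    for ident, role, _ in assignments:
        peers[role].add(ident)
    rows = []
    for ident, role, ent in assignments:
        own_active = (ident, ent) in active
        others = peers[role] - {ident}
        # Peer baseline: does another holder of the role actively use it? No peers: own use is the only evidence.
        peer_active = any((p, ent) in active for p in others) if others else own_active
        if own_active and peer_active:  flag = "retain"
        elif own_active:                flag = "exception"  # active but unusual for the role
        elif peer_active:               flag = "dormant"    # role needs it, this identity is idle
        else:                           flag = "revoke"     # unused and out of step with peers
        rows.append((ident, ent, flag))
    return rows
```

With the constructed data, alice's stale hr:export and the never-used svc-report erp:admin come out as revoke candidates, carol's idle erp:post-journal is dormant (peers still use it, so a documented need may exist), and bob's erp:close-period is an exception that needs reviewer justification rather than automatic removal.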

Key takeaways

  • Least privilege breaks down when reviewers cannot see whether access is actually used.
  • Activity telemetry makes certification more accurate by separating dormant access from necessary access.
  • Identity teams should use usage data, peer comparisons, and centralised evidence to reduce privilege without disrupting work.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Least privilege depends on controlling excessive or stale NHI access.
NIST CSF 2.0                     | PR.AC-4             | Access governance and least privilege are central to this article's control model.
NIST Zero Trust (SP 800-207)     |                     | Continuous verification supports least-privilege decisions based on current activity.

Combine activity telemetry with access policy so privilege is verified continuously, not assumed.


Key terms

  • Least Privilege: A governance principle that limits each identity to the smallest amount of access needed to complete a task. In identity programmes, it is only defensible when access is continuously checked against real use, so unnecessary permissions can be identified and removed without relying on guesswork.
  • Activity Insights: Usage telemetry that shows how identities actually interact with applications and entitlements. It gives identity teams an evidence layer for certification, role design, and access reduction because it turns abstract entitlement ownership into observable behaviour across the environment.
  • Access Creep: The gradual accumulation of permissions beyond what an identity still needs to do its work. It often happens when access is granted for a project or role change and never fully removed, leaving organisations with broader privilege than their current operating model requires.
  • Certification Campaign: A scheduled review process where managers or control owners confirm whether existing access should remain in place. The process is most effective when reviewers can see usage evidence, because retained entitlements are otherwise easy to approve simply because they already exist.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: Improve security with the principle of least privilege. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org