TL;DR: Internal movers can accumulate access in two directions at once, with one Zluri example showing a director who grew to 52 applications and 14 admin roles after four role changes. The real governance failure is that JML workflows often add entitlements for new roles without removing old access or downgrading obsolete privilege.
At a glance
What this is: This analysis shows how employee movers accumulate both broader access and higher privilege over time, creating a two-dimensional privilege creep problem.
Why it matters: It matters because IAM, IGA, and PAM teams must reconcile role changes across human, NHI, and autonomous governance patterns instead of treating moves as additive-only events.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Context
Privilege creep is the slow accumulation of access and permissions beyond what a current role should require. In mover workflows, that accumulation often happens twice, first as new access is added for the next job and then as old access is left in place. For identity teams, the problem is not just overprovisioning. It is the failure to reconcile entitlements when a person changes roles, teams, or levels.
The article’s central point is that internal moves create a governance blind spot across IAM, IGA, and PAM. A role change should trigger subtraction as well as addition, but most workflows are built around provisioning, not entitlement cleanup. That same lifecycle gap appears in machine identity programmes when service accounts or tokens outlive the context that created them.
For practitioners, this is a familiar lifecycle problem with a human subject. The security question is not whether access was once justified, but whether prior access, prior elevation, and prior admin rights still align with the current role and operating need.
Key questions
Q: What breaks when access reviews ignore internal movers?
A: Access reviews that ignore movers usually validate the current role while leaving old access and old privilege untouched. The result is a false clean bill of health for users whose entitlement history no longer matches their present job. This is how privilege creep compounds quietly across teams, systems, and admin layers.
Q: Why do internal role changes create more privilege risk than joiners or leavers?
A: Joiners start from a baseline and leavers are supposed to be fully removed. Movers are different because they keep prior access while acquiring new access for the next role. That makes them the highest-risk cohort for entitlement carryover, stale admin rights, and cross-team overexposure.
Q: How do organisations know if privilege creep is becoming a governance problem?
A: Look for users whose application count and elevated-role count rise together over time, especially after promotions or transfers. A growing gap between current role and retained entitlement history is the clearest signal that access is being added faster than it is being reconciled.
Q: Should teams treat promotions as access reviews or as provisioning events?
A: They should treat promotions as both. New-role provisioning is necessary, but it is incomplete unless the process also removes obsolete access and downgrades inherited privilege from prior roles. Without that second step, each promotion increases the blast radius instead of resetting it.
Technical breakdown
Horizontal privilege creep: how access sprawl accumulates across teams
Horizontal privilege creep occurs when a user keeps gaining access to more applications, data sets, or team systems while older entitlements remain active. Each move expands the user’s reachable attack surface. The failure is not the first grant, but the absence of a clean removal path when the role context changes. In practice, this creates stale cross-team access that is still legitimate on paper but no longer justified by current job function.
Practical implication: build move-triggered access review and revocation steps that remove obsolete team access before adding the next set of entitlements.
Vertical privilege creep: why admin rights keep stacking after promotions
Vertical privilege creep is the accumulation of elevated roles inside the same systems, such as admin, owner, or super-user permissions. Promotions and temporary exceptions often add control without rescinding older elevations, especially where business continuity is prioritised over least privilege. Over time, users hold too much authority in too many tools, and the organisation loses the ability to distinguish active necessity from inherited privilege.
Practical implication: separate role-based entitlement grants from elevation grants so that promotions do not automatically preserve every prior admin assignment.
Two-dimensional accumulation: why movers are a governance blind spot
Movers are dangerous from an identity governance perspective because they compound both horizontally and vertically. They do not arrive with a clean slate, and they do not exit the way leavers do. Without explicit cleanup logic, each internal move becomes an additive event, not a reconciliation event. That is why mover workflows tend to preserve old access, stack new access, and retain elevated rights across every role change.
Practical implication: treat internal moves as recertification events for access scope and privilege level, not as simple provisioning tickets.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Two-dimensional privilege creep is a lifecycle failure, not a one-off access mistake. The article shows that users can accumulate both broader access and higher privilege with every role change. That is the same structural problem NHIs face when lifecycle processes add entitlements but never subtract them. The practitioner conclusion is clear: governance must reconcile what a subject loses, not only what it gains.
Identity review processes were designed for visible changes, not compounding carryover. Access reviews often assume a user’s current role cleanly reflects current need, but mover history breaks that assumption. Old entitlements remain as inherited state, which means recertification can bless stale privilege unless the process explicitly compares current function to past grants. The implication is that review evidence must be historical, not just snapshot-based.
Horizontal access sprawl and vertical permission inflation are the same failure mode in different dimensions. A user with too many apps and too many admin roles has crossed both boundaries of least privilege at once. That makes the governance problem broader than standard entitlement cleanup and more relevant to PAM, IGA, and access lifecycle design. Practitioners should treat the combined footprint as the real risk indicator, not either dimension alone.
Movers expose the limits of additive-by-default JML design. The article’s strongest signal is that internal transfers are rarely treated as remove, downgrade, and reissue events. JML logic is often built to provision the next role, while the previous role is left intact. The practitioner conclusion is that role change governance must become subtractive as well as additive.
Privilege accumulation is only visible when organisations measure cross-team access and cross-system elevation together. Teams that track app counts without admin counts miss the attack surface, and teams that track admin counts without role context miss the governance debt. The field implication is that identity programmes need a combined view of entitlement scope, privilege level, and role history. Practitioners should measure both dimensions in the same control cycle.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- That visibility gap is why the NHI Lifecycle Management Guide matters when you need to connect entitlement cleanup, rotation, and offboarding into one control model.
What this signals
Privilege creep is becoming a lifecycle analytics problem, not just an access review problem. Teams that can only count current entitlements will miss the carryover pattern that movers create. The next control maturity step is to correlate role history, admin growth, and cross-team access so that old privilege becomes visible before it becomes normal.
Two-dimensional entitlement debt is the right concept for this pattern. It describes the combined buildup of extra access and extra control across internal moves, and it gives practitioners a cleaner way to explain why a user can look legitimate in one report and overprivileged in another. If your governance model cannot surface that combined debt, it is not measuring the real risk.
With only 5.7% of organisations having full visibility into their service accounts, according to the Ultimate Guide to NHIs, identity programmes that cannot see non-human lifecycle state are already struggling with the same blind spot that mover governance exposes in human IAM.
For practitioners
- Add subtraction to mover workflows: Require every role change to trigger removal of obsolete team access, downgrade of inherited admin rights, and revalidation of any temporary elevation tied to the old role.
- Review movers as a distinct identity cohort: Separate movers from joiners and leavers in access reporting so you can compare current role, prior role, and retained privilege in one control view.
- Track access and privilege together: Measure application count, admin-role count, and cross-team entitlements in the same review cycle so overprivileged accounts do not hide behind legitimate promotions.
- Reconcile role history before approvals: Before approving new access, check whether the user already holds equivalent systems, stale admin rights, or inherited permissions from earlier positions.
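As an added example (not code from Zluri or the NHIMG article), the following Python models the technical breakdown above and the first and fourth practitioner steps: a mover event that reconciles held grants against the new role before provisioning it, compared with an additive-only move, and the two-dimensional entitlement debt each leaves behind. The role baselines, application names and career path are constructed placeholders.

```python
from typing import Dict, List, NamedTuple, Tuple

LEVEL = {"user": 0, "admin": 1, "owner": 2}  # privilege ordering
# Constructed, hypothetical role baselines (app -> required level); not a real org.
ROLE_BASELINE: Dict[str, Dict[str, str]] = {
    "analyst":   {"crm": "user", "wiki": "user"},
    "team_lead": {"crm": "admin", "wiki": "user", "jira": "user"},
    "director":  {"crm": "user", "wiki": "user", "bi": "admin", "hr": "user"},
}
MOVER_PATH = ["analyst", "team_lead", "director"]  # constructed career path
class Grant(NamedTuple):
    app: str
    level: str
    granted_in_role: str  # role context that originally justified the grant
def reconcile(active: List[Grant], role: str) -> Dict[str, List[Grant]]:
    """Classify held grants against a role: 'revoke' = horizontal creep (app not
    needed), 'downgrade' = vertical creep (needed at a lower level), else 'keep'."""
    baseline = ROLE_BASELINE[role]
    out: Dict[str, List[Grant]] = {"revoke": [], "downgrade": [], "keep": []}
    for g in active:
        if g.app not in baseline:
            out["revoke"].append(g)
        elif LEVEL[g.level] > LEVEL[baseline[g.app]]:
            out["downgrade"].append(g)
        else:
            out["keep"].append(g)
    return out
def apply_move(active: List[Grant], role: str, subtractive: bool) -> List[Grant]:
    """One mover event: subtractive reconciles first; additive-only never removes."""
    if subtractive:
        r = reconcile(active, role)
        active = r["keep"] + [Grant(g.app, ROLE_BASELINE[role][g.app], role)
                              for g in r["downgrade"]]
    held = {g.app: g for g in active}
    for app, lvl in ROLE_BASELINE[role].items():
        if app not in held or LEVEL[held[app].level] < LEVEL[lvl]:
            held[app] = Grant(app, lvl, role)  # grant, or raise to the baseline level
    return list(held.values())
def entitlement_debt(active: List[Grant], current_role: str) -> Tuple[int, int]:
    """Two-dimensional entitlement debt: (grants to revoke, grants to downgrade)."""
    r = reconcile(active, current_role)
    return len(r["revoke"]), len(r["downgrade"])
def simulate(path: List[str], subtractive: bool) -> Tuple[List[Grant], List[Tuple[int, int]]]:
    """Walk the mover path; return final grants plus (app count, admin count) per move."""
    active, points = [], []
    for role in path:
        active = apply_move(active, role, subtractive)
        points.append((len(active), sum(LEVEL[g.level] >= LEVEL["admin"] for g in active)))
    return active, points
```

Run with `subtractive=False` the footprint climbs (2, 0) → (3, 1) → (5, 2) and the director still holds CRM admin and Jira from earlier roles; with `subtractive=True` the same path ends at (4, 1) with zero debt.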
Key takeaways
- Privilege creep becomes much harder to contain when internal moves add access without removing old entitlements.
- The scale issue is not just more applications or more admin roles, but the compounding of both across role changes.
- The practical fix is to make every mover workflow subtractive as well as additive, with access and privilege reviewed together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Role changes should not leave excess access in place. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle-driven excess access mirrors common NHI rotation and cleanup failures. |
| NIST Zero Trust (SP 800-207) | Least privilege and continuous verification | Both depend on current role context; use zero-trust policy to verify entitlement need at each move, not only at onboarding. |
Key terms
- Privilege Creep: Privilege creep is the gradual buildup of access and elevated permissions beyond what a current role requires. It happens when organisations add new entitlements during change events but do not remove old ones, leaving users with inherited reach that no longer matches operational need.
- Horizontal Expansion: Horizontal expansion is the growth of a user’s access footprint across more applications, systems, or teams. In identity governance, it becomes a problem when each move adds new reach but old team access remains active, creating cross-functional exposure and stale entitlements.
- Vertical Escalation: Vertical escalation is the accumulation of higher privilege inside systems, such as admin or owner roles. It is not the same as broader access. The control concern is that elevation granted for one role often persists after the role changes, leaving excess control behind.
- Mover Workflow: A mover workflow is the identity process used when a user changes roles, teams, or departments while staying employed. Strong mover workflows remove outdated access, downgrade obsolete privilege, and revalidate new need at the same time, rather than only provisioning the next role.
Deepen your knowledge
Privilege creep, mover workflows, and entitlement reconciliation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are translating lifecycle governance into a more disciplined access model, it is worth exploring.
This post draws on content published by Zluri: Access Management How Privilege Creep Compounds in Two Directions | The Mover's Journey. Read the original.
Published by the NHIMG editorial team on 2026-01-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org