TL;DR: Entitlement sprawl is the steady accumulation of unused cloud permissions, and Orca Security argues it is driven largely by machine and non-human identities that outnumber people and outpace manual review. The core problem is structural: cloud IAM programmes cannot govern what they cannot continuously measure.
NHIMG editorial — based on content published by Orca Security: Entitlement sprawl is the cloud IAM risk teams keep underestimating
By the numbers:
- Machine identities now outnumber human ones by more than 80 to 1, according to CyberArk’s 2025 State of Machine Identity Security Report.
Questions worth separating out
Q: How should security teams reduce entitlement sprawl in cloud environments?
A: They should start by measuring effective permissions, not just attached policies. An attached policy records what was granted; effective permissions are what the identity can actually do once role inheritance, resource policies, and trust relationships resolve, and that is the figure sprawl has to be measured against.
Q: Why do machine identities make entitlement sprawl worse?
A: Machine identities accumulate permissions faster because they are created for operational speed, reused across projects, and rarely offboarded with the same discipline as people.
Q: What breaks when access reviews are only annual in cloud IAM?
A: Annual reviews miss the pace of cloud change. Identities, roles, and policies in a cloud estate change continuously, so by the time an annual certification runs, much of the access it examines was granted or modified after the previous review, and a year of unexercised permission has already accumulated without anyone being asked whether it still has a purpose.
Practitioner guidance
- Measure effective permissions continuously: compare granted access to what identities can actually do after role inheritance, resource policies, and trust relationships resolve.
- Set expiry on machine identity access: require a clear owner, purpose, and removal trigger for every service account, workload role, and access key.
- Replace annual reviews with usage-based revocation: automate detection of permissions that have not been exercised over a meaningful window, then route them for removal or re-scoping.
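The three guidance points above are one workflow: resolve what an identity can effectively do, check that against what it has actually exercised, and confirm the identity still has an owner and an expiry. The following is an added example of that workflow in Python; it is not Orca Security's code, nor the output of any cloud provider API. The action catalogue, the policy, the last-used records, and the identity tags are all constructed for the example, and the evaluation model is deliberately simplified to identity-policy Allow minus explicit Deny (resource policies, permission boundaries, and SCPs are left out). The tag names `owner` and `expires` are an assumed convention.

```python
"""Usage-based detection of unexercised cloud permissions (added example).

Constructed data throughout: the action catalogue stands in for a provider's
published action list, the policy is an IAM-style identity policy, and the
last-used records are shaped like per-action "last accessed" data. The model
is simplified: identity-policy Allow minus explicit Deny only.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed action catalogue (a real run would load the full service list).
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:PassRole", "iam:CreateUser", "sts:AssumeRole",
]

# Constructed identity policy attached to a workload role.
ROLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket"},
    ]
}

# Constructed last-used records (UTC); None means never exercised.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
LAST_USED = {
    "s3:GetObject": NOW - timedelta(days=3),
    "s3:PutObject": NOW - timedelta(days=120),
    "s3:ListBucket": NOW - timedelta(days=10),
    "iam:PassRole": None,
}

# Constructed identity metadata; "owner" and "expires" tags are an assumed convention.
IDENTITIES = [
    {"name": "ci-deploy-role", "tags": {"owner": "platform-team", "expires": "2025-12-31"}},
    {"name": "legacy-etl-role", "tags": {"owner": "", "expires": "2024-01-15"}},
    {"name": "adhoc-debug-role", "tags": {}},
]


def _as_list(value):
    """IAM policies allow a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value)


def effective_actions(policy, catalogue=ACTION_CATALOGUE):
    """Expand wildcard actions against the catalogue; explicit Deny wins over Allow."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt["Action"]):
            target.update(a for a in catalogue if fnmatchcase(a, pattern))
    return allowed - denied


def unused_permissions(effective, last_used, now=NOW, window_days=90):
    """Return effective actions never exercised, or not exercised inside the window."""
    cutoff = now - timedelta(days=window_days)
    return sorted(a for a in effective
                  if last_used.get(a) is None or last_used[a] < cutoff)


def missing_lifecycle_metadata(identities, now=NOW):
    """Flag identities with no owner, no expiry, or an expiry already in the past."""
    findings = {}
    for ident in identities:
        tags = ident.get("tags", {})
        problems = []
        if not tags.get("owner"):
            problems.append("no owner")
        expires = tags.get("expires")
        if not expires:
            problems.append("no expiry")
        elif datetime.fromisoformat(expires).replace(tzinfo=timezone.utc) < now:
            problems.append("expired")
        if problems:
            findings[ident["name"]] = problems
    return findings


if __name__ == "__main__":
    effective = effective_actions(ROLE_POLICY)
    print("effective:", sorted(effective))
    print("revoke or re-scope:", unused_permissions(effective, LAST_USED))
    print("lifecycle gaps:", missing_lifecycle_metadata(IDENTITIES))
```

In this constructed run the role's `s3:*` grant resolves to three usable actions (the explicit Deny removes `s3:DeleteBucket`), `s3:PutObject` and `iam:PassRole` fall outside the 90-day window and are routed for removal, and two of the three identities lack an owner or a valid expiry. The point of the structure is that the revocation candidate list is derived from effective access and observed use, not from the count of attached policies.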
What's in the full article
Orca Security's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step methods for spotting unused permissions across cloud accounts and resolving effective access.
- Concrete examples of how entitlement sprawl appears in AWS, Azure, and Google Cloud policy models.
- Operational guidance on continuous access reviews, JIT access, and automated revocation workflows.
- The product workflow Orca uses to surface over-permissioned identities in context, which this post intentionally does not evaluate.
👉 Read Orca Security's analysis of entitlement sprawl and cloud access risk →
Entitlement sprawl in cloud IAM: what should teams fix first?
Explore further
Entitlement sprawl is a governance failure before it is a technical one. The article correctly treats unused permissions as latent risk, not administrative clutter. In cloud estates, the problem is not that access exists, but that nobody can continuously prove which access still has a business purpose. That makes entitlement sprawl a control-state problem for IAM, PAM, and NHI governance together. Practitioners should treat effective-permission drift as the primary signal, not the number of attached roles.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one exposed identity can become repeated operational loss.
A question worth separating out:
Q: Which controls matter most when entitlement sprawl reaches production systems?
A: The controls that matter most are least privilege, automated revocation, and tight ownership of non-human credentials. If an identity can touch production and nobody knows why it still has that access, the problem is already operational, not theoretical.
👉 Read our full editorial: Entitlement sprawl is the cloud IAM risk teams keep underestimating