Privilege creep and entitlement drift: where IAM teams keep missing


(@nhi-mgmt-group)
Member Moderator

TL;DR: Privilege creep quietly leaves users and service accounts with far more access than they need, creating dormant breach, insider threat, and audit exposure as permissions accumulate over time, according to Cerbos. Least privilege only works when organisations continuously remove stale entitlements, not when they rely on annual reviews and hope drift stays harmless.

NHIMG editorial — based on content published by Cerbos: privilege creep, entitlement drift, and the hidden risk of excess access

Questions worth separating out

Q: What breaks when privilege creep is left unchecked in IAM programmes?

A: When privilege creep is left unchecked, access no longer matches business need, so users and service accounts retain capabilities that should have expired.

Q: Why do service accounts with standing privilege increase risk?

A: Service accounts with standing privilege increase risk because they often persist across projects, systems, and teams without the human attention given to employee accounts.

Q: How do security teams know if access reviews are actually working?

A: Access reviews are working when they produce measurable removals of unused permissions, not just completion rates.

Practitioner guidance

  • Reconcile roles against actual job functions: review broad roles, nested groups, and historical exceptions to remove access that no longer matches current duties.
  • Trigger cleanup on lifecycle events: link joiner-mover-leaver workflows to an automatic access review when a person changes team, project, or manager.
  • Block high-risk actions with contextual policy: use attribute-based rules for sensitive systems so access can be denied when department, project status, or time-bound conditions no longer justify the request.
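The following is an added example, not code from Cerbos or from the source article, that puts the three guidance points above and the "are access reviews actually working?" question into one small script: it flags entitlements with no recent use, reports removal rate separately from completion rate, derives removal candidates from a mover event, and applies a contextual deny rule. The 90-day staleness threshold, the `role:<team>` / `exception:<ticket>` justification convention, and all sample entitlements are assumptions constructed for the example.

```python
"""Toy entitlement-hygiene checks (added example, not Cerbos' code).

All thresholds and data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)   # assumed threshold, not taken from the article


@dataclass(frozen=True)
class Entitlement:
    principal: str            # human user or service account
    permission: str           # e.g. "db:admin", "deploy:prod"
    granted_on: date
    last_used: Optional[date]  # None = never used since grant
    reason: str               # assumed convention: "role:<team>" or "exception:<ticket>"


def stale_entitlements(entitlements, today):
    """Entitlements with no use within STALE_AFTER; never-used ones age from the grant date."""
    return [e for e in entitlements
            if today - (e.last_used or e.granted_on) >= STALE_AFTER]


def review_metrics(entitlements, reviewed, removed):
    """Completion rate is what the campaign dashboard shows; removal rate is what
    actually shrinks the attack surface. Both are fractions of all entitlements."""
    total = len(entitlements)
    return {"completion_rate": len(reviewed) / total,
            "removal_rate": len(removed) / total}


def mover_review(entitlements, principal, old_team):
    """Joiner-mover-leaver hook: when a principal leaves old_team, every entitlement
    justified only by that team's role becomes a removal candidate."""
    return [e for e in entitlements
            if e.principal == principal and e.reason == f"role:{old_team}"]


def contextual_allow(subject, resource, today):
    """Attribute-based rule for a sensitive resource: department must match, the
    project must still be active, and a time-bound grant must not have expired."""
    if subject["department"] != resource["owner_department"]:
        return False
    if resource["project_status"] != "active":
        return False
    expires = subject.get("grant_expires")
    if expires is not None and today > expires:
        return False
    return True


# --- constructed sample data ---
TODAY = date(2024, 6, 1)
ENTITLEMENTS = [
    Entitlement("alice",   "billing:read", date(2023, 1, 10), date(2024, 5, 28), "role:billing"),
    Entitlement("alice",   "deploy:prod",  date(2023, 1, 10), date(2023, 11, 2), "role:platform"),
    Entitlement("svc-etl", "db:admin",     date(2022, 6, 1),  None,              "exception:MIG-2022"),
    Entitlement("bob",     "hr:export",    date(2024, 5, 20), None,              "role:hr"),
]
FINANCE_USER = {"department": "finance"}
EXPIRED_FINANCE_USER = {"department": "finance", "grant_expires": date(2024, 5, 31)}
ACTIVE_FINANCE_PROJECT = {"owner_department": "finance", "project_status": "active"}
CLOSED_FINANCE_PROJECT = {"owner_department": "finance", "project_status": "closed"}


def run_checks():
    """Run every check over the sample data and return the results in one dict."""
    stale = stale_entitlements(ENTITLEMENTS, TODAY)
    return {
        "stale": sorted(e.permission for e in stale),
        # a review that removes what it found versus one that certifies everything
        "honest_review": review_metrics(ENTITLEMENTS, ENTITLEMENTS, stale),
        "rubber_stamp": review_metrics(ENTITLEMENTS, ENTITLEMENTS, []),
        "mover_alice_left_platform": [e.permission for e in mover_review(ENTITLEMENTS, "alice", "platform")],
        "ctx_ok": contextual_allow(FINANCE_USER, ACTIVE_FINANCE_PROJECT, TODAY),
        "ctx_expired": contextual_allow(EXPIRED_FINANCE_USER, ACTIVE_FINANCE_PROJECT, TODAY),
        "ctx_closed": contextual_allow(FINANCE_USER, CLOSED_FINANCE_PROJECT, TODAY),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The two `review_metrics` calls make the point from the Q&A concrete: both campaigns report 100% completion, but only the one that removes the stale grants has a non-zero removal rate. The never-used service-account exception (`svc-etl`) is the case the article warns about: it is stale by age alone and would never surface in a human-centred mover or leaver workflow, so the usage-based check is what catches it.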

What's in the full article

Cerbos' full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step cleanup tactics for broad roles, stale groups, and unused permissions across different identity types
  • Concrete examples of how dynamic authorization can reduce risk when legacy access is still waiting to be removed
  • Practical guidance on combining least privilege, access reviews, and just-in-time access in day-to-day operations
  • The source discussion with Giao Nguyen and Aram Andreasyan that grounds the governance problem in real IAM practice

👉 Read Cerbos' analysis of privilege creep, entitlement drift, and least privilege →
