TL;DR: Privilege creep quietly leaves users and service accounts with far more access than they need; as permissions accumulate over time, that excess becomes latent breach, insider-threat, and audit exposure, according to Cerbos. Least privilege only works when organisations continuously remove stale entitlements, not when they rely on annual reviews and hope drift stays harmless.
NHIMG editorial — based on content published by Cerbos: privilege creep, entitlement drift, and the hidden risk of excess access
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: What breaks when privilege creep is left unchecked in IAM programmes?
A: When privilege creep is left unchecked, access no longer matches business need, so users and service accounts retain capabilities that should have expired.
Q: Why do service accounts with standing privilege increase risk?
A: Service accounts with standing privilege increase risk because they often persist across projects, systems, and teams without the human attention given to employee accounts.
Q: How do security teams know if access reviews are actually working?
A: Access reviews are working when they produce measurable removals of unused permissions, not just completion rates.
Practitioner guidance
- Reconcile roles against actual job functions: review broad roles, nested groups, and historical exceptions to remove access that no longer matches current duties.
- Trigger cleanup on lifecycle events: link joiner-mover-leaver workflows to an automatic access review when a person changes team, project, or manager.
- Block high-risk actions with contextual policy: use attribute-based rules for sensitive systems so access can be denied when department, project status, or time-bound conditions no longer justify the request.
What's in the full article
Cerbos' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step cleanup tactics for broad roles, stale groups, and unused permissions across different identity types
- Concrete examples of how dynamic authorization can reduce risk when legacy access is still waiting to be removed
- Practical guidance on combining least privilege, access reviews, and just-in-time access in day-to-day operations
- The source discussion with Giao Nguyen and Aram Andreasyan that grounds the governance problem in real IAM practice
👉 Read Cerbos' analysis of privilege creep, entitlement drift, and least privilege →
Privilege creep and entitlement drift: where IAM teams keep missing?
Explore further
Privilege creep is not a hygiene problem, it is a lifecycle failure. Access rarely self-reduces, so every missed offboarding event, unremoved project role, or forgotten group membership compounds the entitlement surface. That makes privilege creep a structural governance issue across human users and non-human accounts, not a one-time cleanup task. The programme implication is that access lifecycle controls have to be treated as operational controls, not annual paperwork.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Should organisations use dynamic authorization before finishing a full access cleanup?
A: Yes, but only as a compensating control rather than a substitute for cleanup. Dynamic authorization can stop inappropriate access at decision time when roles and groups are stale, which lowers immediate risk. It does not fix the underlying entitlement debt, so organisations still need to remove excess access and restore accurate ownership.
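As an added illustration (not Cerbos' code or policy format), the Python below models both the reconciliation and lifecycle-triggered review from the practitioner guidance above and the compensating decision-time check described in this answer: one set of lapse conditions (offboarded principal, department change, inactive project, expired time-bound grant) feeds an access review that flags stale grants and an authorizer that denies a request while the stale grant still exists. The principals, projects and grants are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
@dataclass
class Grant:                  # a standing role assignment plus the context that justified it
    principal: str
    role: str
    resource: str
    department: str           # department the grant was issued for
    project: str              # project that justified it
    last_used: Optional[datetime] = None    # None = never used
    expires_at: Optional[datetime] = None   # set for time-bound grants
def lapse_reasons(g, principal, projects, now):
    """Why the grant's justification no longer holds; empty list means still justified."""
    reasons = []
    if principal is None or not principal.get("active", True):
        reasons.append("principal_offboarded")
    elif principal["department"] != g.department:
        reasons.append("department_changed")
    if projects.get(g.project) != "active":
        reasons.append("project_inactive")
    if g.expires_at is not None and g.expires_at <= now:
        reasons.append("grant_expired")
    return reasons
def authorize(g, principals, projects, now):
    """Decision-time check: deny when context no longer justifies the request, even though
    the stale role grant still exists (compensating control, not a substitute for cleanup)."""
    reasons = lapse_reasons(g, principals.get(g.principal), projects, now)
    return (not reasons, reasons)
def stale_grants(grants, principals, projects, now, unused_days=90):
    """Review step: grants whose justification lapsed or that sat unused; the output is
    the removal list, which is the measurable result an access review should produce."""
    findings = {}
    for g in grants:
        reasons = lapse_reasons(g, principals.get(g.principal), projects, now)
        if g.last_used is None or now - g.last_used > timedelta(days=unused_days):
            reasons.append("unused")
        if reasons:
            findings[(g.principal, g.role, g.resource)] = reasons
    return findings
# Constructed sample data, not taken from any real environment.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
PRINCIPALS = {"alice": {"department": "eng"}, "bob": {"department": "eng"},  # bob moved from finance
              "carol": {"department": "eng", "active": False}, "svc-etl": {"department": "data"}}
PROJECTS = {"proj-x": "active", "proj-y": "active", "proj-z": "archived"}
GRANTS = [Grant("alice", "reader", "billing-db", "eng", "proj-x", NOW - timedelta(days=3)),
          Grant("bob", "admin", "ledger", "finance", "proj-y", NOW - timedelta(days=10)),
          Grant("carol", "deployer", "prod-cluster", "eng", "proj-x", NOW - timedelta(days=5)),
          Grant("svc-etl", "writer", "warehouse", "data", "proj-z", None, NOW - timedelta(days=30))]
```

Running `stale_grants(GRANTS, PRINCIPALS, PROJECTS, NOW)` flags bob, carol and the ETL service account but not alice, and `authorize` denies the same three grants at request time, which is the gap the review has to close by actually removing them.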
👉 Read our full editorial: Privilege creep is turning stale access into hidden breach risk