TL;DR: Manual role modelling cannot keep pace with SaaS growth, joiner-mover-leaver churn, and acquisition-driven complexity, leaving organisations with stale, bloated roles and weak least-privilege outcomes, according to SailPoint. The governance challenge is not just faster role creation; it is replacing spreadsheet-era assumptions with a continuous access model that can stay current as the enterprise changes.
NHIMG editorial — based on content published by SailPoint: A day in the life with AI-powered identity security: Building a smarter access model
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams reduce role sprawl in large identity programmes?
A: Start by identifying duplicated roles, stale entitlements, and business units that create access models independently.
Q: Why does manual role engineering fail as organisations add more SaaS applications?
A: Manual role engineering depends on slow review cycles and human memory, while SaaS adoption changes access patterns continuously.
Q: How can organisations tell whether their access model is still trustworthy?
A: Look for signs that roles still match current business functions, that access is being used as intended, and that recertification produces meaningful exceptions rather than endless cleanup.
Practitioner guidance
- Audit role sprawl before automating it: Review duplicated, overlapping, and stale roles across business units, especially after M&A activity or major SaaS onboarding.
- Enrich role data before trusting recommendations: Improve identity attributes, entitlement metadata, and usage telemetry so role discovery can make defensible suggestions.
- Use attribute-driven roles for variable job patterns: Apply attribute-based access control where access changes by shift, site, team, or function.
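The checks described in the Q&A above and in the three guidance items can be expressed as a small role-hygiene pass over a role catalogue. The script below is an added example written for this editorial; it is not SailPoint's Role Discovery code, and every role name, entitlement, membership count, usage date and attribute rule in it is constructed. It flags near-duplicate roles by entitlement overlap (Jaccard similarity), entitlements no member of a role has exercised within a review window, roles with no members or no entitlements, and shows how an attribute-driven rule set derives access from shift, site and function instead of a static role.

```python
"""Role-hygiene checks over a constructed role catalogue.

Added example, not SailPoint's or NHIMG's code. All data below is constructed
for illustration: role names, entitlements, membership counts, usage telemetry
and ABAC rules are placeholders, not values from any real tenant.
"""
from datetime import date, timedelta
from itertools import combinations

# Constructed role catalogue: role -> set of entitlements it grants.
ROLES = {
    "finance_analyst":      {"erp:read", "erp:report", "crm:read"},
    "finance_analyst_acme": {"erp:read", "erp:report", "crm:read", "erp:export"},  # inherited via M&A
    "sales_rep":            {"crm:read", "crm:write", "quote:create"},
    "sales_rep_legacy":     set(),  # role survived a migration with nothing attached
    "warehouse_clerk":      {"wms:read", "wms:pick", "erp:read"},
}

# Constructed membership counts per role.
MEMBERS = {
    "finance_analyst": 40, "finance_analyst_acme": 12, "sales_rep": 85,
    "sales_rep_legacy": 0, "warehouse_clerk": 30,
}

# Constructed usage telemetry: (role, entitlement) -> last date any member used it.
# Pairs absent from this map were never observed in use.
LAST_USED = {
    ("finance_analyst", "erp:read"): date(2024, 5, 30),
    ("finance_analyst", "erp:report"): date(2024, 5, 28),
    ("finance_analyst", "crm:read"): date(2023, 11, 2),       # idle for months
    ("finance_analyst_acme", "erp:read"): date(2024, 5, 29),
    ("finance_analyst_acme", "erp:report"): date(2024, 5, 20),
    ("finance_analyst_acme", "crm:read"): date(2024, 5, 1),
    ("sales_rep", "crm:read"): date(2024, 5, 31),
    ("sales_rep", "crm:write"): date(2024, 5, 31),
    ("sales_rep", "quote:create"): date(2024, 5, 15),
    ("warehouse_clerk", "wms:read"): date(2024, 5, 31),
    ("warehouse_clerk", "wms:pick"): date(2024, 5, 31),
}

# Constructed attribute rules: each grants entitlements when every listed attribute matches.
ABAC_RULES = [
    ({"function": "warehouse", "site": "dc-north"}, {"wms:read", "wms:pick"}),
    ({"function": "warehouse", "shift": "night"}, {"wms:override"}),
    ({"function": "finance"}, {"erp:read", "erp:report"}),
]


def jaccard(a, b):
    """Jaccard similarity of two entitlement sets (1.0 when both are empty)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def overlapping_roles(roles, threshold=0.75):
    """Pairs of non-empty roles whose entitlement sets overlap at or above threshold."""
    out = []
    for a, b in combinations(sorted(roles), 2):
        if roles[a] and roles[b]:
            sim = jaccard(roles[a], roles[b])
            if sim >= threshold:
                out.append((a, b, round(sim, 2)))
    return out


def stale_entitlements(roles, last_used, today, max_idle_days=90):
    """Entitlements a role grants that no member used within max_idle_days, or ever."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = {}
    for role, ents in roles.items():
        idle = sorted(e for e in ents if last_used.get((role, e), date.min) < cutoff)
        if idle:
            stale[role] = idle
    return stale


def empty_or_orphaned_roles(roles, members):
    """Roles with no members or no entitlements: removal candidates, not recertification work."""
    return sorted(r for r in roles if members.get(r, 0) == 0 or not roles[r])


def abac_entitlements(subject, rules):
    """Derive a subject's entitlements from its attributes rather than a static role."""
    granted = set()
    for required, ents in rules:
        if all(subject.get(k) == v for k, v in required.items()):
            granted |= ents
    return granted


def hygiene_report(today=date(2024, 6, 1)):
    """Run every check over the constructed catalogue and return the findings."""
    return {
        "overlapping": overlapping_roles(ROLES),
        "stale": stale_entitlements(ROLES, LAST_USED, today),
        "orphaned": empty_or_orphaned_roles(ROLES, MEMBERS),
    }


if __name__ == "__main__":
    for key, value in hygiene_report().items():
        print(f"{key}: {value}")
    night_clerk = {"function": "warehouse", "site": "dc-north", "shift": "night"}
    print("abac:", sorted(abac_entitlements(night_clerk, ABAC_RULES)))
```

The overlap threshold and the 90-day idle window are tuning knobs: a pair of roles at 0.75 similarity is a merge candidate for human review, not an automatic merge, and an entitlement with no usage telemetry at all is flagged as stale rather than silently trusted, which is the conservative reading when telemetry coverage is incomplete.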
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- Role Discovery workflow details for building and refining access models in live environments
- Examples of how role hygiene and role insights are used to right-size access over time
- The human-in-the-loop review approach for approving AI-suggested role changes
- Operational examples of how AI-assisted access modelling supports M&A onboarding and day-one access
👉 Read SailPoint's blog on AI-powered access modelling and role sprawl →