
Access creep between role changes and offboarding: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Access creep accumulates during employment, not just at onboarding or termination, because role changes and temporary access often never get cleaned up; Zluri’s analysis models 500 employees, 100 SaaS apps, and 4,500 excess grants a year. The control gap is visibility and lifecycle automation, not a lack of provisioning effort.

NHIMG editorial — based on content published by Zluri: The Math Behind Access Creep: What Happens Between Onboarding and Offboarding

By the numbers:

Questions worth separating out

Q: How should security teams stop access creep after role changes?

A: Security teams should tie each HR-driven role change to an automated access review that removes the old role baseline, not just adds the new one.

Q: Why does temporary access so often become permanent?

A: Temporary access becomes permanent because organisations track when access starts, but not when the business need ends.

Q: What breaks when organisations cannot see all applications?

A: Cleanup breaks first, because teams can only review and revoke access in systems they know exist.

Practitioner guidance

  • Map access changes to lifecycle triggers: connect HRIS events such as promotion, transfer, department change, and location change to automated entitlement review so old role access is removed when the new role baseline is applied.
  • Expire temporary access by default: assign end dates to project, backup, emergency, and training access so permissions drop automatically when the business need ends instead of relying on manual follow-up.
  • Build complete application discovery: inventory federated apps, non-federated tools, department-purchased software, and shadow IT so cleanup workflows can act on the full estate rather than only what appears in IAM logs.
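To make the three controls above concrete, here is a small lifecycle reconciliation model. It is an added example written for this post, not code from Zluri or from the NHIMG editorial; the role baselines, application inventory, user, dates and entitlement names are all constructed for illustration. It shows a role change that revokes the old baseline in the same step that applies the new one, temporary access that cannot be created without an end date and is dropped once that date passes, and an inventory check that surfaces apps where cleanup cannot act because they were never discovered.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed role baselines: the "app:permission" entitlements each role should hold.
ROLE_BASELINES: Dict[str, Set[str]] = {
    "support-agent": {"helpdesk:agent", "crm:read", "kb:read"},
    "support-lead": {"helpdesk:admin", "crm:read", "kb:edit", "reporting:read"},
    "finance-analyst": {"erp:read", "reporting:read", "billing:read"},
}

# Constructed application inventory: only apps listed here are wired into cleanup workflows.
MANAGED_APPS: Set[str] = {"helpdesk", "crm", "kb", "reporting", "erp", "billing"}


@dataclass
class Grant:
    entitlement: str          # "app:permission"
    reason: str               # "role" for baseline grants, otherwise the business reason
    expires: Optional[date]   # None only for role-derived grants

    @property
    def app(self) -> str:
        return self.entitlement.split(":", 1)[0]


@dataclass
class Identity:
    user: str
    role: str
    grants: List[Grant] = field(default_factory=list)


def apply_role_change(identity: Identity, new_role: str) -> Tuple[Set[str], Set[str]]:
    """Handle an HRIS role-change event (promotion, transfer, department change).

    The old role's baseline is removed in the same step that the new baseline is
    applied, so entitlements only the old role justified cannot linger.
    Returns (added, revoked) entitlement sets."""
    old_base = ROLE_BASELINES[identity.role]
    new_base = ROLE_BASELINES[new_role]
    stale = old_base - new_base
    revoked = {g.entitlement for g in identity.grants
               if g.reason == "role" and g.entitlement in stale}
    identity.grants = [g for g in identity.grants
                       if not (g.reason == "role" and g.entitlement in stale)]
    held_by_role = {g.entitlement for g in identity.grants if g.reason == "role"}
    added = new_base - held_by_role
    identity.grants.extend(Grant(e, "role", None) for e in sorted(added))
    identity.role = new_role
    return added, revoked


def grant_temporary(identity: Identity, entitlement: str, reason: str, expires: date) -> Grant:
    """Create project, backup, emergency or training access. An end date is
    mandatory, so 'expire by default' is enforced at grant time."""
    if expires is None:
        raise ValueError("temporary grants must carry an end date")
    grant = Grant(entitlement, reason, expires)
    identity.grants.append(grant)
    return grant


def expire_temporary_grants(identity: Identity, today: date) -> Set[str]:
    """Drop every time-boxed grant whose end date has passed; returns what was removed."""
    expired = {g.entitlement for g in identity.grants
               if g.expires is not None and g.expires <= today}
    identity.grants = [g for g in identity.grants
                       if g.expires is None or g.expires > today]
    return expired


def unmanaged_apps(identities: List[Identity]) -> Set[str]:
    """Apps that appear in grants but not in the inventory. Cleanup workflows
    cannot revoke there, so this set is the discovery backlog."""
    return {g.app for ident in identities for g in ident.grants} - MANAGED_APPS


def excess_access(identity: Identity, today: date) -> Set[str]:
    """Grants not justified by the current role baseline and not time-boxed
    (or already past their end date): the access-creep backlog for one user."""
    base = ROLE_BASELINES[identity.role]
    return {g.entitlement for g in identity.grants
            if g.entitlement not in base and (g.expires is None or g.expires <= today)}


def run_demo() -> dict:
    """Walk one constructed identity through a role change and a temporary grant."""
    alice = Identity("alice", "support-agent",
                     [Grant(e, "role", None) for e in sorted(ROLE_BASELINES["support-agent"])])
    grant_temporary(alice, "reporting:read", "migration-project", date(2024, 9, 30))
    # A department-purchased tool granted by hand, outside the inventory and without an end date.
    alice.grants.append(Grant("surveytool:admin", "department-purchase", None))

    added, revoked = apply_role_change(alice, "support-lead")
    expired_before = expire_temporary_grants(alice, date(2024, 9, 1))
    expired_after = expire_temporary_grants(alice, date(2024, 10, 1))
    return {
        "added": added, "revoked": revoked,
        "expired_before": expired_before, "expired_after": expired_after,
        "unmanaged": unmanaged_apps([alice]),
        "excess": excess_access(alice, date(2024, 10, 1)),
        "final": sorted(g.entitlement for g in alice.grants),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. Role-derived grants and temporary grants are kept as separate records even when they name the same entitlement, so the expiry of a project grant never silently strips access the new role still justifies. And the unmanaged-app check deliberately reads the grant records rather than the inventory, because the grants are where shadow IT first shows up; until that app is added to the inventory, the excess entitlement is reported but nothing can revoke it, which is exactly the visibility gap the post describes.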

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • The step-by-step math behind the 500-employee access creep model, including how excess grants compound over five years.
  • The capacity breakdown showing where manual IAM work goes and why 0.5 FTE cannot keep pace with 1.54 FTE of lifecycle work.
  • The visibility-first automation model for federated apps, non-federated apps, and shadow IT across the full SaaS footprint.
  • The self-service access request pattern used to reduce provisioning burden while preserving approval workflows.

👉 Read Zluri's analysis of access creep between onboarding and offboarding →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Access creep is a lifecycle governance failure, not a provisioning problem. The article shows that onboarding can be clean while employment still accumulates excess access through role changes and temporary needs. That is the real discipline gap: organisations often measure how well they grant access, but not how reliably they remove it when context changes. The practitioner conclusion is that lifecycle control has to extend through the full employment journey, not stop at joiner and leaver events.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: Who is accountable when access remains after the business need ends?

A: Accountability usually sits across HR, application owners, and identity teams, but the failure is governance, not ownership alone. If the organisation does not define who closes the loop on scheduled changes and temporary grants, revocation never becomes a reliable control.

👉 Read our full editorial: Access creep between onboarding and offboarding is a math problem
