Access sprawl beyond JML: why the invisible 60% keeps growing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Most organisations only govern access changes that show up in HRIS, yet the source article argues that event-based work, projects, and temporary collaborations create the larger share of access creep by adding access with no clear end point. That gap leaves JML covering the visible minority while the invisible majority compounds silently, according to Zluri. The governance problem is not access review cadence alone, but the lack of cleanup triggers for access that begins outside employment changes.

NHIMG editorial — based on content published by Zluri: Access Management, A Tale of Two Access-Sprawl Patterns

By the numbers:

Questions worth separating out

Q: What breaks when access governance only follows HRIS events?

A: It misses the larger share of access growth that comes from projects, collaboration, emergency work, and other non-HRIS activity.

Q: Why do static employees often accumulate more access than role movers?

A: Static employees can keep receiving access through repeated work events while their HR record stays unchanged, which makes the growth invisible to lifecycle workflows.

Q: How do teams know if access sprawl controls are actually working?

A: Look for reductions in dormant access, fewer permissions surviving past project closure, and a shrinking gap between role baseline and current entitlement count.

Practitioner guidance

  • Map access to its granting source: Separate entitlements created by HRIS-driven role changes from those created by projects, collaboration, and emergency work.
  • Add explicit end conditions for temporary access: Require an end date, project closure event, or usage review for every non-permanent grant.
  • Review static employees for hidden entitlement growth: Flag employees whose titles have not changed but whose access count has drifted above role baseline.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full role-by-role access timelines for Jessica and Sarah, including app-by-app growth over three years.
  • The article's deeper breakdown of source 1 versus source 2 access sprawl, including how each pattern compounds.
  • The stepwise examples of project access, collaboration access, and emergency grants that remain active after work ends.
  • The article's recommended governance strategies for handling static employees and movers differently.

👉 Read Zluri's analysis of access sprawl across movers and static employees →
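As an added illustration of the three checks in the practitioner guidance above (not code from Zluri or from the original post), the sketch below runs them over a small constructed inventory of active grants. The record fields, user names, role baseline and project closure date are all assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Constructed inventory of currently ACTIVE grants (illustrative only).
# source "hris" = lifecycle-driven; any other source is event-based access.
FIELDS = ("user", "app", "source", "end", "project")
GRANTS = [dict(zip(FIELDS, row)) for row in [
    ("user-a", "crm",       "hris",          None,             None),
    ("user-a", "billing",   "hris",          None,             None),
    ("user-b", "crm",       "hris",          None,             None),
    ("user-b", "billing",   "hris",          None,             None),
    ("user-b", "warehouse", "project",       None,             "P-17"),
    ("user-b", "wiki-ext",  "collaboration", None,             None),
    ("user-b", "prod-db",   "emergency",     date(2024, 2, 1), None),
]]
ROLES = {"user-a": "sales", "user-b": "sales"}   # HR record: same role, unchanged
BASELINE = {"sales": 2}                          # assumed entitlements per role
CLOSED = {"P-17": date(2024, 1, 15)}             # assumed project closure events

def event_based(g):
    return g["source"] != "hris"

def no_end_condition(grants):
    """Event-based grants with neither an end date nor a project to close."""
    return [g["app"] for g in grants
            if event_based(g) and g["end"] is None and g["project"] is None]

def past_trigger(grants, closed, today):
    """Event-based grants still active after their end date or project closure."""
    hits = []
    for g in grants:
        expired = g["end"] is not None and g["end"] < today
        closed_on = closed.get(g["project"])
        if event_based(g) and (expired or (closed_on is not None and closed_on < today)):
            hits.append(g["app"])
    return hits

def baseline_drift(grants, roles, baseline):
    """Users whose active grant count exceeds their role baseline, with the excess."""
    counts = Counter(g["user"] for g in grants)
    return {u: counts[u] - baseline[r] for u, r in roles.items()
            if counts[u] > baseline[r]}

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("by source:", dict(Counter(g["source"] for g in GRANTS)))
    print("no end condition:", no_end_condition(GRANTS))
    print("past trigger:", past_trigger(GRANTS, CLOSED, today))
    print("above baseline:", baseline_drift(GRANTS, ROLES, BASELINE))
```

Both sample users hold the same unchanged role, so an HRIS-driven workflow sees no event for either, while the drift check surfaces the one whose access grew through project, collaboration and emergency grants.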
