TL;DR: Most organisations only govern access changes that show up in HRIS, yet the source article argues that event-based work, projects, and temporary collaborations create the larger share of access creep by adding access with no clear end point. That gap leaves JML covering the visible minority while the invisible majority compounds silently, according to Zluri. The governance problem is not access review cadence alone, but the lack of cleanup triggers for access that begins outside employment changes.
NHIMG editorial — based on content published by Zluri: Access Management, A Tale of Two Access-Sprawl Patterns
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when access governance only follows HRIS events?
A: It misses the larger share of access growth that comes from projects, collaboration, emergency work, and other non-HRIS activity.
Q: Why do static employees often accumulate more access than role movers?
A: Static employees can keep receiving access through repeated work events while their HR record stays unchanged, which makes the growth invisible to lifecycle workflows.
Q: How do teams know if access sprawl controls are actually working?
A: Look for reductions in dormant access, fewer permissions surviving past project closure, and a shrinking gap between role baseline and current entitlement count.
Practitioner guidance
- Map access to its granting source: separate entitlements created by HRIS-driven role changes from those created by projects, collaboration, and emergency work.
- Add explicit end conditions for temporary access: require an end date, project closure event, or usage review for every non-permanent grant.
- Review static employees for hidden entitlement growth: flag employees whose titles have not changed but whose access count has drifted above role baseline.
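As an added example (not code from Zluri or NHIMG), the three guidance items and the success indicators from the Q&A above turned into checks over a constructed entitlement inventory; the grant fields, role baselines, project states and the 90-day dormancy threshold are all assumptions:

```python
from datetime import date, timedelta

# Constructed sample data (not from the article). Every grant records its granting
# source; non-HRIS grants carry the condition that should end them, if they have one.
TODAY = date(2024, 6, 1)
USERS = {"jessica": "analyst", "sarah": "analyst"}   # static employees, titles unchanged
ROLE_BASELINE = {"analyst": 3}                         # entitlements the role itself justifies
PROJECT_STATUS = {"migration": "closed", "launch": "open"}
GRANTS = [
    {"user": "jessica", "app": "crm", "source": "hris", "last_used": date(2024, 5, 28)},
    {"user": "jessica", "app": "erp", "source": "hris", "last_used": date(2024, 5, 30)},
    {"user": "jessica", "app": "wiki", "source": "hris", "last_used": date(2024, 5, 1)},
    {"user": "jessica", "app": "jira", "source": "project", "project": "migration", "last_used": date(2023, 11, 2)},
    {"user": "jessica", "app": "s3-bucket", "source": "emergency", "expires": date(2024, 1, 15), "last_used": date(2024, 1, 14)},
    {"user": "jessica", "app": "figma", "source": "collaboration", "last_used": date(2024, 2, 3)},
    {"user": "sarah", "app": "crm", "source": "hris", "last_used": date(2024, 5, 29)},
    {"user": "sarah", "app": "slack-ext", "source": "project", "project": "launch", "last_used": date(2024, 5, 31)},
]

def grants_by_source(grants=GRANTS):
    """Guidance 1: how much of the inventory was created outside HRIS events."""
    counts = {}
    for g in grants:
        counts[g["source"]] = counts.get(g["source"], 0) + 1
    return counts

def end_condition_failure(g, today=TODAY, projects=PROJECT_STATUS):
    """Guidance 2: why a non-HRIS grant should already be gone, or None if still justified."""
    if g["source"] == "hris":
        return None  # owned by the JML workflow; it leaves with the role, not here
    if "expires" in g:
        return "expired" if g["expires"] < today else None
    if "project" in g:
        return "project closed" if projects.get(g["project"]) == "closed" else None
    return "no end condition"  # permanent by default: the gap the article describes

def stale_grants(grants=GRANTS, today=TODAY):
    return [(g["user"], g["app"], why) for g in grants if (why := end_condition_failure(g, today))]

def dormant_grants(grants=GRANTS, today=TODAY, max_idle=timedelta(days=90)):
    """Indicator: access nobody has used within the idle window (90 days is an assumed threshold)."""
    return [(g["user"], g["app"]) for g in grants if today - g["last_used"] > max_idle]

def baseline_drift(grants=GRANTS, users=USERS, baseline=ROLE_BASELINE):
    """Guidance 3: static employees whose entitlement count exceeds their role baseline, with the gap."""
    counts = {}
    for g in grants:
        counts[g["user"]] = counts.get(g["user"], 0) + 1
    return {u: counts.get(u, 0) - baseline[role] for u, role in users.items()
            if counts.get(u, 0) > baseline[role]}

if __name__ == "__main__":
    print(grants_by_source(), stale_grants(), dormant_grants(), baseline_drift(), sep="\n")
```

Tracking the sizes of `stale_grants`, `dormant_grants` and `baseline_drift` over successive runs gives the three trend measures the Q&A names.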
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- The full role-by-role access timelines for Jessica and Sarah, including app-by-app growth over three years.
- The article's deeper breakdown of source 1 versus source 2 access sprawl, including how each pattern compounds.
- The stepwise examples of project access, collaboration access, and emergency grants that remain active after work ends.
- The article's recommended governance strategies for handling static employees and movers differently.
👉 Read Zluri's analysis of access sprawl across movers and static employees →
Access sprawl beyond JML: why the invisible 60% keeps growing?
Explore further
Access sprawl is a lifecycle problem, not a mover problem. The article shows that role changes are only one source of entitlement growth, while project work and temporary collaboration create a larger invisible pool. JML programmes that key only off HRIS events are structurally incomplete because they govern transitions, not the quieter accumulation that happens inside a stable role. Practitioners should treat access expansion as a cross-lifecycle issue, not an onboarding and promotion issue alone.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who is accountable when temporary access is never removed?
A: Accountability should sit with the business owner who requested the access and the identity team that allowed it to persist without an expiry condition. When access is granted for a project or incident, the request must include a clear owner and end state. Without that, nobody owns the subtraction, so the permission becomes permanent by default.
👉 Read our full editorial: Access sprawl is bigger than role changes: the invisible 60%