Identity drift and authorization sprawl: what IAM teams are missing

Posted by @nhi-mgmt-group (Member Moderator)

TL;DR: Identity drift is widening the gap between who has access and who should have it as cloud-native systems, fragmented ownership, and NHI activity outpace static role-based access models, according to Opal Security. Authorization now matters more than authentication because the real breach path is increasingly what an identity can do after it gets in.

NHIMG editorial — based on content published by Opal Security: The Quiet Breach Vector: How Traditional Access Models Are Failing Security Staff

Questions worth separating out

Q: How should security teams reduce identity drift in cloud and SaaS environments?

A: Start by mapping where authorization is actually decided, then identify which roles, groups, and app-level permissions are inherited across systems.

Q: Why does authorization drift create more risk than a failed login?

A: A failed login stops entry, but authorization drift determines what a valid identity can do after entry.

Q: What do security teams get wrong about periodic access reviews?

A: They treat reviews as the control instead of a checkpoint.

Practitioner guidance

  • Map entitlement ownership across control planes. Document who owns each access path across the IdP, cloud IAM, SaaS consoles, and NHI tooling so that no entitlement sits in an ownership gap.
  • Prioritise drift-prone access paths first. Start with privileged roles, nested groups, persistent sessions, and service accounts that have broad inherited access or weak offboarding controls.
  • Add runtime checks to access governance. Use context-aware controls and continuous validation wherever access decisions are currently made once and assumed to remain correct.
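To make the first two points concrete, here is an added example (editorial illustration, not code from Opal Security or from NHIMG) of the kind of drift check that follows from "map where authorization is actually decided" in the Q&A above and from the ownership and prioritisation guidance in this list. It works over a constructed inventory: group names, identities, control-plane tags, the owner-approved baseline and the offboarded list are all hypothetical sample data. It resolves nested group membership into each identity's effective entitlements, compares them with what the owner actually approved, and flags the three conditions a team would triage first: an ownership gap (owner missing or offboarded, typically a service account), privileged access reached only through nesting, and any effective access outside the approved baseline.

```python
"""Entitlement-drift check over a constructed inventory (added example, hypothetical data)."""
from collections import deque

# Constructed sample data. "member_of" lists the groups this group is itself a member
# of, so its members inherit those groups' grants (AD/IdP-style nesting).
GROUPS = {
    "eng-all":       {"members": ["alice", "bob", "svc-ci"], "member_of": ["cloud-readers"]},
    "cloud-readers": {"members": [],                         "member_of": ["cloud-admins"]},  # nesting mistake
    "cloud-admins":  {"members": ["carol"],                  "member_of": []},
    "saas-billing":  {"members": ["svc-billing"],            "member_of": []},
}
# Grants attached to each group, tagged with the control plane that actually decides them.
GROUP_GRANTS = {
    "eng-all":       [("github", "repo:read")],
    "cloud-readers": [("aws", "ReadOnlyAccess")],
    "cloud-admins":  [("aws", "AdministratorAccess")],
    "saas-billing":  [("stripe", "payments:write")],
}
PRIVILEGED = {("aws", "AdministratorAccess"), ("stripe", "payments:write")}

IDENTITIES = {
    "alice":       {"kind": "human", "owner": "alice"},
    "bob":         {"kind": "human", "owner": "bob"},
    "carol":       {"kind": "human", "owner": "carol"},
    "svc-ci":      {"kind": "nhi",   "owner": "bob"},
    "svc-billing": {"kind": "nhi",   "owner": "dave"},   # dave has left; the account has not
}
OFFBOARDED = {"dave"}
# What each identity's owner approved at the last access review.
BASELINE = {
    "alice":       {("github", "repo:read")},
    "bob":         {("github", "repo:read")},
    "carol":       {("aws", "AdministratorAccess")},
    "svc-ci":      {("github", "repo:read")},
    "svc-billing": {("stripe", "payments:write")},
}
# Triage order: inherited privilege first, then orphaned accounts, then everything else.
PRIORITY = {"inherited_privileged": 0, "ownership_gap": 1, "beyond_baseline": 2}


def effective_entitlements(identity, groups=GROUPS, grants=GROUP_GRANTS):
    """Map (plane, entitlement) -> (group it came from, nesting depth) for one identity.

    Breadth-first over group nesting, so the shallowest path to each entitlement wins.
    The 'seen' set guards against membership cycles, which real directories do contain.
    """
    result = {}
    queue = deque((g, 0) for g, spec in groups.items() if identity in spec["members"])
    seen = set()
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for plane, ent in grants.get(group, []):
            key = (plane, ent)
            if key not in result or result[key][1] > depth:
                result[key] = (group, depth)
        for parent in groups[group]["member_of"]:
            queue.append((parent, depth + 1))
    return result


def find_drift(identities=IDENTITIES, baseline=BASELINE, offboarded=OFFBOARDED):
    """Return triage-ordered findings: dicts with identity, kind and detail."""
    findings = []
    for ident, meta in identities.items():
        # 1. Ownership gap: nobody accountable, or the owner has been offboarded.
        if not meta["owner"] or meta["owner"] in offboarded:
            findings.append({"identity": ident, "kind": "ownership_gap",
                             "detail": f"owner={meta['owner']!r} ({meta['kind']})"})
        # 2. Effective access the owner never approved; privileged + inherited is worst.
        approved = baseline.get(ident, set())
        for key, (via, depth) in sorted(effective_entitlements(ident).items()):
            if key in approved:
                continue
            kind = "inherited_privileged" if key in PRIVILEGED and depth > 0 else "beyond_baseline"
            findings.append({"identity": ident, "kind": kind,
                             "detail": f"{key[0]}:{key[1]} via {via} (depth {depth})"})
    findings.sort(key=lambda f: (PRIORITY[f["kind"]], f["identity"]))
    return findings


if __name__ == "__main__":
    for f in find_drift():
        print(f"{f['kind']:<21} {f['identity']:<12} {f['detail']}")
```

On the sample data the mistaken nesting of cloud-readers under cloud-admins silently gives every member of eng-all (two humans and a CI service account) AWS AdministratorAccess two hops away from anything they were approved for, while svc-billing keeps payments:write with no living owner; neither would be visible to a review that only looks at direct group membership. The control-plane tag on each grant is what lets the output say where each decision is really made, which is the inventory the first guidance point asks for.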

What's in the full article

Opal Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Examples of how identity drift appears across IAM, SaaS, and cloud administration paths.
  • The specific access-review and entitlement-management problems Opal Security says teams run into during audits and breach triage.
  • How the vendor frames AI-guided access reviews as a response to authorization sprawl.
  • The source article's fuller explanation of why static access models fail in engineer-driven environments.

👉 Read Opal Security's analysis of identity drift and authorization sprawl →
