
Identity drift in SaaS and NHI access: what teams are missing


(@nhi-mgmt-group)
Member Moderator

TL;DR: Identity drift, not just active exploitation, is increasingly the breach multiplier as unused SaaS accounts, orphaned third-party access, privilege creep and forgotten automation expand attack paths, according to Gathid. The governance lesson is simple: if access is not continuously validated, reviewed and owned, it becomes inherited risk rather than controlled privilege.

NHIMG editorial — based on content published by Gathid: Identity drift is becoming the real enterprise breach multiplier

By the numbers:

Questions worth separating out

Q: How should security teams reduce identity drift in SaaS and NHI environments?

A: Start by reconciling approved access against current entitlements and ownership.

Q: Why does identity drift increase breach risk so quickly?

A: Because attackers often do not need to create new access when old access still exists.

Q: How do organisations know whether access governance is actually working?

A: Measure whether every identity has a current owner, a justified business purpose and a review trail that matches actual use.

Practitioner guidance

  • Map inherited access first: build a baseline of accounts, tokens, roles and third-party integrations that exist because of prior approvals, copied templates or temporary exceptions.
  • Tie every identity to a named business owner: require an accountable owner for human, service and integration identities, then make ownership part of the review record.
  • Move from periodic review to continuous entitlement reconciliation: compare current entitlements against the approved state on a daily basis for privileged users, service accounts and external integrations.

What's in the full article

Gathid's full article covers the operational detail this post intentionally leaves for the source:

  • The article expands on the digital twin approach for modelling identity relationships and blast radius before access changes.
  • It includes practical steps for building a normalised identity view from directory, IAM, HR, cloud and SaaS data sources.
  • The source also discusses automated policy testing in CI/CD pipelines for roles, APIs and agent integrations.
  • It outlines how to measure trust decay, or how quickly privilege diverges from intent, in day-to-day operations.

👉 Read Gathid's analysis of identity drift and enterprise breach exposure →
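The practitioner guidance above (inherited-access baseline, named owner per identity, daily reconciliation of current entitlements against approved state) can be turned into a small reconciliation job. The following is an added example, not code from Gathid or from NHIMG: it compares a constructed approved-access baseline with a constructed IdP/SaaS export and emits the four drift categories the post names, plus the reverse case of an approval whose identity no longer exists. All identities, entitlement strings, owners and dates are assumed sample values, and the 90-day staleness threshold is an assumption, not a figure from the source.

```python
"""Daily entitlement reconciliation: approved baseline vs. what the
IdP / SaaS tenants actually report. Added example; all data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Approved:
    """One record from the approved-access baseline (what reviewers signed off)."""
    identity: str
    kind: str                  # "human", "service" or "integration"
    owner: Optional[str]       # named accountable owner; None means nobody owns it
    entitlements: frozenset[str]
    justification: str


@dataclass(frozen=True)
class Observed:
    """What an IdP / SaaS export says the identity holds and when it last used it."""
    identity: str
    entitlements: frozenset[str]
    last_used: Optional[date]  # None: no sign-in or API call on record


@dataclass(frozen=True)
class Finding:
    kind: str        # drift category
    identity: str
    detail: str


def reconcile(approved, observed, today, stale_days=90):
    """Compare observed entitlements to the approved baseline; return sorted findings."""
    baseline = {a.identity: a for a in approved}
    seen = {o.identity: o for o in observed}
    findings = []

    for ident, obs in seen.items():
        base = baseline.get(ident)
        if base is None:
            # Forgotten automation or a token nobody approved: worst case, report and stop.
            findings.append(Finding("unapproved_identity", ident,
                                    "holds " + ", ".join(sorted(obs.entitlements))))
            continue
        if not base.owner:
            findings.append(Finding("no_owner", ident, f"{base.kind}: {base.justification}"))
        creep = obs.entitlements - base.entitlements      # privilege beyond the approval
        if creep:
            findings.append(Finding("privilege_creep", ident,
                                    "beyond approval: " + ", ".join(sorted(creep))))
        if obs.last_used is None:
            findings.append(Finding("stale_access", ident, "never used"))
        elif (today - obs.last_used).days > stale_days:
            findings.append(Finding("stale_access", ident,
                                    f"last used {(today - obs.last_used).days} days ago"))

    for ident in baseline.keys() - seen.keys():
        # The baseline drifts too: approvals that outlive the identity they covered.
        findings.append(Finding("approved_but_absent", ident,
                                "baseline entry has no live identity"))

    return sorted(findings, key=lambda f: (f.kind, f.identity))


def drift_ratio(findings, observed):
    """Fraction of live identities carrying at least one finding: a simple drift KPI."""
    flagged = {f.identity for f in findings if f.kind != "approved_but_absent"}
    return len(flagged & {o.identity for o in observed}) / len(observed)


TODAY = date(2024, 6, 1)  # assumed run date

# Constructed sample baseline (assumed identities, owners and entitlement names).
APPROVED = [
    Approved("alice@example.com", "human", "cto@example.com",
             frozenset({"gh:org-member", "aws:ReadOnly"}), "platform engineer"),
    Approved("ci-deploy-bot", "service", "platform-lead@example.com",
             frozenset({"aws:DeployRole"}), "CI deployments"),
    Approved("legacy-reporting-svc", "service", None,
             frozenset({"snowflake:ANALYST"}), "temporary exception from 2022"),
    Approved("vendor-zapier", "integration", "ops-lead@example.com",
             frozenset({"slack:read"}), "ticket sync"),
    Approved("decommissioned-etl", "service", "data-lead@example.com",
             frozenset({"gcs:objectViewer"}), "ETL job retired"),
]

# Constructed sample export from the IdP / SaaS tenants on the same day.
OBSERVED = [
    Observed("alice@example.com",
             frozenset({"gh:org-member", "aws:ReadOnly", "aws:AdministratorAccess"}),
             date(2024, 5, 30)),
    Observed("ci-deploy-bot", frozenset({"aws:DeployRole"}), date(2024, 5, 31)),
    Observed("legacy-reporting-svc", frozenset({"snowflake:ANALYST"}), date(2023, 11, 2)),
    Observed("vendor-zapier", frozenset({"slack:read"}), date(2024, 5, 20)),
    Observed("old-contractor-token", frozenset({"gh:admin"}), date(2024, 1, 15)),
]

if __name__ == "__main__":
    result = reconcile(APPROVED, OBSERVED, TODAY)
    for f in result:
        print(f"{f.kind:22} {f.identity:24} {f.detail}")
    print(f"drift ratio: {drift_ratio(result, OBSERVED):.0%}")
```

Run daily, the output is the review queue: each finding already carries the owner (or the absence of one) and the justification from the baseline, so reviewers can act on it without re-deriving context. Feeding real data means replacing the two constructed lists with exports from the directory, IAM, HR and SaaS sources; the comparison logic does not change.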
