TL;DR: Identity sprawl emerges when users are spread across multiple siloed identity systems, creating ghost accounts, inconsistent privileges, and password reuse risks, according to Zluri’s guide. The governance problem is not just account count, but the absence of a single source of truth for access decisions.
NHIMG editorial — based on content published by Zluri (Security & Compliance): "What Is Identity Sprawl: The Ultimate Guide"
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of non-human identities (NHIs) carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: What breaks when identity sprawl is not controlled?
A: When identity sprawl is not controlled, organisations lose confidence in who has access, where that access lives, and whether it was removed correctly.
Q: Why do siloed identity systems increase governance risk?
A: Siloed identity systems increase governance risk because each system can create its own version of the truth.
Q: How can security teams tell whether access reviews are working?
A: Access reviews are working only if they remove stale access, catch duplicated accounts, and produce a reconciled view of who still needs access.
Practitioner guidance
- Inventory every identity store and shadow directory: Build a complete map of all systems that can issue or hold identity state, including SaaS apps, local directories, and app-specific stores.
- Reconcile accounts before each access review cycle: Do not ask reviewers to certify access from fragmented records.
- Use orchestration to reduce duplicate identity paths: Apply orchestration where integrations are unavoidable, but require every new path to preserve a single authoritative user record and a consistent entitlement model across connected apps.
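The reconciliation step above is the one that turns an inventory into something reviewers can certify. The following Python is an added example (not Zluri's code, data model or product) of what that step produces: every account in each app-local store is mapped back to one authoritative record, and anything that cannot be mapped cleanly is surfaced as a finding. The authoritative record, the two app stores, the employee ids and the as-of date are all constructed sample data; the finding categories (ghost, unowned, leaver still provisioned, duplicate, stale, privilege drift) are this example's own names for the failure modes the editorial describes.

```python
"""Reconcile siloed app identity stores against one authoritative record.

Constructed example: the data below stands in for an HR feed / primary
directory and two SaaS apps that each keep their own local accounts.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed authoritative record, keyed by a hypothetical employee id.
AUTHORITATIVE = {
    "e100": {"email": "ada@example.com", "active": True},
    "e101": {"email": "bob@example.com", "active": False},  # leaver: should hold no access
    "e102": {"email": "cat@example.com", "active": True},
}

# Constructed per-app stores. Each app holds its own account records, which is
# the fragmentation that makes reviews unreliable if certified from raw exports.
APP_STORES = {
    "crm": [
        {"user": "ada", "email": "ada@example.com", "privilege": "admin", "last_login": "2024-05-01"},
        {"user": "bob", "email": "bob@example.com", "privilege": "user", "last_login": "2023-11-20"},
        {"user": "svc-report", "email": None, "privilege": "admin", "last_login": "2024-04-30"},
    ],
    "wiki": [
        {"user": "ada.l", "email": "ada@example.com", "privilege": "user", "last_login": "2024-04-28"},
        {"user": "ada-old", "email": "ada@example.com", "privilege": "admin", "last_login": "2022-01-10"},
        {"user": "dave", "email": "dave@example.com", "privilege": "admin", "last_login": "2024-05-02"},
    ],
}

AS_OF = date(2024, 5, 3)  # constructed review date


def reconcile(authoritative, app_stores, as_of, stale_days=90):
    """Map each app account to the authoritative record and collect findings.

    Returns {"findings": {category: [...]}, "view": {emp_id: {app: [accounts]}}}.
    The "view" is the reconciled picture reviewers should certify from; the
    "findings" are what must be fixed or explained before certification.
    """
    by_email = {rec["email"].lower(): emp_id for emp_id, rec in authoritative.items()}
    findings = defaultdict(list)
    view = defaultdict(lambda: defaultdict(list))   # emp_id -> app -> account names
    privs = defaultdict(set)                          # emp_id -> privilege levels seen
    stale_before = as_of - timedelta(days=stale_days)

    for app, accounts in app_stores.items():
        for acct in accounts:
            ref = f"{app}:{acct['user']}"
            if date.fromisoformat(acct["last_login"]) < stale_before:
                findings["stale"].append(ref)          # unused long enough to question
            email = (acct["email"] or "").lower()
            if not email:
                findings["unowned"].append(ref)        # no owner at all (typical service account)
                continue
            emp_id = by_email.get(email)
            if emp_id is None:
                findings["ghost"].append(ref)          # exists only in the app, no source of truth
                continue
            if not authoritative[emp_id]["active"]:
                findings["leaver_still_provisioned"].append(ref)  # offboarding never reached this app
            view[emp_id][app].append(acct["user"])
            privs[emp_id].add(acct["privilege"])

    for emp_id, apps in view.items():
        for app, names in apps.items():
            if len(names) > 1:                         # one person, several accounts in one app
                findings["duplicate"].append((app, emp_id, sorted(names)))
        if len(privs[emp_id]) > 1:                     # same person, different privilege per app
            findings["privilege_drift"].append((emp_id, sorted(privs[emp_id])))

    return {
        "findings": {k: sorted(v) for k, v in findings.items()},
        "view": {e: {a: sorted(n) for a, n in apps.items()} for e, apps in view.items()},
    }


def run_example():
    """Run the reconciliation over the constructed data."""
    return reconcile(AUTHORITATIVE, APP_STORES, AS_OF)


if __name__ == "__main__":
    result = run_example()
    for category, items in result["findings"].items():
        print(f"{category}: {items}")
    print("reconciled view:", result["view"])
```

The point of the output split is that reviewers only ever see the "view": the "findings" go back to the owning teams first, so nobody is asked to certify a ghost account, a duplicate, or a leaver's access as if it were a legitimate entitlement.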
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step identity orchestration workflows for connecting incompatible SaaS and directory systems.
- Detailed provisioning and access review flows showing how Zluri centralises identity and entitlement data.
- Hands-on guidance for automating onboarding, access request handling, and deprovisioning across applications.
- Examples of audit trails and reporting views used to evidence access governance for reviewers and auditors.
👉 Read Zluri's guide on identity sprawl and SaaS access governance →
Identity sprawl in SaaS: what IAM teams need to fix now?
Explore further
Identity sprawl is a control-plane failure, not just an account-management problem. When the same identity is spread across multiple systems, no single team can reliably answer who has access, where that access lives, or whether it is still justified. That is a governance failure because lifecycle decisions depend on a stable identity record. The implication is that IAM programmes should treat fragmentation as a structural risk to certification, offboarding, and privilege control.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: How should organisations reduce identity sprawl in SaaS environments?
A: Organisations should reduce identity sprawl by consolidating identity data, federating where possible, and making offboarding and certification depend on one authoritative record. The aim is not to eliminate every external app, but to stop each app from becoming its own identity authority.
👉 Read our full editorial: Identity sprawl is widening the governance gap in SaaS environments