
Privilege creep from internal moves: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Topic starter  

TL;DR: Internal movers can accumulate access in two directions at once, with one Zluri example showing a director who grew to 52 applications and 14 admin roles after four role changes. The real governance failure is that JML workflows often add entitlements for new roles without removing old access or downgrading obsolete privilege.

NHIMG editorial — based on content published by Zluri: Access Management How Privilege Creep Compounds in Two Directions | The Mover's Journey

By the numbers:

Questions worth separating out

Q: What breaks when access reviews ignore internal movers?

A: Access reviews that ignore movers usually validate the current role while leaving old access and old privilege untouched.

Q: Why do internal role changes create more privilege risk than joiners or leavers?

A: Joiners start from a baseline and leavers are supposed to be fully removed. Movers get neither treatment: each role change adds the entitlements of the new role while the old ones stay in place, so access and privilege compound with every move.

Q: How do organisations know if privilege creep is becoming a governance problem?

A: Look for users whose application count and elevated-role count rise together over time, especially after promotions or transfers.

Practitioner guidance

  • Add subtraction to mover workflows: require every role change to trigger removal of obsolete team access, downgrade of inherited admin rights, and revalidation of any temporary elevation tied to the old role.
  • Review movers as a distinct identity cohort: separate movers from joiners and leavers in access reporting so you can compare current role, prior role, and retained privilege in one control view.
  • Track access and privilege together: measure application count, admin-role count, and cross-team entitlements in the same review cycle so overprivileged accounts do not hide behind legitimate promotions.
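As an added illustration (not Zluri's or NHIMG's code), a small Python model of the three points above: an additive, provisioning-only mover workflow run over a constructed role history, the horizontal and vertical creep metrics measured together, and the subtraction step that sorts a mover's grants into keep, downgrade and remove. The role names, applications and per-role baselines are constructed sample data, not figures from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    app: str
    level: str     # "user" or "admin"
    via_role: str  # job role whose move granted it

# Constructed sample baselines (hypothetical roles and apps): the entitlements
# each job role legitimately needs. A real deployment would pull these from IGA.
ROLE_BASELINE = {
    "engineer":     {("gitlab", "user"), ("jira", "user"), ("ci", "user")},
    "team_lead":    {("gitlab", "admin"), ("jira", "user"), ("pagerduty", "admin")},
    "eng_director": {("gitlab", "user"), ("jira", "admin"), ("okta", "user")},
}
RANK = {"user": 0, "admin": 1}

def additive_provisioning(role_history):
    """Provisioning-only JML: each move adds the new role's baseline and removes nothing."""
    held = {}
    for role in role_history:
        for app, level in sorted(ROLE_BASELINE[role]):
            if app not in held or RANK[level] > RANK[held[app].level]:
                held[app] = Grant(app, level, role)
    return list(held.values())

def creep_metrics(grants):
    """Horizontal (distinct apps) and vertical (admin roles) creep, measured together."""
    return len({g.app for g in grants}), sum(g.level == "admin" for g in grants)

def reconcile_mover(current_role, grants):
    """The subtraction step: sort a mover's grants into keep / downgrade / remove."""
    expected = dict(ROLE_BASELINE[current_role])
    keep, downgrade, remove = [], [], []
    for g in grants:
        want = expected.get(g.app)
        if want is None:
            remove.append(g)         # obsolete access carried over from a prior role
        elif RANK[g.level] > RANK[want]:
            downgrade.append(g)      # inherited admin right the current role does not need
        else:
            keep.append(g)
    return keep, downgrade, remove

def apply_subtraction(current_role, grants):
    """Grants left after reconciliation: kept ones plus downgraded ones at baseline level."""
    expected = dict(ROLE_BASELINE[current_role])
    keep, downgrade, _ = reconcile_mover(current_role, grants)
    return keep + [Grant(g.app, expected[g.app], current_role) for g in downgrade]
```

Run over the history engineer, team_lead, eng_director, the additive path leaves the mover with 5 applications and 3 admin roles, while the reconciled set matches the director baseline of 3 applications and 1 admin role.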

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The step-by-step mover lifecycle breakdown that shows how access should be removed as well as added during role changes.
  • The per-role examples of horizontal and vertical accumulation across engineering, product, and leadership moves.
  • The detection signals and threshold patterns that teams can use to spot overprivileged movers in access reviews.
  • The workflow design guidance for turning JML into a reconciliation process instead of a provisioning-only process.

👉 Read Zluri's analysis of privilege creep in internal mover workflows →

