
License-to-Access Drift

By NHI Mgmt Group Updated June 10, 2026 Domain: NHI Lifecycle Management

License-to-access drift is the gap between what an organisation pays for and what its identity systems still allow. It appears when entitlement records, usage data, and offboarding workflows are not aligned, leaving dormant seats or accounts in place long after business need has ended.

Expanded Definition

License-to-access drift describes a governance failure where purchased or approved access no longer matches actual entitlement state. In NHI environments, that mismatch can involve service accounts, API keys, OAuth tokens, or agent permissions that remain active after the business need has ended, even though procurement, billing, and offboarding records imply the access should be gone.

The term sits at the intersection of identity lifecycle management and software asset control. It is broader than simple license waste because the security issue is not only cost leakage, but also retained authority. The OWASP Non-Human Identity Top 10 treats overprivilege and weak lifecycle control as core NHI risks, and that lens applies here when dormant access persists after the commercial record has changed. Usage in the industry is still evolving, and some teams use the phrase to describe SaaS seat sprawl while others apply it to machine access and agent permissions as well.

The most common misapplication is treating the issue as a procurement cleanup task, which occurs when organisations reconcile invoices but do not verify whether the corresponding identities, tokens, and entitlements were actually revoked.

Examples and Use Cases

Implementing license-to-access drift controls rigorously often introduces workflow overhead, requiring organisations to balance tighter entitlement hygiene against the administrative cost of continuous reconciliation.

  • A SaaS application is downgraded after renewal, but dormant administrator accounts remain active because the offboarding workflow never reaches the identity provider.
  • An engineering team decommissions a CI/CD pipeline, yet long-lived API keys stay valid in a secrets store, creating access that no longer maps to an approved license.
  • A customer success platform is billed for 500 seats, but 120 identities have not logged in for months and still retain access to sensitive customer records.
  • An autonomous agent is retired from production, but its delegated OAuth grants continue to authorize downstream actions because the revocation step failed.
  • Audit teams compare entitlement records with active usage and discover that the “licensed” population is smaller than the set of identities still capable of authenticating.

These patterns are frequently discussed alongside lifecycle failures in the Ultimate Guide to NHIs, and they show why access review must extend beyond human users. For implementation detail, the OWASP guidance is useful, but the operational question is always whether the identity is still able to act, not just whether someone still pays for it.
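The reconciliation the examples above describe, comparing what procurement and offboarding records say should exist against what can still authenticate, as an added example (not code from NHI Mgmt Group or any product). The identity records, their statuses and the 90-day dormancy threshold are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real system).
# Approved entitlements as procurement / offboarding records state them.
APPROVED = {
    "svc-crm-sync":  "active",
    "ci-deploy-key": "retired",   # pipeline decommissioned
    "agent-triage":  "retired",   # agent retired; its OAuth grant should be gone
    "admin-legacy":  "active",    # licensed seat, but nobody has used it
}

# Identities that can still authenticate, as exported from the IdP, secrets
# store and OAuth authorization server, with their last observed use.
LIVE = [
    {"id": "svc-crm-sync",  "credential": "oauth",    "last_used": "2026-06-09T00:00:00Z"},
    {"id": "ci-deploy-key", "credential": "api_key",  "last_used": "2026-01-02T00:00:00Z"},
    {"id": "agent-triage",  "credential": "oauth",    "last_used": "2026-06-08T00:00:00Z"},
    {"id": "admin-legacy",  "credential": "password", "last_used": "2025-11-01T00:00:00Z"},
    {"id": "unknown-bot",   "credential": "api_key",  "last_used": "2026-06-01T00:00:00Z"},
]

AUDIT_TIME = datetime(2026, 6, 10, tzinfo=timezone.utc)  # assumed review date


def find_drift(approved, live, now, dormant_days=90):
    """Return {identity: reason} for every live identity whose ability to act
    is not backed by an approved and actually used entitlement."""
    findings = {}
    cutoff = now - timedelta(days=dormant_days)
    for rec in live:
        ident = rec["id"]
        status = approved.get(ident)
        last = datetime.strptime(rec["last_used"], "%Y-%m-%dT%H:%M:%SZ")
        last = last.replace(tzinfo=timezone.utc)
        if status is None:
            findings[ident] = "unapproved"          # can authenticate, no license record at all
        elif status == "retired":
            findings[ident] = "retired_but_valid"   # offboarding never reached the credential
        elif last < cutoff:
            findings[ident] = "dormant"             # paid for and valid, but unused
    return findings


def revocation_queue(findings):
    """Order findings for action: retained authority first, dormant seats last."""
    prio = {"retired_but_valid": 0, "unapproved": 1, "dormant": 2}
    return sorted(findings, key=lambda i: (prio[findings[i]], i))


if __name__ == "__main__":
    drift = find_drift(APPROVED, LIVE, AUDIT_TIME)
    for ident in revocation_queue(drift):
        print(f"{ident}: {drift[ident]}")
```

Note that a billing-only reconciliation would have accepted "ci-deploy-key" and "agent-triage" as closed; only the live export shows they can still act.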

Why It Matters in NHI Security

License-to-access drift is dangerous because it hides in plain sight. Organisations can believe they have reduced exposure after a contract ends or a system is retired, while the actual NHI still holds credentials or delegated rights. That gap is especially risky when service accounts and tokens are involved, because they may bypass interactive controls and remain invisible to standard user-centric review processes.

NHI Mgmt Group research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which helps explain why dormant access often survives business changes. The same body of research notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, making drift a scale problem as much as a process problem. The Ultimate Guide to NHIs — Key Challenges and Risks is explicit that lifecycle visibility is central to containment, while the 52 NHI Breaches Analysis shows how access persists long enough for attackers to exploit it.

Organisations typically encounter this consequence only after an audit, breach, or failed offboarding reveals that supposedly closed access was still operational; by then, addressing license-to-access drift is no longer optional.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-02                Addresses excessive access and stale NHI lifecycle states tied to drift.
NIST CSF 2.0                     PR.AA                 Identity lifecycle and access governance map to who can still access assets.
NIST Zero Trust (SP 800-207)     AC-6                  Least privilege requires removing standing access when use ends.

Reconcile active NHI entitlements with approved need and revoke anything no longer justified.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org