
Tenant Drift

By NHI Mgmt Group · Updated June 27, 2026 · Domain: Governance, Ownership & Risk

Tenant drift is the gradual divergence between intended and actual access, configuration, or app permissions inside a cloud environment. In email platforms, it often shows up as stale admin settings, excessive grants, or unmonitored integrations that create durable attacker footholds.

Expanded Definition

Tenant drift describes the slow, often unnoticed gap between the access, configuration, and application permissions a cloud tenant should have and what it actually has in production. In NHI and IAM operations, that gap usually forms when administrators add exceptions, integrations accumulate privileges, and cleanup never catches up. The result is not one obvious breach point but a layered control failure across identity, policy, and telemetry.

Definitions vary across vendors, but in practice tenant drift is broader than simple misconfiguration because it includes stale delegated access, orphaned admin roles, consented apps, shadow integrations, and policy exceptions that persist after the original need has passed. It is closely related to privilege creep, yet tenant drift is tenant-wide and operational, not just user-level. For governance context, the NIST Cybersecurity Framework 2.0 helps frame the need for ongoing asset, access, and configuration oversight rather than one-time setup. The most common misapplication is treating tenant drift as a minor hygiene issue, which occurs when teams review permissions only during onboarding and ignore changes introduced by later app connections and admin exceptions.

Examples and Use Cases

Implementing tenant drift controls rigorously often introduces administrative overhead, requiring organisations to weigh faster app enablement against the cost of continuous entitlement review and configuration validation.

  • An email tenant retains a legacy admin consent for a marketing automation app after the campaign ends, leaving an unneeded privileged integration in place.
  • A cloud collaboration platform still trusts a retired service account, allowing that identity to keep API access long after the original owner has left.
  • A security team discovers that a delegated mailbox rule created for incident response was never removed, creating a durable path for message exfiltration.
  • During investigations, analysts compare current permissions against intended baselines and then map the findings to lessons from the Salesloft OAuth token breach, where token misuse highlighted the operational value of drift-aware review.
  • Identity teams align tenant review workflows with guidance from the NIST Cybersecurity Framework 2.0 to keep privileges, logging, and configuration changes continuously observable.

In mature environments, tenant drift checks are often paired with app consent reviews, privileged role audits, and recurring service-account inventories rather than ad hoc troubleshooting.
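The baseline comparison described above, as an added example that is not part of the original glossary entry: a small Python drift check that compares a constructed "intended" tenant baseline against a constructed current inventory snapshot (app consents, admin role membership, service-account ownership) and reports the kinds of drift the entry lists. The data layout, names and the AS_OF date are assumptions for illustration, not any vendor's export format.

```python
"""Flag tenant drift by diffing a current inventory against an intended baseline.
All snapshots below are constructed sample data, not from a real tenant."""
from datetime import date

# Constructed baseline: what the tenant is supposed to look like.
BASELINE = {
    "app_grants": {"crm-sync": {"scopes": {"Mail.Read"}, "expires": "2026-12-31"}},
    "admin_roles": {"global_admin": {"alice"}},
    "service_accounts": {"svc-backup": {"owner": "alice"}},
}
# Constructed current state, as an inventory export might report it.
CURRENT = {
    "app_grants": {
        "crm-sync": {"scopes": {"Mail.Read", "Mail.ReadWrite"}, "expires": "2026-12-31"},
        "marketing-auto": {"scopes": {"Mail.Send"}, "expires": "2025-06-30"},
    },
    "admin_roles": {"global_admin": {"alice", "bob"}},
    "service_accounts": {"svc-backup": {"owner": "alice"}, "svc-legacy": {"owner": "carol"}},
}
ACTIVE_USERS = {"alice", "bob"}      # constructed HR/directory feed of current staff
AS_OF = date(2026, 6, 27)            # assumed review date for the expiry check


def find_drift(baseline, current, active_users, today):
    """Return sorted (finding_type, subject) pairs describing every divergence."""
    findings = []
    for app, grant in current["app_grants"].items():
        base = baseline["app_grants"].get(app)
        if base is None:                       # consent nobody approved in the baseline
            findings.append(("unapproved_app", app))
        elif extra := grant["scopes"] - base["scopes"]:   # scopes grew after approval
            findings.append(("scope_creep", f"{app}:{','.join(sorted(extra))}"))
        if date.fromisoformat(grant["expires"]) < today:  # consent outlived its need
            findings.append(("expired_consent", app))
    for role, members in current["admin_roles"].items():
        for member in members - baseline["admin_roles"].get(role, set()):
            findings.append(("unapproved_role_member", f"{role}:{member}"))
    for name, meta in current["service_accounts"].items():
        if name not in baseline["service_accounts"]:
            findings.append(("unapproved_service_account", name))
        if meta["owner"] not in active_users:  # owner has left: orphaned NHI
            findings.append(("orphaned_service_account", name))
    return sorted(findings)


def drift_report():
    """Run the check over the constructed snapshots as of AS_OF."""
    return find_drift(BASELINE, CURRENT, ACTIVE_USERS, AS_OF)


if __name__ == "__main__":
    for kind, subject in drift_report():
        print(f"{kind:28} {subject}")
```

Each finding type maps to one review workflow named above: app consent review, privileged role audit, or service-account inventory.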

Why It Matters in NHI Security

Tenant drift matters because cloud tenants rarely fail all at once. They accumulate small permission errors that attackers can chain into persistence, lateral movement, or data access. For NHIs, this is especially dangerous because machine credentials are often approved once and then left to operate indefinitely. When drift is present, an apparently low-risk integration may still retain broad read, write, or mailbox delegation power that outlives its business purpose.

NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, and that figure is a strong indicator of how quickly tenant drift can turn into a governance problem rather than an isolated admin mistake. The same dynamic shows up when organisations fail to remove stale admin settings, unreviewed OAuth grants, or third-party app trust. The lesson is that tenant drift is not just a configuration issue; it is a visibility and ownership issue that must be monitored over time. It also intersects with NHI lifecycle controls, because offboarding and rotation lose value if tenant settings continue to preserve old access paths. Organisationally, the risk is usually recognised only after a suspicious login, token abuse, or unexpected data movement, at which point addressing tenant drift becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and credential misuse that often persists through tenant drift. |
| NIST CSF 2.0 | PR.AC-4 | Access management and least privilege align directly with drift reduction. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires ongoing verification of access and configuration state. |

Treat tenant settings as dynamic and revalidate trust, privilege, and app access continuously.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.