Executive summary
In every enterprise, permissions only ever grow. Access is added to unblock work, resolve incidents, and meet project deadlines — but it's almost never removed. The result is systemic over-privilege: users with far more access than they need, accumulated over years.
This isn't negligence — it's structural. Without deliberate reduction mechanisms, least privilege is impossible. And when attackers compromise an account, they inherit all that accumulated access as their starting position.
How privilege creep happens
The "just in case" grant
What happens: Users request broad access because they're not sure exactly what they need. Approvers grant it to avoid back-and-forth. "Better to have it and not need it."
Why it persists: Nobody revisits the grant after the immediate need passes. The access remains because removing it feels risky and creates work.
Result: Every cautious over-grant becomes permanent. Users accumulate permissions they've never actually used.
The role change that doesn't trigger review
What happens: An employee moves teams, changes managers, or takes on a new project. New access is added for the new role, but old access isn't reviewed or removed.
Why it persists: Mover processes focus on what's needed next, not what's no longer needed. Removal requires knowing what to remove — and nobody has that visibility.
Result: Long-tenured employees accumulate access from every role they've held. Their entitlement footprint grows with every transition.
The project that ended but the access didn't
What happens: Temporary access is granted for a project, incident, or audit. The work completes, but the access remains. There's no trigger for removal.
Why it persists: Project closure doesn't automatically cascade to access removal. Access is granted in IAM systems; project status lives elsewhere.
Result: Temporary becomes permanent by default. Access granted for work completed years ago is still active today.
The inherited permissions from copied roles
What happens: New roles are created by copying existing ones. The copied role had accumulated permissions over time. The new role inherits all of them.
Why it persists: Role design is done under time pressure. "Copy and modify" is faster than "design from scratch." Nobody audits what's being copied.
Result: Role bloat compounds. Every new role carries forward the accumulated permissions of its predecessors.
Why least privilege fails
Organisations espouse least privilege but can't achieve it. The structural barriers:
Addition is easy, removal is hard
Granting access has a clear process. Removing access requires knowing what to remove, who owns it, and whether it's still needed.
No visibility into actual usage
Without entitlement analytics, you can't distinguish between permissions that are used and permissions that just exist.
Fear of breaking things
Removing access might break something. Without confidence in dependencies, teams default to "leave it alone."
Access reviews that confirm, not challenge
Certification campaigns ask "is this still appropriate?" — and the answer is always yes, because saying no creates work.
No reduction incentive
Nobody is rewarded for reducing access. There's no metric, no KPI, no visibility. Reduction is invisible work.
Role models that don't reflect reality
RBAC assumes stable roles with defined permissions. Reality is fluid — roles change faster than models can track.
The security cost of over-privilege
Over-privileged access isn't just an audit finding — it's an attack surface multiplier:
Compromised accounts start with maximum impact. When an attacker takes over an account, they inherit every permission that account has accumulated. Over-privileged accounts give attackers a head start.
Lateral movement becomes trivial. Accounts with broad access can reach more systems. Attackers don't need to escalate privilege if the initial foothold already has it.
Blast radius expands silently. The permissions are already there, waiting. An attacker exploiting an over-privileged account can access sensitive data without triggering privilege escalation alerts.
Recent ransomware and data breach investigations consistently find that attackers exploited accounts with far more access than their legitimate business function required.
What effective privilege management looks like
Organisations that maintain least privilege treat access reduction as a continuous discipline:
Usage-based visibility
Analytics show which permissions are actually used versus merely assigned. Unused access is flagged for review.
Time-bound grants by default
Access expires unless explicitly renewed. The default is removal, not persistence.
Mover triggers reduction
Role changes automatically prompt review of existing access, not just addition of new access.
Challenge-based reviews
Certifications require justification for retention, not just confirmation. Reviewers must explain why access is still needed.
Role hygiene discipline
Roles are periodically reviewed and trimmed. New roles are designed from requirements, not copied from existing bloated templates.
Reduction metrics
Access reduction is measured and reported. Teams have visibility into their privilege footprint and incentives to reduce it.
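As an added example of the first, second and last points above (usage-based visibility, time-bound grants and reduction metrics), the following Python script is not the page's or Solluna Caelum's code; it works over a constructed entitlement inventory and usage log with hypothetical user, team and permission names. It separates grants that are merely assigned from grants that were actually exercised in a lookback window, lists time-bound grants whose expiry has lapsed but which are still present, counts open-ended grants, and rolls the results into a per-team footprint that can be tracked over time.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed entitlement record: one (user, permission) assignment.
@dataclass(frozen=True)
class Grant:
    user: str
    team: str
    permission: str
    granted_on: date
    expires_on: Optional[date]  # None = open-ended grant (persists until someone removes it)

# Constructed sample inventory (hypothetical users, teams and permission names).
GRANTS: List[Grant] = [
    Grant("alice", "payments",  "db:payments:read",  date(2021, 3, 1),   None),
    Grant("alice", "payments",  "db:payments:admin", date(2020, 6, 15),  None),              # left over from an incident
    Grant("alice", "payments",  "s3:reports:read",   date(2023, 11, 10), date(2024, 2, 10)),  # audit support, expiry lapsed
    Grant("bob",   "platform",  "k8s:prod:admin",    date(2019, 11, 2),  None),              # inherited from a copied role
    Grant("bob",   "platform",  "k8s:staging:admin", date(2023, 9, 1),   None),
    Grant("carol", "analytics", "bq:warehouse:read", date(2024, 2, 1),   date(2024, 8, 1)),
]

# Constructed usage log: (user, permission, date the permission was exercised).
USAGE: List[Tuple[str, str, date]] = [
    ("alice", "db:payments:read",  date(2024, 3, 3)),
    ("alice", "db:payments:read",  date(2024, 3, 4)),
    ("bob",   "k8s:staging:admin", date(2024, 2, 28)),
    ("carol", "bq:warehouse:read", date(2024, 3, 1)),
]

AS_OF = date(2024, 3, 15)  # reporting date for the sample run


def last_used(usage, user: str, permission: str) -> Optional[date]:
    """Most recent date the user exercised the permission, or None if never observed."""
    dates = [d for u, p, d in usage if u == user and p == permission]
    return max(dates) if dates else None


def dormant_grants(grants, usage, today: date, window_days: int = 90) -> List[Tuple[Grant, Optional[date]]]:
    """Grants with no recorded use inside the lookback window: assigned, but not exercised."""
    cutoff = today - timedelta(days=window_days)
    result = []
    for g in grants:
        lu = last_used(usage, g.user, g.permission)
        if lu is None or lu < cutoff:
            result.append((g, lu))
    return result


def expired_grants(grants, today: date) -> List[Grant]:
    """Time-bound grants whose expiry has passed but which are still in the inventory."""
    return [g for g in grants if g.expires_on is not None and g.expires_on < today]


def open_ended_grants(grants) -> List[Grant]:
    """Grants with no expiry at all: the persistence-by-default anti-pattern."""
    return [g for g in grants if g.expires_on is None]


def footprint_by_team(grants) -> Dict[str, int]:
    """Number of assignments per team, the simplest privilege-footprint metric."""
    counts: Dict[str, int] = {}
    for g in grants:
        counts[g.team] = counts.get(g.team, 0) + 1
    return counts


def reduction_report(grants, usage, today: date, window_days: int = 90) -> Dict[str, object]:
    """Summary numbers a team could report each cycle to make reduction work visible."""
    dormant = dormant_grants(grants, usage, today, window_days)
    return {
        "total": len(grants),
        "dormant": len(dormant),
        "dormant_pct": round(100 * len(dormant) / len(grants), 1) if grants else 0.0,
        "expired_but_present": len(expired_grants(grants, today)),
        "open_ended": len(open_ended_grants(grants)),
        "footprint": footprint_by_team(grants),
    }


if __name__ == "__main__":
    for g, lu in dormant_grants(GRANTS, USAGE, AS_OF):
        print(f"review: {g.user} {g.permission} (granted {g.granted_on}, last used {lu or 'never'})")
    print(reduction_report(GRANTS, USAGE, AS_OF))
```

On the sample data the report flags three of six grants as dormant in a 90-day window, one lapsed expiry that nobody enforced, and four open-ended grants; in a real deployment the usage log would come from the target system's audit trail and the window would be chosen per system.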
How Solluna Caelum approaches this
We focus on making reduction possible, not just desirable. Our approach:
1. Visibility first: Map actual permissions across systems. Understand what access exists today — not what policies say should exist.
2. Usage analysis: Where possible, correlate permissions with actual usage. Identify dormant entitlements that are candidates for removal.
3. Risk-based prioritisation: Focus reduction efforts on high-risk access first — privileged accounts, sensitive data access, critical systems.
4. Safe reduction pathways: Design processes that make removal safe — staging, rollback capability, and impact assessment before action.
5. Structural prevention: Implement time-bound grants, mover-triggered reviews, and role hygiene practices that prevent future accumulation.
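As an added example of steps 3 and 4 above (risk-based prioritisation and a safe reduction pathway), the following Python script is illustrative and not Solluna Caelum's tooling. It assumes each removal candidate carries hypothetical classification tags ("privileged", "sensitive_data", "critical_system") with assumed risk weights, orders candidates by that score, and models removal as a staged state machine: a soft "disabled" state that can be rolled back within an observation window, and a final "removed" state only once the window has elapsed. Names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Assumed risk weights for the classification tags a reduction programme would attach
# to each entitlement (hypothetical values; tune to your own data classification).
RISK_WEIGHTS = {"privileged": 100, "sensitive_data": 50, "critical_system": 50}
ROLLBACK_WINDOW_DAYS = 14  # observation period before a disabled grant is deleted for good


@dataclass
class Candidate:
    """A dormant entitlement proposed for removal."""
    user: str
    permission: str
    tags: FrozenSet[str] = frozenset()
    state: str = "active"              # active -> disabled -> removed (disabled may roll back to active)
    disabled_on: Optional[date] = None
    history: List[Tuple] = field(default_factory=list)


def risk_score(c: Candidate) -> int:
    """Higher score = reduce first. Untagged access still scores 1 so it is never skipped outright."""
    return sum(RISK_WEIGHTS.get(t, 0) for t in c.tags) or 1


def prioritise(candidates: List[Candidate]) -> List[Candidate]:
    """Order by descending risk; ties broken deterministically so batches are reproducible."""
    return sorted(candidates, key=lambda c: (-risk_score(c), c.user, c.permission))


def plan_batches(candidates: List[Candidate], batch_size: int = 2) -> List[List[Candidate]]:
    """Split the prioritised list into small batches so each change is easy to assess and revert."""
    ordered = prioritise(candidates)
    return [ordered[i:i + batch_size] for i in range(0, len(ordered), batch_size)]


def stage_disable(c: Candidate, today: date) -> None:
    """Soft revoke: deny the permission but keep the assignment record so it can be restored."""
    if c.state != "active":
        raise ValueError(f"{c.user}/{c.permission}: cannot disable from state {c.state}")
    c.state, c.disabled_on = "disabled", today
    c.history.append(("disabled", today))


def rollback(c: Candidate, today: date, reason: str) -> None:
    """Restore a disabled grant when the impact assessment shows it is still needed."""
    if c.state != "disabled":
        raise ValueError(f"{c.user}/{c.permission}: only disabled grants can be rolled back")
    c.state, c.disabled_on = "active", None
    c.history.append(("rolled_back", today, reason))


def finalise_removal(c: Candidate, today: date) -> bool:
    """Delete the assignment once the rollback window has elapsed. Returns False while still in the window."""
    if c.state != "disabled":
        raise ValueError(f"{c.user}/{c.permission}: only disabled grants can be removed")
    if today < c.disabled_on + timedelta(days=ROLLBACK_WINDOW_DAYS):
        return False
    c.state = "removed"
    c.history.append(("removed", today))
    return True


def sample_run() -> List[Candidate]:
    """Walk one batch through the pathway on constructed candidates (hypothetical names)."""
    cands = [
        Candidate("dave",  "wiki:edit"),
        Candidate("alice", "s3:reports:read",   frozenset({"sensitive_data"})),
        Candidate("bob",   "k8s:prod:admin",    frozenset({"privileged", "critical_system"})),
        Candidate("alice", "db:payments:admin", frozenset({"privileged", "sensitive_data"})),
    ]
    day0 = date(2024, 4, 1)
    first_batch = plan_batches(cands, batch_size=2)[0]   # the two highest-risk candidates
    for c in first_batch:
        stage_disable(c, day0)
    # Impact assessment during the window: a scheduled job under bob's account breaks, so restore it.
    rollback(first_batch[1], day0 + timedelta(days=3), "nightly deploy job failed")
    for c in first_batch:
        if c.state == "disabled":
            finalise_removal(c, day0 + timedelta(days=ROLLBACK_WINDOW_DAYS))
    return cands


if __name__ == "__main__":
    for c in sample_run():
        print(f"{c.user:6} {c.permission:18} score={risk_score(c):3} state={c.state:8} history={c.history}")
```

The point of the split between "disabled" and "removed" is that the first step is reversible and cheap to undo, which is what lets a team act on high-risk dormant access instead of defaulting to "leave it alone"; the history list is the audit trail a certification reviewer or auditor would want to see for each decision.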
Ready to tackle your permissions debt?
If privilege creep is out of control — or if you need to demonstrate least privilege to auditors — let's talk about building reduction into your access lifecycle.
Related taxonomy: Privilege Creep · Least Privilege Enforcement · Entitlement Analytics · Access Certification · Role Engineering