Access Creep and the Myth of “Set It and Forget It”
I live in Ireland, known as the Emerald Isle, and the landscape is somewhat verdant. Sometimes I look at my garden, meticulously arranged and planned by my partner, and (though I admit I probably spend too much time thinking of analogies for cloud security) imagine it as a network with every plant carefully chosen, the path and borders clippable, and each container perfectly accessible for pruning, feeding, weeding, and access. You should see it on paper—it’s a thing of beauty.
However, I walk away for a week, and the Irish weather, time, growth, wildlife, and entropy do their work. I look again, and the lawn is overgrown, hardy weeds (nah, literally trees) have taken root, and the neighbours' pets have used the veg beds like a porta-potty. Take your eyes off them, and the tomatoes and peppers need harvesting, the mint has gone nuclear, and good luck finding a path again. That’s access creep, a silent, insidious drift of permissions that turns control into chaos. Once again, it’s time to pull up my sleeves and tend the garden before it evolves into The Savage Lands.
The Quiet Slide of Access Creep
Privilege creep, also known as permission or access creep, happens when users accumulate privileges they no longer need. It’s not dramatic; there’s no siren, no flashing red lights. However, over time, as roles change or projects end, and users hoard access, one moment it’s “just in case,” the next it’s an Irish lawn.
Gartner estimates organizations now manage thousands of entitlements across cloud platforms, yet over 95% of accounts use less than 3% of what they’re given. Most of that excess does zero for productivity, but plenty for risk.
The Human Cost and Cost-to-Business
The fallout isn’t hypothetical:
- A recent IBM report found insider threats cost companies over $11 million per incident on average. A former employee with lingering access can hijack systems or leak data, which is costly in every sense.
- On the financial front, dormant or over‑privileged accounts often sit idle on paid licenses. Access reviews don’t just protect, they save money.
You’re wrestling with human error, insider risk, compliance, and even SaaS bill shock.
The Myth: “Set It and Forget It”
If “set it and forget it” had a motto, it would be: “I’ll get around to it…maybe.” Rather like mowing my lawn between Irish showers. Access governance isn’t RTV furniture. It needs maintenance. Without regular audits, you end up with access debt, that ugly backlog of expired, unneeded privileges with tendrils everywhere.
The threat landscape is only getting more complex. AI-driven non-human identities (NHIs), like bots and service accounts, are swelling your access lists. Allow one dandelion to grow, and before you know it, you have a hundred. Yet only 10% of organizations have a mature strategy for NHI lifecycle management, and fewer than a third treat digital ‘labor’ with the same governance they give humans.
“Set it and forget it” is practically an invitation to disaster.
What Teams Can Do: Trimming the Tangle
- Scheduled Access Reviews, But Make Them Smart
  Periodic reviews: Tailor frequency to risk: quarterly for finance or healthcare; annually for low‑risk roles.
  Continuous reviews: Trigger audits on role change, off‑boarding, or elevated privilege assignment to catch drift in real time.
- Embrace the Principle of Least Privilege (PoLP)
  Grant only what’s necessary, nothing more. PoLP isn’t a one‑and‑done. It thrives on real‑time monitoring, regular audits, and credential rotation with zero standing privileges.
- Automate the Boring Stuff
  Use identity governance and PAM (Privileged Access Management) tools to:
  - Automatically expire access (especially temporary access) with just-in-time workflows.
  - Spotlight orphaned accounts and shadow admins.
  - Manage entitlements through a centralized dashboard.
- Audit and Certification
  Periodic recertification by managers ensures access still aligns with roles. And, yes, ditch the Excel sheets where, shockingly, over 50% of enterprises still store credentials.
- Govern Non-Human Identities (NHIs) Deliberately
  AI agents, bots, tokens: they’re all identities. Treat them like humans in your governance model: tie them to owners, limit their scope, log their actions, and retire them when done.
- Make It a Taxonomy, Not a Tangle
  Map roles clearly, catalog assets, assign owners, and define why each person (or system) needs access. Leveraging international cybersecurity standards like NIST SP 800‑53 (AC‑2) or GDPR Article 32 helps you keep that taxonomy fresh.
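To make the pruning concrete, here is an added example (not code from the original post or from any product it mentions) of the checks an automated access review runs over an entitlement inventory. It covers the points above and the NHI concern raised earlier: a risk-tiered dormancy window (quarterly for high-risk data, annually for low-risk), expired temporary grants that a just-in-time workflow should have revoked, orphaned grants whose owner has left, lingering access for off-boarded people, admin roles held outside a job's role model (shadow admins), and non-human identities with no retirement date. The record layout, role model, directory feed, thresholds and the sample inventory are all constructed assumptions for illustration.

```python
"""Access-review checks over a constructed entitlement inventory (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed "today" so the run is reproducible offline (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Review cadence tailored to risk, as the post suggests: quarterly for
# high-risk data (finance, healthcare), annually for low-risk roles.
REVIEW_INTERVAL = {"high": timedelta(days=90), "low": timedelta(days=365)}

# Constructed role model: the entitlement roles each job function should hold.
# Anything outside this map is over-privilege; admin roles outside it are shadow admins.
ROLE_MODEL = {
    "finance-analyst": {"reader"},
    "sre": {"reader", "admin"},
    "intern": {"reader"},
    "ci-pipeline": {"deployer"},  # expected scope of a non-human identity
}
ADMIN_ROLES = {"admin", "owner"}

# Constructed HR/directory feed: who is still active and their job function.
# "dave" has been off-boarded and is deliberately absent.
DIRECTORY = {
    "alice": "finance-analyst",
    "bob": "sre",
    "carol": "intern",
    "ci-pipeline": "ci-pipeline",
}


@dataclass(frozen=True)
class Entitlement:
    principal: str                      # user or non-human identity
    kind: str                           # "human" or "nhi"
    resource: str
    role: str
    risk: str                           # "high" or "low", derived from the resource
    owner: Optional[str]                # accountable human owner; None = nobody
    granted: datetime
    last_used: Optional[datetime]
    expires: Optional[datetime] = None  # set for temporary / just-in-time grants


def next_review(last_reviewed: datetime, risk: str) -> datetime:
    """When the next periodic recertification is due for this risk tier."""
    return last_reviewed + REVIEW_INTERVAL[risk]


def review(entitlements: List[Entitlement], now: datetime = NOW) -> Dict[Tuple[str, str, str], List[str]]:
    """Map (principal, resource, role) to the sorted finding codes raised for it."""
    findings: Dict[Tuple[str, str, str], List[str]] = {}
    for e in entitlements:
        codes = set()
        job = DIRECTORY.get(e.principal)
        # Off-boarded principal with access still in place.
        if job is None:
            codes.add("principal_left")
        # Temporary grant a just-in-time workflow should already have expired.
        if e.expires is not None and e.expires <= now:
            codes.add("expired_grant")
        # No accountable owner, or the owner has left: orphaned.
        if e.owner is None or e.owner not in DIRECTORY:
            codes.add("orphaned")
        # Dormant: unused (or never used) for longer than the risk-tiered window.
        last_activity = e.last_used or e.granted
        if now - last_activity > REVIEW_INTERVAL[e.risk]:
            codes.add("dormant")
        # Role outside the job's role model; admin roles there are shadow admins.
        if job is not None and e.role not in ROLE_MODEL.get(job, set()):
            codes.add("admin_outside_role" if e.role in ADMIN_ROLES else "beyond_role_model")
        # NHIs must carry a retirement date rather than standing access.
        if e.kind == "nhi" and e.expires is None:
            codes.add("nhi_standing_access")
        if codes:
            findings[(e.principal, e.resource, e.role)] = sorted(codes)
    return findings


def sample_inventory() -> List[Entitlement]:
    """Constructed inventory exercising each check; not real data."""
    def d(y: int, m: int, day: int) -> datetime:
        return datetime(y, m, day, tzinfo=timezone.utc)
    return [
        Entitlement("alice", "human", "ledger-db", "reader", "high", "bob", d(2023, 1, 10), d(2024, 5, 28)),
        Entitlement("alice", "human", "ledger-db", "admin", "high", "bob", d(2023, 6, 1), d(2024, 1, 15)),
        Entitlement("dave", "human", "hr-files", "reader", "high", "alice", d(2022, 3, 1), d(2024, 2, 1)),
        Entitlement("carol", "human", "k8s-prod", "admin", "high", "bob", d(2024, 5, 1), d(2024, 5, 2), expires=d(2024, 5, 3)),
        Entitlement("ci-pipeline", "nhi", "k8s-prod", "deployer", "high", "dave", d(2023, 9, 1), d(2024, 5, 31)),
        Entitlement("bob", "human", "wiki", "reader", "low", "alice", d(2021, 1, 1), d(2023, 4, 1)),
    ]


if __name__ == "__main__":
    for key, codes in review(sample_inventory()).items():
        print(key, codes)
```

In practice the inventory comes from the identity provider or PAM tool and the directory feed from HR; the value of the script is that each finding code maps directly to an action (revoke, reassign an owner, set an expiry, recertify) rather than to a spreadsheet row.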
Pruning Access Governance Isn’t a One-Off, It’s a Habit
Access management isn’t a project, it’s a rhythm. When teams treat it like maintenance (scheduled, automated, governed, and unapologetically relentless), they stop it from becoming a security jungle.
So plant those seeds, prune the overgrowth, water the roots. Your network stays orderly, your budget leaner, your auditors happier, and most importantly, you retain control. Because settling into “set it and forget it” doesn’t just let things slide, it lets them spiral, and constant pruning through the likes of just-in-time access is the only way to tame the wilderness.