Term · 3. Account Management & Provisioning
Entitlement Creep
Definition
Gradual accumulation of access rights beyond what is needed for the current job, as users change roles without losing prior access. Common in long-tenured employees: the access granted for the initial role is kept, and each new role adds entitlements without the old ones being removed. A major source of over-privileged accounts, SoD violations, and attack surface expansion.
- Application
- Remediation: periodic access certifications (typically quarterly), automated access reviews triggered by role change, role mining to identify entitlement patterns, and JIT access for transient elevated privileges. ISPM tools highlight high-risk creep accumulations.
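The review logic described above, as an added example that is not part of the glossary entry: it compares an identity's current entitlements against the baseline for its current role, attributes any leftovers to the prior role that granted them (the creep), flags unexplained grants, and checks the result against a list of SoD pairs. The role baseline, SoD pairs, user and entitlement names are all constructed sample data; `review_identity` is the hook an automated review would call on a Mover event or on the quarterly certification schedule.

```python
"""Added example (not from the glossary page): a minimal access-review
check that flags entitlement creep. Roles, entitlements, SoD pairs and
the sample identity below are constructed for illustration only."""
from dataclasses import dataclass, field

# Constructed role baseline: entitlements each job role is expected to carry.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp.invoice.create", "erp.vendor.read"},
    "ap_manager": {"erp.invoice.approve", "erp.vendor.read", "erp.report.read"},
    "it_support": {"ad.password.reset", "helpdesk.ticket.write"},
}

# Constructed segregation-of-duties pairs: no single identity should hold both.
SOD_PAIRS = [
    ("erp.invoice.create", "erp.invoice.approve"),
    ("erp.vendor.create", "erp.invoice.approve"),
]


@dataclass
class Identity:
    user_id: str
    role_history: list   # roles in the order held; the last entry is the current role
    entitlements: set    # what the target systems actually grant today


@dataclass
class CreepFinding:
    user_id: str
    stale: dict = field(default_factory=dict)        # entitlement -> prior role that granted it
    unexplained: set = field(default_factory=set)    # no role in the history explains it
    sod_violations: list = field(default_factory=list)


def review_identity(identity: Identity) -> CreepFinding:
    """Compare live entitlements with the current role's baseline."""
    current_role = identity.role_history[-1]
    expected = ROLE_ENTITLEMENTS.get(current_role, set())
    finding = CreepFinding(identity.user_id)

    for ent in sorted(identity.entitlements - expected):
        # Walk prior roles newest-first to find the one that introduced the leftover.
        source = next(
            (r for r in reversed(identity.role_history[:-1])
             if ent in ROLE_ENTITLEMENTS.get(r, set())),
            None,
        )
        if source is not None:
            finding.stale[ent] = source
        else:
            finding.unexplained.add(ent)

    # Creep is what usually produces toxic combinations, so check them on the live set.
    for a, b in SOD_PAIRS:
        if a in identity.entitlements and b in identity.entitlements:
            finding.sod_violations.append((a, b))
    return finding


def revocation_plan(finding: CreepFinding) -> list:
    """Entitlements the certification would propose for revocation."""
    return sorted(set(finding.stale) | finding.unexplained)


# Constructed sample: a clerk promoted to manager who kept the clerk grant and
# picked up an IT entitlement no role explains.
SAMPLE_USER = Identity(
    user_id="u-1001",
    role_history=["ap_clerk", "ap_manager"],
    entitlements={"erp.invoice.create", "erp.invoice.approve", "erp.vendor.read",
                  "erp.report.read", "ad.password.reset"},
)

if __name__ == "__main__":
    f = review_identity(SAMPLE_USER)
    print("stale (creep):", f.stale)
    print("unexplained:", sorted(f.unexplained))
    print("SoD violations:", f.sod_violations)
    print("proposed revocations:", revocation_plan(f))
```

The baseline here is a static mapping; in practice it is what role mining produces, and the "unexplained" bucket is where JIT grants that were never expired tend to surface.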
Related terms
- Over-provisioning: Granting access beyond what's needed for the role — common cause of attack surface expansion and SoD violations. Sources …
- Orphan Account: Account in a target system that cannot be correlated to any identity in the identity warehouse — abandoned by previous o …
- Offboarding: End-of-lifecycle process when an identity is terminated — disable accounts, revoke entitlements, terminate active sessio …
- Deprovisioning (Deprov): Removal of an identity's access from a target system — typically triggered by termination (Leaver), role change (Mover), …
- HR Policy: Policies governing identity lifecycle based on HR data — what triggers provisioning, what role mapping applies, what app …
- OWASP NHI Top 10: OWASP Non-Human Identities (NHI) Top 10 (2025) — community-curated catalogue of the most critical risks affecting non-hu …