What is Identity Sprawl?
Identity sprawl is the uncontrolled growth of digital identities and accounts within an organisation, leading to reduced visibility and increased security risk. As organisations expand their cloud environments and adopt new applications, the number of digital identities grows faster than they can be properly managed and secured. Identity sprawl impacts both human identities and Non-Human Identities (NHIs), including service accounts and AI agents. While NHI usage is increasing, many NHIs are not reviewed and governed as regularly as human employee accounts. Over time, this lack of visibility increases the risk of identity-based cyber attacks. Identity sprawl is often accompanied by secret sprawl, where credentials like API keys and tokens proliferate without centralised control.
How does identity sprawl happen?
Identity sprawl develops gradually as organisations scale, adopt cloud services and introduce new technologies without implementing centralised Identity and Access Management (IAM) controls.
Rapid expansion
Cloud adoption has changed how organisations manage access, enabling the deployment of new applications in minutes. However, when organisations adopt SaaS tools without centralised IAM controls, accounts are created beyond the visibility of security teams. This decentralisation leads to duplicate accounts, inconsistent access controls and fragmented data across platforms. Shadow IT further accelerates identity sprawl; when employees use tools without formal approval, unmanaged user accounts and identities expand an organisation's attack surface.
Inadequate identity lifecycle management
Identity Lifecycle Management (ILM) ensures users receive appropriate access when they join, change roles or leave their organisation. When onboarding and offboarding processes are inconsistent, identity sprawl is more likely to occur. Common ILM failures include granting excessive access during onboarding, failing to revoke access when employees change roles and delaying offboarding. Without consistent policy enforcement and automated provisioning, users may retain access long after they've left an organisation, leaving dormant but still-valid identities mixed in with the active ones.
Accumulation of privileged accounts
Privileged accounts are frequently created to support temporary projects, vendors or operational needs. As organisations grow, this leads to too many shared privileged credentials, standing access to critical systems and infrequent reviews of privileged access. When privileged accounts aren't regularly governed, they become valuable targets for cybercriminals. Identity sprawl within privileged environments significantly increases the potential impact of a data breach.
Growth of service accounts and NHIs
In cloud-native environments, NHIs often outnumber human users. DevOps pipelines and automation tools continuously create new service accounts to enable machine-to-machine communication. This rapid growth introduces security risks when service accounts are managed in a decentralised way, credentials are hardcoded in scripts or tokens are never rotated. When NHI credentials aren't monitored, rotated or secured in a centralised vault, they become attractive attack vectors for cybercriminals. Since NHIs often operate without human intervention, a compromised NHI may go unnoticed for extended periods of time.
Identity sprawl vs secrets sprawl vs privilege creep
Identity sprawl, secrets sprawl and privilege creep are related to identity security, but they represent different security risks. Identity sprawl focuses on the expansion of identities across systems. It typically results from decentralised SaaS adoption, cloud growth without centralised IAM controls and unmanaged account creation. The primary issue with identity sprawl is volume; too many identities exist across environments, and they may be inactive or poorly monitored. For example, if an organisation adopts dozens of platforms, each requiring its own accounts, thousands of identities may accumulate over time. Despite their inactivity, these identities expand the attack surface because they grow in number beyond what proper monitoring can cover.
Despite the similarity in name, secrets sprawl refers to the uncontrolled spread of secrets, including passwords, API keys and tokens, across systems. Secrets sprawl often occurs when credentials are hardcoded into source code, API keys are stored in plaintext files or secrets are shared through insecure methods like email. The main issue with secrets sprawl isn't how many identities exist, but instead the uncontrolled dispersion of credentials that grant access. Every exposed or unmanaged secret can provide cybercriminals with direct access to critical systems. Think of an API key being embedded into a code repository and never rotated; a cybercriminal can use that secret to access cloud resources without compromising an account at all.
Privilege creep, in contrast, focuses on too much access being assigned to a specific identity. It generally occurs when access is granted but never revoked after role changes, temporary projects or infrequent access reviews. With privilege creep, the number of identities may be manageable, but the real problem arises when individual accounts accumulate broader access than necessary. Imagine an employee joins an organisation's marketing team with access to CRM tools but eventually transfers to operations and gains access to critical systems. Because the employee's identity still has unnecessary access to CRM tools, a compromise of that account can expose sensitive information beyond its intended scope.
Security risks of identity sprawl
As identities multiply across environments, organisations lose visibility and suffer from weakened governance. Here are the main security risks associated with identity sprawl:
How to prevent identity sprawl
Preventing identity sprawl requires organisations to focus on visibility, lifecycle management and the enforcement of least-privilege access across both human and machine identities.
Automate provisioning and deprovisioning
Centralising identity management through an Identity and Access Management (IAM) solution is crucial to controlling identity growth. Organisations should automatically provision access based on roles and job functions using Role-Based Access Controls (RBAC) instead of granting broad access manually. Automated deprovisioning is just as important as provisioning, as access should be revoked immediately when employees leave an organisation. By eliminating manual account management, organisations reduce the number of unused or overprivileged identities.
Implement Identity Governance and Administration (IGA)
Identity Governance and Administration (IGA) ensures that access remains aligned with organisational needs over time. Regularly reviewing access helps confirm that users retain only the access necessary for their current tasks. IGA helps organisations identify orphaned or inactive accounts before they become security vulnerabilities. Without ongoing governance, identities grow beyond oversight capacity and quickly contribute to identity sprawl.
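The lifecycle controls described above (joiner/mover/leaver provisioning, automated deprovisioning and the governance review that finds orphaned or inactive accounts) come down to reconciling an authoritative HR source against the identity store. The following is an added example written for this glossary entry; it is not code from the page or from any IAM product. The role-to-entitlement mapping, the 90-day inactivity threshold and all user and account records are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical RBAC model (an assumption of this example): job role -> entitlements.
ROLE_ENTITLEMENTS = {
    "marketing": {"crm:read", "crm:write"},
    "operations": {"ops:deploy", "ops:logs"},
}


@dataclass(frozen=True)
class HrRecord:
    """Authoritative source: who is employed and in which role."""
    user_id: str
    role: str
    active: bool


@dataclass
class Account:
    """Identity-store view: what an account can actually do today."""
    user_id: str
    entitlements: set[str] = field(default_factory=set)
    last_login: date | None = None
    disabled: bool = False


def reconcile(hr, accounts, today, inactive_after=timedelta(days=90)):
    """Compare HR against the identity store and return the actions to take.

    provision    - active employee with no account (joiner)
    grant/revoke - account entitlements drift from the role model (mover)
    deprovision  - inactive employee whose account is still enabled (leaver)
    orphaned     - account with no HR record at all (nobody owns it)
    inactive     - enabled account of an active employee, unused for too long
    """
    actions = {k: [] for k in ("provision", "grant", "revoke", "deprovision", "orphaned", "inactive")}
    hr_by_id = {r.user_id: r for r in hr}
    acct_by_id = {a.user_id: a for a in accounts}

    for rec in hr:
        acct = acct_by_id.get(rec.user_id)
        if not rec.active:
            if acct is not None and not acct.disabled:
                actions["deprovision"].append(rec.user_id)
            continue
        wanted = ROLE_ENTITLEMENTS[rec.role]
        if acct is None:
            actions["provision"].append((rec.user_id, sorted(wanted)))
            continue
        # Movers: revoke what the new role does not need, grant what it does.
        for ent in sorted(acct.entitlements - wanted):
            actions["revoke"].append((rec.user_id, ent))
        for ent in sorted(wanted - acct.entitlements):
            actions["grant"].append((rec.user_id, ent))

    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            actions["orphaned"].append(acct.user_id)
        elif rec.active and not acct.disabled and (
            acct.last_login is None or today - acct.last_login > inactive_after
        ):
            actions["inactive"].append(acct.user_id)
    return actions


# Constructed sample data (not from the page).
TODAY = date(2025, 1, 15)
SAMPLE_HR = [
    HrRecord("alice", "marketing", True),
    HrRecord("bob", "operations", True),    # moved from marketing to operations
    HrRecord("carol", "marketing", False),  # left the organisation
    HrRecord("dave", "marketing", True),    # joined, no account yet
    HrRecord("erin", "operations", True),
]
SAMPLE_ACCOUNTS = [
    Account("alice", {"crm:read", "crm:write"}, TODAY - timedelta(days=3)),
    Account("bob", {"crm:read", "crm:write", "ops:deploy"}, TODAY - timedelta(days=1)),
    Account("carol", {"crm:read", "crm:write"}, TODAY - timedelta(days=30)),
    Account("erin", {"ops:deploy", "ops:logs"}, TODAY - timedelta(days=200)),
    Account("svc-legacy", {"ops:deploy"}, None),  # no HR record: orphaned
]


def run_example():
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category:12s} {items}")
```

Running it against the sample data yields the privilege-creep case from the comparison section (bob keeps CRM access after moving to operations, so the CRM entitlements are revoked), a leaver still enabled (carol), a joiner to provision (dave), a stale but valid account (erin) and a service account nobody in HR owns (svc-legacy). In practice the HR feed and the identity store would be pulled from their APIs, but the decision logic is the part that prevents sprawl.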
Enforce least-privilege access
Organisations should eliminate standing access to critical systems whenever possible by enforcing least-privilege access and implementing Just-in-Time (JIT) access. By ensuring that users and systems receive only the minimum access necessary, organisations can reduce the risk of privilege escalation and minimise the impact of a compromised account.
Secure privileged accounts
Privileged Access Management (PAM) plays an important role in preventing identity sprawl from escalating into a major data breach. Privileged accounts must be secured within an encrypted vault, with MFA enforced for all administrative access. Organisations need to monitor and record privileged sessions to maintain accountability and full visibility. They must also enforce automated credential rotation to reduce exposure and prevent insecure credential sharing. By securing privileged identities, organisations prevent excessive access from contributing to identity sprawl security risks.
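To make the least-privilege and PAM points above concrete, here is an added example of a minimal Just-in-Time elevation broker: no standing privileged role, MFA required on every request, a policy ceiling on grant duration, an audit trail and automatic expiry. It is illustrative code written for this entry, not part of the page or of any PAM product; the one-hour ceiling, the `prod-admin` role and the request details are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class JitGrant:
    subject: str
    role: str
    granted_at: datetime
    expires_at: datetime
    reason: str


class JitBroker:
    """Time-bound elevation instead of standing privileged access.

    Every request must carry a verified MFA step, is capped at max_ttl and is
    written to an audit trail; roles are only effective while a grant is live.
    """

    def __init__(self, max_ttl: timedelta = timedelta(hours=1)):
        self.max_ttl = max_ttl  # policy ceiling (assumed value)
        self.grants: list[JitGrant] = []
        self.audit: list[tuple[str, str, str]] = []  # (event, subject, detail)

    def request(self, subject, role, reason, now, mfa_verified, ttl):
        """Return a JitGrant, or None (with an audit entry) when the request is denied."""
        if not mfa_verified:
            self.audit.append(("deny", subject, f"{role}: MFA not verified"))
            return None
        if not reason.strip():
            self.audit.append(("deny", subject, f"{role}: no reason given"))
            return None
        ttl = min(ttl, self.max_ttl)  # never exceed the policy ceiling
        grant = JitGrant(subject, role, now, now + ttl, reason)
        self.grants.append(grant)
        self.audit.append(("grant", subject, f"{role} until {grant.expires_at.isoformat()}"))
        return grant

    def effective_roles(self, subject, now):
        """Roles the subject holds right now; empty once grants have expired."""
        return {g.role for g in self.grants
                if g.subject == subject and g.granted_at <= now < g.expires_at}


def run_example():
    # Constructed scenario: an engineer asks for four hours of prod-admin.
    now = datetime(2025, 1, 15, 9, 0)
    broker = JitBroker()
    denied = broker.request("alice", "prod-admin", "incident 42", now,
                            mfa_verified=False, ttl=timedelta(hours=4))
    grant = broker.request("alice", "prod-admin", "incident 42", now,
                           mfa_verified=True, ttl=timedelta(hours=4))
    return {
        "denied_without_mfa": denied is None,
        "granted_minutes": int((grant.expires_at - grant.granted_at).total_seconds() // 60),
        "roles_before": broker.effective_roles("alice", now - timedelta(minutes=1)),
        "roles_during": broker.effective_roles("alice", now + timedelta(minutes=30)),
        "roles_after": broker.effective_roles("alice", now + timedelta(hours=2)),
        "audit_events": [event for event, _, _ in broker.audit],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:20s} {value}")
```

The request for four hours is granted for one (the ceiling wins), the role is absent before the grant and after it expires, and both the denied and the successful request leave audit entries. A real deployment would back this with the vault that holds the privileged credential and with session recording, which the example does not model.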
Manage NHIs and secrets
In cloud environments, NHIs tend to outnumber human users, so preventing identity sprawl requires treating both human and machine accounts with the same level of security. Organisations should inventory service accounts, secure secrets rather than embedding them in code and automatically rotate secrets. It's necessary to apply least-privilege access to human and non-human identities to eliminate standing access and ensure machine authentication does not expand beyond proper controls. This includes managing NHI credentials, such as API keys, tokens and certificates, as secrets tied to an identity, with rotation, scoping and monitoring.
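The two NHI problems this page raises, hardcoded credentials in scripts (the secrets-sprawl section and the service-account section above) and machine credentials that are unowned or never rotated, both start with detection. The following is an added example written for this entry, not code from the page or from any secrets-scanning product. The detection patterns are my own heuristics (the AWS access key ID format, `AKIA` plus 16 upper-case alphanumerics, is documented by AWS; `AKIAIOSFODNN7EXAMPLE` is AWS's published example key ID), and the sample script and inventory are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Detection patterns (added here, not from the page). The AWS access key ID
# format is documented by AWS; the other two are generic heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password|passwd)\w*\s*[=:]\s*['\"](?P<value>[^'\"]{8,})['\"]"
    ),
}


def find_hardcoded_secrets(lines):
    """Return (line_number, pattern_name) for lines that look like embedded secrets.

    Values that start with '$' are shell/template references to an external
    source (a vault lookup, an environment variable), not literals, so they
    are not reported.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            if "value" in m.groupdict() and m.group("value").startswith("$"):
                continue
            findings.append((lineno, name))
            break  # one finding per line is enough for triage
    return findings


# Constructed sample script (no real credentials; the AKIA value is AWS's documented example).
SAMPLE_SCRIPT = """\
#!/bin/sh
# deploy helper (constructed example)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY="${AWS_DEPLOY_SECRET}"
API_KEY="sk-constructed-example-0123456789"
DB_PASSWORD = "correct-horse-battery"
token = os.environ["DEPLOY_TOKEN"]
-----BEGIN RSA PRIVATE KEY-----
""".splitlines()


@dataclass(frozen=True)
class NhiCredential:
    """One inventoried machine credential (service-account key, token, certificate)."""
    name: str
    owner: str | None      # accountable team; None means nobody would notice misuse
    last_rotated: date
    last_used: date | None


def review_nhi_inventory(creds, today, max_age=timedelta(days=90), stale_after=timedelta(days=60)):
    """Flag credentials that are unowned, overdue for rotation, or no longer used."""
    issues = []
    for c in creds:
        if not c.owner:
            issues.append((c.name, "no_owner"))
        if today - c.last_rotated > max_age:
            issues.append((c.name, "rotation_overdue"))
        if c.last_used is None or today - c.last_used > stale_after:
            issues.append((c.name, "unused"))
    return issues


# Constructed inventory (not from the page); thresholds above are assumed policy values.
TODAY = date(2025, 1, 15)
SAMPLE_INVENTORY = [
    NhiCredential("ci-deployer", "platform-team", TODAY - timedelta(days=10), TODAY - timedelta(days=1)),
    NhiCredential("legacy-backup", None, TODAY - timedelta(days=400), TODAY - timedelta(days=200)),
    NhiCredential("report-bot", "finance", TODAY - timedelta(days=30), None),
]


def run_example():
    return {
        "hardcoded": find_hardcoded_secrets(SAMPLE_SCRIPT),
        "inventory": review_nhi_inventory(SAMPLE_INVENTORY, TODAY),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the sample script the scanner reports the literal access key ID, the two quoted literals and the private-key block, while the vault-backed `${AWS_DEPLOY_SECRET}` reference and the `os.environ` lookup pass, which is the distinction the page draws between embedding a secret and fetching it from a centralised store. The inventory review then turns "manage NHI credentials as secrets tied to an identity" into three checkable properties: an owner, a rotation date within policy and evidence of recent use.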