Identity and access sprawl is the ungoverned accumulation of user accounts, permissions, and access relationships across an organization's digital environment—typically growing faster than it can be managed or reviewed.

Identity and access sprawl describes the state in which an organization's digital permissions have grown beyond what anyone has a clear picture of. Accounts pile up across SaaS applications. Employees accumulate permissions that were never revoked. OAuth grants connect applications to each other in ways nobody formally approved. Former employees retain active accounts in third-party tools long after their primary directory account was disabled. Service accounts and API keys propagate across systems without centralized tracking.

The term "sprawl" is apt: this isn't a failure mode with a single clear cause. It's the natural outcome of an organization operating at speed. Every time an employee signs up for a new SaaS tool, every time an OAuth integration is authorized, every time a temporary permission is granted and not reviewed—the sprawl grows. Over time, the gap between the access map the security team believes exists and the one that actually exists becomes significant.

Sprawl develops through several overlapping mechanisms:

SaaS adoption without governance. Employees routinely adopt SaaS tools for productivity reasons without IT involvement. Each tool creates accounts. Many of those accounts are never inventoried, never connected to the IdP, and never deprovisioned when the employee leaves.

Weak offboarding. Organizations that deprovision the primary directory account often miss accounts in SaaS applications that were never part of the managed stack. A departing employee may retain active access to a dozen tools through credentials, saved sessions, or OAuth authorizations that were never revoked.

OAuth integration proliferation. OAuth grants are easy to create and rarely reviewed. An employee connecting one SaaS app to another, or an AI tool to a cloud storage account, creates a durable access relationship. Those relationships accumulate—and if one application in the chain is compromised, an attacker can traverse that web of connections.

Role and permission accumulation. Users gain permissions for specific tasks, and those permissions never get right-sized. Over time, the effective permission set of a typical employee looks less like what their role requires and more like everything they've needed access to across their tenure.

Non-human identity growth. Service accounts, automation bots, API keys, and AI agent credentials all represent identities with permissions. They're often created outside formal provisioning workflows and lack the lifecycle management applied to human identities.

Sprawl is not just an IT hygiene issue. It's a security risk with direct consequences.

Every stale account is a potential entry point for an attacker using compromised credentials. Every over-permissioned identity is a resource an attacker can exploit once they're in. Every unreviewed OAuth grant is a data pathway that may expose content in ways the granting user never considered. In a high-sprawl environment, the blast radius of any single identity compromise is much larger than it should be.

Sprawl also makes incident response harder. When a compromised account needs to be locked down, the security team needs to know everything that account was connected to. In a high-sprawl environment, building that picture takes time—and time is what attackers rely on.

The organizations most exposed are the ones that conflate their IdP's user list with their full identity inventory. What their IdP shows is the starting point. What it misses is the sprawl.
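The following is an added example, not code from the original page or from any vendor's product, showing how a defender can measure the gap between the IdP user list and the real identity inventory, and how OAuth grant chains enlarge the blast radius of a single compromised identity (the points made in the "OAuth integration proliferation", incident response and IdP-inventory paragraphs above). All three inventories (IdP export, per-app SaaS account exports, OAuth grant list) are constructed sample data with made-up users and app names; real exports would come from the IdP and each application's admin API.

```python
"""Reconcile an IdP export against SaaS account and OAuth-grant inventories.

Added example with constructed sample data; not code from the original page.
"""
from collections import defaultdict, deque
from datetime import date

# Constructed sample: the IdP directory, i.e. what the security team "sees".
IDP_USERS = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "active"},
    "carol@example.com": {"status": "disabled"},  # offboarded in the IdP
}

# Constructed sample: account exports from individual SaaS apps.
SAAS_ACCOUNTS = [
    {"app": "crm", "user": "alice@example.com", "last_login": "2024-05-01"},
    {"app": "crm", "user": "carol@example.com", "last_login": "2024-03-10"},  # missed at offboarding
    {"app": "wiki", "user": "bob@example.com", "last_login": "2023-06-01"},  # never used, never reviewed
    {"app": "wiki", "user": "dave@contractor.example", "last_login": "2024-04-20"},  # not in the IdP at all
]

# Constructed sample: OAuth grants. `client` was authorized by `user` to act on `resource`.
OAUTH_GRANTS = [
    {"user": "alice@example.com", "client": "ai-assistant", "resource": "cloud-drive", "scopes": ["files.read"]},
    {"user": "alice@example.com", "client": "cloud-drive", "resource": "crm", "scopes": ["contacts.read"]},
    {"user": "carol@example.com", "client": "scheduler", "resource": "calendar", "scopes": ["calendar.write"]},
]


def find_orphaned_accounts(idp_users, saas_accounts):
    """Accounts whose owner is disabled in, or absent from, the IdP.

    "idp-disabled" is the weak-offboarding case; "not-in-idp" is shadow SaaS
    the IdP never knew about. Returns (app, user, reason) tuples in export order.
    """
    orphans = []
    for acct in saas_accounts:
        entry = idp_users.get(acct["user"])
        if entry is None or entry["status"] != "active":
            reason = "not-in-idp" if entry is None else "idp-disabled"
            orphans.append((acct["app"], acct["user"], reason))
    return orphans


def find_stale_accounts(saas_accounts, today_iso, max_idle_days=90):
    """Accounts with no login inside the idle window; candidates for review or removal."""
    today = date.fromisoformat(today_iso)
    stale = []
    for acct in saas_accounts:
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > max_idle_days:
            stale.append((acct["app"], acct["user"], idle))
    return stale


def grants_from_disabled_users(idp_users, grants):
    """OAuth grants that outlived the granting user's IdP account (a durable access relationship)."""
    return [g for g in grants if idp_users.get(g["user"], {}).get("status") != "active"]


def reachable_apps(grants, start_app):
    """Apps reachable from `start_app` by following grants (client -> resource) transitively.

    Grants are followed regardless of who authorized them: once a client app is
    compromised, every resource it holds a token for is exposed.
    """
    edges = defaultdict(set)
    for g in grants:
        edges[g["client"]].add(g["resource"])
    seen, queue = set(), deque([start_app])
    while queue:
        app = queue.popleft()
        for nxt in edges[app]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def user_blast_radius(user, saas_accounts, grants):
    """Everything to lock down if `user` is compromised: direct accounts plus
    every app reachable through the OAuth grants that user authorized."""
    direct = {a["app"] for a in saas_accounts if a["user"] == user}
    via_grants = set()
    for g in grants:
        if g["user"] == user:
            via_grants.add(g["resource"])
            via_grants |= reachable_apps(grants, g["resource"])
    return direct | via_grants


if __name__ == "__main__":
    print("orphaned:", find_orphaned_accounts(IDP_USERS, SAAS_ACCOUNTS))
    print("stale:", find_stale_accounts(SAAS_ACCOUNTS, "2024-06-01"))
    print("grants from disabled users:", grants_from_disabled_users(IDP_USERS, OAUTH_GRANTS))
    print("blast radius of alice:", user_blast_radius("alice@example.com", SAAS_ACCOUNTS, OAUTH_GRANTS))
```

In this sample the IdP reports one disabled user and no contractors, yet the app exports reveal Carol's surviving CRM account and scheduler grant and a contractor the IdP has never heard of; Alice's single AI-assistant authorization reaches the CRM two hops away. The same reconciliation run against real exports is the "identity inventory" the IdP list only approximates.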