
Nature Recycles. Access Doesn't. 


I just wrapped an episode of Radio Logic with Tom from FSP, and one image from our conversation has stuck with me. 

Tom described enterprise access the way a biologist might describe a broken ecosystem. In nature, anabolic processes build up. Catabolic processes break down. The two stay in balance, and that balance is what keeps the system alive. 

Enterprise identity has no catabolic process. 

We are excellent at handing out access. We are terrible at taking it back. There is no natural decay. No built-in expiration. No system-level instinct to recycle privilege once the original business need is gone. So entitlements accumulate. Roles multiply. Service accounts persist long after the project that spawned them is forgotten by everyone except an attacker. 

This is identity data debt. It compounds quietly until someone finds it. 

The end criteria problem 

Tom made a point I want every IAM leader to internalize. No access should ever be granted without an end criterion. Not "review in 90 days." Not "remove if the user leaves." An actual termination condition, baked into the grant at the moment the grant is made. 

Time. Context. Task completion. Pick one. But pick something. 

The absence of that single design choice is why we still find orphaned accounts in five-year-old M&A integrations, dormant admin rights sitting in production, and shadow access paths that nobody remembers approving. 

Where SSO worked, and where it stopped working 

Single sign-on was supposed to solve a chunk of this. And in the best cases, it did. A leaver event in the HR system disabled the account, and disabling the account cut access to everything downstream. Clean. 

Then the SaaS estate exploded. The patchwork of apps that "almost" integrate with SSO. The tools that keep their own local users. The platforms provisioned out-of-band by a business unit that needed something fast. Those are the silos the leaver event never reaches. 

That gap is where attackers live now. Access is the lateral movement vector. Stale credentials are the unlocked side door. 

RBAC scars are real 

Tom and I have both watched organizations carry the scars of well-intentioned RBAC programs. The ones that started clean. Defined birthright entitlements per job family. Then watched the role catalog explode into thousands of composite roles, ad-hoc roles for projects, exception roles for the one VP who needed something special. 

You end up with more roles than people. That is not governance. That is archaeology. 

The fundamental issue is that a static role cannot carry dynamic context. A finance manager closing the month at 2pm on the first of the month looks nothing like the same identity logging in from an unfamiliar location at 3am. The role is identical. The risk is not. 

The principle I keep coming back to 

Access has to be earned in the moment, scoped to the purpose, and revoked when the purpose ends. 

That sounds simple. Operationalizing it is not, because it requires a few things most enterprises do not yet have in one place. 

Authoritative identity data across every source, so you actually know who the identity is, what it does, and what it should be doing. 

Real-time context, so the policy engine has more to work with than a job title from a six-year-old HR record. 

A way to make those decisions without forcing a human to approve a thousand requests a day. 

And critically, this model has to extend beyond humans. Service accounts. API keys. The wave of agentic AI identities that spin up, run a task, and should disappear. The end-criteria principle matters even more on the non-human side, because the volume is higher and the lifecycle is faster. 
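As an added illustration, not code from the post, from Tom, or from FSP: a small Python model of what the end-criteria principle and the context-aware decision above look like when written down. Every grant must carry at least one termination condition (time, task completion, or a context predicate), the policy check consults real-time context rather than the role alone, and a separate reaping step is the missing catabolic process that revokes grants whose criterion has been met. The identities, entitlements, timestamps and location signals are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

UTC = timezone.utc


@dataclass
class Context:
    """Real-time signals evaluated alongside the grant (constructed for the example)."""
    now: datetime
    location: str
    known_locations: frozenset


@dataclass
class Grant:
    """An entitlement plus the condition under which it stops being valid.
    At least one of expires_at, task_id or context_ok must be set (enforced by issue())."""
    subject: str
    entitlement: str
    purpose: str
    expires_at: Optional[datetime] = None                    # time-based end criterion
    task_id: Optional[str] = None                            # task-completion end criterion
    context_ok: Optional[Callable[[Context], bool]] = None   # context end criterion
    revoked_reason: Optional[str] = None


def issue(grant: Grant) -> Grant:
    """Refuse to record a grant that has no termination condition."""
    if grant.expires_at is None and grant.task_id is None and grant.context_ok is None:
        raise ValueError(f"grant {grant.subject}:{grant.entitlement} has no end criterion")
    return grant


def dead_reason(grant: Grant, ctx: Context, completed_tasks) -> Optional[str]:
    """Return why the grant should not be honoured right now, or None if it is live."""
    if grant.revoked_reason:
        return grant.revoked_reason
    if grant.expires_at is not None and ctx.now >= grant.expires_at:
        return "expired"
    if grant.task_id is not None and grant.task_id in completed_tasks:
        return "task complete"
    if grant.context_ok is not None and not grant.context_ok(ctx):
        return "context mismatch"
    return None


def decide(grants, subject, entitlement, ctx, completed_tasks=frozenset()) -> bool:
    """Allow only if some live grant covers the subject/entitlement pair in this context."""
    return any(
        g.subject == subject and g.entitlement == entitlement
        and dead_reason(g, ctx, completed_tasks) is None
        for g in grants
    )


def reap(grants, ctx, completed_tasks=frozenset()):
    """The catabolic step: permanently revoke grants whose time or task criterion is met.
    A context mismatch is a point-in-time denial, not grounds for revocation, so it is skipped."""
    revoked = []
    for g in grants:
        if g.revoked_reason:
            continue
        reason = dead_reason(g, ctx, completed_tasks)
        if reason in ("expired", "task complete"):
            g.revoked_reason = reason
            revoked.append((g.subject, g.entitlement, reason))
    return revoked


def business_hours_from_known_location(ctx: Context) -> bool:
    """Context predicate: the same role at 3am from an unknown place is a different risk."""
    return 8 <= ctx.now.hour < 19 and ctx.location in ctx.known_locations


def demo():
    t0 = datetime(2024, 3, 1, 14, 0, tzinfo=UTC)   # constructed: 2pm on the 1st
    grants = [
        issue(Grant("fin-mgr", "gl:close-period", "month-end close",
                    expires_at=t0 + timedelta(days=5),
                    context_ok=business_hours_from_known_location)),
        issue(Grant("svc-etl", "warehouse:write", "nightly load job",
                    task_id="etl-run-2024-03-01")),          # non-human, task-scoped
    ]
    known = frozenset({"hq"})
    day = Context(t0, "hq", known)
    night = Context(t0.replace(hour=3), "unknown-ip-range", known)
    done = {"etl-run-2024-03-01"}
    results = {
        "manager_day": decide(grants, "fin-mgr", "gl:close-period", day),
        "manager_night": decide(grants, "fin-mgr", "gl:close-period", night),
        "svc_before": decide(grants, "svc-etl", "warehouse:write", day),
        "svc_after": decide(grants, "svc-etl", "warehouse:write", day, done),
    }
    results["reaped"] = reap(grants, day, done)
    results["reaped_later"] = reap(grants, Context(t0 + timedelta(days=6), "hq", known))
    try:                                                    # open-ended grant is refused
        issue(Grant("contractor", "prod:admin", "migration help"))
        results["open_ended_accepted"] = True
    except ValueError:
        results["open_ended_accepted"] = False
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point is that `issue()` is the only way a grant enters the store, so the "no end criterion" case is a rejected request rather than a cleanup item, and `reap()` runs on a schedule independent of whether anyone ever requests access again, which is what an orphaned account otherwise relies on.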

Where the responsibility sits 

I asked Tom where this responsibility lands. Vendor? SI? Customer? His answer was the right one. All three. 

Vendors have to make this easy to administer, or the business will route around the controls. System integrators have to bring the operating model and the discipline to actually run it. Customers have to demand it, fund it, and stop accepting “we will clean it up later” as a roadmap item. 

Identity data debt is not a hygiene problem. It is a security problem. And like every form of debt, the interest is paid by whoever is standing in the room when the breach happens. 

The full conversation with Tom is on the latest Radio Logic episode. We get into the operational-versus-security mindset, why most IAM teams are still trying to solve a 2010 problem with a 2010 architecture, and what a friction-free access model actually looks like in practice. 

Watch or listen to Radio Logic Episode 3: Reducing the Identity Attack Surface.