
Getting ahead of policy creep

David Nuti at Extreme Networks explains how UK businesses can strengthen security in the face of the gradual accumulation of access and permissions across the organisation


High-profile ransomware attacks continue to dominate headlines, with UK organisations among the most frequently targeted. But these attacks rarely happen in isolation. In many cases, they are enabled by something far less visible: the gradual accumulation of access and permissions across the organisation.

 

While much of the cyber-security conversation focuses on external threats, the reality is that internal complexity is often what makes organisations vulnerable in the first place. As systems scale and environments become more interconnected, maintaining control over who has access to what becomes significantly harder - especially when that access is constantly changing.

 

This growing issue, known as policy creep, is becoming one of the most significant and overlooked risks businesses face.

 

Policy creep: the silent threat

To keep hackers out, businesses must first understand how they get in. For many, the windows of opportunity they exploit appear as a direct result of policy creep.  

 

Policy creep is the slow build-up of access rights, i.e., the permissions and privileges that accumulate as employees come and go, projects evolve, and new technologies and tools are onboarded. These permissions often linger long after they’re needed, forgotten by employees and overlooked by swamped security teams. But hackers don’t forget.  

 

While one former employee’s leftover credentials may seem minor, they can still open the door to a more serious security issue. Once intruders gain entry, those same permissions allow them to move laterally across the network. The financial fallout can be intense. Recent estimates suggest that over 70% of UK organisations experienced a cyberattack in the past year, with incidents now costing millions per breach on average - highlighting just how quickly small access gaps can escalate into major business risks.

 

Why policy creep is accelerating

While hacking tactics and techniques are undoubtedly becoming increasingly sophisticated, the environments they target are also becoming more complex. Hybrid work has expanded attack surfaces, multiplying the number of devices, logins, and locations that access company networks.

 

At the same time, organisational change is becoming a major contributing factor. Ongoing restructuring and team transitions mean employees are moving on more frequently and often at scale, but access rights are not always fully or immediately revoked. Responsibilities are redistributed quickly, leading to overlapping or excessive permissions that are rarely revisited. In these moments of transition, policy creep can accelerate significantly.

 

Alongside this, businesses now rely on complex suites of SaaS tools, collaboration platforms, and AI agents, all requiring identity and access controls. Together, this digital sprawl exacerbates policy creep and makes networks harder to secure.

 

How to pivot defences

To combat policy creep, businesses must modernise their cybersecurity approach with three key shifts:

 

1. Treat automation as essential

Growing numbers of devices, users, and credentials mean manual reviews and the legacy “eyes on glass” approach are no longer feasible for today’s complex workplace and underlying networks.

 

Controlling policy creep starts with building security into critical infrastructure, rather than treating it as a bolted-on tool, so access policies can be enforced directly at the network level.

 

The way to keep up with the sheer number of threats and vulnerabilities in a network is by leveraging AI. For example, IT teams can train AI agents to continuously monitor, identify, and retire outdated permissions contributing to policy creep before they become vulnerabilities. With this approach, policy hygiene is maintained and organisations can keep policy creep in check at scale.

 

2. Implement an identity-based policy for access

Instead of static, role-based permissions that age quickly and are rarely revoked, businesses should adopt identity-based access, where permissions dynamically follow the individual, device, or AI agent. Universal Zero Trust enables this policy framework while freeing the organisation to reduce legacy NAC investments to specific tactical requirements.

 

In addition to a wide range of users and devices working across multiple locations, modern networks now include AI agents acting on behalf of employees or systems. And just like human users, these agents require proper governance and their own permissions for interacting with data and applications.

 

Identity-based access ensures permissions are continuously tied to the individual user, device, or AI agent and automatically expire when no longer needed to cut policy creep before it starts.
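As an added illustration (not code from the author or from Extreme Networks), the sketch below shows the kind of automated review described under shifts 1 and 2: it walks a list of access grants and flags those held by departed principals, left over from a previous role, past their expiry, never given an expiry, or unused for a long period. The record fields, the 90-day idle threshold and the sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    grant_id: str
    principal: str              # user, device or AI agent identity
    resource: str
    granted_for_role: str       # role held when the access was granted
    expires_on: Optional[date]  # None means the grant never expires
    last_used: Optional[date]   # None means the grant was never exercised

def review_grants(grants, directory, today, max_idle_days=90):
    """Return {grant_id: [reasons]} for grants that should be retired or reviewed."""
    findings = {}
    for g in grants:
        reasons = []
        entry = directory.get(g.principal)
        if entry is None or entry["status"] != "active":
            reasons.append("principal_departed")   # leaver or unknown identity
        elif entry["role"] != g.granted_for_role:
            reasons.append("role_changed")         # access kept after a move
        if g.expires_on is None:
            reasons.append("no_expiry")            # cannot age out on its own
        elif g.expires_on < today:
            reasons.append("expired")              # should already be revoked
        if g.last_used is None or today - g.last_used > timedelta(days=max_idle_days):
            reasons.append("idle")
        if reasons:
            findings[g.grant_id] = reasons
    return findings

# Constructed sample data: an identity directory and four grants.
TODAY = date(2025, 6, 1)
DIRECTORY = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "departed", "role": "engineering"},
    "agent-reporting": {"status": "active", "role": "reporting"},
}
GRANTS = [
    Grant("g1", "alice", "ledger-db", "finance", date(2025, 9, 1), date(2025, 5, 28)),
    Grant("g2", "alice", "build-server", "engineering", None, date(2024, 11, 2)),
    Grant("g3", "bob", "vpn", "engineering", None, date(2025, 1, 15)),
    Grant("g4", "agent-reporting", "crm-export", "reporting", date(2025, 3, 1), date(2025, 5, 30)),
]

if __name__ == "__main__":
    for gid, reasons in review_grants(GRANTS, DIRECTORY, TODAY).items():
        print(gid, ", ".join(reasons))
```

In the sample, grant g4 is past its expiry date yet was used two days before the review, which is the case where an expiry recorded on paper is not being enforced.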

 

3. Embed continuous verification

Once they’ve successfully gained entry, hackers count on lateral movement to escalate attacks. Continuous verification stops them in their tracks.

 

Unlike traditional methods that grant access after a single login, continuous verification requires users and devices to constantly prove they’re authorised. Combined with micro-segmentation and exceptions management, it ensures access is never a one-time approval.

 

Solutions like network fabric further support micro-segmentation, helping isolate sensitive areas of the network and limit lateral movement. By adopting integrated security platforms that combine Universal Zero Trust, cloud NAC and AI-powered threat detection and visibility, organisations can streamline operations, close security gaps and enable real-time, coordinated responses.

 

Together, these capabilities make it possible to enforce continuous verification at scale, helping organisations prevent unauthorised spread across the network and contain threats before they cause significant damage.

 

The path forward

Policy creep rarely makes headlines, but it is a hidden driver of cyber risk. Left unmanaged, it creates an environment where vulnerabilities accumulate over time and are easily exploited.

 

By embedding security at the infrastructure level and using AI to improve visibility, eliminate outdated permissions, and maintain control over access, businesses can get ahead of policy creep, creating a stronger, more resilient foundation for secure growth.

 


 

David Nuti is Head of Security Strategy at Extreme Networks

 

Main image courtesy of iStockPhoto.com Panya Mingthaisong


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543