IT Security

The quiet risk inside your network

by Mark Rowe

Policy creep can erode zero trust, says David Nuti, Head of Security Strategy, Extreme Networks.

Every security leader knows the external threats: ransomware, phishing and sophisticated nation-state attacks, to name a few. What many don’t consider is that the most damaging breaches often start inside the organisation, through access that was granted and never taken away. A shared folder left open. A contractor account that never gets removed. Layers of forgotten permissions that quietly expand over time.

This slow, silent expansion, known as policy creep, is fast becoming one of the most overlooked vulnerabilities in enterprise security. It’s not a new challenge, but it’s growing worse as businesses pile new technologies, hybrid work setups and AI tools onto legacy infrastructure.

 

The silent threat within

Policy creep is simple in concept but can have massive consequences. Every time access rights are granted but not revoked, the result is cumulative risk. These permissions don’t just hang around innocuously – they multiply. Over months or years, the network becomes loaded down with redundant access paths that undermine Zero Trust principles and weaken visibility.

Attackers know this well. They no longer need to bother with the front door when a forgotten credential can open the back one. Then, once they’re in, unchecked permissions make it easier to move laterally, turning a minor intrusion into a full-scale breach with all the accompanying financial, operational and reputational fallout.

The data clearly reveals how high the stakes have become. Forty-three percent of organisations experienced a cyberattack last year. The cost of a single breach now averages $4.44 million globally. And UK organisations are confronting the same issue when factoring in disruption, fines and reputation loss.

 

How to bring policy back under control

Stopping policy creep doesn’t require starting from scratch. It demands precision, automation and continuous governance.

  1. Build security into the network itself
    The strongest protection starts at the network layer. When security is designed into the infrastructure, rather than added on later, it becomes part of how the entire system operates. More organisations are turning to AI-enhanced platforms that bring networking, security and automation together in one environment. This simplifies management, closes visibility gaps and helps teams detect, prevent and contain threats faster. With that kind of unified view, IT staff can act quickly, stay ahead of incidents and ease the strain that often leads to burnout.
  2. Automate policy hygiene
    Constant manual monitoring with eyes-on-glass is archaic. Manual reviews are too slow, and the sheer scale of modern networks makes human oversight alone impossible. Automation must take the lead. With a unified platform powered by AI agents, IT teams can consolidate and organise policy and retire outdated permissions before they multiply. This constrains, rather than expands, the breach blast radius.
  3. Move to identity-based access
    Replace static, role-based permissions with adaptive, identity-led models. Access should follow the user, device or AI agent dynamically and expire automatically when no longer needed. Evaluate your path to retiring traditional NAC in favour of a Universal ZTNA architectural replacement.
  4. Enforce continuous verification
    A ‘never trust, always verify’ ethos can’t just be talk. Real-time checks, micro-segmentation and automated exceptions management reduce lateral movement and make the environment more resilient.
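One concrete shape for the “automate policy hygiene” and “expire automatically” steps above, as an added example that is not code from the article, from Extreme Networks or from any product: a review over a constructed set of access grants that separates grants past their end date (revoke now), grants nobody has exercised in 90 days (review), and the same right reachable through two paths (the redundant access paths described earlier). The grant fields, the sample data and the 90-day threshold are assumptions; a real job would read grants and last-use times from the directory or IAM system and tune the threshold per environment.

```python
"""Stale-access review: the check an automated policy-hygiene job would run.

Added example with constructed data; not from the article or any vendor
product. A real job would pull grants and last-use times from the IAM system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    principal: str              # user, contractor, service, or a group like "Everyone"
    resource: str
    permission: str
    granted_on: date
    last_used: Optional[date]   # None = never exercised since it was granted
    expires: Optional[date]     # None = open-ended, the policy-creep default
    source: str                 # "direct" or the group the grant flows through


STALE_AFTER = timedelta(days=90)  # assumed review threshold; tune per environment

# Constructed sample: a contractor past end date, a share open to Everyone that
# nobody has touched in years, and one user holding the same right twice.
TODAY = date(2025, 10, 1)
SAMPLE_GRANTS = [
    Grant("contractor-jdoe", "fileshare:finance", "read",
          date(2024, 6, 1), date(2024, 12, 10), date(2025, 3, 31), "direct"),
    Grant("asmith", "fileshare:finance", "read",
          date(2023, 1, 15), date(2025, 9, 1), None, "direct"),
    Grant("asmith", "fileshare:finance", "read",
          date(2024, 2, 1), date(2025, 9, 1), None, "group:finance-team"),
    Grant("Everyone", "fileshare:projects", "write",
          date(2022, 5, 5), None, None, "direct"),
    Grant("svc-backup", "db:hr", "read",
          date(2025, 8, 20), date(2025, 9, 28), None, "direct"),
]


def is_expired(g: Grant, today: date) -> bool:
    """Past its end date: the contractor account that never got removed."""
    return g.expires is not None and g.expires < today


def is_stale(g: Grant, today: date, stale_after: timedelta = STALE_AFTER) -> bool:
    """Unused for longer than the threshold, or never used since it was granted."""
    reference = g.last_used or g.granted_on
    return today - reference > stale_after


def redundant_paths(grants):
    """Same principal/resource/permission reachable via more than one path."""
    paths = defaultdict(list)
    for g in grants:
        paths[(g.principal, g.resource, g.permission)].append(g.source)
    return {key: sorted(srcs) for key, srcs in paths.items() if len(srcs) > 1}


def hygiene_report(grants, today: date, stale_after: timedelta = STALE_AFTER):
    """Split grants into revoke-now (expired), review (stale) and redundant paths."""
    revoke = [g for g in grants if is_expired(g, today)]
    review = [g for g in grants
              if not is_expired(g, today) and is_stale(g, today, stale_after)]
    return {"revoke": revoke, "review": review, "redundant": redundant_paths(grants)}


if __name__ == "__main__":
    report = hygiene_report(SAMPLE_GRANTS, TODAY)
    for g in report["revoke"]:
        print(f"REVOKE  {g.principal:16} {g.permission} on {g.resource} (expired {g.expires})")
    for g in report["review"]:
        print(f"REVIEW  {g.principal:16} {g.permission} on {g.resource} (last used {g.last_used})")
    for (who, res, perm), srcs in report["redundant"].items():
        print(f"DEDUP   {who:16} {perm} on {res} via {', '.join(srcs)}")
```

Run against the sample, the job flags the contractor grant for revocation, the never-used “Everyone” write grant for review, and asmith’s duplicate finance-share access for consolidation, while the recently used service account passes. The point of the split is that expired grants can be revoked by the automation itself, whereas stale-but-valid grants go to a human owner, so the job shrinks the blast radius without breaking access someone still needs.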

 

Restoring balance between people and policy

Policy creep may be quiet, but its effects can be catastrophic. It can erode visibility, amplify insider risk, and weaken the Zero Trust model.

The fix isn’t about piling on more tools. It’s about making the ones you already have work smarter together. When security is embedded into the infrastructure itself, teams can use automation and AI to flag outdated permissions, tighten hygiene and spot irregular behaviour in real time, mitigating the inevitable exposure caused by policy creep.

That kind of connected visibility turns defence into a living system across the connective tissue that is the network: a system that learns, adapts and reacts before small cracks can be exploited and become breaches. It lightens pressure on people, strengthens resilience and keeps assets protected, ensuring security evolves in step with increasingly complex networks, data, and AI environments.