Sep 21, 2024

What is Identity Sprawl?

Digital identities are seemingly everywhere and increasing. Juniper Research predicts an increase in digital ID volumes by 50% between 2022 and 2026 — from 4.2 billion to 6.5 billion. Typically, a digital identity is associated with a password to help control access to IT resources, like SaaS apps. A 2024 NordPass study calculated that the average number of passwords per person is 168, with 87 of these used for business. In 2023, 90% of organizations were victims of at least one identity-related incident.

These figures highlight a major issue in identity security, where fragmented identities are causing identity sprawl.

Here, AccessOwl explores the causes behind identity sprawl — and what can be done to mitigate the fragmentation of digital identity.

A brief definition of identity sprawl

Identity sprawl happens when multiple digital identities representing the same individual are used to access various resources. These disparate identities fragment and become siloed — managed using unsynchronized directories. Using multiple identities for one job is not only inefficient, but it also delivers a degraded user experience and an increased risk of data exposure and cyber-attacks.

What causes identity sprawl?

The fragmentation of digital identities is not an isolated event. Identity sprawl has come about as SaaS app use has soared. As online services and SaaS apps proliferate, the need for digital identities to control access to those apps naturally follows. As more apps and services onboard users, more digital identities are created: every user account in a new app is another identity. The result is a vast portfolio of fragmented identities. A cycle of identity generation without a governance layer multiplies these fragmented and unsynchronized digital identities. Such fragmented identities are challenging to manage and can result in permission sprawl — users holding unnecessary and uncontrolled access privileges, which raises the risk of data exposure. As individual users accumulate multiple digital identities, securing data and the associated credentials grows more difficult, unless those identities are managed through a single identity provider (IdP) and Single Sign-On (SSO).

Another problem that exacerbates identity sprawl is the "SSO tax." This is an added expense that vendors often charge for premium single-sign-on (SSO) functionality. This added cost discourages companies from implementing SSO, resulting in the proliferation of passwords — which leads to difficulties in managing identity sprawl.

So identity sprawl leaves apps and other IT resources vulnerable to cyber-attacks, unauthorized access, and accidental data exposure.

Why is identity sprawl an issue?

The proliferation of user accounts across multiple systems is a core problem at the heart of cybersecurity weakness. Identity sprawl creates a massive attack surface. Dynamic organizations constantly see people come and go — joiners, leavers, and movers. All these scenarios create a mesh of interwoven identity management headaches.

Adding to these complex challenges, password fatigue causes people to reuse and share passwords, creating vulnerabilities in an organization's IT infrastructure. In a business context, multiple, fragmented, and uncontrolled identities can create fuzzy boundaries — where legitimate business apps and shadow IT applications coexist. Data created or shared across this vulnerable infrastructure is at risk. Compliance is impacted. A lack of visibility into which identities are used to access various IT resources leads to a lack of control and unmanageable access privileges.

In addition, many businesses choose to use multiple cloud services. Each of these services has its own silo of identities that are used to control access to IT resources. This ad hoc approach to ID assignment leads to many individual users who each have multiple identities — making management and access control incredibly complex. The net result of identity sprawl is that breaches involving unauthorized access have soared. By May 2024, the running total of breached data records for the year stood at a staggering 35,900,145,035. Notably, Google research shows that 60% of data breaches are due to credential issues, like stolen, reused, or shared passwords. With this in mind, what can an organization do to prevent identity sprawl?

Best practices to mitigate identity sprawl

Fortunately, there are strategies and identity governance tools that can help an organization stop identity sprawl.

Centralized identity management

A "single source of truth" is the fundamental way to prevent identity sprawl. In other words, organizations should use a centralized identity governance and administration (IGA) layer that connects all their user identity-related systems — like HR, identity providers, SaaS apps, etc. This control layer acts as an identity orchestration system, allowing appropriate administrators to find rogue apps and control both onboarding and offboarding. Some advanced systems, like AccessOwl, orchestrate identities and access privileges by connecting and integrating with productivity suites like Google Workspace and your HRIS (Human Resource Information System). An IGA system like AccessOwl merges all the identities of a single person to reduce the risk of overlooked offboardings, permission changes, etc. Identity orchestration and governance of access rights make managing and controlling app access much easier, thereby stopping identity sprawl at its source.

Identity sprawl and access reviews

Regular access reviews are essential for any organization that wants to prevent cyber-attacks and data breaches. Access reviews reveal precisely who has access to what, and under which conditions. Modern identity governance and administration (IGA) performs access certification reviews. The best access reviews are automated. Some of these advanced automated systems, like AccessOwl, send reviewers custom reminders directly in Slack. Once the review is completed, all access changes are processed and documented, and evidence is shared with your auditor.

What role does automated user provisioning play in combating identity sprawl?

Automating user provisioning and de-provisioning significantly decreases identity sprawl. Automation provides a layer of control over user provisioning that prevents users from creating multiple identity accounts. A centralized, automated provisioning service, like AccessOwl, provides identities that connect across hundreds of SaaS apps. Automation of user provisioning decreases the risk of non-compliance and mitigates security issues associated with uncontrolled permissions.

Shadow IT management

According to research, around 65% of corporate apps are shadow IT applications. In other words, employees use unsanctioned and uncontrolled apps to carry out work tasks — leading to increased cyber risk. But a centralized IGA solution provides organizations with the visibility to identify unsanctioned apps. This centralized control of your IT estate ensures that provisioning and de-provisioning apply to every app that may contain your company data. If an employee leaves your company, their user access to all apps is automatically revoked.
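The "merge all identities of a single person" step described under centralized identity management, and the "revoke every app when an employee leaves" step described here, both come down to the same reconciliation: link every account in the IdP and in each SaaS app back to one HRIS record, then flag what does not line up. The following is an added illustration, not AccessOwl's code; the HRIS, IdP and SaaS exports are constructed sample data, and matching on normalized e-mail is an assumption (real systems often also match on employee ID or SCIM externalId).

```python
# Constructed sample exports (not real data); the HRIS is the source of truth.
HRIS = [
    {"employee_id": "E100", "email": "ana.silva@example.com", "status": "active"},
    {"employee_id": "E101", "email": "ben.okafor@example.com", "status": "terminated"},
]
IDP = [{"id": "idp-1", "email": "ana.silva@example.com"},
       {"id": "idp-2", "email": "ben.okafor@example.com"}]
SAAS = {
    "crm": [{"id": "crm-7", "email": "Ana.Silva@example.com"},
            {"id": "crm-9", "email": "ana.silva@gmail.com"},  # personal address
            {"id": "crm-3", "email": "ben.okafor@example.com"}],
    "chat": [{"id": "chat-2", "email": "ben@contractor.example.net"}],
}


def normalize(email: str) -> str:
    """Case-insensitive, whitespace-trimmed match key for e-mail addresses."""
    return email.strip().lower()


def merge_identities(hris, idp, saas):
    """Link every IdP and SaaS account to one HRIS person by e-mail.
    Returns (people, unlinked): people maps employee_id to the HRIS record
    plus linked (system, account_id) tuples; unlinked lists accounts that
    match no HRIS record, i.e. identities the governance layer cannot offboard.
    """
    people = {e["employee_id"]: {**e, "accounts": []} for e in hris}
    by_email = {normalize(e["email"]): people[e["employee_id"]] for e in hris}
    unlinked = []
    for system, accounts in [("idp", idp)] + list(saas.items()):
        for acct in accounts:
            person = by_email.get(normalize(acct["email"]))
            if person is None:
                unlinked.append((system, acct["id"], acct["email"]))
            else:
                person["accounts"].append((system, acct["id"]))
    return people, unlinked


def overlooked_offboardings(people):
    """Accounts that still exist for people the HRIS no longer lists as active."""
    return [(system, aid) for p in people.values() if p["status"] != "active"
            for system, aid in p["accounts"]]


if __name__ == "__main__":
    people, unlinked = merge_identities(HRIS, IDP, SAAS)
    print("revoke:", overlooked_offboardings(people))  # Ben's idp and crm accounts
    print("ungoverned:", unlinked)                     # crm-9 and chat-2
```

The two lists are the sprawl the page describes: accounts left behind after an offboarding, and accounts (personal or contractor addresses) that no directory sync would ever touch.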

Does single-sign-on (SSO) prevent identity sprawl?

SSO is used to enhance user experience, improve productivity, and maintain robust security. SSO is a form of centralized authentication. Once a user has successfully logged in to an app or website, they can seamlessly access other registered apps or websites during that logged-in session. Identity consolidation using single sign-on can help prevent identity sprawl — especially when combined with processes like access reviews and automated provisioning.

Identity sprawl and compliance risks

Compliance risks create ongoing work that distracts a company from its core business. Organizations can ensure compliant access control by reducing the impact of identity sprawl. An effective identity governance layer, like AccessOwl, provides the means to establish compliant access controls. So an organization can automate robust user-access controls that filter through to every SaaS app and reflect the "least privilege" access control essential to maintaining compliance.