Brian Sims
Editor

The Zero Trust Blind Spot: How ‘Policy Creep’ is Leaving UK Firms Exposed

WHENEVER ANY major security breach hits the headlines, the spotlight focuses on ransomware gangs, nation state hackers or other external threats, writes David Nuti, but many attacks happen closer to home: a shared Inbox left open before a holiday, project access never revoked when a contractor leaves or ‘just in case’ permissions hanging around when they’re no longer needed.

This slow build-up of access rights, known as ‘policy creep’, is a major concern for organisations. It isn’t a new problem, but it’s worsening. With 43% of organisations experiencing a cyber attack in the last 12 months and UK businesses losing over £44 billion to cyber crime in the last five years, no company can afford to ignore this security ‘blind spot’.

Hidden risk in plain sight 

‘Policy creep’ is straightforward: permissions and privileges expand over time, but they’re rarely reduced. This leads to overlapping access and ‘blind spots’, even in the most sophisticated of security systems. Old accounts and forgotten permissions often linger, silently weakening overall defence, all due to a lack of hygiene in policy management.

Attackers know this. They don’t waste energy breaking down the front door when they can slip through a side entrance left open by human error. Once inside, these same unchecked permissions allow lateral movement across networks, escalating minor incidents into costly breaches with an unnecessarily large blast radius.

Why it’s worsening 

Several trends are amplifying ‘policy creep’. Hybrid working has multiplied the number of devices and locations requiring access. The explosion of SaaS tools and collaboration platforms has created countless new accounts and credentials to manage. Identities now extend far beyond people and devices. Artificial Intelligence (AI) agents also require proper governance and their own permissions to act on behalf of users, in turn layering the risk.

Each of these factors broadens and diversifies the attack surface. Every new exception or unused login is another crack in the armour. At scale, those cracks widen, leaving systems increasingly exposed to risk under the weight of ‘policy creep’. 

With compromised employee credentials still the foremost cause of breaches, the human factor remains critical. Technical controls matter just as much, though. A single incident can quickly escalate into millions of pounds when fines, recovery and reputational damage are factored into the equation.

Fighting ‘policy creep’ 

The good news is that ‘policy creep’ is not inevitable. UK security leaders can take concrete steps to regain control:

Build AI-powered security into network infrastructure

The most effective defence happens when security is enforced at the network level and baked into critical infrastructure, not bolted on as an afterthought.

Many companies are investing in AI-powered platforms as a force multiplier, unifying network, security and AI in a single place, and making everything easier to manage. This reduces complexity, closes ‘blind spots’ and makes threats easier to prevent, detect and stop. It also allows IT staff to see the big picture instantly, respond faster and avoid burnout.

Automate policy hygiene

The ‘eyes on glass’ approach in management is outdated and inefficient. Manual reviews are too slow. Automation isn’t optional.

With a unified platform powered by AI agents, IT teams can train those agents to identify and retire outdated permissions before they multiply: a task that’s quickly becoming impossible to manage on a manual basis.

Adopt identity-based access

Static, role-based or traffic flow-based permissions quickly become outdated and lack the granular detail today’s security demands. By tying access dynamically to the individual, a device or even an AI agent, permissions follow the entity and expire when they should.

Embed continuous verification

Never trust and constantly verify. Access should never be a one-time approval. Real-time checks, exceptions management and micro-segmentation make it far harder for attackers to move laterally once inside.
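To make the hygiene and expiry steps above concrete, here is an added example (not from the article or from Extreme Networks) of an automated review that flags the creep patterns named earlier: access left behind by a departed contractor, grants with no expiry and permissions nobody has used. The record fields, the 90-day threshold and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)  # assumed threshold; tune to local policy

@dataclass
class Grant:
    identity: str              # person, device or AI agent holding the access
    kind: str                  # "employee", "contractor" or "ai_agent"
    resource: str
    granted: date
    last_used: Optional[date]  # None means never used since it was granted
    expires: Optional[date]    # None means the grant never expires
    identity_active: bool      # still present in the identity provider / HR feed

def audit(grants, today):
    """Return {(identity, resource): [reasons]} for grants showing policy creep."""
    findings = {}
    for g in grants:
        reasons = []
        if not g.identity_active:
            reasons.append("orphaned: identity has left")
        if g.expires is None:
            reasons.append("no expiry set")
        elif g.expires < today:
            reasons.append("expired but still present")
        # A never-used grant is aged from the day it was issued.
        if today - (g.last_used or g.granted) > STALE_AFTER:
            reasons.append(f"unused for over {STALE_AFTER.days} days")
        if reasons:
            findings[(g.identity, g.resource)] = reasons
    return findings

# Constructed sample inventory (hypothetical identities and resources).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Grant("a.patel", "employee", "finance-share", date(2025, 1, 10), date(2025, 5, 28), date(2025, 12, 31), True),
    Grant("ext-jones", "contractor", "project-x-repo", date(2024, 3, 1), date(2024, 9, 15), None, False),
    Grant("m.evans", "employee", "hr-mailbox", date(2024, 11, 1), None, date(2025, 3, 1), True),
    Grant("report-bot", "ai_agent", "crm-api", date(2025, 4, 1), date(2025, 5, 30), None, True),
]

if __name__ == "__main__":
    for (who, what), why in audit(SAMPLE, TODAY).items():
        print(f"{who} -> {what}: {'; '.join(why)}")
```

In practice the output would feed a revocation or re-approval workflow rather than a printout, so that flagged grants are removed or renewed instead of simply reported.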

From ‘policy creep’ to policy control

‘Policy creep’ is silent, but its consequences are loud. It can erode resilience, create hidden vulnerabilities and hand attackers the keys to the kingdom. UK security leaders who act now can close these gaps and regain control by focusing on smarter and more dynamic policy management.

The solution isn’t about piling on more tools; it’s about enforcing policy continuously at the network level. By building security into the infrastructure, organisations can move towards a Zero Trust framework, leverage AI to eliminate policy creep, maintain strong hygiene, continuously monitor the network and achieve greater ‘human-in-the-loop’ visibility across the environment.

This creates a self-reinforcing loop of protection, detection and response, making it easier to identify and quarantine threats at an identity level before they escalate into wider operational disruptions.

The end result is a stronger and more resilient system where ‘blind spots’ are closed, risks are managed and people and assets stay protected even when AI and modern digital operations introduce new challenges and complexity.

David Nuti is Head of Security Strategy at Extreme Networks (www.extremenetworks.com)
