Jun 25, 2026

The Admin Access That Doesn't Look Like Admin Access

Direct role assignments are easy to review. The privilege buried three layers deep in group nesting is where exposure lives.

The dangerous version of privilege is often inherited, not assigned. Most identity teams review direct role assignments and call it done — but direct assignments are not where the exposure lives.

A user sits in one group. That group is nested in a second. The second is nested in a third. Somewhere near the top, a privileged role is attached. By the time the path is three or four hops deep, no native admin list shows the full story.

Why These Chains Survive

Deep privilege chains look like normal org structure, not like privilege. A broad employee group gets nested for licensing. A team group gets reused for collaboration. Another gets added during a reorg. No single change looks dangerous. The chain is dangerous in aggregate.

Standard audits ask the wrong question, so they never find it. Most audits answer "who holds this role directly?" They are not built to answer "who can reach this role through four layers of group membership?" The exposure stays invisible as long as the question stays narrow.

What the Chain Actually Looks Like

A distribution list gets nested into a team group for a project. That team group is added to a security group for access to internal resources. The security group holds a privileged role in Entra ID. The original distribution list members — three hops out — have inherited admin access no one reviewed.

The structural fix is to close the path, not clean up individual users. Admin role assignments should be bounded to explicit, reviewed membership. Attune maps these inheritance chains continuously, so the path count is visible before an auditor asks for it — not after.
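The audit question above, "who can reach this role through N layers of group membership?", reduces to a walk over the membership graph. The script below is an added example and is not Attune's code or anything from the post; it uses a constructed, hypothetical directory (the group and user names are invented) shaped like the distribution-list to team-group to security-group to role chain described above. It enumerates every path from a privileged role down to a user, reports the hop count, lists the people who hold the role only through nesting (the ones a direct-assignment review never shows), and runs the "close the path" check: any group sitting underneath a privileged role is an unreviewed path. Against a real tenant the same logic would consume group and role membership exported from the directory instead of the inline dictionary.

```python
from collections import defaultdict

# Constructed sample directory (hypothetical names, not data from any real tenant).
# Each key is a container (group or role); its value lists direct members, which may
# be users or other groups. This mirrors the chain in the post: a distribution list is
# nested in a team group, that in a security group, and that group holds a privileged role.
DIRECT_MEMBERS = {
    "DL-ProjectAlpha":      ["alice", "bob"],
    "Team-ProjectAlpha":    ["DL-ProjectAlpha", "carol"],
    "SG-InternalResources": ["Team-ProjectAlpha", "dave"],
    "Role-GlobalAdmin":     ["SG-InternalResources", "erin"],  # erin is a direct assignment
    "SG-Licensing":         ["DL-ProjectAlpha"],               # ordinary nesting, no role behind it
}

# Containers that represent privileged role assignments rather than plain groups.
PRIVILEGED_ROLES = {"Role-GlobalAdmin"}


def is_container(name, directory):
    """A name is a group or role if it appears as a key; anything else is a user."""
    return name in directory


def paths_to_role(role, directory):
    """Map every user who can reach `role` to the list of membership paths that get
    them there. A path starts at the role and ends at the container the user is a
    direct member of, so a direct assignment has a path of length 1 (zero hops)."""
    results = defaultdict(list)

    def walk(container, path, visited):
        for member in directory.get(container, []):
            if is_container(member, directory):
                if member in visited:        # guard against A-in-B-in-A loops
                    continue
                walk(member, path + [member], visited | {member})
            else:
                results[member].append(list(path))

    walk(role, [role], {role})
    return dict(results)


def hops(path):
    """Number of group layers between the role and the user's direct membership."""
    return len(path) - 1


def inherited_holders(role, directory, min_hops=1):
    """Users who hold `role` only through nesting at least `min_hops` deep, i.e. the
    people a direct-assignment review never lists. Returns {user: deepest_hop_count}."""
    out = {}
    for user, paths in paths_to_role(role, directory).items():
        depths = [hops(p) for p in paths]
        if min(depths) >= min_hops:          # no direct assignment at all
            out[user] = max(depths)
    return out


def groups_behind_roles(roles, directory):
    """The 'close the path' check: every group that sits anywhere underneath a
    privileged role. A role whose membership is bounded to explicit users returns
    an empty list; anything returned is a path an auditor has not reviewed."""
    found = {}
    for role in roles:
        nested = set()
        for paths in paths_to_role(role, directory).values():
            for p in paths:
                nested.update(p[1:])          # everything below the role itself
        found[role] = sorted(nested)
    return found


if __name__ == "__main__":
    for user, paths in sorted(paths_to_role("Role-GlobalAdmin", DIRECT_MEMBERS).items()):
        for p in paths:
            print(f"{user:6} {hops(p)} hops: {' -> '.join(p)}")
    print("inherited only:", inherited_holders("Role-GlobalAdmin", DIRECT_MEMBERS))
    print("groups under roles:", groups_behind_roles(PRIVILEGED_ROLES, DIRECT_MEMBERS))
```

In the constructed data, alice and bob never appear on any direct admin list, yet both reach Global Admin three hops out; the `groups_behind_roles` result is non-empty for the role, which is exactly the condition the structural fix removes by restricting role membership to explicit users.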
