Privilege creep, also known as permission creep, is a security risk where a user account gradually accumulates access rights and permissions beyond what is required for their current job function. This commonly occurs when an employee changes roles within an organization but their previous access rights are not revoked. It also happens when a user is added to a group that grants a broad set of permissions, some of which are unnecessary for that individual's role, directly matching the scenario described in the question. The core issue is the violation of the principle of least privilege over time through administrative oversight or overly broad group policies.

A. Improper delegation: This refers to incorrectly assigning authority or tasks to another person or system, which is a different concept than the gradual accumulation of a user's own permissions.

B. Privilege escalation: This is an active attack or exploit where a user intentionally gains elevated access by exploiting a vulnerability, not a passive accumulation of rights through normal administrative processes.

D. Improper grouping: While creating a group with excessive permissions is a cause of privilege creep, "improper grouping" is a descriptive phrase, not the specific, recognized term for the resulting security condition.

1. National Institute of Standards and Technology (NIST). (2017). NIST Internal Report 8112: Attribute Based Access Control.

Reference: Section 2.2.1, "Limitations of the RBAC Model," Page 6.

Quote: "Another issue with RBAC is that of ‘privilege creep’ or ‘role explosion’ where users tend to accumulate roles over time as they move from one project to another within the organization." This directly defines privilege creep as the accumulation of access over time.

2. National Institute of Standards and Technology (NIST). (2017). Special Publication 800-179: Guide to Securing Apple macOS 10.12 for Enterprise Deployments.

Reference: Section 3.3.1, "Limit Privileges," Page 21.

Quote: "This helps prevent 'privilege creep,' where users accumulate privileges over time as their job descriptions and tasks change." This source confirms the term and its definition in the context of enterprise security principles.

3. Purdue University. (2012). Role-Based Access Control (RBAC) and Role Engineering. The Center for Education and Research in Information Assurance and Security (CERIAS).

Reference: Section "Role Engineering," Paragraph 2.

Content: The document discusses the challenges in Role-Based Access Control (RBAC), including the problem of "privilege creep," where users accumulate permissions over time, leading to a violation of the principle of least privilege. It highlights that regular review and attestation are necessary to combat this issue.