In RBAC, what is a common pitfall that arises when roles accumulate permissions over time?

When permissions accumulate in a role over time, you get role creep. In RBAC, roles are meant to reflect a job function with only the permissions needed to perform it. But as requirements evolve, new permissions can get added to a role without removing former ones, so the role ends up granting more access than originally intended. This undermines the principle of least privilege and makes audits and access reviews more difficult because the role no longer aligns with the actual duties. Ambiguous ownership describes unclear accountability for a role, which is a governance issue but not the dynamic that creates extra permissions. Overly broad roles describe the result of the accumulation but don’t explain the ongoing process that leads to it. Frequent role reviews are a control to prevent or catch role creep, not the pitfall itself.