Role drift and security capability gaps are two faces of the same problem. When licensing no longer reflects how people work or what threats they face, the enforcement layer of your operating model is already out of date.
In the previous blogs in this series (blog 1: Identity Entropy and blog 2: The Governance Debt Hiding in Plain Sight), we established that identity entropy is structural and that dormant accounts represent accumulated governance debt. Both are expressions of the same underlying dynamic: Microsoft 365 evolves more slowly than the organisations running on it.
There is a third pattern, and in many Swiss SMEs it is the least visible of all. It has two related dimensions.
The first is role drift: the gradual decoupling of license assignment from actual job responsibility. The second is the security capability gap: the space between what an organisation has licensed and what it has actually configured and enforced. In practice, these two problems are closely connected. And together, they create a form of misalignment that is easy to overlook precisely because nothing appears broken.
Licenses are typically assigned at onboarding. A role template is applied, a license tier is selected, and the account is provisioned. After that, changes are incremental — and often informal.
But roles do not remain static. Over time:
The license, however, often remains what it was on day one. That is role drift. Licensing becomes a historical artifact rather than a current reflection of responsibility. From a governance perspective, the control layer no longer matches the operational reality it is supposed to govern.
At first glance, role drift appears to be a cost-management issue. Someone holds a license that exceeds the requirements of their current role. Someone else may lack capabilities they actually need. Both create inefficiency.
But the deeper issue is misalignment in control. In Microsoft 365, license tiers directly determine access to enforcement capabilities:
When roles evolve but licensing does not, the enforcement layer falls out of sync with organisational structure. A compliance-related role may lack appropriate DLP tooling. A frontline user may carry an enterprise-level access scope they no longer need. The control model becomes inconsistent across similar functions, creating audit exposure even when no incident has occurred.
Role drift explains one form of misalignment: license assignments that no longer reflect role realities. There is a second, closely related gap that deserves equal attention.
Many SMEs have licensed security capabilities that they have not fully deployed.
This happens for understandable reasons. A security module is purchased after a board discussion or a risk review. The procurement decision is sound. But rollout requires configuration work, testing, and sometimes cross-functional coordination. Operational pressure intervenes. The capability is licensed but remains partially enforced—or not enforced at all.
Common examples in Swiss SMEs include:
Each of these situations has a common structure: the organisation believes it has control in place because it has paid for it. The invoice suggests protection. But protection requires both licensing and configuration. One without the other is an assumption, not a control.
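Both gaps can be surfaced from data a tenant administrator already has: a user export with current job function and assigned licence tier, and an inventory of licensed security features against their actual enforcement state. The script below is an added illustration, not code from the original post; the role template, tier names, feature names and the export rows are all constructed assumptions, and a real check would read the equivalent fields from the tenant's own licence and policy exports.

```python
"""Role-drift and capability-gap check over constructed licence data.

Added example; the role template, tier names, feature names and
export rows are assumptions, not data from the original post.
"""
import csv
import io
from collections import defaultdict

# Assumed role template: the licence tier each job function is expected to hold.
ROLE_TEMPLATE = {
    "Frontline": "F3",
    "Knowledge worker": "E3",
    "Finance": "E3",
    "Compliance": "E5",
}

# Assumed ordering of tiers, so a mismatch can be classed as over- or under-licensed.
TIER_RANK = {"F3": 1, "E3": 2, "E5": 3}

# Constructed user export (columns assumed): what the user did at onboarding,
# what they do now, and the tier still assigned to the account.
USER_EXPORT = """\
upn,job_function_at_onboarding,job_function_now,assigned_tier
anna@example.ch,Knowledge worker,Compliance,E3
beat@example.ch,Frontline,Frontline,E5
cora@example.ch,Finance,Finance,E3
dani@example.ch,Compliance,Knowledge worker,E5
emil@example.ch,Frontline,Frontline,F3
"""

# Constructed tenant inventory (feature names are placeholders): whether a
# security feature is licensed, and the state its enforcement is actually in.
LICENSED_FEATURES = {
    "DLP policies": True,
    "Conditional Access": True,
    "Safe Links": True,
    "Insider Risk": False,
}
ENFORCEMENT_STATE = {
    "DLP policies": "not configured",
    "Conditional Access": "report-only",
    "Safe Links": "enforced",
}


def find_role_drift(export_csv, template=ROLE_TEMPLATE, rank=TIER_RANK):
    """Return users whose assigned tier differs from the template for their current role."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        expected = template[row["job_function_now"]]
        actual = row["assigned_tier"]
        if expected == actual:
            continue
        kind = "over-licensed" if rank[actual] > rank[expected] else "under-licensed"
        findings.append({
            "upn": row["upn"],
            "role": row["job_function_now"],
            "expected": expected,
            "actual": actual,
            "kind": kind,
        })
    return findings


def inconsistent_roles(export_csv):
    """Return job functions whose holders carry more than one tier (the audit-exposure case)."""
    tiers_by_role = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        tiers_by_role[row["job_function_now"]].add(row["assigned_tier"])
    return {role: sorted(tiers) for role, tiers in tiers_by_role.items() if len(tiers) > 1}


def find_capability_gaps(licensed=LICENSED_FEATURES, enforced=ENFORCEMENT_STATE):
    """Return licensed features that are not fully enforced (paid for, but not a control)."""
    gaps = []
    for feature, is_licensed in licensed.items():
        if not is_licensed:
            continue
        state = enforced.get(feature, "not configured")
        if state != "enforced":
            gaps.append({"feature": feature, "state": state})
    return gaps


if __name__ == "__main__":
    for f in find_role_drift(USER_EXPORT):
        print(f"{f['upn']}: {f['role']} expects {f['expected']}, holds {f['actual']} ({f['kind']})")
    print("inconsistent roles:", inconsistent_roles(USER_EXPORT))
    for g in find_capability_gaps():
        print(f"licensed but {g['state']}: {g['feature']}")
```

Run against the constructed rows, the drift check flags one under-licensed compliance user and two over-licensed accounts, the consistency check shows the frontline function split across two tiers, and the capability check reports two licensed features that are not enforced. The same three functions apply unchanged to a real export once the column names and feature list are mapped to the tenant's own.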
Many CIOs look at a stable Microsoft 365 invoice and interpret that stability as evidence of disciplined management. Flat cost means things are under control. But cost stability does not guarantee control alignment. It can mask:
In other operational domains, this kind of misalignment would surface quickly. If production systems were configured inconsistently across sites, the gap would be visible in output variance. In digital identity and licensing, misalignment accumulates invisibly — until it surfaces during an audit, a security review, a pricing transition, or an incident investigation. By that point, reactive correction is considerably more disruptive than structured review would have been.
Role drift and the security capability gap share the same root causes. They persist because:
In SMEs, resource constraints amplify all of this. Operational focus prioritises delivery and continuity. Re-baselining license and security alignment feels secondary to running the business. Yet licensing in Microsoft 365 is not peripheral to operations. It is the architectural layer that determines who can access what, and which controls are technically enforceable. If it does not reflect how people work and the risks they face, the governance assumptions built on it are already outdated.
Addressing role drift and the security capability gap does not require continuous reconfiguration. It requires structured re-baselining at defined intervals.
In practice, this means:
This is operational alignment work. It is not optimisation theatre, and it is not a one-time project. It is the discipline of ensuring that the control layer reflects current operational reality rather than the decisions made at onboarding two or three years ago.
You do not need an external benchmark to assess your position. Three questions are sufficient:
If the answers rely on informal processes rather than a defined cadence, both gaps are likely present. That is not a failure of competence. It is the predictable outcome of organisational change without structured recalibration.
Role drift and the security capability gap are not dramatic failures. They do not generate alerts. They do not appear on invoices. But in digitally dependent organisations, small misalignments in the control layer compound over time, in cost, in audit exposure, and in the gap between assumed protection and actual enforcement.