If identity and access management processes are inadequately defined or implemented, there is no guarantee that access will be restricted to the extent necessary, which violates the need-to-know and least-privilege principles. As a result, administrators may not be informed of personnel changes. For example, the user ID of an employee who has left may not be deleted, allowing that person to continue to access sensitive information.
It is also possible that employees who move to another department keep their old authorisations and thereby accumulate extensive authorisations over time.
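Both failure modes described above can be detected by regularly reconciling the account directory against HR records. The following is an added example, not part of the original text. The user IDs, group names and the department-to-group role model are constructed assumptions.

```python
"""Reconcile a directory export against HR records (all data constructed)."""

# Constructed HR roster: user ID -> current department, or None once the person has left.
HR = {"asmith": "finance", "bjones": "engineering", "cdoe": None}

# Constructed directory export: user ID -> (account enabled, groups held).
ACCOUNTS = {
    "asmith": (True, {"fin-ledger", "fin-reports"}),
    "bjones": (True, {"eng-repo", "fin-ledger", "hr-payroll"}),  # moved from finance
    "cdoe": (True, {"eng-repo"}),                                # left, never disabled
    "svc-old": (True, {"eng-repo"}),                             # no HR record at all
    "dlee": (False, {"fin-ledger"}),                             # already disabled
}

# Assumed role model: the groups each department is entitled to.
DEPT_GROUPS = {
    "finance": {"fin-ledger", "fin-reports"},
    "engineering": {"eng-repo"},
}


def reconcile(hr, accounts, dept_groups):
    """Return (orphaned, excess): enabled accounts with no active owner, and
    per-user groups that fall outside the owner's current department."""
    orphaned, excess = [], {}
    for user, (enabled, groups) in sorted(accounts.items()):
        if not enabled:
            continue  # disabled accounts cannot be used to log in
        dept = hr.get(user)
        if dept is None:
            # Leaver, or an account HR has never heard of: both need an owner decision.
            orphaned.append(user)
            continue
        # Anything beyond the current department's entitlement is a leftover to review.
        extra = groups - dept_groups.get(dept, set())
        if extra:
            excess[user] = sorted(extra)
    return orphaned, excess


if __name__ == "__main__":
    orphaned, excess = reconcile(HR, ACCOUNTS, DEPT_GROUPS)
    print("enabled accounts without an active employee:", orphaned)
    for user, groups in excess.items():
        print(f"{user} holds groups outside current department: {groups}")
```

Groups flagged as excess are candidates for review rather than automatic removal, since some cross-department access may have been approved deliberately.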