Definition
The Grandfather Trap is the slow erosion of an organisation’s ability to perform essential tasks because long-standing users retain legacy permissions while new users cannot obtain them. Over time, fewer and fewer people can actually do the work.
Explanation
“Grandfathering” is common in sales: long-time customers keep their original pricing as a loyalty perk. In corporate IT, a similar pattern appears with access and permissions.
A group of users who have “always done the job” may hold rights that are now discouraged or outright forbidden, such as local admin rights, access to deprecated tools, or exemptions from modern controls. They keep the lights on because those privileges let them work around new constraints. But when new staff join, they can’t get the same rights: processes and security settings have moved on, the request forms have changed, and risk appetites have tightened.
Crucially, when those changes were introduced, few had the time, or the courage, to retrospectively remove legacy rights from existing users. Grandfathered users often hold soft power, and if you pull their access and something breaks, the blame lands on the person who removed it. So the path of least resistance wins: change the form for tomorrow, leave yesterday untouched.
This creates a time bomb. People leave, get promoted, or move teams. The population of users who can perform essential functions shrinks until, one day, the last “grandfather” goes, and something critical fails. No one else has the permissions (or the old tool) to fix it. You get a major incident and real financial impact. And because each step towards tighter controls was individually justified, accountability is diffuse, even though the outcome harms the organisation.
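The pattern above can be surfaced mechanically from an entitlement export: compare what current users hold against what today's joiner process can still grant, then count how many people can perform each critical task. The following is an added example, not code from the original post; the export layout, the user and permission names, and the task-to-permission mapping are constructed assumptions, not any real organisation's data.

```python
"""Audit an entitlement export for grandfathered permissions and holder concentration.

Added illustration for the Grandfather Trap; not part of the original post.
All user names, permission names and task mappings below are constructed
sample data (assumptions), not a real export.
"""
from collections import defaultdict

# Constructed sample: the permissions each current user holds.
ASSIGNMENTS = {
    "alice": {"local_admin", "legacy_batch_tool", "vpn"},
    "bob":   {"vpn", "ticketing"},
    "carol": {"vpn", "ticketing", "mfa_exemption"},
    "dave":  {"vpn", "ticketing"},
    "erin":  {"local_admin", "vpn", "ticketing"},
}

# Constructed sample: what the current joiner process can actually grant today.
GRANTABLE_TODAY = {"vpn", "ticketing"}

# Constructed sample: permissions that business-critical tasks still depend on.
REQUIRED_BY_TASKS = {
    "month_end_batch": {"legacy_batch_tool"},
    "workstation_repair": {"local_admin"},
    "ticket_triage": {"ticketing"},
}


def holders_by_permission(assignments):
    """Invert user -> permissions into permission -> set of holders."""
    holders = defaultdict(set)
    for user, perms in assignments.items():
        for perm in perms:
            holders[perm].add(user)
    return dict(holders)


def grandfathered_permissions(assignments, grantable_today):
    """Permissions someone holds now but that nobody can obtain through today's process."""
    return {
        perm: users
        for perm, users in holders_by_permission(assignments).items()
        if perm not in grantable_today
    }


def task_risk(assignments, grantable_today, required_by_tasks, min_holders=2):
    """For each task: who can perform it, whether it rests on grandfathered rights,
    and whether it is at risk (grandfathered and fewer than min_holders capable people)."""
    report = {}
    for task, needed in required_by_tasks.items():
        capable = {u for u, perms in assignments.items() if needed <= perms}
        depends_on_grandfathered = bool(needed - grantable_today)
        report[task] = {
            "capable_users": capable,
            "grandfathered": depends_on_grandfathered,
            "at_risk": depends_on_grandfathered and len(capable) < min_holders,
        }
    return report


def tasks_lost_if_leaves(assignments, required_by_tasks, user):
    """Tasks nobody could perform if this user left: the 'last grandfather' check."""
    remaining = {u: p for u, p in assignments.items() if u != user}
    return {
        task for task, needed in required_by_tasks.items()
        if not any(needed <= perms for perms in remaining.values())
    }


if __name__ == "__main__":
    for perm, users in sorted(grandfathered_permissions(ASSIGNMENTS, GRANTABLE_TODAY).items()):
        print(f"grandfathered: {perm:18} holders={sorted(users)}")
    for task, info in task_risk(ASSIGNMENTS, GRANTABLE_TODAY, REQUIRED_BY_TASKS).items():
        flag = "AT RISK" if info["at_risk"] else "ok"
        print(f"task: {task:20} capable={sorted(info['capable_users'])} {flag}")
    for user in ASSIGNMENTS:
        lost = tasks_lost_if_leaves(ASSIGNMENTS, REQUIRED_BY_TASKS, user)
        if lost:
            print(f"if {user} leaves, nobody can do: {sorted(lost)}")
```

The useful output is not the list of grandfathered rights by itself but the join against critical tasks: a right held by two people is a cleanup item, a right that one person holds and a month-end job depends on is an incident waiting for a leaver. Running the departure check for every user in the export gives the people whose exit would break something, which is the list to act on before removing anyone's legacy access.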
Disclaimer: As always, these posts are not aimed at any one client or employer and are just my personal observations over a lifetime of dealing with both management and frontline associates.