Closely related to excessive permissions is the segregation of duties (SOD) control. Essentially, SOD guards against a critical process coming under the undue influence of any one person or group. In other words, the tasks that make up a critical process need to be split across people and teams so that checks and balances exist to ensure the validity of outcomes.
In accounting we know it's a bad idea to give one individual the authority both to print and to sign checks: it's too easy to write fraudulent ones. In IT there are equivalent conflicts of interest. We prefer not to let ordinary users also be security or system administrators, developers test their own code, or developers have the ability to update production systems.
To properly address permissions using SOD, organizations need to understand which IT services are critical and establish reasonable risk levels for them. From there, the roles assigned to each task can be reviewed to find which combinations of tasks, when held by one person, amount to excessive permissions. Note that the review has to look at the combined permissions of everything a person holds, not at each role in isolation: two roles that are each acceptable on their own can together grant a conflicting pair.
Avoid any combination of permissions that puts the confidentiality, integrity, or availability of a process at an unacceptable level of risk. Where a conflict cannot be avoided, reallocate the tasks or put compensating controls in place (for example, independent review of the affected changes, or logging and monitoring of the conflicting actions) to reduce the risk to an acceptable level.
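The review described above, as an added example that is not code from the original article: a small Python SOD check over role definitions and user assignments. The roles, permissions, users and conflict pairs are constructed sample data chosen to mirror the article's own examples (developers testing or deploying their own work, one person being both security and system administrator). It checks two layers: roles that conflict with themselves (a role design problem) and pairs of individually clean roles that become a conflict when one person holds both.

```python
"""Segregation-of-duties (SOD) review of role assignments.

Added example, not code from the original article. All roles, permissions,
users and conflict pairs are constructed sample data.
"""
from itertools import combinations

# Constructed: the permissions each role grants.
ROLE_PERMISSIONS = {
    "developer":       {"commit_code", "build_artifact"},
    "tester":          {"approve_test_results"},
    "release_manager": {"deploy_production"},
    "sysadmin":        {"manage_system_config"},
    "security_admin":  {"manage_user_access"},
    "helpdesk":        {"reset_user_password"},
    # A badly designed role: it conflicts with itself.
    "devops":          {"commit_code", "deploy_production"},
}

# Constructed: permission pairs that must never be held by one person,
# with the conflict of interest each pair represents.
SOD_CONFLICTS = {
    frozenset({"commit_code", "approve_test_results"}): "developer testing own code",
    frozenset({"commit_code", "deploy_production"}): "developer updating production",
    frozenset({"build_artifact", "deploy_production"}): "same person builds and deploys",
    frozenset({"manage_user_access", "manage_system_config"}): "security admin is also system admin",
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of everything the given roles grant; an unknown role raises KeyError."""
    perms = set()
    for role in roles:
        perms |= role_permissions[role]
    return perms


def find_violations(roles, conflicts=SOD_CONFLICTS, role_permissions=ROLE_PERMISSIONS):
    """Conflict pairs fully covered by the combined permissions of `roles`.

    The union is what matters: each role may be harmless alone while the
    combination is not.
    """
    perms = effective_permissions(roles, role_permissions)
    return sorted(
        (tuple(sorted(pair)), reason)
        for pair, reason in conflicts.items()
        if pair <= perms
    )


def roles_with_internal_conflicts(conflicts=SOD_CONFLICTS, role_permissions=ROLE_PERMISSIONS):
    """Roles that violate SOD by themselves; these must be fixed in the role design."""
    return sorted(r for r in role_permissions if find_violations([r], conflicts, role_permissions))


def toxic_role_combinations(conflicts=SOD_CONFLICTS, role_permissions=ROLE_PERMISSIONS):
    """Pairs of individually clean roles that must never be assigned to one person."""
    bad = set(roles_with_internal_conflicts(conflicts, role_permissions))
    clean = sorted(r for r in role_permissions if r not in bad)
    return [(a, b) for a, b in combinations(clean, 2)
            if find_violations([a, b], conflicts, role_permissions)]


def review_assignments(assignments, conflicts=SOD_CONFLICTS, role_permissions=ROLE_PERMISSIONS):
    """Map each user holding a SOD violation to the (permission pair, reason) list."""
    report = {}
    for user, roles in assignments.items():
        violations = find_violations(roles, conflicts, role_permissions)
        if violations:
            report[user] = violations
    return report


# Constructed sample assignments.
USER_ROLES = {
    "alice": ["developer"],
    "bob":   ["developer", "release_manager"],  # two clean roles, toxic together
    "carol": ["tester", "helpdesk"],
    "dave":  ["sysadmin", "security_admin"],
    "erin":  ["devops"],                        # a single role, still a violation
}

if __name__ == "__main__":
    print("roles that conflict with themselves:", roles_with_internal_conflicts())
    print("role pairs never to co-assign:", toxic_role_combinations())
    for user, violations in review_assignments(USER_ROLES).items():
        for (first, second), reason in violations:
            print(f"{user}: {first} + {second} ({reason})")
```

In practice the two tables would be exported from the identity provider or access-management system rather than typed in, and the report is the input to the reallocation or compensating-control decision, not the decision itself.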
And remember one key fact about employees' egos: when reviewing the necessary changes, bear in mind that people often attach a lot of emotion to their permissions, and losing one can feel like a demotion. Training and awareness activities will be needed to support the organizational change.
Clearly, excessive permissions put organizations at risk. Roles need to be reviewed periodically to ensure that the business is properly supported with segregation of duties, and system privileges need to mirror the defined roles rather than drift away from them as people change jobs. Security is an increasingly important concern, and permission models need to reduce risk to a level that management is comfortable accepting.