US 12,155,666 B2
Evaluation of effective access permissions in identity and access management (IAM) systems
James Simonetti, Ashburn, VA (US); Britton Lee, Arlington, VA (US); Joseph Chen, Falls Church, VA (US); John Valin, Park Ridge, IL (US); Anika Gera, Dallas, TX (US); Nicholas Mirallegro, Arlington, VA (US); Jessica Feinstein, Arlington, VA (US); and Nicholas Kotakis, Arlington, VA (US)
Assigned to Capital One Services, LLC, McLean, VA (US)
Filed by Capital One Services, LLC, McLean, VA (US)
Filed on May 28, 2021, as Appl. No. 17/333,469.
Prior Publication US 2022/0385668 A1, Dec. 1, 2022
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/102 (2013.01) [H04L 63/101 (2013.01); H04L 63/20 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method for determining effective access permissions defined by security policies associated with a principal managed by an identity and access management (IAM) system, the method comprising:
identifying, by a policy engine, a first policy statement associated with the principal, wherein the first policy statement specifies that members of a first identity set including the principal are allowed to access a first system resource set of the IAM system;
identifying, by the policy engine, a second policy statement, wherein the second policy statement specifies that members of a second identity set are denied access to a second system resource set of the IAM system;
determining, by the policy engine, whether or not there is a shared system resource belonging to both the first system resource set and the second system resource set, and whether or not the second identity set includes the principal;
determining, by the policy engine, that the second policy statement overlaps with the first policy statement for the principal when the shared system resource belongs to the first system resource set and the second system resource set, and the second identity set includes the principal, wherein the effective access permissions associated with the principal are defined by a system resource included in the first system resource set but not included in the second system resource set;
placing, by the policy engine, when the second policy statement is determined to overlap with the first policy statement, the second policy statement into a list of policy statements associated with the first policy statement;
generating, by the policy engine, a set of effective access permissions for the principal based on the first policy statement and the list of policy statements associated with the first policy statement; and
determining an over-privileged access permission for the principal based on the set of effective access permissions without the IAM system receiving a request for accessing the first system resource set or the second system resource set of the IAM system.
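The procedure in claim 1 (allow statement, candidate deny statements, the overlap test of a shared resource plus principal membership, the per-allow list of overlapping denies, the effective set as allow resources minus overlapping deny resources, and a static over-privilege check that never waits for an access request) can be exercised with the following worked example. It is added here and is not code from the patent or from Capital One; statement names, principal names and resource names are constructed for illustration, policy statements are assumed to be already expanded into concrete identity and resource sets (real IAM policies use ARNs, wildcards and conditions, which are outside this sketch), and the "required" set passed to the over-privilege check is an assumed caller-supplied baseline, since the claim does not specify how the baseline is obtained.

```python
"""Effective-permission evaluation over allow/deny policy statements.

Added example, not the patent's or Capital One's code. Assumes statements
are pre-expanded into concrete identity and resource sets.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class PolicyStatement:
    sid: str                     # statement id (hypothetical names below)
    effect: str                  # "Allow" or "Deny"
    identities: FrozenSet[str]   # identity set the statement applies to
    resources: FrozenSet[str]    # system resource set it covers


def overlaps(allow: PolicyStatement, deny: PolicyStatement, principal: str) -> bool:
    """Claim's overlap test: the Deny's identity set includes the principal AND
    at least one resource belongs to both the Allow's and the Deny's resource set."""
    return principal in deny.identities and bool(allow.resources & deny.resources)


def attach_overlapping_denies(
    principal: str, statements: Iterable[PolicyStatement]
) -> Dict[str, List[PolicyStatement]]:
    """For every Allow whose identity set includes the principal, build the list
    of Deny statements that overlap it (the claim's per-allow 'list of policy
    statements'). Denies that miss on identity OR on resource are not attached."""
    stmts = list(statements)
    allows = [s for s in stmts if s.effect == "Allow" and principal in s.identities]
    denies = [s for s in stmts if s.effect == "Deny"]
    return {a.sid: [d for d in denies if overlaps(a, d, principal)] for a in allows}


def effective_permissions(principal: str, statements: Iterable[PolicyStatement]) -> Set[str]:
    """Effective access = union over Allows of (Allow resources minus the resources
    of the Denies attached to that Allow). Deny resources the Allow never granted
    subtract nothing, so a broad Deny cannot 'leak' into the result."""
    stmts = list(statements)
    by_sid = {s.sid: s for s in stmts}
    effective: Set[str] = set()
    for sid, deny_list in attach_overlapping_denies(principal, stmts).items():
        denied = set().union(*(d.resources for d in deny_list))
        effective |= by_sid[sid].resources - denied
    return effective


def over_privileged(
    principal: str, statements: Iterable[PolicyStatement], required: Iterable[str]
) -> Set[str]:
    """Resources the principal can effectively reach but is not known to need.
    Assumption: `required` is a caller-supplied baseline; the claim only says the
    check is made from the effective set, with no access request involved."""
    return effective_permissions(principal, statements) - set(required)


# Constructed sample policy, not real data.
POLICIES = [
    PolicyStatement("AllowEngineersBuckets", "Allow",
                    frozenset({"alice", "bob"}),
                    frozenset({"bucket-a", "bucket-b", "bucket-c"})),
    # Overlaps the Allow above for alice: identity matches and bucket-c is shared.
    PolicyStatement("DenyAliceC", "Deny",
                    frozenset({"alice"}), frozenset({"bucket-c", "bucket-z"})),
    # Shares bucket-b but names only carol: no overlap for alice or bob.
    PolicyStatement("DenyContractorsB", "Deny",
                    frozenset({"carol"}), frozenset({"bucket-b"})),
    # Names everyone but shares no bucket with the first Allow: no overlap there.
    PolicyStatement("DenyEveryoneDb", "Deny",
                    frozenset({"alice", "bob", "carol"}), frozenset({"db-prod"})),
    PolicyStatement("AllowBobDb", "Allow",
                    frozenset({"bob"}), frozenset({"db-prod", "db-dev"})),
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, sorted(effective_permissions(who, POLICIES)))
    print("alice over-privileged vs {bucket-a}:",
          sorted(over_privileged("alice", POLICIES, {"bucket-a"})))
```

The two negative cases in the sample matter in practice: a Deny that names the principal but shares no resource, and a Deny that shares a resource but does not name the principal, are both left off the Allow's list, exactly as the claim's two-part overlap condition requires. Because the evaluation is purely over the statements, the over-privilege report can be produced offline for every principal, before any access request reaches the IAM system.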