
Why do quarterly access reviews fail in modern enterprises?

Quarterly reviews fail because the entitlement picture changes long before the review cycle ends. By the time managers approve or reject access, users, roles, and applications may already have changed again. That makes the review a lagging compliance exercise rather than an effective control, especially in cloud-heavy and hybrid environments.

Why This Matters for Security Teams

Quarterly access reviews are still treated as a governance staple, but they are poorly matched to modern identity sprawl. Cloud permissions, service accounts, API keys, and delegated admin paths can change daily, while the review itself captures only a stale snapshot. That means teams often spend time validating yesterday’s access while the real exposure is created by today’s automation, privilege drift, and shadow entitlements. The OWASP Non-Human Identity Top 10 and NHIMG’s Ultimate Guide to NHIs both point to the same issue: static review cycles do not keep pace with dynamic identities. NHIMG research on The State of Secrets in AppSec also shows how fragmented control environments create operational blind spots, with organisations maintaining an average of 6 distinct secrets manager instances. In practice, many security teams discover toxic access combinations only after an audit exception, an incident, or an overprivileged account has already been abused.

How It Works in Practice

The failure mode is not that access reviews are useless, but that they are too coarse and too slow for how identity now works. In cloud and SaaS environments, entitlement data changes through role assignment, app integration, temporary elevation, and automation. By the time a manager or app owner approves a quarterly certification, the subject may already have moved teams, changed projects, or lost and regained access through another path. The result is a compliance artifact, not an effective control.

A stronger model combines continuous entitlement intelligence with just-in-time access and workload identity. Instead of reviewing broad standing access after the fact, teams should reduce what exists in the first place:

  • Use CISA Zero Trust Maturity Model thinking to minimise implicit trust and prefer request-time decisions.
  • Bind machine access to workload identity, such as SPIFFE SVIDs or OIDC-issued tokens, so the authorizer verifies what the workload is at request time rather than trusting a reused static secret.
  • Issue short-lived credentials per task, then revoke them automatically when the task completes.
  • Use policy-as-code and real-time evaluation so approvals reflect current context, not a spreadsheet exported weeks earlier.
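The four controls above combined into one request-time flow, as an added example (illustrative Python, not code from NHIMG, the SPIFFE project or any product named on the page). The SPIFFE IDs, the policy table, the action names and the TTLs are assumptions for illustration, and signature and issuer verification of the workload token is assumed to have happened upstream.

```python
# Added example: request-time authorization bound to workload identity, with
# per-task, short-lived grants. Illustrative code, not from NHIMG, SPIFFE or
# any product named on the page. SPIFFE IDs, actions and TTLs are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Policy-as-code: per workload identity, the allowed actions and the maximum
# grant lifetime in seconds. Evaluated on every request, never cached.
POLICY: Dict[str, Tuple[Set[str], int]] = {
    "spiffe://example.org/ns/payments/sa/billing-job": ({"db:read", "db:write"}, 900),
    "spiffe://example.org/ns/reporting/sa/nightly-report": ({"db:read"}, 300),
}


@dataclass
class Grant:
    subject: str
    action: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False

    def is_valid(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at

    def ttl_seconds(self) -> int:
        return int((self.expires_at - self.issued_at).total_seconds())


class Broker:
    """Issues per-task grants. Nothing is standing; every grant expires or is revoked."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def request(self, token: dict, action: str, ttl: int, now: datetime) -> Optional[Grant]:
        # 1. Identity comes from a verified workload token claim (signature and
        #    issuer checks are assumed to have happened upstream), not a reused secret.
        if token.get("exp", 0) <= now.timestamp():
            return None                      # the identity token itself has expired
        rule = POLICY.get(token.get("sub", ""))
        if rule is None:
            return None                      # unknown workload: default deny
        allowed, max_ttl = rule
        # 2. Policy is evaluated against the current request, not a past certification.
        if action not in allowed:
            return None
        # 3. Lifetime is capped; a caller cannot turn a task grant into standing access.
        ttl = min(ttl, max_ttl)
        grant = Grant(token["sub"], action, now, now + timedelta(seconds=ttl))
        self.grants.append(grant)
        return grant

    def task_done(self, grant: Grant) -> None:
        grant.revoked = True                 # revoke immediately, don't wait for expiry

    def active(self, now: datetime) -> List[Grant]:
        return [g for g in self.grants if g.is_valid(now)]


def demo() -> dict:
    """Walk through allowed, capped, denied and expired cases; returns the outcomes."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    broker = Broker()
    fresh = now.timestamp() + 3600
    billing = {"sub": "spiffe://example.org/ns/payments/sa/billing-job", "exp": fresh}
    report = {"sub": "spiffe://example.org/ns/reporting/sa/nightly-report", "exp": fresh}
    stranger = {"sub": "spiffe://example.org/ns/other/sa/unknown", "exp": fresh}

    write = broker.request(billing, "db:write", ttl=86400, now=now)     # asked for a day, capped to 900 s
    report_write = broker.request(report, "db:write", ttl=60, now=now)  # not in policy -> None
    unknown = broker.request(stranger, "db:read", ttl=60, now=now)      # no rule -> None
    read = broker.request(report, "db:read", ttl=60, now=now)           # allowed for 60 s

    broker.task_done(read)                                              # task finished early
    later = now + timedelta(seconds=1000)                               # past the 900 s cap
    return {
        "write_ttl": write.ttl_seconds() if write else None,
        "report_write_denied": report_write is None,
        "unknown_denied": unknown is None,
        "active_after_task_done": len(broker.active(now)),
        "active_later": len(broker.active(later)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that there is no list of standing entitlements for a reviewer to certify: the policy table is the reviewable artifact, and every live grant is bounded by a TTL and by task completion, so the state a quarterly review would inspect is empty most of the time.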

NHIMG’s NHI Lifecycle Management Guide is useful here because it frames identity as something that must be provisioned, monitored, rotated, and retired continuously. That same lifecycle logic is what quarterly reviews miss. Periodic reviews break down most visibly when access is inherited through nested groups and cross-account automation, because the effective privilege path is harder to reconstruct than the visible account list: a row that shows no direct entitlements can still reach an admin role through a group and a chain of role assumptions.
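Reconstructing that privilege path, as an added example (illustrative Python, not NHIMG’s or any vendor’s code). The directory, the cross-account role-assumption edges and the entitlement names are constructed for illustration: a service account with no directly attached entitlements reaches an admin role through a group and a chained role assumption.

```python
# Added example: reconstructing effective privilege through nested groups and
# cross-account role assumption. Illustrative code; the directory, role edges and
# entitlement names below are constructed, not taken from NHIMG or any product.
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Direct group membership (principal -> groups it belongs to).
MEMBER_OF: Dict[str, Set[str]] = {
    "alice": {"grp:dev"},
    "grp:dev": {"grp:eng"},
    "grp:eng": {"grp:all-staff"},
    "svc:ci-runner": {"grp:build"},
}
# Cross-account trust: which principals or roles may assume which roles.
ASSUME_ROLE: Dict[str, Set[str]] = {
    "grp:build": {"role:prod-deploy@acct-prod"},
    "role:prod-deploy@acct-prod": {"role:admin@acct-prod"},  # chained assumption
}
# Entitlements attached directly to a node (principal, group or role).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "grp:eng": {"repo:read"},
    "grp:all-staff": {"mail:read"},
    "role:prod-deploy@acct-prod": {"deploy:write"},
    "role:admin@acct-prod": {"iam:*"},
}


def visible_entitlements(principal: str) -> Set[str]:
    """What a per-account review row shows: only directly attached entitlements."""
    return set(ENTITLEMENTS.get(principal, set()))


def effective_privileges(principal: str) -> Tuple[Set[str], Dict[str, Optional[str]]]:
    """Breadth-first walk over membership and assume-role edges.
    Returns the union of reachable entitlements and a parent map for explaining paths."""
    parent: Dict[str, Optional[str]] = {principal: None}
    queue = deque([principal])
    ents: Set[str] = set()
    while queue:
        node = queue.popleft()
        ents |= ENTITLEMENTS.get(node, set())
        for nxt in MEMBER_OF.get(node, set()) | ASSUME_ROLE.get(node, set()):
            if nxt not in parent:          # cycle-safe: visit each node once
                parent[nxt] = node
                queue.append(nxt)
    return ents, parent


def privilege_path(principal: str, target: str) -> Optional[List[str]]:
    """The chain a reviewer needs: how principal reaches target, or None if it cannot."""
    _, parent = effective_privileges(principal)
    if target not in parent:
        return None
    path = [target]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]


if __name__ == "__main__":
    for p in ("alice", "svc:ci-runner"):
        print(p, "visible:", visible_entitlements(p), "effective:", effective_privileges(p)[0])
    print(privilege_path("svc:ci-runner", "role:admin@acct-prod"))
```

The contrast between visible_entitlements and effective_privileges is the gap a quarterly certification leaves open: the reviewer sees the first, the attacker uses the second. In a real environment the edges come from the directory, the cloud IAM trust policies and the CI/CD configuration, and the walk has to be rerun whenever any of those change.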

Common Variations and Edge Cases

Tighter review processes often increase administrative overhead, so organisations have to balance governance coverage against reviewer fatigue and delayed remediation. Best practice is evolving, and there is no universal standard for replacing quarterly reviews entirely. Some high-risk applications still need periodic human attestation, especially where regulation or segregation-of-duties rules require named approval. Even then, the review should be one layer in a broader control stack, not the primary detection mechanism.

Edge cases matter. Human user access behaves differently from service accounts, CI/CD tokens, and agentic workloads. A quarterly model might still catch obvious orphaned accounts, but it will miss short-lived privilege bursts, lateral movement through tool chains, and access that is technically approved but operationally excessive. For AI agents and autonomous systems, static review is even weaker because the agent’s action path is not fully predictable at design time. Current guidance suggests treating those identities as workload identities with runtime policy checks rather than as ordinary user accounts. NHIMG’s 52 NHI Breaches Analysis is a useful reminder that identity failures are often discovered only after exploitation, not during the next scheduled review.
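The short-lived privilege burst from the previous paragraph, as an added example (constructed snapshots and audit lines, not data from NHIMG’s 52 NHI Breaches Analysis or any real tenant; the event format and the permission names are assumptions). Two quarterly snapshots are compared the way a review would compare them, and the audit events from the quarter in between are scanned for sensitive permissions that were granted and revoked within an hour.

```python
# Added example: a quarterly snapshot diff beside a check over the audit event
# stream between the two snapshots. Snapshots and log lines are constructed for
# illustration; they are not data from NHIMG's breach analysis or any real tenant.
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Two constructed certification snapshots, one quarter apart.
SNAP_Q1: Dict[str, Set[str]] = {"svc:etl": {"s3:read"}, "bob": {"repo:read"}}
SNAP_Q2: Dict[str, Set[str]] = {"svc:etl": {"s3:read"}, "bob": {"repo:read", "db:read"}}

# Constructed audit events from the quarter in between (assumed format).
EVENTS = """\
2025-02-03T01:12:04Z GRANT  principal=svc:etl perm=iam:PassRole by=automation/deploy
2025-02-03T01:14:51Z USE    principal=svc:etl perm=iam:PassRole target=role:admin
2025-02-03T01:15:30Z REVOKE principal=svc:etl perm=iam:PassRole by=automation/deploy
2025-03-10T09:00:00Z GRANT  principal=bob perm=db:read by=manager/carol
"""


def snapshot_diff(before: Dict[str, Set[str]], after: Dict[str, Set[str]]):
    """What the review can see: standing entitlements added or removed between snapshots."""
    changes = {}
    for principal in set(before) | set(after):
        added = after.get(principal, set()) - before.get(principal, set())
        removed = before.get(principal, set()) - after.get(principal, set())
        if added or removed:
            changes[principal] = (added, removed)
    return changes


def parse_events(text: str) -> List[Tuple[datetime, str, Dict[str, str]]]:
    """Parse 'timestamp KIND key=value ...' lines into (time, kind, fields)."""
    events = []
    for line in text.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(part.split("=", 1) for part in kv)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, fields))
    return events


def privilege_bursts(events, max_hold=timedelta(hours=1), sensitive_prefixes=("iam:",)):
    """Sensitive permissions granted and revoked within max_hold: invisible to any snapshot."""
    open_grants: Dict[Tuple[str, str], datetime] = {}
    bursts = []
    for ts, kind, f in events:
        key = (f["principal"], f["perm"])
        if kind == "GRANT":
            open_grants[key] = ts
        elif kind == "REVOKE" and key in open_grants:
            held = ts - open_grants.pop(key)
            if held <= max_hold and f["perm"].startswith(sensitive_prefixes):
                bursts.append((f["principal"], f["perm"], held))
    return bursts


if __name__ == "__main__":
    print("review sees:", snapshot_diff(SNAP_Q1, SNAP_Q2))
    print("event stream sees:", privilege_bursts(parse_events(EVENTS)))
```

The diff does its job for bob’s standing grant, which is the class of change a quarterly review is designed to catch. The three-minute iam:PassRole window for svc:etl leaves no trace in either snapshot; it is only recoverable from the event stream, which is why the detection has to run continuously rather than at the next certification.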

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Quarterly reviews fail when NHI ownership and visibility are stale.
NIST CSF 2.0 | PR.AA-05 | Continuous identity governance is needed where periodic review lags reality.
NIST Zero Trust Architecture (SP 800-207) | | Zero Trust requires request-time authorization, not delayed certification.

Inventory all non-human identities continuously and tie each to an accountable owner.