Why do user access reviews often miss the access that matters most?

They miss the access that matters most when the programme is built around calendar cadence instead of identity risk. Quarterly reviews can certify old entitlements, but they often overlook accounts that are unowned, rarely used, or inherited through indirect paths. High-risk access changes faster than the review schedule, so the control has to be more targeted.

Why This Matters for Security Teams

User access reviews often fail because they are designed to validate the existence of access, not the risk created by that access. A clean review can still miss service accounts, inherited entitlements, stale API keys, and indirect access paths that are invisible in a spreadsheet-style certification process. That gap matters because the most damaging access is often the least obvious: dormant credentials, over-scoped roles, and accounts nobody “owns” operationally.

NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which makes any review process incomplete from the start. The problem is not just human oversight. It is a control design issue. Reviews that happen on a fixed cadence cannot keep pace with privilege changes, automation sprawl, or credentials embedded in pipelines and applications. The Ultimate Guide to NHIs also highlights how quickly NHI exposure grows when lifecycle management is weak.

Current guidance across identity programmes increasingly favours risk-based review scoping, but there is no universal standard for this yet. In practice, many security teams discover the access that matters most only after an incident forces a search through logs, vaults, and application configs, rather than through intentional access certification.

How It Works in Practice

Effective access reviews start by separating all access into risk tiers instead of treating every entitlement as equally important. High-risk access should be reviewed on a shorter cycle, with special attention to privileged roles, externally exposed accounts, machine identities, and indirect permissions inherited through groups or automation. For NHIs, the review has to include where the credential is used, who can rotate it, and whether the account still serves a live workload. That is the core lesson in the NHI Lifecycle Management Guide.

Practitioners should pair certification with telemetry, because access reviews are stronger when supported by recent usage, last-seen data, token age, and owner validation. The OWASP Non-Human Identity Top 10 is useful here because it frames stale credentials, excessive privilege, and poor secret hygiene as concrete attack paths rather than administrative issues. A review that cannot answer “who uses it, how often, and for what purpose” is usually only checking documentation, not actual exposure.

  • Review by risk, not by calendar alone.
  • Use usage telemetry to flag dormant and unusual access.
  • Require an accountable owner for every service account and secret.
  • Trace indirect entitlements, including inherited group membership and CI/CD access.
  • Revoke or rotate access immediately when ownership is unclear or usage is absent.

For human access, this often means tying reviews to role criticality and recent activity. For NHI access, it means validating the credential lifecycle and downstream dependencies before removal. These controls tend to break down in large hybrid environments because entitlement data is fragmented across IAM, PAM, cloud consoles, and application-specific accounts.
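As an added illustration of the risk tiering and telemetry checks described in this section (not code from NHIMG or the guides it cites), the script below scores a constructed entitlement inventory on the signals listed above: accountable owner, last-seen usage, credential age, privilege level, external exposure and indirect group paths. Field names, thresholds, tier labels and principals are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Fixed review date for the sample; the 90-day and 180-day thresholds below are assumptions.
REVIEW_DATE = date(2024, 6, 30)

@dataclass
class Entitlement:
    principal: str
    kind: str                    # "human" or "nhi"
    privilege: str               # "admin", "write" or "read"
    owner: Optional[str]         # None: nobody is accountable for it
    last_used: Optional[date]    # from usage telemetry; None: never seen
    credential_age_days: int     # token or key age, relevant for NHIs
    via_group: Optional[str]     # inherited path (group, CI/CD role), if any
    externally_exposed: bool = False

def review_flags(e: Entitlement, today: date = REVIEW_DATE) -> set:
    # Risk signals the bullet list above says a review must surface.
    flags = set()
    if e.owner is None:
        flags.add("unowned")
    if e.last_used is None or today - e.last_used > timedelta(days=90):
        flags.add("dormant")
    if e.privilege == "admin":
        flags.add("privileged")
    if e.externally_exposed:
        flags.add("external")
    if e.via_group:
        flags.add("indirect")
    if e.kind == "nhi" and e.credential_age_days > 180:
        flags.add("stale-credential")
    return flags

def review_tier(flags: set) -> str:
    # Unclear ownership or absent usage is acted on now; other high-risk signals get a shorter cycle.
    if flags & {"unowned", "dormant"}:
        return "immediate"     # revoke or rotate, then certify what remains
    if flags & {"privileged", "external", "indirect", "stale-credential"}:
        return "short-cycle"
    return "standard"

# Constructed sample inventory (fictional principals, not real data).
SAMPLE = [
    Entitlement("alice", "human", "read", "it-ops", date(2024, 6, 20), 30, None),
    Entitlement("ci-deploy-svc", "nhi", "admin", None, date(2023, 12, 1), 400, "cloud-admins", externally_exposed=True),
    Entitlement("bob", "human", "admin", "sec-eng", date(2024, 6, 28), 10, "platform-admins"),
]
```

Running `review_tier(review_flags(e))` over `SAMPLE` queues the unowned, dormant service account for immediate action, puts the admin inherited via a group on the short cycle, and leaves the owned, recently used read-only entitlement on the standard sweep.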

Common Variations and Edge Cases

Tighter review scope often increases operational overhead, requiring organisations to balance deeper validation against reviewer fatigue and system complexity. That tradeoff is especially real when access is inherited through nested groups, shared service accounts, or platform abstractions that hide the true principal behind a friendly label.

Best practice is evolving toward continuous or event-driven review for the highest-risk access, but there is no universal standard for this yet. Some environments only need stronger sampling and better ownership assignment; others need automated detection of risky changes between certification cycles. The 52 NHI Breaches Analysis shows why this matters: when identities are not fully visible, access reviews tend to bless what is documented while missing what is operationally active.

Edge cases include break-glass accounts, third-party access, and machine identities used by ephemeral workloads. These should not be handled like ordinary user entitlements. They need separate review rules, tighter expiry, and evidence that the access is still required for a specific function. Otherwise, the review process becomes a compliance exercise that preserves hidden privilege instead of reducing it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Addresses visibility gaps that cause important access to be missed. |
| NIST CSF 2.0 | PR.AA-01 | Identity management depends on knowing who or what has active access. |
| NIST AI RMF | | Risk-based governance supports prioritising the access that changes fastest. |

Use AI RMF governance to prioritise review effort by risk, impact, and change rate.