Access reviews fail because teams can only certify what they can see. If applications, service accounts, or privileged entitlements are missing from discovery, the review produces a clean-looking result that still leaves unmanaged access in place. Discovery coverage is therefore a prerequisite for trustworthy recertification, not a separate administrative task.
Why This Matters for Security Teams
Access reviews only work when the inventory behind them is complete. If the review scope misses service accounts, dormant applications, cloud roles, or machine credentials, the process can still produce a tidy certification while unmanaged access remains active. That creates false confidence, especially in environments where NHI sprawl is already accelerating through automation, SaaS adoption, and cloud-native pipelines. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks treats discovery as a control dependency, not a housekeeping task, because incomplete visibility makes every downstream review less trustworthy. The same gap shows up in the OWASP Non-Human Identity Top 10, which highlights discovery and lifecycle issues as a recurring source of exposure.
The practical problem is that reviewers certify what they can see, not what exists. In large estates, the hidden items are often the most dangerous: old API keys, orphaned workloads, indirect entitlements, and accounts created outside standard onboarding. In practice, many security teams encounter unmanaged access only after an incident review reveals that the access review never had full scope in the first place.
How It Works in Practice
A trustworthy recertification cycle begins with discovery coverage, then moves to normalization, ownership mapping, and evidence-based review. The discovery layer should collect identities from cloud control planes, directories, CI/CD systems, SaaS platforms, and secrets stores, then reconcile duplicates and aliases into one inventory. NHI Management Group’s NHI Lifecycle Management Guide emphasizes that an identity can only be governed if it is first identified, classified, and tied to a responsible owner.
At the review stage, teams should separate direct entitlements from inherited access, because inherited role membership can hide the real blast radius. Evidence should show:
- which systems were in scope for discovery
- which identities were mapped to each system
- which entitlements were direct, inherited, or transitive
- what change occurred after certification, not just who clicked approve
Best practice is evolving toward continuous discovery plus continuous review rather than annual or quarterly snapshots. That aligns with the intent of the OWASP NHI guidance and with security programs that use policy-as-code to flag newly discovered identities before the next certification window. Where discovery feeds are weak, the review simply becomes a confirmation of the known estate, not an assurance over the real one.
These controls tend to break down in multi-account cloud environments and federated SaaS estates because ownership metadata is inconsistent, identities are duplicated across platforms, and shadow systems sit outside the discovery pipeline.
Common Variations and Edge Cases
Tighter discovery often increases operational overhead, requiring organisations to balance review speed against coverage. That tradeoff matters because some environments cannot achieve perfect central discovery before they begin governing access, especially during mergers, rapid platform expansion, or legacy modernization. Current guidance suggests starting with the highest-risk identities first, then expanding coverage iteratively rather than waiting for an impossible complete inventory.
Edge cases usually appear where identity relationships are indirect. A service account may not look privileged on its own, but it may inherit access through a CI/CD runner, vault policy, or cloud workload role. Similarly, a low-visibility application may create no direct entitlements yet still authorize access through an embedded key or delegated token. The Top 10 NHI Issues and the 52 NHI Breaches Analysis both reinforce a consistent pattern: missed discovery is often the root cause behind “successful” reviews that later prove incomplete.
For organisations prioritizing remediation, the rule is simple. Treat missing discovery results as a control failure, not as an empty scope. If a system cannot be discovered, it cannot be recertified with confidence, and if an identity cannot be tied to an owner, it should be escalated until the inventory is corrected.
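As an added illustration of the discovery, reconciliation and review steps described under "How It Works in Practice", and of the rule that an empty discovery result is a control failure rather than an empty scope, the following Python is example code written for this page (not the guide's or any product's); the feed layout, role graph, identity names and owner labels are all constructed assumptions.

```python
"""Added example (constructed, not the guide's own code): reconcile
discovery feeds into one inventory, classify entitlement paths, and flag
coverage gaps as control failures. All names and feed shapes are assumptions."""
from collections import defaultdict

# Constructed discovery feeds: system -> [(alias, canonical id, owner or None)]
FEEDS = {
    "cloud-iam": [("ci-runner-prod", "nhi-001", "platform-team"),
                  ("svc-billing", "nhi-002", None)],            # no owner recorded
    "vault": [("ci_runner_prod", "nhi-001", "platform-team")],  # alias of nhi-001
    "saas-crm": [],                                             # feed returned nothing
}
# Constructed role graph: entitlement -> members (identities or other entitlements)
ROLE_MEMBERS = {
    "deployer-role": {"nhi-001"},        # held directly by the CI runner identity
    "prod-admin": {"deployer-role"},     # inherited through deployer-role
    "secrets-read": {"prod-admin"},      # transitive: prod-admin -> deployer-role
    "billing-read": {"nhi-002"},
}

def reconcile(feeds):
    """Merge aliases from every feed into one inventory keyed by canonical id."""
    inv = defaultdict(lambda: {"aliases": set(), "systems": set(), "owner": None})
    for system, rows in feeds.items():
        for alias, canon, owner in rows:
            inv[canon]["aliases"].add(alias)
            inv[canon]["systems"].add(system)
            inv[canon]["owner"] = inv[canon]["owner"] or owner
    return dict(inv)

def entitlement_paths(identity, roles):
    """Walk role membership outward: depth 0 = direct, 1 = inherited, 2+ = transitive."""
    paths, frontier, depth = {}, {identity}, 0
    while frontier:
        nxt = set()
        for ent, members in roles.items():
            if members & frontier and ent not in paths:
                paths[ent] = ("direct", "inherited", "transitive")[min(depth, 2)]
                nxt.add(ent)
        frontier, depth = nxt, depth + 1
    return paths

def coverage_findings(feeds, inventory):
    """An empty feed is a control failure, not an empty scope; unowned identities escalate."""
    out = [f"CONTROL_FAILURE: {s} returned no identities" for s, r in feeds.items() if not r]
    out += [f"ESCALATE: {i} has no owner" for i, e in inventory.items() if e["owner"] is None]
    return out
```

Running `coverage_findings(FEEDS, reconcile(FEEDS))` reports the silent `saas-crm` feed and the unowned `nhi-002`, which is exactly the evidence a reviewer needs before certifying anything.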
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery gaps directly undermine NHI inventory and ownership controls. |
| NIST CSF 2.0 | ID.AM-1 | Asset management fails when identities and systems are not fully inventoried. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege review depends on knowing all active entitlements and paths. |
Maintain a continuously updated asset and identity inventory as the basis for access governance.