Access reviews test whether an identity should keep an entitlement, which is a governance decision tied to role, risk, and compliance. SaaS management can tell you whether an app is being used, but it cannot certify whether access is appropriate. That decision belongs in the IGA control plane.
Why This Matters for Security Teams
Access reviews are not an app inventory exercise. They are a governance control that asks whether an entitlement is still justified by role, risk, and business need. SaaS management can show whether a license is active or whether an application is being used, but usage alone does not certify appropriateness. That distinction matters because stale access is often discovered only after a breach, audit finding, or access sprawl review.
For security teams, the real issue is control ownership. Identity governance programs are designed to evaluate entitlements across systems, while SaaS tools are typically optimized for subscription, spend, and adoption reporting. Those are related signals, but they answer different questions. When access reviews are pushed into SaaS management, organisations often lose the policy layer that makes approvals defensible and repeatable. Current guidance from the NIST Cybersecurity Framework 2.0 supports governance processes that tie access decisions to accountability, not just activity. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives also frames identity review as a control-plane function, not a software-usage report.
In practice, many security teams encounter entitlement drift only after a user, service account, or non-human identity has already retained access long after the original need expired.
How It Works in Practice
Effective access reviews start with identity data, entitlement data, and approval context. The reviewer should see who the identity is, what it can access, why that access exists, when it was last validated, and whether the business owner still accepts the risk. That workflow belongs in identity governance because it is fundamentally about authorization, recertification, and exception handling.
SaaS management may still contribute useful inputs. It can surface dormant applications, unused licenses, unusual login patterns, and disconnected app-owner records. Those signals help prioritise reviews, but they should not replace the review itself. The operational model is straightforward:
- Use SaaS data to identify candidates for review, not to approve access.
- Use identity governance to route recertification to the right owner or manager.
- Require explicit decisions for retain, reduce, or revoke.
- Attach evidence of business justification, not just activity telemetry.
- Feed outcomes back into entitlement catalogs, role models, and policy exceptions.
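The five steps above can be expressed as a small recertification workflow. The following is an added illustration written for this page, not NHIMG's tooling or any IGA product's API: the entitlement records, dates, owner names and the 90-day/60-day windows are constructed assumptions. It keeps the SaaS usage signal (`last_used`) as a prioritisation input only, routes each item to the accountable owner, rejects decisions that lack an explicit business justification or come from someone other than the reviewer of record, and feeds the result back into the catalog as an update or a revocation action.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    RETAIN = "retain"
    REDUCE = "reduce"
    REVOKE = "revoke"


@dataclass(frozen=True)
class Entitlement:
    identity: str               # human user, service account, or OAuth app
    app: str
    role: str
    owner: str                  # business owner accountable for this access
    justification: str          # why the access exists
    last_validated: date        # last recertification
    last_used: Optional[date]   # SaaS-management telemetry: prioritises, never decides


@dataclass(frozen=True)
class Evidence:
    reviewer: str
    justification: str          # business reason; "still being used" is not one
    owner_accepts_risk: bool


@dataclass(frozen=True)
class Outcome:
    entitlement: Entitlement
    decision: Decision
    evidence: Evidence
    new_role: Optional[str] = None   # only meaningful for REDUCE


def select_candidates(entitlements, today, recert_window=timedelta(days=90),
                      dormant_after=timedelta(days=60)):
    """Step 1: everything past its recertification window is reviewed; dormant
    usage (the SaaS signal) only moves an item to the front of the queue."""
    due = [e for e in entitlements if today - e.last_validated >= recert_window]

    def dormant(e):
        return e.last_used is None or today - e.last_used >= dormant_after

    return sorted(due, key=lambda e: (not dormant(e), e.identity))


def route(entitlement):
    """Step 2: governance routes the item to the accountable owner."""
    return entitlement.owner


def certify(entitlement, decision, evidence, new_role=None):
    """Steps 3 and 4: an explicit retain/reduce/revoke decision from the reviewer
    of record, backed by a business justification rather than telemetry."""
    if evidence.reviewer != route(entitlement):
        raise PermissionError(f"{evidence.reviewer} is not the reviewer of record")
    if decision in (Decision.RETAIN, Decision.REDUCE):
        if not evidence.justification.strip():
            raise ValueError("retain/reduce requires a business justification")
        if not evidence.owner_accepts_risk:
            raise ValueError("owner must explicitly accept the residual risk")
    if decision is Decision.REDUCE and not new_role:
        raise ValueError("reduce requires the narrower role to move to")
    return Outcome(entitlement, decision, evidence, new_role)


def apply_outcomes(catalog, outcomes, today) -> Tuple[List[Entitlement], list]:
    """Step 5: feed decisions back into the entitlement catalog and emit the
    actions the provisioning system must carry out."""
    updated = {(e.identity, e.app): e for e in catalog}
    actions = []
    for o in outcomes:
        key = (o.entitlement.identity, o.entitlement.app)
        if o.decision is Decision.REVOKE:
            updated.pop(key, None)
            actions.append(("revoke", *key, o.entitlement.role))
        elif o.decision is Decision.REDUCE:
            updated[key] = replace(o.entitlement, role=o.new_role, last_validated=today,
                                   justification=o.evidence.justification)
            actions.append(("reduce", *key, o.new_role))
        else:
            updated[key] = replace(o.entitlement, last_validated=today,
                                   justification=o.evidence.justification)
    return list(updated.values()), actions


# Constructed sample catalog (hypothetical identities, apps and owners).
TODAY = date(2026, 3, 1)
CATALOG = [
    Entitlement("alice", "crm", "admin", "sales-lead", "territory reporting",
                date(2025, 6, 1), date(2026, 2, 27)),
    Entitlement("svc-billing", "erp", "read-write", "finance-lead", "nightly invoice sync",
                date(2025, 10, 1), None),
    Entitlement("bob", "crm", "viewer", "sales-lead", "onboarding", date(2026, 1, 15),
                date(2026, 2, 20)),
]


def run_example():
    """Run one review cycle over the sample catalog and return the new catalog
    plus the revocation/reduction actions it produced."""
    candidates = select_candidates(CATALOG, TODAY)   # svc-billing (dormant) then alice
    outcomes = [
        certify(candidates[0], Decision.REVOKE,
                Evidence("finance-lead", "no current business need", False)),
        certify(candidates[1], Decision.REDUCE,
                Evidence("sales-lead", "reporting only, admin no longer required", True),
                new_role="analyst"),
    ]
    return apply_outcomes(CATALOG, outcomes, TODAY)
```

Note that `bob` is never queued: his entitlement was validated 45 days ago, and recent usage would not have put him in the queue either, because usage only orders the candidates that recertification policy has already selected.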
This separation matters even more for NHIs, where access can be granted through OAuth apps, API keys, service accounts, or automation pipelines. NHIMG’s Top 10 NHI Issues and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both emphasize that lifecycle control must include review, not just provisioning.
NHIMG’s The 2026 Infrastructure Identity Survey found that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, which underscores how quickly entitlement creep becomes normalised when reviews are treated as operational hygiene instead of governance. These controls tend to break down in distributed SaaS estates with weak ownership metadata because no one can reliably answer who should approve or revoke access.
Common Variations and Edge Cases
Tighter governance often increases review overhead, requiring organisations to balance auditability against reviewer fatigue and business speed. That tradeoff is real, especially when a company has hundreds of SaaS apps, decentralised purchasing, or mixed human and non-human identities.
Best practice is evolving, but current guidance suggests that the review mechanism should match the risk of the entitlement. High-risk admin roles, privileged integrations, and external-facing OAuth grants need stronger recertification than low-risk productivity apps. For some low-risk SaaS subscriptions, periodic usage checks may help prioritise cleanup, but they still do not satisfy an access certification requirement on their own. That is where SaaS management and identity governance should connect, not compete.
There are also edge cases where review ownership is not obvious. Shared service accounts, contractor access, app-to-app OAuth grants, and machine identities often fall between IT, procurement, and security. In those cases, the review authority should be defined in policy, not inferred from who bought the software. The OWASP Non-Human Identity Top 10 is useful here because it reinforces that identity risk is about credential and entitlement control, not just application ownership.
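The two points made in the preceding paragraphs, that the review mechanism should match the entitlement's risk and that review authority should come from policy rather than from who bought the software, can be combined into one planning step. This is an added example written for this page and not NHIMG's or any vendor's implementation; the policy table, the 30-day and 180-day cadences, and the identity and team names are constructed assumptions. Usage checks appear only as a cleanup aid for low-risk grants and never satisfy the certification requirement on their own.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Tier(Enum):
    HIGH = "high"
    LOW = "low"


@dataclass(frozen=True)
class Grant:
    identity: str
    kind: str                       # "human", "shared-service-account", "contractor",
                                    # "oauth-app" or "machine"
    app: str
    role: str
    external_facing: bool           # e.g. an OAuth grant to a third-party application
    business_owner: Optional[str]   # recorded owner; often missing in SaaS estates
    purchaser: str                  # who bought the subscription (never the reviewer)


@dataclass(frozen=True)
class ReviewPlan:
    tier: Tier
    reviewer: str
    recert_every_days: int
    usage_check_every_days: Optional[int]   # prioritisation aid only


ADMIN_ROLES = {"admin", "owner", "global-admin"}

# Constructed policy: review authority for identities that otherwise fall
# between IT, procurement and security is defined here, not inferred.
REVIEW_AUTHORITY = {
    "shared-service-account": "platform-security",
    "contractor": "vendor-management",
    "oauth-app": "identity-governance",
    "machine": "platform-security",
}
UNOWNED_QUEUE = "governance-escalation"

# Constructed cadences: (recertification interval, usage-check interval).
CADENCE = {Tier.HIGH: (30, None), Tier.LOW: (180, 30)}


def classify(grant: Grant) -> Tier:
    """Admin roles, external-facing grants and app-to-app OAuth grants are
    high risk; everything else is low risk in this illustration."""
    if grant.role in ADMIN_ROLES or grant.external_facing or grant.kind == "oauth-app":
        return Tier.HIGH
    return Tier.LOW


def resolve_reviewer(grant: Grant) -> str:
    """Policy first; a human grant with no recorded business owner is escalated
    rather than defaulted to the purchaser."""
    if grant.kind in REVIEW_AUTHORITY:
        return REVIEW_AUTHORITY[grant.kind]
    if grant.business_owner:
        return grant.business_owner
    return UNOWNED_QUEUE


def plan_review(grant: Grant) -> ReviewPlan:
    tier = classify(grant)
    recert, usage = CADENCE[tier]
    return ReviewPlan(tier, resolve_reviewer(grant), recert, usage)


def certification_current(plan: ReviewPlan, days_since_recert: int) -> bool:
    """Only a recertification inside its window counts; a recent usage check
    is deliberately not an input to this decision."""
    return days_since_recert <= plan.recert_every_days


def usage_check_due(plan: ReviewPlan, days_since_usage_check: int) -> bool:
    return plan.usage_check_every_days is not None and \
        days_since_usage_check > plan.usage_check_every_days


# Constructed sample grants.
GRANTS = [
    Grant("sync-bot", "oauth-app", "crm", "read-write", True, None, "sales-ops"),
    Grant("carol", "human", "wiki", "viewer", False, None, "procurement"),
    Grant("dave", "human", "crm", "admin", False, "ops-lead", "procurement"),
    Grant("svc-reports", "shared-service-account", "bi", "read-write", False, None, "finance"),
]


def plan_all() -> Dict[str, ReviewPlan]:
    return {g.identity: plan_review(g) for g in GRANTS}
```

For `carol`, the only known party is procurement, so the plan routes her grant to the escalation queue instead of treating the purchaser as the approver; for `svc-reports` the reviewer comes from the policy table even though the grant itself is low risk.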
For organisations with mature IGA, the practical test is simple: if the question is “should this identity still have this access?”, the answer belongs in governance. If the question is “which apps are installed and being used?”, SaaS management is the right tool.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access reviews are an identity governance access-control activity. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers weak lifecycle controls and stale non-human entitlements. |
| NIST AI RMF | Govern function | Requires accountable oversight for access decisions. |
Route entitlement recertification through governance and revoke access that lacks current business need.
Related resources from NHI Mgmt Group
- How should organisations govern SaaS licenses alongside identity access reviews?
- How should identity teams connect incident management with access governance?
- Why do SaaS management tools matter to identity governance programmes?
- What breaks when access management is separated from identity governance?