Access reviews are working only if they remove stale privileges before they become usable in production. Good signals include fewer dormant service accounts, faster revocation after role or workflow changes, and audit logs that consistently match approved principals to real activity. If reviews happen but access patterns do not change, the process is cosmetic.
Why This Matters for Security Teams
Salesforce access reviews only matter if they change what can actually be used, not just what is recorded as approved. For NHIs, dormant OAuth grants, service accounts, and integration users can remain active long after the business owner thinks they have been removed. That creates a gap between governance evidence and real exposure, especially when reviews are periodic but the environment changes continuously.
Industry research shows how common that gap is: only 5.7% of organisations have full visibility into their service accounts, and 91.6% of secrets remain valid five days after notification, which is long enough for stale access to be abused. The pattern is well documented in the Ultimate Guide to NHIs and aligns with the access-control concerns raised in the OWASP Non-Human Identity Top 10.
In practice, many security teams discover that a review was cosmetic only after an integration starts using an entitlement that should have been removed weeks earlier.
How It Works in Practice
To know whether Salesforce access reviews are working, security teams need evidence of revocation, not just evidence of completion. The core test is whether approved principals still match the principals seen in logs, API activity, connected app grants, and delegated admin paths. If the review says an account should be removed, that change should propagate into Salesforce permissions, connected application scopes, and any upstream identity source that can recreate the access.
Good practice is to tie each review to a measurable control outcome:
- compare approved principals against active users, integration users, and OAuth-connected apps;
- verify that removed access disappears from audit logs and login history;
- check that role changes trigger revocation or re-certification within a defined SLA;
- confirm dormant principals are disabled, not merely annotated as reviewed;
- measure whether reappearing access is blocked by upstream policy, not manually cleaned up later.
This becomes much stronger when the identity source of truth is paired with runtime controls. The NHI Lifecycle Management Guide explains why lifecycle events matter more than annual attestations, while the CISA identity management guidance reinforces the need for continuous validation and least privilege. Where Salesforce is connected to SaaS apps, OAuth visibility is critical because an approved review may still leave a token or app grant alive outside the main user record. That is why many teams also map their process to OWASP Non-Human Identity Top 10 controls around lifecycle, secrets, and privilege reduction.
The process breaks down when Salesforce is treated as the only system of record, because connected apps, API tokens, and delegated integrations can preserve effective access after the visible account has been reviewed.
Common Variations and Edge Cases
Tighter review controls often increase operational overhead, requiring organisations to balance revocation speed against the risk of interrupting business-critical automations. Best practice is evolving, and there is no universal standard for how often every Salesforce entitlement should be re-certified.
One common edge case is the integration user that appears low risk but actually drives downstream automation. Another is an OAuth app that survives the review because the human sponsor approved the user while ignoring the app-level grant. A third is delegated administration, where a removed reviewer can still recreate access through a linked process. In those cases, the review may look successful on paper while the effective permission path remains intact.
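As an added example (not code from this page or from NHI Mgmt Group), the Python script below applies the checks listed under How It Works in Practice and catches the surviving OAuth grant edge case described above: it reconciles review decisions against constructed snapshots of active users, connected app grants, and login history, and reports every place where approved state and observed state disagree. All principals, app names, dates, and the 5-day revocation SLA and 90-day dormancy threshold are assumed values.

```python
from datetime import datetime

# Constructed review decisions and environment snapshot (hypothetical data,
# not a real Salesforce export): principal -> (decision, approval date).
REVIEW = {
    "svc-billing@example.com": ("remove", "2024-03-01"),
    "int-marketing@example.com": ("keep", "2024-03-01"),
    "svc-legacy-sync@example.com": ("keep", "2024-03-01"),
}
ACTIVE_USERS = {"svc-billing@example.com", "int-marketing@example.com",
                "svc-legacy-sync@example.com"}
OAUTH_GRANTS = [  # (user, connected app) pairs that still hold a live token
    ("svc-billing@example.com", "LegacyETL"),
    ("int-marketing@example.com", "MarketingHub"),
]
LAST_LOGIN = {  # most recent login-history timestamp per principal
    "int-marketing@example.com": "2024-03-10",
    "svc-legacy-sync@example.com": "2023-10-02",
}


def review_findings(review, active_users, oauth_grants, last_login, as_of,
                    sla_days=5, dormant_days=90):
    """Return (principal, issue) pairs where approved state and observed state
    disagree; an empty list means the review actually changed the environment."""
    as_of_dt = datetime.fromisoformat(as_of)
    findings = []
    for principal, (decision, approved_on) in review.items():
        approved_dt = datetime.fromisoformat(approved_on)
        last = last_login.get(principal)
        last_dt = datetime.fromisoformat(last) if last else None
        if decision == "remove":
            # Removal must reach the user record, app grants, and login activity.
            if principal in active_users:
                late = (as_of_dt - approved_dt).days > sla_days
                findings.append((principal, "still_active_past_sla" if late
                                 else "still_active_within_sla"))
            for user, app in oauth_grants:
                if user == principal:
                    findings.append((principal, f"oauth_grant_survives:{app}"))
            if last_dt and last_dt > approved_dt:
                findings.append((principal, "login_after_removal"))
        elif last_dt is None or (as_of_dt - last_dt).days > dormant_days:
            # A certified "keep" with no recent activity is standing, unused access.
            findings.append((principal, "dormant_but_certified"))
    return findings
```

Feeding the function real exports (user list, connected app OAuth usage, login history) in the same shapes turns the attestation record into a revocation test that can be run on every lifecycle event rather than once a year.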
Security teams should treat a review as effective only when it produces durable state change and measurable reduction in standing access. The 52 NHI Breaches Analysis and the Salesloft OAuth token breach both show how quickly OAuth-based access can be abused when reviews do not remove live credentials. That is why current guidance suggests testing revocation outcomes, not just attestation completion, especially in environments with many third-party apps and shared service identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers stale NHI credentials and access that survive reviews. |
| NIST CSF 2.0 | PR.AC-4 | Supports least-privilege access review and revocation verification. |
| NIST AI RMF | Provides governance language for continuous monitoring and accountability. | Use AI RMF-style governance to require measurable, ongoing evidence that access decisions remain correct. |