Quarterly cycles only see a snapshot, so they miss the drift that happens between review windows. By the time reviewers look, access may already have been wrong for months. Review fatigue makes the problem worse because large batches encourage superficial approvals instead of informed decisions about whether access still matches the job.
Why Quarterly Reviews Miss the Real Risk
Quarterly access reviews are built for governance reporting, not for tracking privilege drift in live environments. They capture a point-in-time view, then leave a long gap in which access accumulates, roles change, service accounts are repurposed, and standing privileges go untouched. That is a poor fit for modern identity estates where risk changes faster than the review calendar.
This matters because privilege risk is usually created by small changes that look harmless in isolation: a temporary exception becomes permanent, a contractor changes teams, or an account retains access after a project ends. NHIMG’s Ultimate Guide to NHIs notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which is a strong indicator of why stale access persists long after it should have been removed. Current guidance from the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both point toward continuous visibility and ongoing access control rather than periodic checkbox reviews. In practice, many security teams discover excessive privilege only after an incident review reveals that the access had been wrong for months.
How Continuous Controls Expose Drift Between Review Cycles
The practical fix is to move from static review ceremonies to controls that evaluate access in context and at the moment it is used. Quarterly attestations can still serve as governance evidence, but they should not be the primary mechanism for risk detection. The better model combines identity inventory, usage telemetry, and policy enforcement so that suspicious entitlements are surfaced as they emerge.
For human users, this usually means tying reviews to role changes, inactive accounts, privileged session activity, and exceptions that outlive their approval window. For NHIs, the pattern is even more brittle: secrets age, service accounts outlast the workloads that created them, and API keys are frequently copied into code or automation tools. NHIMG’s NHI Lifecycle Management Guide is useful here because lifecycle events are where privilege should be created, reduced, or revoked, not just audited later. The underlying principle is aligned with NIST CSF 2.0: identify, protect, detect, and respond should work together, with detection feeding remediation instead of waiting for the next quarterly cycle.
- Use access reviews to confirm ownership and business justification, not to discover every violation for the first time.
- Pair reviews with automated signals such as last-used timestamps, privilege elevation logs, and entitlement changes.
- Revoke or shrink access when a role, project, or workload changes, rather than leaving it in place until the next review.
- Prioritise high-risk identities first, especially admin users, service accounts, and externally exposed NHIs.
This breaks down in organisations that lack identity telemetry, because there is no reliable signal to tell whether access is still being used, still needed, or already exploitable.
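The following is an added example, not code from NHIMG, NIST or OWASP, of the drift-detection job the list above describes: it joins an identity inventory with usage telemetry and lifecycle events, applies the rules (expired exceptions, role changes, orphaned service accounts, inactivity, secret age, missing ownership), and prioritises admin-level and externally exposed identities. The thresholds, field names and sample identities are assumptions and constructed data, not values from any real environment.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic; a real job would use datetime.now(timezone.utc).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)        # assumed inactivity threshold
SECRET_MAX_AGE = timedelta(days=180)    # assumed rotation threshold for NHI secrets
HIGH_RISK = {"admin", "iam:*", "db:superuser"}  # assumed entitlements that warrant priority


@dataclass
class Identity:
    name: str
    kind: str                                   # "human" or "nhi"
    entitlements: set[str]
    owner: str | None = None
    role: str | None = None                     # humans: current job role
    workload: str | None = None                 # NHIs: workload that owns the credential
    exception_expires: datetime | None = None   # approval window for a temporary grant
    secret_created: datetime | None = None      # NHIs: when the key/secret was issued
    external: bool = False                      # reachable from outside the org boundary


@dataclass
class Finding:
    identity: str
    reason: str
    severity: int      # 1-5, higher = remediate first
    action: str


def evaluate(identities, last_used, events):
    """Combine inventory, usage telemetry and change events into prioritised findings.

    last_used: {identity name: datetime of last authenticated use}; missing = never seen.
    events: lifecycle events exported from HR/CMDB/CI (role changes, decommissions).
    """
    role_changes = {e["identity"]: e for e in events if e["type"] == "role_change"}
    decommissioned = {e["workload"] for e in events if e["type"] == "workload_decommissioned"}
    findings = []

    for ident in identities:
        # Admin-level or externally exposed identities get a severity boost so they sort first.
        boost = 1 if (ident.entitlements & HIGH_RISK or ident.external) else 0

        def add(reason, severity, action):
            findings.append(Finding(ident.name, reason, min(5, severity + boost), action))

        if ident.kind == "nhi" and ident.workload in decommissioned:
            add("workload decommissioned but credential still exists", 4, "revoke")
        if ident.exception_expires is not None and NOW > ident.exception_expires:
            add("temporary exception outlived its approval window", 4, "revoke")
        if ident.name in role_changes and ident.entitlements:
            ev = role_changes[ident.name]
            add(f"role changed {ev['from']} -> {ev['to']} with entitlements unchanged", 3,
                "re-evaluate against new role")
        seen = last_used.get(ident.name)
        if seen is None or NOW - seen > STALE_AFTER:
            add(f"no authenticated use in {STALE_AFTER.days} days", 3, "disable or shrink")
        if ident.secret_created is not None and NOW - ident.secret_created > SECRET_MAX_AGE:
            add(f"secret older than {SECRET_MAX_AGE.days} days", 2, "rotate")
        if ident.owner is None:
            add("no accountable owner recorded", 2, "assign owner before next attestation")

    # Highest severity first; ties broken by name so the output is stable.
    return sorted(findings, key=lambda f: (-f.severity, f.identity))


# Constructed sample data (not exported from any real environment).
IDENTITIES = [
    Identity("alice", "human", {"db:superuser"}, owner="alice", role="marketing"),
    Identity("bob", "human", {"prod-deploy"}, owner="bob",
             exception_expires=datetime(2025, 3, 1, tzinfo=timezone.utc)),
    Identity("carol", "human", {"repo:read"}, owner="carol", role="engineer"),
    Identity("svc-etl", "nhi", {"s3:write"}, owner="data-team", workload="batch-etl",
             secret_created=datetime(2024, 4, 1, tzinfo=timezone.utc)),
    Identity("api-partner-gw", "nhi", {"admin"}, workload="partner-gateway",
             secret_created=datetime(2025, 5, 1, tzinfo=timezone.utc), external=True),
]
LAST_USED = {
    "alice": NOW - timedelta(days=5),
    "bob": NOW - timedelta(days=2),
    "carol": NOW - timedelta(days=10),
    "svc-etl": NOW - timedelta(days=200),
    "api-partner-gw": NOW - timedelta(days=1),
}
EVENTS = [
    {"type": "role_change", "identity": "alice", "from": "dba", "to": "marketing"},
    {"type": "workload_decommissioned", "workload": "batch-etl"},
]


def report():
    """Run the rules over the sample data and print one line per finding."""
    findings = evaluate(IDENTITIES, LAST_USED, EVENTS)
    for f in findings:
        print(f"[{f.severity}] {f.identity}: {f.reason} -> {f.action}")
    return findings


if __name__ == "__main__":
    report()
```

Run as a scheduled job against daily exports, the same rules surface alice's unchanged DBA entitlements the day her role changes and svc-etl's orphaned credential the day its workload is decommissioned, instead of at the next quarterly attestation; carol, whose access matches her role and is in use, produces no finding, which is what keeps reviewer fatigue down.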
Where the Quarterly Model Still Helps, and Where It Fails
Tighter review cadence often increases administrative overhead, so organisations have to balance assurance against reviewer fatigue and operational disruption. Quarterly access reviews still have value for audit evidence, segregation of duties checks, and ownership confirmation, but best practice is evolving toward risk-based continuous review for the accounts that matter most.
The edge cases are where the simple answer fails. Long-lived shared admin accounts, third-party access, and service accounts with broad system permissions need more than a spreadsheet approval cycle. NHIMG’s Top 10 NHI Issues and the 52 NHI Breaches Analysis both reinforce the same operational lesson: excessive or stale privilege tends to hide in identities that change less visibly than humans do. One useful NHIMG data point is that 97% of NHIs carry excessive privileges, which shows why a periodic review can approve a dangerous baseline instead of correcting it. The pragmatic approach is to reserve quarterly reviews for governance, while using continuous controls to catch drift, exceptions, and misuse in real time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication and Access Control) | Access permissions, entitlements and authorizations are managed, enforced and reviewed with least privilege and separation of duties; that review should be continuous, not only quarterly. (PR.AC-4 is the CSF 1.1 reference; CSF 2.0 moved it to PR.AA.) |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Stale and excessive NHI privileges are core risks when reviews are snapshot-based. |
| NIST AI RMF | Core functions (Govern, Map, Measure, Manage) | Risk management for dynamic systems requires ongoing monitoring and governance. |
Use telemetry and change events to update access decisions before the next review cycle.