Accountability usually sits with the business owner of the data or system, supported by IAM, IGA, and compliance teams that operate the workflow and evidence trail. If access is not removed, the failure is not just administrative. It shows that entitlement governance, ownership, and remediation were not connected tightly enough to the review process.
Why This Matters for Security Teams
PCI DSS access reviews are not just a checklist exercise. When a review fails audit checks, it usually means the organisation cannot prove who approved access, who validated it, and who owned remediation. That creates a control gap across identity governance, evidence retention, and privileged access oversight, which is why auditors treat weak reviews as a governance failure rather than a paperwork issue. The baseline expectations in PCI DSS v4.0 are tightly tied to demonstrable accountability and repeatable review outcomes.
The practical risk is larger than the audit finding itself. If entitlement owners are unclear, removed access can be delayed, exceptions can become permanent, and high-risk accounts can survive multiple review cycles. NHIMG’s Ultimate Guide to NHIs shows that governance failures often begin with ambiguous ownership and incomplete lifecycle controls, not with the audit event. In practice, many security teams encounter failed access reviews only after an auditor asks for evidence, rather than through intentional entitlement cleanup.
How It Works in Practice
Accountability should be assigned to the business owner or system owner who can make the access decision, not only to the team that runs the tool. IAM, IGA, and compliance teams typically operate the workflow, collect evidence, and chase remediation, but they should not become the decision authority for business access. That distinction matters because PCI audits look for a defensible control model, not simply a completed ticket trail.
A workable access review process usually includes:
- Named ownership for each application, dataset, or cardholder-facing system.
- Reviewer attestations tied to specific entitlements, not broad role bundles.
- Documented escalation paths when access is not confirmed or removal is overdue.
- Time-bound remediation for exceptions, with proof of completion.
- Retention of review evidence that shows what was checked, by whom, and when.
This is where governance often fails in the real world. If review attestations are detached from actual entitlement inventories, reviewers can approve stale data and still appear compliant. NHIMG’s Regulatory and Audit Perspectives discussion and the Top 10 NHI Issues research both reinforce a common pattern: ownership gaps create weak evidence chains, especially when access spans multiple systems or includes non-human identities and service accounts. Aligning review operations to NIST Cybersecurity Framework 2.0 can help clarify who governs, who acts, and who proves the control. These controls tend to break down when entitlement data is stale across connected systems because reviewers are approving records that no longer match actual access.
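The reconciliation step that the process list above and the stale-inventory point depend on can be made concrete. The following Python is an added example written for this page, not code from the original guidance or from any IGA product; the record shapes (`Entitlement`, `Attestation`, `Remediation`), the identities, systems and dates are all constructed. It checks each attestation against the live entitlement inventory and flags the failure modes the text describes: entitlements with no named owner, "keep" decisions on records that no longer exist (stale data approved), "remove" decisions whose ticket was closed while the access is still live, removals past their SLA, and live entitlements nobody reviewed. It also renders the evidence lines a reviewer would retain (what was checked, by whom, when, and the accountable owner).

```python
"""Reconcile access-review attestations against a live entitlement inventory.
Added example; all records below are constructed and the schema is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Entitlement:
    identity: str          # human user or non-human identity (service account)
    system: str            # application, dataset or cardholder-facing system
    entitlement: str       # the specific permission, not a role bundle
    owner: Optional[str]   # named business/system owner; None = nobody can decide

@dataclass(frozen=True)
class Attestation:
    att_id: str
    reviewer: str
    identity: str
    system: str
    entitlement: str
    decision: str          # "keep" or "remove"
    reviewed_at: datetime

@dataclass(frozen=True)
class Remediation:
    att_id: str
    closed_at: Optional[datetime]   # None while the removal ticket is still open

def reconcile(inventory, attestations, remediations, now, sla_days=30):
    """Return sorted (finding, detail) tuples: unowned, stale_attestation,
    removal_not_effective (ticket closed but access live), overdue_removal, unreviewed."""
    live = {(e.identity, e.system, e.entitlement): e for e in inventory}
    closed = {r.att_id: r.closed_at for r in remediations}
    findings = [("unowned", f"{e.identity}@{e.system}:{e.entitlement}")
                for e in inventory if not e.owner]
    attested = set()
    for a in attestations:
        key = (a.identity, a.system, a.entitlement)
        still_live = key in live
        if a.decision == "keep":
            if not still_live:   # reviewer approved a record that no longer matches access
                findings.append(("stale_attestation", f"{a.att_id} by {a.reviewer}"))
            else:
                attested.add(key)
        elif a.decision == "remove":
            attested.add(key)
            if still_live and closed.get(a.att_id) is not None:
                findings.append(("removal_not_effective", a.att_id))
            elif still_live and now - a.reviewed_at > timedelta(days=sla_days):
                findings.append(("overdue_removal", a.att_id))
        else:
            findings.append(("invalid_decision", a.att_id))
    findings += [("unreviewed", f"{e.identity}@{e.system}:{e.entitlement}")
                 for key, e in live.items() if key not in attested]
    return sorted(findings)

def evidence_lines(attestations, inventory):
    """Retained evidence: what was checked, by whom, when, and the accountable owner."""
    owners = {(e.identity, e.system, e.entitlement): e.owner for e in inventory}
    return [f"{a.reviewed_at:%Y-%m-%d} {a.reviewer} {a.decision} "
            f"{a.identity}@{a.system}:{a.entitlement} "
            f"owner={owners.get((a.identity, a.system, a.entitlement)) or 'UNASSIGNED'}"
            for a in attestations]

# --- constructed sample data (not real identities or systems) ---
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
REVIEWED = datetime(2025, 1, 15, tzinfo=timezone.utc)
INVENTORY = [
    Entitlement("alice", "cde-db", "select", "payments-lead"),
    Entitlement("svc-batch", "cde-db", "write", None),         # NHI with no owner
    Entitlement("bob", "cde-app", "admin", "payments-lead"),   # ticket closed, access remains
    Entitlement("carol", "cde-app", "read", "payments-lead"),  # never attested
    Entitlement("dave", "cde-db", "select", "payments-lead"),  # removal overdue
]
ATTESTATIONS = [
    Attestation("A1", "rev-1", "alice", "cde-db", "select", "keep", REVIEWED),
    Attestation("A2", "rev-1", "erin", "cde-db", "select", "keep", REVIEWED),  # stale record
    Attestation("A3", "rev-2", "bob", "cde-app", "admin", "remove", REVIEWED),
    Attestation("A4", "rev-2", "dave", "cde-db", "select", "remove", REVIEWED),
    Attestation("A5", "rev-2", "svc-batch", "cde-db", "write", "keep", REVIEWED),
]
REMEDIATIONS = [
    Remediation("A3", datetime(2025, 1, 20, tzinfo=timezone.utc)),
    Remediation("A4", None),
]

if __name__ == "__main__":
    for finding in reconcile(INVENTORY, ATTESTATIONS, REMEDIATIONS, NOW):
        print(*finding)
    print(*evidence_lines(ATTESTATIONS, INVENTORY), sep="\n")
```

The design point is that the ticket system is never treated as proof on its own: a closed remediation only counts when the entitlement has actually disappeared from the inventory pull, and a "keep" on a record the inventory no longer contains is reported as a reviewer signing stale data rather than as a pass.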
Common Variations and Edge Cases
Tighter access review governance often increases operational overhead, requiring organisations to balance auditability against reviewer fatigue and remediation speed. That tradeoff becomes sharper in large environments with many applications, inherited roles, or service accounts that do not map cleanly to a single business owner.
Best practice is evolving for cases where access is indirect or shared. Current guidance suggests the accountable owner should still be the person or function that can explain why access exists and approve removal, even if a technical team administers the account. For non-human identities, that can mean a platform owner, product owner, or application steward rather than a help desk queue. Where evidence is weak, the failure is usually not the reviewer’s signature alone but the absence of a reliable inventory, a clean remediation workflow, or a maintained exception register. The pattern also becomes messy when access reviews include outsourced operations or inherited controls from acquisitions, because ownership chains can be fragmented across different governance models. In those situations, audit findings often expose a broader accountability problem that spans both identity operations and business governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack surface, NIST CSF 2.0 sets the technical controls, and PCI DSS v4.0 defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| PCI DSS v4.0 | 7.2.5 | Access reviews must be owned, evidenced, and remediated to satisfy PCI expectations. |
| NIST CSF 2.0 | GV.RM-01 | Accountability and risk ownership are central to governance for failed access reviews. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Stale or unmanaged identities often drive review failures, including non-human accounts. |
Assign a named owner to each review, verify entitlements against inventory, and track removal to closure.