
Why do access reviews fail when reviewer fatigue is high?

They fail because reviewers optimise for finishing the queue rather than evaluating each entitlement carefully. That leads to approve-all behaviour, missed privilege creep, and stale access remaining in place. Fatigue turns certification into a throughput exercise, which weakens the very control the review was meant to enforce.

Why This Matters for Security Teams

Access reviews fail under reviewer fatigue because the control becomes a cognitive filtering problem, not a policy decision problem. When queues are long and entitlements look repetitive, reviewers stop interrogating context and start searching for a fast path to completion. That weakens recertification, leaves privilege creep unchallenged, and creates a false sense of control. OWASP’s Non-Human Identity Top 10 frames this as a governance issue as much as an identity issue, because the quality of review matters as much as the existence of review.

The operational consequence is usually missed until audit, incident response, or access abuse exposes the gap. NHI Management Group’s Ultimate Guide to NHIs stresses that lifecycle controls only work when they are actionable and current, not merely scheduled. In practice, many security teams encounter stale access only after a manager has approved a long queue of entitlements without truly evaluating them.

How It Works in Practice

A fatigued reviewer typically optimises for speed in three ways: approving familiar entitlements automatically, treating grouped access as equivalent even when risk differs, and relying on the system to surface exceptions rather than investigating each item. That is why access reviews need more than a calendar date and a sign-off workflow. They need context, prioritisation, and evidence.

Current guidance suggests shifting from broad, manual recertification to risk-based review design. That means:

  • prioritising privileged, dormant, and externally exposed access first
  • collapsing low-risk repetitive items only when the grouping logic is defensible
  • surfacing last-used date, business owner, data sensitivity, and privilege tier alongside each entitlement
  • forcing exceptions to require an explicit deny, not just a passive skip
  • tracking reviewer behaviour for approve rates, review time, and override frequency
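The risk-based design above can be made concrete in code. The following is an added example, not from the original article or any vendor product: it scores entitlements on privilege tier, exposure, sensitivity and dormancy so the riskiest land at the top of the queue, and it flags reviewers whose approve rate and per-item time look like queue-clearing. The field names, weights, thresholds and sample records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional
TODAY = date(2024, 6, 1)  # fixed "today" so the constructed sample is reproducible

@dataclass
class Entitlement:
    identity: str
    resource: str
    privilege_tier: str        # "admin" or "standard" (assumed tiers)
    external: bool             # reachable from outside the organisation boundary
    sensitivity: str           # "low", "medium" or "high"
    last_used: Optional[date]  # None means no observed use at all

def risk_score(e: Entitlement, today: date = TODAY, dormant_days: int = 90) -> int:
    """Higher score means review first. Weights are illustrative, not a standard."""
    score = {"admin": 40, "standard": 0}[e.privilege_tier]
    score += 25 if e.external else 0
    score += {"low": 0, "medium": 5, "high": 15}[e.sensitivity]
    if e.last_used is None or (today - e.last_used).days > dormant_days:
        score += 20  # dormant access is where privilege creep hides
    return score

def order_review_queue(items, today: date = TODAY):
    """Put privileged, exposed and dormant entitlements at the top of the queue."""
    return sorted(items, key=lambda e: risk_score(e, today), reverse=True)

def fatigue_indicators(decisions, min_items=10, approve_rate=0.95, fast_seconds=5):
    """Flag reviewers whose approve rate and speed look like queue-clearing."""
    by_reviewer = {}
    for d in decisions:  # each dict: reviewer, decision ('approve'|'deny'), seconds spent
        by_reviewer.setdefault(d["reviewer"], []).append(d)
    flagged = {}
    for reviewer, ds in by_reviewer.items():
        if len(ds) < min_items:
            continue  # too few decisions to judge behaviour
        rate = sum(d["decision"] == "approve" for d in ds) / len(ds)
        med = median(d["seconds"] for d in ds)
        if rate >= approve_rate and med <= fast_seconds:
            flagged[reviewer] = {"approve_rate": rate, "median_seconds": med}
    return flagged

QUEUE = [  # constructed entitlements
    Entitlement("svc-backup", "prod-db", "admin", False, "high", None),
    Entitlement("alice", "wiki", "standard", False, "low", date(2024, 5, 30)),
    Entitlement("ci-runner", "artifact-store", "standard", True, "medium", date(2024, 1, 2)),
]
DECISIONS = (  # constructed review log: mgr1 clears the queue, mgr2 deliberates
    [{"reviewer": "mgr1", "decision": "approve", "seconds": 2}] * 12
    + [{"reviewer": "mgr2", "decision": "approve", "seconds": 40}] * 8
    + [{"reviewer": "mgr2", "decision": "deny", "seconds": 90}] * 4
)
```

In this sample the never-used admin service credential sorts ahead of the dormant, externally reachable CI token, and only mgr1 is flagged, since mgr2's mix of denies and longer review times does not match the approve-all pattern.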

This is where the NHI Lifecycle Management Guide becomes practically useful: lifecycle ownership should determine who can attest, who can revoke, and how quickly stale access is removed. For machine identities and service credentials, the same principle applies even more strictly because stale access is harder to spot and easier to exploit. The State of Secrets in AppSec research shows how confidence in controls can diverge from actual remediation outcomes, which is a familiar pattern in review programmes too. These controls tend to break down when reviewers are asked to certify hundreds of low-context entitlements in a single campaign because attention collapses before decision quality does.

Common Variations and Edge Cases

Tighter review requirements often increase operational overhead, requiring organisations to balance assurance against reviewer capacity. That tradeoff is real: adding more evidence, more attestation steps, or more frequent campaigns can improve precision, but it can also make fatigue worse if the review population is not segmented first.

Best practice is evolving, and there is no universal standard for this yet, but several patterns are consistently more resilient. High-risk access should be reviewed more frequently than standard employee access. Standing privileges should be separated from ordinary app access. Reviews for contractors, shared accounts, and service identities should not use the same workflow as human entitlements. Where teams rely on blanket approval thresholds, fatigue usually creates a hidden exception culture.

It is also important not to confuse speed with control maturity. A fast approval cycle can still be weak if it lacks clear ownership, business justification, and revocation follow-through. That is why the strongest programmes pair access reviews with periodic access mining, evidence of actual usage, and automated deprovisioning. Without that linkage, reviewer fatigue simply becomes a mechanism for preserving old access under a compliant-looking process.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
OWASP Non-Human Identity Top 10   NHI-03                Review fatigue allows stale NHI access to persist without challenge.
NIST CSF 2.0                      PR.AC-4               Access reviews are a core least-privilege control under identity governance.
NIST AI RMF                       GOVERN                Fatigued review processes weaken accountability and oversight for identity decisions.

Define ownership, escalation, and review quality metrics for attestation programmes.