Why do access reviews still fail even when completion rates are high?

High completion rates do not prove that the right identities, entitlements, or systems were reviewed. If discovery is incomplete, scoping is weak, or remediation never happens, the organisation has process compliance but not control effectiveness. The failure is usually structural, not motivational.

Why This Matters for Security Teams

High completion rates can mask a weak control if reviewers are only confirming that a task was closed, not whether the right access was actually examined. Access reviews often become a governance ritual: broad entitlement lists, shallow attestations, and remediation that stalls after sign-off. That gap is especially dangerous for machine access, service accounts, and other NHIs, where standing privileges can persist unnoticed. The OWASP Non-Human Identity Top 10 and NHIMG research on the Ultimate Guide to NHIs both point to the same operational reality: identity sprawl and incomplete inventories undermine any review process that depends on human judgment alone. In practice, many security teams discover toxic access only after an incident, not through the review cycle that was supposed to catch it.

How It Works in Practice

An effective review starts long before the attestation email goes out. The scope must be built from accurate discovery data, and that means every identity, entitlement, group membership, token, API key, certificate, and service-to-service path has to be visible. If discovery is partial, the review may still “complete” while missing the most sensitive access. That is why NHI governance is inseparable from lifecycle management and inventory discipline, as outlined in NHIMG’s NHI Lifecycle Management Guide.

Practitioners should treat completion as only one metric. The more important checks are:

  • Was the review scoped to live entitlements, not stale exports?
  • Were high-risk privileges flagged for explicit justification?
  • Did remediation actually remove or downgrade access?
  • Was evidence captured for downstream audit and revalidation?

This is where current guidance suggests combining access reviews with automated entitlement analysis, owner verification, and remediation workflow enforcement. Static approval chains are not enough when identities change rapidly, especially for NHIs that may be created by automation and never appear in human-centric ownership lists. The risk is not just missed access, but false confidence created by a green dashboard. NIST’s Cybersecurity Framework emphasises that governance only has value when it drives real protection outcomes, not paperwork completion. These controls tend to break down in fragmented environments with multiple directories, shadow SaaS apps, and orphaned service accounts because the review set is never truly complete.
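The four checks above and the "green dashboard" problem can be made concrete in code. The following is an added example, not code from NHIMG or from this page: it compares a review set built from a stale export against live discovery snapshots taken before and after the remediation window, and reports a completion rate next to a separate effectiveness figure. All records are constructed sample data; the `Entitlement` fields, the `HIGH_RISK` privilege set and the two metric definitions are assumptions.

```python
"""Completion rate versus control effectiveness for one access review cycle.

Added example, not code from NHIMG or the page. All inventory, review and
decision records are constructed; field names, the HIGH_RISK set and the
metric definitions are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Privileges that must carry a written justification to be kept (assumption).
HIGH_RISK = {"owner", "admin", "secrets:write"}


@dataclass(frozen=True)
class Entitlement:
    identity: str
    resource: str
    privilege: str


# Live discovery snapshot taken when the review was scoped (constructed).
DISCOVERED_AT_START: Set[Entitlement] = {
    Entitlement("svc-ci-runner", "prod-db", "admin"),
    Entitlement("svc-ci-runner", "artifact-bucket", "read"),
    Entitlement("svc-legacy-sync", "vault", "secrets:write"),
    Entitlement("alice", "prod-db", "read"),
    Entitlement("bob", "artifact-bucket", "owner"),
}

# What reviewers were actually asked to attest: built from a stale export, so it
# misses the two NHI grants above and carries one row that no longer exists.
REVIEW_SET: Set[Entitlement] = {
    Entitlement("svc-ci-runner", "artifact-bucket", "read"),
    Entitlement("alice", "prod-db", "read"),
    Entitlement("bob", "artifact-bucket", "owner"),
    Entitlement("carol", "prod-db", "read"),  # stale: carol was deprovisioned
}

# Reviewer decisions as (keep|revoke, justification). Every row was closed.
DECISIONS: Dict[Entitlement, Tuple[str, str]] = {
    Entitlement("svc-ci-runner", "artifact-bucket", "read"): ("keep", ""),
    Entitlement("alice", "prod-db", "read"): ("keep", ""),
    Entitlement("bob", "artifact-bucket", "owner"): ("revoke", ""),
    Entitlement("carol", "prod-db", "read"): ("keep", ""),
}

# Live discovery snapshot after the remediation window (constructed).
DISCOVERED_AFTER: Set[Entitlement] = {
    Entitlement("svc-ci-runner", "prod-db", "admin"),
    Entitlement("svc-ci-runner", "artifact-bucket", "read"),
    Entitlement("svc-legacy-sync", "vault", "secrets:write"),
    Entitlement("alice", "prod-db", "read"),
    Entitlement("bob", "artifact-bucket", "owner"),  # revoke was never executed
}


def completion_rate(review_set, decisions) -> float:
    """The dashboard metric: share of review rows that received a decision."""
    if not review_set:
        return 0.0
    return sum(1 for e in review_set if e in decisions) / len(review_set)


def scope_gaps(live, review_set) -> Set[Entitlement]:
    """Live entitlements that nobody was asked to review."""
    return live - review_set


def stale_rows(live, review_set) -> Set[Entitlement]:
    """Review rows with no live counterpart: attestations on access that is gone."""
    return review_set - live


def unjustified_high_risk(live, decisions) -> Set[Entitlement]:
    """High-risk live privileges kept, or never reviewed, without a justification."""
    flagged = set()
    for e in live:
        if e.privilege not in HIGH_RISK:
            continue
        decision, justification = decisions.get(e, ("unreviewed", ""))
        if decision != "revoke" and not justification.strip():
            flagged.add(e)
    return flagged


def failed_remediation(decisions, live_after) -> Set[Entitlement]:
    """Entitlements marked revoke that discovery still sees after remediation."""
    return {e for e, (d, _) in decisions.items() if d == "revoke" and e in live_after}


def effectiveness(live_start, review_set, decisions, live_after) -> float:
    """Share of live entitlements that were in scope, decided, and whose decision held."""
    if not live_start:
        return 0.0
    effective = 0
    for e in live_start:
        if e not in review_set or e not in decisions:
            continue  # never reviewed: counts against effectiveness
        decision, _ = decisions[e]
        if decision == "keep" or e not in live_after:
            effective += 1
    return effective / len(live_start)


if __name__ == "__main__":
    print(f"completion rate: {completion_rate(REVIEW_SET, DECISIONS):.0%}")
    eff = effectiveness(DISCOVERED_AT_START, REVIEW_SET, DECISIONS, DISCOVERED_AFTER)
    print(f"effectiveness  : {eff:.0%}")
    for label, items in [
        ("never in scope", scope_gaps(DISCOVERED_AT_START, REVIEW_SET)),
        ("stale review rows", stale_rows(DISCOVERED_AT_START, REVIEW_SET)),
        ("high-risk, unjustified", unjustified_high_risk(DISCOVERED_AT_START, DECISIONS)),
        ("revoked but still live", failed_remediation(DECISIONS, DISCOVERED_AFTER)),
    ]:
        print(f"{label}: {sorted((e.identity, e.resource, e.privilege) for e in items)}")
```

On the sample data the completion rate is 100% while effectiveness is 40%: two NHI grants (one of them `admin` on the production database) were never in scope, one attestation was made on a row that no longer existed, and the single revoke decision was never carried out. Each of those conditions is surfaced by a separate function so it can be wired into a review tool as a gate rather than a report.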

Common Variations and Edge Cases

Tighter access review programs often increase operational overhead, so organisations have to balance depth against reviewer fatigue and remediation capacity. That tradeoff becomes obvious in environments with thousands of entitlements, delegated admin models, or multiple business owners for the same resource. Best practice is evolving, but there is no universal standard for how much evidence each reviewer must inspect before an attestation is considered reliable.

Some edge cases create especially poor outcomes:

  • Orphaned NHIs with no clear owner, where completion is possible but accountability is not.
  • Ephemeral or JIT access, where a periodic review may miss the real decision point.
  • Federated cloud estates, where group nesting hides effective permissions.
  • Emergency access paths, where approvals exist but expirations are not enforced.
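Three of these edge cases (orphaned NHIs, nested groups hiding effective permissions, and emergency grants whose expiry is not enforced) can be checked mechanically against discovery data. The block below is an added example, not NHIMG's code or anything from this page: it resolves effective permissions through a group graph that contains a membership cycle, lists NHIs whose recorded owner is no longer an active person, and finds break-glass grants that are past expiry but still present. The group graph, identity records, grant records and the `REVIEW_DATE` are all constructed, and the field names are assumptions.

```python
"""Review checks for nested groups, orphaned NHIs and unexpired emergency access.

Added example, not code from NHIMG or the page. The group graph, identity
records and emergency grants are constructed; field names are assumptions.
"""
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Group -> direct members (identities or other groups). The nesting contains a
# cycle (grp-sre <-> grp-oncall), which naive recursion would loop on.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "grp-platform-admins": {"grp-sre", "svc-deploy"},
    "grp-sre": {"grp-oncall", "alice"},
    "grp-oncall": {"bob", "grp-sre"},
    "grp-readers": {"svc-report"},
}

# Principal (identity or group) -> directly assigned (resource, privilege).
DIRECT_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "grp-platform-admins": {("prod-db", "admin")},
    "grp-readers": {("prod-db", "read")},
    "bob": {("artifact-bucket", "read")},
}

# Identity records with a declared owner (None for humans). Constructed.
IDENTITIES: Dict[str, dict] = {
    "svc-deploy": {"kind": "nhi", "owner": "dave"},
    "svc-report": {"kind": "nhi", "owner": "erin"},
    "alice": {"kind": "human", "owner": None},
    "bob": {"kind": "human", "owner": None},
}
ACTIVE_HUMANS = {"alice", "bob", "dave"}  # erin has left the organisation

# Emergency (break-glass) grants: an approval exists, expiry may not be enforced.
EMERGENCY_GRANTS: List[dict] = [
    {"identity": "alice", "resource": "prod-db", "privilege": "admin",
     "approved_by": "dave", "expires": "2024-03-01T00:00:00+00:00", "still_present": True},
    {"identity": "bob", "resource": "vault", "privilege": "secrets:read",
     "approved_by": "dave", "expires": "2024-12-01T00:00:00+00:00", "still_present": True},
]
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed review date


def groups_of(identity: str, members: Dict[str, Set[str]]) -> Set[str]:
    """Every group containing `identity`, directly or through nesting.
    Iterative with a seen-set so membership cycles terminate."""
    seen: Set[str] = set()
    stack = [g for g, m in members.items() if identity in m]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(p for p, m in members.items() if g in m)
    return seen


def effective_permissions(identity, members, grants) -> Set[Tuple[str, str]]:
    """What the identity can actually do: direct grants plus every nested group's grants."""
    result = set(grants.get(identity, set()))
    for g in groups_of(identity, members):
        result |= grants.get(g, set())
    return result


def orphaned_nhis(identities, active_humans) -> Set[str]:
    """NHIs whose recorded owner is missing or no longer an active human."""
    return {i for i, rec in identities.items()
            if rec["kind"] == "nhi" and rec["owner"] not in active_humans}


def expired_but_present(grants, now: datetime) -> List[dict]:
    """Emergency grants past their expiry that discovery still sees as live."""
    return [g for g in grants
            if g["still_present"] and datetime.fromisoformat(g["expires"]) <= now]


if __name__ == "__main__":
    for who in ("bob", "svc-report"):
        print(who, sorted(effective_permissions(who, GROUP_MEMBERS, DIRECT_GRANTS)))
    print("orphaned NHIs:", sorted(orphaned_nhis(IDENTITIES, ACTIVE_HUMANS)))
    for g in expired_but_present(EMERGENCY_GRANTS, REVIEW_DATE):
        print("expired but live:", g["identity"], g["resource"], g["privilege"])
```

In the sample graph, bob appears to hold only read access to a bucket, but the on-call group nests into the SRE group, which nests into the platform admins group, so his effective permissions include `admin` on the production database; a reviewer attesting bob's direct grants would never see it. The ownership check deliberately treats a missing owner and an inactive owner the same way, since in both cases nobody can be held to the attestation.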

NHIMG’s analysis in the 52 NHI Breaches Analysis shows how often process gaps persist even when formal controls appear to exist. For organisations handling secrets at scale, the problem can be reinforced by delayed cleanup after credential exposure, as seen in the State of Secrets in AppSec. Completion rates look strong until the review process collides with stale data, weak ownership, or remediation that is never enforced.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity inventory gaps make reviews miss non-human accounts and entitlements. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be reviewed for actual least-privilege effectiveness. |
| NIST AI RMF | GOVERN | Governance must prove control effectiveness, not only procedural completion. |

Maintain a complete NHI inventory before running attestations and tie reviews to live discovery.