Subscribe to the Non-Human & AI Identity Journal

What is the difference between access review and access governance?

Access review checks whether a permission still looks appropriate. Access governance defines the policy, evidence, and control logic that decides whether access should exist in the first place. In high-value business applications, governance must include SoD, telemetry, and exception handling, not only periodic certification.

Why This Matters for Security Teams

Access review and access governance are not synonyms, and the difference matters most where permissions can create business or security impact. Access review is a point-in-time check: does this entitlement still look justified? Access governance is the policy system around the entitlement lifecycle: who may approve it, what evidence is required, when it expires, and how exceptions are handled. Without governance, reviews become paperwork that simply re-certifies weak decisions.

That distinction shows up in audit, SoD enforcement, and high-risk application access. Current guidance from NIST Cybersecurity Framework 2.0 pushes teams toward continuous, risk-based control rather than isolated recertification events, which aligns with how NHI risk actually behaves. The same pattern appears in Ultimate Guide to NHIs — Regulatory and Audit Perspectives and Top 10 NHI Issues, where weak ownership and stale access are usually control design failures, not review failures. In practice, many security teams encounter the problem only after an audit exception, an incident, or an overdue certification has already exposed the gap.

How It Works in Practice

In operational terms, access governance sets the rules before access is granted, while access review validates whether that access still fits later. Governance typically includes entitlement standards, approval workflow, SoD rules, evidence requirements, periodicity, and exception expiry. Review consumes those controls and asks whether the current state still matches policy. For NHIs, this distinction is especially important because service accounts, API keys, and automation tokens often outlive the people or systems that created them.

A practical governance model usually combines three layers. First, define access policy by asset sensitivity, data class, and business function. Second, require evidence for initial approval, such as ownership, purpose, and compensating controls. Third, enforce time-bound access and exception handling so access is not permanent by default. This is consistent with the lifecycle thinking in NHI Lifecycle Management Guide and the broader NHI control themes in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs. For practitioners, this usually means:

  • Use access review to validate existing permissions against approved purpose and current ownership.
  • Use access governance to define who can approve, what evidence is required, and when access must expire.
  • Treat exceptions as controlled risk decisions with expiry, not informal approvals.
  • Log approvals, denials, revocations, and re-certifications as audit evidence, not just helpdesk events.

The control logic should also align with OWASP Non-Human Identity Top 10, especially where over-privilege, credential exposure, and missing lifecycle controls create repeatable failure modes. These controls tend to break down when entitlement ownership is unclear across shared platforms because no single team can answer who should approve, review, or revoke the access.

Common Variations and Edge Cases

Tighter governance often increases process overhead, so organisations have to balance speed against control depth. That tradeoff is real in engineering, data, and platform teams where access changes frequently and human approval alone can become a bottleneck.

One common edge case is automated access for NHIs. A service account may need access to multiple systems, but a review process alone cannot tell you whether that access should exist. Governance has to define the task, scope, and expiry up front, then reviews verify whether the original decision is still valid. Another edge case is emergency access: current guidance suggests that break-glass access should be governed by strict approval, logging, and post-event review, but there is no universal standard for how long the exception may remain open. A third case is delegated administration, where a business owner approves access but the platform team owns enforcement. In those environments, review may be completed correctly while governance still fails because the policy model is inconsistent.

Teams that mature this area usually pair policy with telemetry and exception analytics, not just periodic certification. That is the clearest line between a review program and a governance program. For deeper context, see 52 NHI Breaches Analysis and the risk framing in Ultimate Guide to NHIs — Key Challenges and Risks. Teams that rely on review alone often discover governance gaps only after stale access has already been exploited or re-certified by mistake.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-04 Addresses lifecycle governance and privilege creep for non-human identities.
NIST CSF 2.0 PR.AC-4 Maps to least-privilege access management and entitlement oversight.
NIST AI RMF Useful where autonomous systems create dynamic access decisions and exceptions.

Apply governance controls for accountability, monitoring, and exception handling around autonomous access.

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.