TL;DR: Quarterly access reviews often cover only a curated slice of enterprise systems while long-tail on-prem, custom, database, legacy, and non-human identities stay outside governance, according to Hydden. The control problem is not reviews themselves but partial visibility plus periodic, manual execution that leaves real risk untouched.
At a glance
What this is: This is an analysis of why access reviews often become corporate theatre and how partial visibility, periodic campaigns, and ungoverned systems undermine identity governance.
Why it matters: It matters because IAM, IGA, and PAM teams cannot credibly reduce risk if large parts of the environment, including NHI and legacy systems, never enter the review cycle.
Context
Access reviews are supposed to verify who has access, why they have it, and whether it still makes sense. In practice, many programmes only review the systems they can afford to onboard, which leaves a large ungoverned universe outside the control plane.
That gap matters across human IAM, NHI governance, and lifecycle management. If quarterly campaigns only cover a curated subset of applications, then entitlements on legacy systems, databases, custom apps, and service identities can remain effectively invisible even while the audit report looks complete.
Key questions
A: Security teams should treat scope as the first control, not the last. If databases, legacy systems, custom apps, or service identities are excluded, the review process only certifies a subset of risk. Expand visibility, assign ownership, and measure governed coverage before claiming the programme is working.
Q: Why do periodic access reviews fail to reduce identity risk in real environments?
A: Periodic reviews fail when access changes faster than the review cycle and when the organisation relies on manual evidence collection. By the time managers certify access, the snapshot is already stale. Continuous telemetry and event-driven lifecycle controls are needed to keep decisions aligned with current risk.
Q: What do organisations get wrong about non-human identity governance?
A: They often treat service accounts and other machine identities as secondary to human access, which leaves ownership and lifecycle control unclear. In practice, NHIs are frequently the identities with the most persistent privilege. Governance should explicitly map them, review them, and revoke them when they are no longer needed.
Q: Who is accountable when access reviews give a false sense of control?
A: Accountability sits with the teams that define the review boundary and the control model. If the programme excludes large classes of systems, the resulting report is evidence of process completion, not proof of security. Audit can validate the control, but it cannot fix a scope that was incomplete from the start.
Technical breakdown
Why periodic access reviews miss the long tail of identities
Traditional access review campaigns depend on snapshots, connectors, and manual certification workflows. That model works only where the identity graph is already clean, the application can be integrated, and approvers can make sense of the data in one pass. The problem is the long tail: on-prem systems, niche SaaS, databases, file shares, and service accounts often sit outside that model because they are harder to normalise, harder to map to ownership, and harder to review on a calendar cadence.
Practical implication: build identity visibility before expanding review scope, or the campaign will keep certifying only the easy part of the estate.
How curated scope creates governance theatre
Governance theatre happens when the review process is real but the coverage is not. A campaign can reach 100% completion inside the tool while most operational risk remains outside scope. That is not a failure of policy language. It is a failure of control boundary design, where the organisation confuses evidence generation with risk reduction and treats the audit artifact as the outcome rather than the by-product.
Practical implication: measure what percentage of the real environment is governed, not just campaign completion, and treat unreviewed systems as control debt.
Why non-human identities change the access review problem
Non-human identities do not fit neatly into review workflows built around human managers and periodic certification. Service accounts, bots, workloads, and AI-connected identities are often tied to systems rather than people, which makes ownership, risk ranking, and review accountability harder. When these identities are excluded, the governance model breaks at the point where machine access is most persistent and least visible, especially in legacy or integrated environments.
Practical implication: add explicit NHI ownership and lifecycle control to access governance, or the review process will keep ignoring the identities most likely to accumulate standing privilege.
NHI Mgmt Group analysis
Access review theatre is a control-boundary problem, not an audit problem. The article makes clear that auditors are not creating the gap; they are exposing it. The real failure is that most programmes only govern a curated subset of systems, while the rest of the estate continues operating with little or no review discipline. The implication is that completion metrics are meaningless if the governed universe is incomplete.
Partial visibility creates a false sense of control in both human and machine identity programmes. Once access governance only covers the top tier of systems, the organisation starts optimising for evidence production instead of risk reduction. That pattern is especially damaging where NHI credentials, legacy entitlements, and custom integrations sit outside the review cycle. Practitioners should treat coverage as the primary governance measure, not campaign throughput.
Continuous identity governance is the right operating model for environments that change faster than review cadences. Quarterly or annual campaigns assume access remains stable long enough to be reviewed. That assumption fails when entitlements, service identities, and application dependencies shift constantly across distributed estates. The implication is that identity governance must become an operational function, with policy, telemetry, and lifecycle events replacing the old project mindset.
Unowned non-human identities are where access review models break down first. Human-centric review workflows depend on named managers and obvious reporting lines, but service accounts and workloads often lack both. That creates a governance blind spot where standing access can persist without a clear reviewer or offboarding trigger. Practitioners need to recognise that NHI lifecycle control is not an add-on to IGA; it is the missing prerequisite for meaningful certification.
Continuous evidence changes the conversation from compliance performance to control effectiveness. If the organisation can show what changed, why it changed, and how access was adjusted in near real time, then the audit becomes verification rather than the only control. That shifts identity governance from a periodic ceremony to an operational discipline. The field should move away from ceremonial completion and toward measurable reduction in exposed access.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
- Access governance and secrets management are converging problems, so readers should also review the NHI Lifecycle Management Guide for lifecycle control patterns that reduce exposure windows.
What this signals
Access governance debt compounds wherever identity data is fragmented. The article’s core warning is that a clean-looking review cycle can hide a broken control boundary. That same pattern shows up across lifecycle, secrets, and service-account management, where the most dangerous identities are often the least visible to managers and auditors. Teams should assume coverage gaps, not campaign completion, are the real risk indicator.
Continuous control will become the baseline expectation for mature IAM programmes. Periodic certification still has value for audit evidence, but it cannot be the primary mechanism for reducing entitlement risk in fast-changing estates. Practitioners should prepare to connect review decisions to authoritative lifecycle events, identity telemetry, and stronger ownership mapping, especially for non-human identities.
Review programmes that ignore the long tail will increasingly be treated as control debt. If the environment includes service accounts, legacy applications, and custom integrations, then a quarterly process will not keep pace with real operational change. The practical next step is to align identity operations with the NIST Cybersecurity Framework 2.0 and treat governance coverage as an ongoing control objective.
For practitioners
- Quantify governed coverage, not just campaign completion. Measure what percentage of applications, databases, legacy systems, and service identities are actually in scope for access review. Separate the fully governed estate from the unreviewed long tail so leaders can see where identity risk remains invisible.
- Build ownership for the ungoverned universe. Map every account to a human owner or system owner, including service accounts, bots, and custom integrations. Without explicit ownership, review decisions become guesswork and offboarding becomes inconsistent.
- Shift from periodic campaigns to event-driven control. Trigger entitlement changes, recertification, and removal workflows from authoritative lifecycle events and risk signals rather than waiting for the next quarterly cycle. Prioritise systems where stale access and brittle connectors are most common.
- Automate low-risk review decisions. Use policy, peer groups, and historical patterns to auto-approve access that is stable and low risk, then reserve human review for exceptions, anomalies, and high-impact entitlements. This reduces reviewer fatigue without expanding blind spots.
- Track risk reduction as the primary KPI. Report orphaned accounts removed, high-risk entitlements reduced, and unreviewed systems brought into scope. Those metrics show whether identity governance is shrinking attack surface rather than producing better paperwork.
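The coverage, ownership and event-driven points above (and the "measure what percentage of the real environment is governed" implication earlier) can be made concrete with a small report over an identity inventory. The script below is an added example, not code from the Hydden article or from NHIMG: the inventory, the field names, the 90-day staleness threshold and the lifecycle event shapes are constructed assumptions, standing in for what a real programme would pull from its IGA tool, CMDB, PAM grant log and HR leaver feed. It computes governed coverage per identity kind and per system class, lists identities carrying control debt (out of scope, unowned, never or stale certified), and turns lifecycle events into immediate recertification tasks instead of waiting for the next quarterly campaign.

```python
"""Governed-coverage, control-debt and event-driven recertification report.

Added example, not code from the Hydden article or from NHIMG. The inventory,
the field names and the lifecycle event shapes are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                 # "human" or "nhi" (service account, bot, workload)
    system: str
    system_class: str         # "saas", "database", "legacy", "custom", "fileshare"
    in_review_scope: bool     # onboarded to the access review campaign?
    owner: Optional[str]      # accountable human or team; None = unowned
    privileged: bool
    last_certified: Optional[date]


# Constructed inventory: a curated SaaS tier that gets reviewed, plus the long tail.
INVENTORY = [
    Identity("alice", "human", "hr-saas", "saas", True, "mgr-bob", False, date(2026, 1, 15)),
    Identity("bob", "human", "erp", "saas", True, "mgr-carol", True, date(2025, 10, 1)),
    Identity("svc-billing-db", "nhi", "billing-db", "database", False, None, True, None),
    Identity("svc-etl", "nhi", "warehouse", "database", False, "data-team", True, date(2025, 12, 20)),
    Identity("legacy-admin", "human", "mainframe", "legacy", False, "ops-lead", True, None),
    Identity("bot-ci", "nhi", "ci-runner", "custom", True, "platform-team", False, date(2026, 2, 1)),
    Identity("fs-archive", "nhi", "fileshare-01", "fileshare", False, None, False, None),
]

TODAY = date(2026, 2, 18)  # fixed so the report is reproducible


def coverage_by(identities: Iterable[Identity], attr: str) -> dict:
    """Governed coverage per group: {group: (in_scope, total, percent)}."""
    counts: dict = defaultdict(lambda: [0, 0])
    for ident in identities:
        key = getattr(ident, attr)
        counts[key][1] += 1
        if ident.in_review_scope:
            counts[key][0] += 1
    return {k: (v[0], v[1], round(100 * v[0] / v[1], 1)) for k, v in counts.items()}


def governed_percent(identities: Iterable[Identity]) -> float:
    """Share of the whole estate that is inside the review boundary."""
    ids = list(identities)
    return round(100 * sum(i.in_review_scope for i in ids) / len(ids), 1)


def control_debt(identities: Iterable[Identity], today: date = TODAY,
                 max_age_days: int = 90) -> dict:
    """Identities carrying governance debt and the reasons (absent = no debt)."""
    debt = {}
    for ident in identities:
        reasons = []
        if not ident.in_review_scope:
            reasons.append("out_of_scope")
        if ident.owner is None:
            reasons.append("no_owner")
        if ident.last_certified is None:
            reasons.append("never_certified")
        elif (today - ident.last_certified).days > max_age_days:
            reasons.append("stale_certification")
        if reasons:
            debt[ident.name] = reasons
    return debt


def recertification_triggers(events: list, identities: Iterable[Identity]) -> list:
    """Event-driven recert: lifecycle events select identities for review now."""
    by_owner = defaultdict(list)
    by_name = {}
    for ident in identities:
        by_name[ident.name] = ident
        if ident.owner:
            by_owner[ident.owner].append(ident)
    tasks = []
    for ev in events:
        if ev["type"] == "owner_left":          # owner offboarded: review everything they owned
            for ident in by_owner.get(ev["owner"], []):
                tasks.append((ident.name, f"owner_left:{ev['owner']}"))
        elif ev["type"] == "privilege_granted" and ev["identity"] in by_name:
            tasks.append((ev["identity"], "privilege_granted"))
    return sorted(tasks)


# Constructed lifecycle events (an HR leaver feed and a PAM grant log would be real sources).
EVENTS = [
    {"type": "owner_left", "owner": "ops-lead"},
    {"type": "privilege_granted", "identity": "bot-ci"},
]


if __name__ == "__main__":
    print("governed overall:", governed_percent(INVENTORY), "%")
    print("by kind:", coverage_by(INVENTORY, "kind"))
    print("by system class:", coverage_by(INVENTORY, "system_class"))
    print("control debt:", control_debt(INVENTORY))
    print("recert now:", recertification_triggers(EVENTS, INVENTORY))
```

On this constructed estate the campaign tool would show the three in-scope identities fully certified, while the report shows only 42.9% of the estate governed, NHI coverage at 25%, and every database, legacy and file-share identity carrying control debt. Reporting the `coverage_by` and `control_debt` figures alongside campaign completion is the coverage KPI the list above asks for; `recertification_triggers` is the minimal shape of the event-driven control that replaces waiting for the next cycle.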
Key takeaways
- The main failure is not access reviews themselves, but the narrow scope and periodic cadence that leave most real risk outside governance.
- The scale problem is operational as much as technical, with onboarding a complex application to traditional IGA taking 6-8 weeks and roughly $180,000 in services.
- Practitioners should shift to continuous, event-driven governance with explicit ownership for human and non-human identities, or the theatre will continue.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Periodic reviews miss stale access and unmanaged credentials across the long tail. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access authorization are directly implicated by incomplete review scope. |
| NIST Zero Trust (SP 800-207) | AC-2 | Continuous verification better matches changing entitlement risk than quarterly review cycles. |
Use PR.AC-4 to validate that access certification covers all critical identity classes, not just top-tier apps.
Key terms
- Access Review Theatre: A situation where access certification appears complete but only covers a narrow, curated slice of the environment. The organisation produces audit-ready evidence while large parts of the identity estate, especially legacy and non-human access, remain outside meaningful governance.
- Ungoverned Universe: The set of systems, applications, and identities that are not included in an identity governance programme. It often includes legacy platforms, custom software, databases, file shares, and service identities that are difficult to onboard but still carry real access risk.
- Continuous Identity Governance: An operating model where access decisions, lifecycle changes, and risk signals are handled as an ongoing process rather than a periodic campaign. It uses authoritative events, telemetry, and policy automation to keep access aligned with current business and security conditions.
- Non-Human Identity Ownership: The assignment of accountable business or technical ownership to service accounts, bots, workloads, and other machine identities. Without ownership, reviews, offboarding, and risk acceptance become unclear, which allows standing access to persist long after the identity’s purpose has changed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Hydden: access governance is still corporate theatre in most enterprises. Read the original.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org