By NHI Mgmt Group Editorial TeamPublished 2026-03-07Domain: Governance & RiskSource: Zluri

TL;DR: Auditors test access reviews for control design, operating effectiveness, and evidence quality, and they will reject completed tickets if revocations, scope, or remediation cannot be independently proven, according to Zluri. Completion metrics alone do not establish audit readiness, and that gap is where many otherwise sound IAM programmes fail.


At a glance

What this is: This is an analysis of what auditors actually test in access review audits, with the central finding that proof of control effectiveness matters more than completion metrics.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes all rely on access review evidence that can withstand independent challenge, not just internal process claims.

By the numbers:

  • 94% completion rate, 127 inappropriate access grants revoked, evidence package delivered on time.

👉 Read Zluri's guide to what auditors actually test in access review audits


Context

Access review audits test whether an identity governance control can be proven, not just whether it was performed. In practice, that means auditors look for verifiable evidence that access was reviewed, revocations were executed, scope was complete, and the remediation actually removed access from the target systems.

That distinction matters across IAM, IGA, PAM, and NHI governance because the same failure pattern repeats: organisations can show activity, but not effectiveness. For teams building repeatable evidence workflows, the NHI Lifecycle Management Guide is a useful reference point for how governance records should support provisioning, rotation, offboarding, and review.

The article's core message is that auditability is an evidence discipline. Control execution, documentation quality, and independent validation all have to line up, or the review fails at the point where an external auditor asks for proof.


Key questions

Q: What do auditors actually test in access review audits?

A: Auditors test both control design and operating effectiveness. They want to know whether the review cadence, scope, and reviewer qualifications are appropriate, and whether the process actually worked during the period. Completion alone is not enough. Auditors also validate that revocations happened, evidence is complete, and the results can be independently reproduced.

Q: Why do access review findings happen even when completion rates look strong?

A: Strong completion metrics do not prove the control was effective. Findings appear when the evidence is mutable, the scope is incomplete, the reviewer is unqualified, or the revocation was never validated. In audit terms, the control may look healthy on paper while failing the test that matters: independent proof.

Q: How can security teams prove that access revocations really worked?

A: Use system logs, application confirmations, and validation testing to show that access no longer functions after remediation. A ticket marked complete is not proof on its own. The strongest evidence is an immutable record that links the decision, the execution, and the failed access attempt after removal.

Q: Who is accountable when access review evidence cannot be verified?

A: Accountability usually sits with the control owner, the identity governance team, and the business approver, because each owns part of the evidence chain. Auditors will judge the control on what can be proven, not on internal intent. If evidence cannot be reproduced, the organisation owns the finding.


Technical breakdown

Control design versus operating effectiveness in access reviews

Auditors split testing into two questions. First, is the control designed to work, meaning the review cadence, scope, reviewer qualification, and remediation SLA match the risk? Second, did it actually operate as designed during the period under review? A process can be well-intentioned and still fail if quarterly reviews slip into the next quarter, if privileged access is handled like standard access, or if the reviewer lacks the knowledge to judge appropriateness. In IAM terms, the distinction separates policy from proof.

Practical implication: Map each access review control to design evidence and operating evidence before the audit starts.

Why system-generated evidence carries the most weight

Auditors trust evidence that is contemporaneous, complete, and hard to alter. System-generated logs, timestamps, and automated reports outrank retrospective summaries because they show what happened at the time, not what someone later reconstructed. Manual tickets and emailed confirmations can support the story, but they rarely close the gap on their own. The practical challenge for IGA teams is to ensure that every review action, revocation, and validation step creates a durable artefact that can be replayed by an auditor without relying on memory or interpretation.

Practical implication: Use immutable audit logs and timestamped workflow records as the primary evidence source for every review cycle.

Scope completeness is the hidden failure point

A review only proves something if the population under review is complete. Auditors test whether all in-scope systems, users, applications, and privileged accounts were actually included, and they will challenge any extract that cannot be shown to be exhaustive. This is especially important in environments with multiple owners, delegated administration, or third-party access, because incomplete inventory data can make a perfect-looking review meaningless. In governance terms, completeness is not a reporting feature. It is the control boundary itself.

Practical implication: Reconcile identity inventories and application scopes before certification so no review depends on partial data.


Threat narrative

Attacker objective: The auditor's objective is to determine whether the access review control can be trusted as evidence of effective governance, not just reported completion.

  1. Entry occurs at the evidence layer, where an organisation produces an access review package that looks complete but lacks immutable proof of execution.
  2. Escalation happens when auditors probe the revocation trail, test whether access was actually removed, and discover that tickets marked complete are not backed by validation.
  3. Impact follows when the control is judged ineffective despite high completion rates, creating audit findings, remediation work, and possible scope expansion into adjacent controls.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Evidence completeness is now the real access review control. Completion rates, revocation counts, and on-time delivery are only meaningful if the underlying artefacts can be independently verified. The article shows that auditors care less about the ceremony of review and more about whether the proof set is immutable, complete, and replayable. For identity teams, the control is no longer the review meeting itself, but the evidence chain that surrounds it.

Access review governance fails when remediation is treated as a ticket closure event. A marked-complete workflow step does not prove that access disappeared from the target system, especially when validation testing is absent. That is the failure mode this article exposes: remediation without verification creates a false sense of control effectiveness. Practitioners should treat completed access review work as unproven until the revocation result is confirmed in-system.

Scope completeness is the hidden control gap across human, machine, and privileged access. The same weakness appears whether the object is a user, a service account, or a privileged admin path: if the inventory is incomplete, the review is not evidence of governance. This is where IAM, PAM, and NHI programmes converge around one problem. The implication is that identity governance must prove population completeness before it can prove certification quality.

Audit readiness is an operating model, not a last-minute evidence bundle. The post makes clear that organisations fail when they build access review processes for internal convenience rather than external scrutiny. Auditor testing methods, evidence hierarchy, and retention expectations all assume that controls generate proof by default. The practitioner conclusion is straightforward: if a review cannot survive reperformance, it is not audit-ready.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap makes audit-ready evidence even more important, so review governance and lifecycle proof should be anchored in NHI Lifecycle Management Guide patterns rather than manual after-the-fact reconstruction.

What this signals

Evidence-led governance is becoming the baseline for identity programmes. The practical shift is away from proving that a workflow was executed and toward proving that the workflow produced durable, testable artefacts. For teams managing humans, service accounts, and privileged access, that means evidence design belongs in the control architecture, not in the audit scramble. A programme that cannot reproduce its own decisions will keep failing external scrutiny.

Immutable proof will matter more as identity estates become more distributed. As access moves across SaaS, cloud, and delegated administration models, auditors will keep pressuring organisations to show full population coverage and validated revocation. That is where the gap between internal completion metrics and external confidence widens. The response is to treat evidence capture as part of the identity lifecycle, not as an administrative add-on.

Access review maturity now depends on whether control outputs can be replayed end to end. In practice, that means the team must know where the source extract came from, who approved the decision, what changed in the target system, and how the result was validated. The programme signal is simple: if an auditor can question any link in that chain and the answer is not immediate, the control is not mature enough.


For practitioners

  • Separate completion evidence from effectiveness evidence Store the review sign-off, the revocation action, and the post-remediation validation as three distinct artefacts so auditors can test each step independently.
  • Make scope completeness a pre-review gate Reconcile system inventories, identity sources, and privileged account lists before certification starts so the auditor is not relying on a partial extract.
  • Use immutable system logs as the primary record Keep review timestamps, approval history, and access-change events in system-generated logs that cannot be rewritten after the fact.
  • Retain evidence on the audit clock, not the project clock Apply the longest required retention period to review packages, supporting extracts, and validation results so prior periods remain retrievable when challenged.

Key takeaways

  • Access review audits fail when organisations cannot prove that revocations, scope, and validation actually happened.
  • Auditors weight immutable system evidence, not completion metrics or retrospective explanations, when judging control effectiveness.
  • The strongest defence is a lifecycle-backed evidence model that can survive reperformance, retention checks, and scope challenge.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access review evidence supports least-privilege access governance.
NIST SP 800-63Identity proofing and assurance concepts inform reviewer qualification.
NIST Zero Trust (SP 800-207)AC-4Zero Trust depends on continuous verification of access and privilege.

Align review workflows to continuous verification and prove access removal at the control boundary.


Key terms

  • Control Design: The way a control is structured so it should achieve its intended outcome if executed correctly. In access review audits, design focuses on cadence, scope, reviewer qualification, and remediation requirements. A control can be perfectly operated and still fail if the design does not match the risk or framework requirement.
  • Operating Effectiveness: Evidence that a control worked in practice during the period being audited. For access reviews, this means the process ran on time, covered the right population, produced the right artefacts, and led to real access changes. Auditors separate this from design because a well-written process can still fail in execution.
  • Evidence Hierarchy: The order auditors use to judge how reliable proof is. System-generated logs and timestamped records are stronger than manually written summaries because they are harder to alter and closer to the event itself. In identity governance, the hierarchy determines whether an access review can be trusted or merely described.
  • Reperformance: An audit test where the reviewer independently repeats the control to see whether the result matches what the organisation claimed. In access review audits, reperformance can include attempting authentication after revocation or recalculating completion rates. It is one of the strongest checks because it proves the outcome, not the narration.

What's in the full article

Zluri's full research covers the operational detail this post intentionally leaves for the source:

  • Evidence-package structure for SOX, SOC 2, ISO 27001, PCI DSS, and HIPAA audit trails
  • Framework-by-framework testing expectations for access review cadence, scope, and remediation proof
  • Examples of auditor questions and the evidence artefacts they use to challenge control effectiveness
  • Practical preparation timeline for internal testing, evidence indexing, and pre-audit remediation

👉 Zluri's full article covers framework-specific audit procedures, evidence hierarchy, and remediation verification in more depth.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org