By NHI Mgmt Group Editorial TeamPublished 2026-04-02Domain: Governance & RiskSource: Zluri

TL;DR: Quarterly access reviews can still fail audits when they document activity without preventing, detecting, or correcting inappropriate access, according to Zluri’s analysis of a financial services case. The real governance test is whether controls stop over-provisioning, catch drift between reviews, and fix root causes before the next cycle.


At a glance

What this is: This is an analysis of why access review programmes can look complete on paper while still failing to control inappropriate access.

Why it matters: It matters because IAM, IGA, and PAM teams need controls that enforce outcomes across human, NHI, and privileged access lifecycles, not just certify activity after the fact.

By the numbers:

👉 Read Zluri’s analysis of preventive, detective, and corrective access review controls


Context

Access reviews are only governance if they change access outcomes. A quarterly certification process can be completed on time, well documented, and still leave inappropriate access in place if provisioning, monitoring, offboarding, and remediation are not enforced by technical controls.

That gap matters across human identities, service accounts, and workloads because identity programmes often measure process completion instead of control effectiveness. For teams building maturity, the useful question is whether reviews prevent recurrence or merely produce audit evidence, a distinction that maps closely to the NHI lifecycle model in the NHI Lifecycle Management Guide.

When reviewers can approve or ignore entitlements without policy enforcement, the programme is describing risk rather than controlling it. Zluri’s example shows how easily review cadence becomes a compliance ritual unless detective and corrective mechanisms are built into the access lifecycle.


Key questions

Q: What breaks when access reviews are treated as the main control instead of a governance check?

A: When access reviews become the primary control, organisations end up certifying whatever access already exists instead of preventing bad access from being created. That leaves onboarding over-provisioning, leaver retention, and privilege creep untouched between review cycles. Governance improves only when review outcomes feed preventive, detective, and corrective controls that change access state.

Q: Why do access reviews fail even when completion rates and documentation look good?

A: High completion rates do not guarantee control effectiveness. Reviews fail when approvers rubber-stamp entitlements, when detection is absent between cycles, and when remediation is not enforced. The result is a process that satisfies audit paperwork while leaving inappropriate access active in production systems.

Q: How can security teams tell whether access governance is actually working?

A: Look for falling exception volumes, shorter remediation times, fewer recurring findings, and tighter alignment between role baselines and actual entitlements. If the same access issues reappear quarter after quarter, the programme is operating as a reporting function rather than a control system.

Q: Who is accountable when inappropriate access survives a quarterly review?

A: Accountability sits with the control owners, not just the reviewers. IAM, IGA, HRIS, and application owners all contribute to whether access is prevented, detected, and revoked on time. If no one owns the downstream revocation and root-cause correction, review completion cannot be treated as governance completion.


Technical breakdown

Process compliance vs control effectiveness in access reviews

A review process is the sequence of human and system activities used to certify access. A control is the mechanism that prevents, detects, or corrects failure regardless of whether the review itself happens perfectly. In practice, this means a quarterly certification can pass while onboarding over-provisions, leavers retain access, and privilege creep accumulates between cycles. Auditors care about whether the control operated as intended, not whether the form was completed. Mature programmes separate workflow completion from outcome assurance and test both.

Practical implication: Measure access governance by prevented and remediated exceptions, not by review completion alone.

Preventive controls that stop bad access before certification

Preventive controls shape the entitlement state before access enters the review queue. These include role baselines, approval workflows, time-bound privilege, and automatic offboarding. They reduce the number of inappropriate entitlements that managers later have to certify. Without them, access reviews become a backstop for provisioning mistakes rather than a governance layer. The article’s key point is that prevention changes the volume and quality of review findings, which is why preventive controls are the highest-maturity layer in access governance.

Practical implication: Enforce least-privilege baselines and termination-driven revocation so reviews validate policy instead of repairing predictable errors.

Detective and corrective controls that close the loop between reviews

Detective controls identify unused, orphaned, or excessive access that slipped through prevention, while corrective controls ensure those findings lead to permanent improvement. Dormant account detection, orphaned account detection, remediation SLAs, root cause analysis, and audit trail integrity form the feedback loop. Without this loop, the same exceptions recur each quarter because the underlying cause was never removed. The governance problem is not just discovering excess access, but proving the organisation can reduce it over time.

Practical implication: Build automated detection and enforced remediation so recurring findings shrink instead of reappearing every quarter.


Threat narrative

Attacker objective: The objective is not a single exploit but persistence of inappropriate access long enough to survive routine certification and remain exploitable.

  1. Entry occurs during onboarding when inappropriate access is granted beyond role requirements.
  2. Escalation happens as former employees retain access, admin privileges accumulate, and no control intervenes between quarterly reviews.
  3. Impact is control failure: the organisation documents a clean process while harmful access persists and audit exceptions remain.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Process without enforcement is not identity governance. A quarterly review can be completed with high attendance, good documentation, and still fail to control access if provisioning, monitoring, and offboarding are not technically enforced. The article’s financial services example shows that auditable activity and secure outcomes are separate things. The implication is that identity programmes must stop using process completion as a proxy for control effectiveness.

Control effectiveness depends on where the failure is blocked, not where it is discovered. Preventive controls reduce inappropriate access at issuance, detective controls surface drift between reviews, and corrective controls remove recurrence. That sequencing matters because quarterly certification is too late to stop onboarding over-provisioning or leaver retention on its own. Practitioners should treat access review as a verification layer, not the primary mechanism of governance.

Access review maturity is really lifecycle maturity. The article repeatedly shows that onboarding, offboarding, dormant usage, and privilege creep are lifecycle failures, not review failures alone. A programme that cannot revoke access quickly, surface orphaned accounts, or force root-cause correction is structurally incomplete. The practitioner conclusion is to manage access reviews as one control point inside the broader lifecycle, not as the lifecycle itself.

Audit evidence matters, but only when it proves the control actually changed access state. Logs, approvals, and reports have value when they show revocation, escalation, and remediation occurred on time. Without that proof, the programme produces documentation, not governance. Identity leaders should align evidence collection to control outcomes, because that is what stands up in both audit and operational review.

Excess access is usually a systems problem, not a people problem. The article’s examples point to predictable operational drift, helpful IT defaults, and unmanaged exceptions rather than one-off mistakes. That is why the strongest governance response is policy plus automation, not repeated reminders to reviewers. Practitioners should design for failure modes that recur under normal load, not for ideal human behaviour.

From our research:

What this signals

Control-plane maturity is becoming the differentiator: teams that still equate governance with review completion will keep finding the same exceptions in every cycle. The next step is to connect certification activity to enforcement across provisioning, detection, and revocation, then prove that each control changes the entitlement state rather than merely documenting it.

The useful operating model is lifecycle-first. If onboarding, offboarding, and remediation are not automated enough to change access before the next review, quarterly certification will remain a lagging indicator of drift rather than a governance mechanism. That is true for human access, service accounts, and workload identities alike, which is why the control map needs to span the whole identity surface.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, access review programmes also need to account for entitlements that sit outside the standard review queue. The governance signal is not how many reviews you run, but how much of the real access estate those reviews can actually reach.


For practitioners

  • Separate process metrics from control metrics Track how many entitlements were prevented, detected, and remediated, then compare those numbers against review completion rate and SLA adherence. If the review finishes on time but exceptions persist, the programme is documenting compliance rather than controlling access.
  • Enforce preventive baselines at provisioning Use role baselines and approval workflows to block access that exceeds birthright permissions during onboarding or role change. Make the baseline the default, then require explicit justification for exceptions so access review findings shrink before the quarterly cycle begins.
  • Automate offboarding and orphan detection Trigger revocation from termination events and continuously scan for orphaned accounts, including contractor and service accounts with no active owner. This closes the gap between leaving a role and losing access, which is where many recurring exceptions begin.
  • Treat remediation as a timed control, not a ticket queue Set separate revocation SLAs for privileged and standard access, and escalate automatically when remediation stalls. If findings can sit in backlog for weeks, the review is identifying risk without reducing it.
  • Use root cause analysis to redesign the control plane Group findings by pattern, then fix the upstream condition that made the same exception reappear in the next quarter. If the cause is recurring over-provisioning, change the provisioning policy, not just the reviewer instruction.

Key takeaways

  • Access review programmes fail when they document activity without enforcing entitlement outcomes.
  • Preventive, detective, and corrective controls are all required if quarterly reviews are to reduce rather than merely record access risk.
  • The strongest governance signal is recurring exception reduction, not review completion rate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access entitlements must be managed and reviewed against policy.
OWASP Non-Human Identity Top 10NHI-03Control failure here centers on weak rotation, revocation, and access enforcement.
NIST CSF 2.0DE.CM-8Detective controls are needed to surface dormant and excessive access between reviews.

Add continuous monitoring so access drift is detected before the next certification cycle.


Key terms

  • Access Review Control: An access review control is a mechanism that prevents, detects, or corrects inappropriate access state. It is different from a review process, which only describes who certifies what and when. Mature governance needs the control to change access outcomes, not just produce evidence.
  • Preventive Control: A preventive control stops inappropriate access before it is granted. In identity programmes this usually means baselines, approval gates, time limits, and automated revocation logic that operate upstream of certification. The goal is fewer exceptions reaching the review queue in the first place.
  • Detective Control: A detective control identifies access drift after it has occurred but before the next planned review. Common examples include dormant account detection, orphaned account detection, and excessive permission alerts. Detective controls do not fix the problem by themselves, but they create the evidence needed for correction.
  • Corrective Control: A corrective control ensures that a discovered access issue is fixed and does not recur. In practice this means remediation SLAs, root cause analysis, and proof that the underlying process or policy was changed. Without correction, the same entitlement failures return in the next cycle.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full 10-control breakdown with specific preventive, detective, and corrective mappings for access governance.
  • Practical examples of how dormant, orphaned, and excessive access detection works across real application environments.
  • Implementation guidance for remediation SLAs, root-cause analysis, and audit trail integrity in quarterly review programmes.
  • The control-by-control table that maps each access problem to the mechanism that prevents or corrects it.

👉 Zluri’s full post includes the 10-control framework, lifecycle examples, and remediation detail

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org