TL;DR: Access reviews only appear complete when they cover the systems already integrated into governance workflows; unintegrated apps, shadow IT, external identity environments, and local access remain invisible and unreviewed according to OpenIAM. The result is not mismanaged access but unmanaged access, so visibility, not review volume, becomes the decisive control boundary.
At a glance
What this is: This analysis shows that access review completeness is often a scope illusion, because unintegrated systems and identity sources remain outside certification workflows.
Why it matters: It matters because IAM, IGA, PAM, and NHI programmes can all report clean review outcomes while leaving unmanaged access paths untouched across the enterprise.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
👉 Read OpenIAM's analysis of access review coverage gaps and governance blind spots
Context
Access review coverage is a governance problem, not a reporting problem. A review campaign can only certify the systems it actually sees, which means completeness is a function of integration scope rather than true identity visibility.
For IAM and IGA teams, that distinction matters across human, non-human, and privileged access. If an application, directory, SaaS tool, or local account sits outside the governance mesh, the organisation may have evidence of review activity without evidence of control over the full access surface.
Key questions
Q: What breaks when access reviews do not cover every system with permissions?
A: Governance becomes selective rather than complete. Access can persist in unintegrated SaaS apps, legacy systems, local accounts, or external identity platforms without certification, approval history, or revocation evidence. The programme may still produce clean reports, but those reports only describe the scope it sees, not the access estate as a whole.
Q: When should organisations expand access review scope instead of increasing review volume?
A: Always, when the goal is assurance rather than activity. More reviewers and larger campaigns do not fix systems that remain outside the governance platform. Expand scope first by inventorying identity-bearing systems, then extend certification coverage to the highest-risk sources, including privileged and local access.
Q: What do security teams get wrong about successful access certification?
A: They often confuse campaign completion with control coverage. A completed certification only proves that reviewers acted on the systems included in the workflow. If critical applications, shadow IT tools, or external identity environments are missing, the organisation has process evidence but not true governance evidence.
Q: Who is accountable when access exists outside identity governance coverage?
A: Accountability sits with the organisation that defined the scope, not with the reviewers who completed it. Governance teams, IAM owners, and system owners must jointly ensure that identity-bearing systems are included or explicitly risk-accepted. Standards such as the NIST Cybersecurity Framework 2.0 support that shared governance responsibility.
Technical breakdown
Why access reviews look complete but are not
Access reviews operate against the identity sources and applications that are configured into the governance platform. Certification workflows can record decisions, approvals, and evidence for those connected systems, but they do not extend to anything excluded from the integration set. That means completeness is a property of configuration, not of the enterprise as a whole. In practice, a review can be procedurally correct and still miss meaningful access if the underlying system, local account store, or external identity domain was never brought into scope.
Practical implication: define coverage as the first control objective and validate every connected source before treating a certification campaign as complete.
How unintegrated applications create blind spots
Unintegrated applications create blind spots because governance tools cannot evaluate what they cannot ingest. This is common in shadow IT, older SaaS deployments, and legacy systems that lack modern connectors or API support. The review process then becomes selective by design, not by exception, and the organisation loses oversight over access that may still reach sensitive data or operational functions. The risk is structural because the access path exists outside the review loop, not because the reviewers made a bad decision on a visible entitlement.
Practical implication: inventory all applications that grant access and prioritise integration or compensating controls for anything still outside certification coverage.
Why privileged and local access are the hardest gaps to close
Privileged access, administrative accounts, service accounts, and local system accounts often live closer to infrastructure than to the IAM stack, which makes them easy to omit from review campaigns. These accounts may be created for operational convenience and then persist long after their original purpose has changed. When they are not tied into governance workflows, certifications can never confirm whether the access is still justified. That creates a control failure at the boundary between identity governance and infrastructure administration, where the highest-risk access often resides.
Practical implication: map privileged and local accounts separately from workforce access and require explicit inclusion in governance scope or compensating review processes.
NHI Mgmt Group analysis
Coverage blindness is the real governance failure, not review execution. OpenIAM's core point is that access reviews can only certify what has been integrated into scope, which means organisations often mistake process completion for actual control coverage. That is a structural limitation of governance architecture, not a minor operational miss. The implication is that identity governance must be judged on field of view before it is judged on review quality.
Access review scope is a control boundary, not an assurance boundary. Once a system sits outside the certification set, its access becomes effectively invisible to the governance programme even if it remains business-critical. This is why review volume cannot substitute for coverage expansion: more activity inside a narrow scope does not reduce unmanaged risk outside it. Practitioners need to treat scope definition as part of the control itself, not as a project setting.
Unintegrated access becomes unmanaged access by default. The article correctly frames the problem as blind spots rather than misconfigured approvals, because the governance process never encounters the excluded identities in the first place. That distinction matters for audit, remediation, and accountability. A programme that cannot see SaaS sprawl, legacy entitlements, or local administrative accounts cannot honestly claim complete oversight.
Identity coverage debt: incomplete review scope accumulates hidden access risk whenever new systems, external identities, or local accounts are added faster than governance coverage expands. This concept captures the compounding effect of distributed identity estates: each omitted system adds more access that can persist without certification, documentation, or revocation. The practitioner conclusion is simple. Coverage must be measured as an asset inventory problem, not as a campaign completion problem.
For NHI governance, the lesson extends beyond workforce access. Service accounts and administrative identities are often the least visible and the most consequential parts of the access estate, yet they are frequently left outside standard review flows. That makes this article relevant to NHI governance as much as to human IAM. The implication is that certification design should assume hidden machine and privileged access unless proven otherwise.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- From our research: 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- For a broader governance lens, see the NHI Lifecycle Management Guide for the lifecycle controls that determine whether hidden identities ever become reviewable.
What this signals
Identity coverage debt: the longer governance teams leave unintegrated applications, local accounts, and external identity stores outside certification workflows, the more unmanaged access accumulates in plain sight. In practical programme terms, review maturity should be measured by identity source coverage, not by the number of completed campaigns.
When service accounts are not visible, access review findings can look healthier than the environment actually is. That is why NHI and IAM teams should align certification scope with the identity estate inventory and use the NIST Cybersecurity Framework 2.0 to connect govern, identify, and protect functions.
This pattern also strengthens the case for linking governance with lifecycle control. If a source system is not in the review population, it is unlikely to be consistently rotated, recertified, or offboarded, which is why the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs remains relevant to scope design.
For practitioners
- Rebuild certification scope from the ground up Map every application, directory, SaaS platform, and external identity source that can grant access, then compare that inventory to the systems currently included in access reviews. Anything missing from the certification set needs an explicit decision: integrate it, compensate for it, or document the residual risk.
- Separate visible review completion from actual coverage Track two metrics side by side: the percentage of reviewed entitlements and the percentage of identity-bearing systems covered by governance workflows. Treat the second metric as the real assurance indicator, because review completion without source coverage is only evidence of process activity.
- Pull privileged and local accounts into a dedicated scope Create a separate inventory for administrative accounts, service accounts, and local access paths, then require them to appear in certification or compensating control workflows. Do not let infrastructure-owned access remain outside governance simply because it does not live in the main IAM stack.
- Close the shadow IT review gap Work with business units to identify locally provisioned SaaS tools, departmental applications, and unmanaged access stores, then decide which ones need connector support and which ones need interim manual review. Shadow IT is a governance problem once it holds access to company data or systems.
Key takeaways
- Access review completeness is only real when every identity-bearing system is in scope, not when every campaign is closed.
- Blind spots are structural, because unintegrated applications, shadow IT, and local access never enter the governance workflow.
- The right control question is coverage first: if the system cannot be reviewed, it cannot be claimed as governed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access reviews are a governance control for permissions management and least privilege. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unreviewed service accounts and hidden credentials are a visibility and inventory problem. |
| NIST Zero Trust (SP 800-207) | AC-1 | Zero trust depends on continuous verification across all access paths, including hidden ones. |
Treat uncovered identity sources as trust boundary defects and bring them into policy enforcement.
Key terms
- Access Review Scope: The defined set of systems, applications, directories, and identity sources that a certification campaign is allowed to evaluate. In practice, scope determines what governance can see, which means it is a control boundary as much as a project setting.
- Coverage Blind Spot: An access path, system, or identity source that exists in the environment but is excluded from governance workflows. A blind spot is more dangerous than a bad review decision because the review process never encounters the access at all.
- Identity Coverage Debt: The accumulated risk created when new applications, external identities, and privileged access sources are added faster than governance coverage expands. Over time, the organisation gains more access paths than it can certify, recertify, or revoke consistently.
- Unmanaged Access: Access that remains active without being evaluated, certified, or revoked through identity governance processes. It usually persists because the system holding the access is outside scope, not because a reviewer approved it incorrectly.
What's in the full article
OpenIAM's full article covers the operational detail this post intentionally leaves for the source:
- A breakdown of why certification campaigns appear complete even when only a subset of applications is connected to governance.
- Specific examples of the system types most often excluded from access review workflows, including shadow IT, legacy platforms, and external identity environments.
- The article's own explanation of how coverage gaps translate into unmanaged access rather than merely imperfect reporting.
- A direct comparison between review volume and review scope, showing why more activity does not close visibility gaps.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy, governance, or operations, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org