By NHI Mgmt Group Editorial Team | Published 2025-09-19 | Domain: Governance & Risk | Source: Zluri

TL;DR: Access reviews fail less because teams skip them than because discovery, context, and remediation are disconnected, Zluri argues; 53% of security teams lack continuous cloud and SaaS visibility, according to Help Net Security. Access certification only reduces risk when review scope, reviewer context, and revocation are tied together end to end.


At a glance

What this is: This is an analysis of why access reviews break down in SaaS-first environments, with the main finding that fragmented discovery and delayed revocation make certifications incomplete.

Why it matters: It matters because identity governance teams need access reviews that actually reflect cloud, SaaS, contractor, and shadow app reality across human and non-human access paths.


👉 Read Zluri's article on the top access review challenges IT teams face


Context

Access reviews are supposed to confirm that each identity still has the right level of access, but the control fails when the organisation cannot see the full access surface in the first place. In SaaS-heavy environments, the gap is not the certification itself, but the discovery, context, and removal steps that should make certification meaningful.

This is an IAM and identity governance problem, not just a compliance workflow problem. When apps sit outside SSO, reviewers lack usage context, and revocation happens in a separate ticketing path, the process can produce clean-looking evidence while leaving active access in place. That is why identity programmes need a broader view of the full access lifecycle, not only the review event.


Key questions

Q: What breaks when access reviews only cover apps tied to SSO?

A: The review scope becomes incomplete because direct-login SaaS, department-owned tools, and shadow applications remain outside certification. That means reviewers can sign off on a partial identity surface while sensitive access persists elsewhere. Strong governance starts with discovery coverage, not with the approval step.

Q: When should organisations move from fixed access review cycles to event-based reviews?

A: They should do it when role churn, contractor turnover, or privilege changes happen more often than a quarterly or annual cycle can reflect. Event-based reviews are better for access that changes with business activity, while fixed cycles are acceptable only for low-risk, stable entitlements.

Q: What do security teams get wrong about access review context?

A: They often treat approval as a binary task instead of a risk judgment. Without usage, last-login, role-change, and privilege data, reviewers cannot tell whether access is still justified. The result is rubber-stamping, which reduces the review to a compliance ritual instead of a control.

Q: Who is accountable when access is approved for removal but not actually revoked?

A: Accountability should sit with the owner of the closed-loop workflow, because certification is not complete until the change is enforced in the target system. If removal depends on manual tickets or disconnected follow-up, the programme has a governance gap that auditors and attackers can both exploit.


Technical breakdown

Why SaaS discovery determines access review scope

Access review quality starts with inventory quality. If apps are discovered only through SSO or HRMS integrations, any application reached through direct login, browser-based access, or business-owned procurement sits outside certification scope. That creates a structural blind spot because the governance system can only review what it knows exists. In SaaS-first environments, discovery has to map users to apps even when provisioning is informal or shadow IT is involved. Without that layer, review completeness becomes an assumption instead of a control outcome.

Practical implication: expand discovery beyond SSO so the review population includes unmanaged SaaS, department-owned tools, and external access paths.

Why reviewer context changes certification quality

A reviewer who sees only a name and a role is being asked to certify access without enough evidence. The important signals are account activity, last login, privilege level, and whether the person has changed teams or gone inactive. Context turns access review from a rubber-stamp exercise into a risk judgment. The technical point is simple: certification systems that do not surface current usage and ownership data force human approvers to guess, and guesswork is where governance fails.

Practical implication: enrich certification screens with usage, role, and account-status data before asking reviewers to approve or revoke access.

How revocation fails when it is detached from certification

Many programmes treat certification and deprovisioning as separate workflows. The reviewer marks access for removal, but the actual change depends on a ticket, a follow-up task, or an app owner acting later. That breaks closed-loop governance because the control is not complete until the entitlement is actually removed in the target system. In practice, the delay between decision and enforcement is where risk remains active. Audit-ready logging matters, but it does not compensate for a revocation path that can stall outside the governance platform.

Practical implication: connect certification decisions directly to revocation workflows and verify that removal is enforced in the application, not only recorded.
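To make the three breakdown points above concrete (discovery scope, reviewer context, and closed-loop revocation), here is an added example written for this page; it is not Zluri's or NHIMG's tooling. The entitlement records, the 90-day inactivity threshold, and the post-remediation snapshot read back from each application are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold, not a figure from the article

@dataclass
class Entitlement:
    user: str
    app: str
    privilege: str
    last_login: Optional[date]  # None = never logged in
    role_changed: bool          # mover event since the last certification
    account_active: bool
def review_context(e: Entitlement, today: date) -> list:
    """Risk flags a reviewer must see before deciding; an empty list means nothing surfaced."""
    checks = [("account-inactive", not e.account_active),
              ("no-recent-login", e.last_login is None or today - e.last_login > STALE_AFTER),
              ("role-changed", e.role_changed),
              ("privileged", e.privilege == "admin")]
    return [name for name, hit in checks if hit]

def certify(entitlements, decisions, target_state, today):
    """decisions = {(user, app): "approve"|"revoke"}; target_state = {app: {(user, privilege)}} read back
    from each application after remediation ran. A revoke is complete only once the grant is gone there."""
    report = {"approved": [], "approved_with_flags": [], "revoke_enforced": [], "revoke_pending": [], "unreviewed": []}
    for e in entitlements:
        key, decision = (e.user, e.app), decisions.get((e.user, e.app))
        still_granted = (e.user, e.privilege) in target_state.get(e.app, set())
        if decision is None:
            report["unreviewed"].append(key)  # in inventory but never reached a reviewer
        elif decision == "approve":
            report["approved_with_flags" if review_context(e, today) else "approved"].append(key)
        elif still_granted:
            report["revoke_pending"].append(key)  # decision recorded, enforcement stalled
        else:
            report["revoke_enforced"].append(key)
    return report

def revocation_completion(report) -> float:
    """Completion measured at removal in the target app, not at reviewer sign-off."""
    total = len(report["revoke_enforced"]) + len(report["revoke_pending"])
    return 1.0 if total == 0 else len(report["revoke_enforced"]) / total

# Constructed sample: clean approval, stalled revoke of a privileged mover, enforced revoke, unreviewed direct-login app
TODAY = date(2025, 9, 19)
SAMPLE = [Entitlement("alice", "crm", "user", date(2025, 9, 1), False, True),
          Entitlement("bob", "crm", "admin", date(2025, 3, 2), True, True),
          Entitlement("carol", "billing", "user", None, False, False),
          Entitlement("dave", "design-tool", "user", date(2025, 9, 10), False, True)]
DECISIONS = {("alice", "crm"): "approve", ("bob", "crm"): "revoke", ("carol", "billing"): "revoke"}
TARGET_STATE = {"crm": {("alice", "user"), ("bob", "admin")}, "billing": set(), "design-tool": {("dave", "user")}}
```

Running `certify(SAMPLE, DECISIONS, TARGET_STATE, TODAY)` puts bob's revoke in `revoke_pending` because the CRM snapshot still grants him admin, and dave's direct-login app in `unreviewed`, so `revocation_completion` reports 0.5 even though every reviewer decision was recorded.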


NHI Mgmt Group analysis

Access review failure is usually a visibility failure first. Zluri is describing a control that cannot govern what it cannot discover, because unmanaged SaaS, contractor access, and direct-to-app logins sit outside the normal certification view. That is not a minor process gap. It means the programme is certifying a partial identity surface while assuming it is complete. Practitioners should treat discovery coverage as part of review design, not as a separate inventory exercise.

Reviewer context is the difference between governance and box-ticking. When managers and app owners are given user lists without usage, ownership, or role-change evidence, the control turns into an approval queue. That is why review fatigue and blind certification appear together. The article’s core point is that access reviews fail when the reviewer has no basis for a decision, so the control outcome becomes procedural rather than risk-based. Practitioners should judge certification quality by the evidence shown to approvers, not the number of reviews completed.

Closed-loop revocation is the real control, not the certification event. A review that ends with a spreadsheet or ticket is only an intention until access is actually removed. Zluri’s article exposes the governance assumption that a signed-off review equals reduced exposure, and that assumption fails whenever enforcement is detached from decision-making. The implication is straightforward: identity governance must measure completion at the point of revocation, not at the point of approval.

Dynamic review timing is now a governance requirement, not an optimisation. Fixed quarterly or annual cycles treat all access as equally stable, which does not match SaaS role churn, contractor turnover, or privilege changes. That creates predictable review lag for the identities most likely to drift out of policy. Practitioners should move toward event-triggered and risk-weighted certification because the old cadence model cannot keep pace with how access changes now.

Access review is becoming an identity lifecycle control, not a standalone audit task. The strongest programmes are linking discovery, reviewer context, revocation, and evidence into one lifecycle loop. That matters across human users, contractors, and non-human access paths because lifecycle failure in any one of them becomes an audit and security exposure. Practitioners should align certification with broader identity lifecycle governance instead of treating it as an isolated compliance checkbox.

From our research:

What this signals

Review programmes are moving from periodic certification to continuous control verification. The practical signal for IAM teams is that discovery coverage, reviewer evidence, and revocation enforcement now matter as much as the review record itself. If your access review process cannot prove who has access, why they have it, and whether removal actually happened, then the control is still only partially implemented.

Lifecycle alignment is the next maturity step. Access reviews that do not connect to onboarding, movers, leavers, and external identity offboarding will keep producing stale entitlements. The same governance discipline now has to span employees, contractors, and non-human accounts if you want certification to reduce risk instead of just documenting it.


For practitioners

  • Expand discovery beyond SSO-only coverage: Combine browser data, desktop signals, finance records, and identity integrations so apps reached outside central provisioning still enter the review population. Include department-owned tools and shadow IT in the same governance map as managed SaaS.
  • Enrich review decisions with live usage evidence: Surface last login, activity trends, privilege level, and account status inside the certification workflow so reviewers can distinguish stale access from active business use. Flag role changes and inactivity before approval.
  • Tie approval to enforced revocation: Make removal an automated downstream action whenever possible, and verify that the entitlement disappears in the target application rather than only in the governance record. Track completion separately from reviewer sign-off.
  • Shift high-risk access to event-driven reviews: Trigger certifications on department moves, promotions, privilege changes, and contract endings instead of waiting for the next calendar cycle. Reserve fixed cadence reviews for low-risk access with stable ownership.

Key takeaways

  • Access reviews fail when discovery is incomplete, because a certification can never govern apps and identities it does not see.
  • Reviewer context and closed-loop revocation determine whether access reviews reduce risk or simply produce audit evidence.
  • Identity teams should move high-risk entitlements to event-driven review and measure completion at removal, not approval.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Access governance depends on knowing who and what has access.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege access must be continuously validated, not assumed after certification.
OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle and revocation gaps are central to review failure patterns.

Map review coverage to PR.AC-1 and verify all active apps and identities are included.


Key terms

  • Access Review: An access review is a governance process that asks whether a user, contractor, or system still needs a given entitlement. In practice, it only works when the programme has complete scope, current usage evidence, and enforced revocation; otherwise it becomes documentation rather than control.
  • Closed-loop Revocation: Closed-loop revocation means a removal decision is automatically carried through to the target system and verified as complete. It matters because a certification that ends in a ticket or spreadsheet is not a finished control until the access actually disappears.
  • Shadow SaaS: Shadow SaaS is software adopted outside central IT and identity governance processes. These apps often bypass SSO, provisioning, and certification workflows, which makes them difficult to review and easy to overlook during access governance.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Zluri: Top Access Review Challenges IT Teams Face. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org