TL;DR: Ninety percent of organisations already periodically review access entitlements or plan to do so within three years, according to Netwrix’s survey of 590 IT professionals, but 41% still run reviews manually without business users involved. That gap shows access review is now a baseline control, while governance quality and operational discipline remain uneven.
At a glance
What this is: Netwrix’s access review survey shows periodic entitlement review is now mainstream, but many organisations still rely on manual processes that limit governance quality.
Why it matters: For IAM, IGA, PAM, and NHI programmes, the finding matters because review cadence alone does not prove effective control over human and non-human access.
By the numbers:
- 90% of organisations either already periodically review access entitlements or plan to start doing so within the next three years.
- 41% of respondents admit that they perform access reviews not only manually but on their own, without involving business users at all.
- 49% of those who have a dedicated tool for reviewing user access rights named risk reduction as the biggest benefit.
👉 Read Netwrix's access review survey analysis for the full findings
Context
Access review is the control that tests whether permissions still match business need. In practice, it is one of the few IAM processes that can expose privilege creep before it becomes an incident, but only if the review includes the right approvers and enough context to make a real decision.
This survey suggests the control is widely recognised, yet maturity is uneven. Organisations may be moving toward routine entitlement review, but many still treat it as a manual compliance exercise rather than a governance process that can reduce risk across human identities, service accounts, and broader access programmes.
The pattern is typical for enterprises that have adopted review cadence before they have standardised review quality. That makes the topic relevant not because access reviews are new, but because weak execution still undermines their value.
Key questions
A: Organisations should route reviews to the people who can judge actual business need, not just technical assignment, and they should prioritise high-risk access first. The review should produce a clear decision to retain, modify, or revoke each entitlement, with evidence retained for audit and follow-up.
Q: Why do access reviews often fail to remove excessive permissions?
A: They fail when the process focuses on completion rather than decision quality. If reviewers lack business context or ownership clarity, they approve what already exists instead of challenging whether access is still necessary. That leaves privilege creep in place even when the review cycle is technically completed.
Q: What is the difference between a manual access review and a governed entitlement review?
A: A manual review checks permissions in a labour-intensive way, often through spreadsheets or email, while a governed entitlement review uses defined ownership, structured evidence, and audit trails to support a defensible decision. The difference is not speed alone, but whether the organisation can trust the outcome.
Q: Who should be accountable for access review outcomes in IAM programmes?
A: Business owners should be accountable for the access decision, while IAM or security teams should be accountable for the process, evidence, and follow-up. That split keeps the review tied to operational need and prevents IT from becoming the default approver for business access it cannot fully judge.
Technical breakdown
Why entitlement reviews fail when they are only manual
Manual access reviews often collapse into spreadsheet validation, where reviewers check names rather than actual business necessity. Without system context, reviewers cannot easily tell whether a permission is still needed, inherited, or excessive. That makes the process slow, inconsistent, and vulnerable to rubber-stamping. In IAM terms, the control exists, but the evidence quality is too weak to support a reliable decision.
Practical implication: replace ad hoc spreadsheets with structured review inputs that show ownership, usage, and entitlement source.
Why business-user input changes review quality
Access reviews work best when the business owner, not just IT, can confirm whether access still aligns to a role or task. IT can validate technical assignment, but only the business can judge operational necessity in many cases. When business users are excluded, the process tends to verify administration rather than entitlement relevance, which leaves privilege creep untouched.
Practical implication: route reviews to accountable business owners for the entitlements they can actually approve or revoke.
Dedicated access review tools and governance evidence
Dedicated tools can automate evidence gathering, ownership routing, reminders, and audit trails, which reduces friction and improves consistency. The important technical distinction is that automation supports governance, it does not replace judgement. A tool is useful when it shortens the path from entitlement data to a defensible decision, especially in environments with many users, roles, and applications.
Practical implication: evaluate whether tooling improves decision quality and auditability, not just whether it makes reviews faster.
NHI Mgmt Group analysis
Access review has crossed from optional maturity marker to baseline IAM hygiene. When 90% of organisations either already review entitlements or plan to do so soon, the question is no longer whether the control belongs in the programme. The real issue is whether the process produces meaningful governance or merely satisfies a calendar requirement. Practitioners should treat review quality as the differentiator, not review presence.
Manual entitlement review creates a governance blind spot, not just an operational burden. If reviewers are working without business input, they are validating records rather than actual access need. That weakens recertification as a control because the organisation can close the review cycle without meaningfully reducing privilege exposure. The implication is that access governance must be measured by decision quality, not completion rate.
Dedicated tooling matters because identity review is evidence-intensive. Access reviews need ownership data, entitlement lineage, exception handling, and audit-ready records. Without that structure, teams spend effort assembling context instead of making decisions. For IAM and IGA leaders, the practical conclusion is that scale exposes process design flaws faster than it exposes policy gaps.
Access review is increasingly part of the broader NHI and PAM governance conversation. The same review discipline that covers human entitlements also needs to extend to service accounts, API keys, and privileged automation where accountability is often weaker. As identity estates expand, review programmes that stop at employees will miss a growing share of real access risk. Practitioners should align review scope to the identities that actually hold power.
Review cadence without lifecycle discipline produces false confidence. Periodic reviews can only work when joiner, mover, and leaver events are feeding accurate entitlement state into the process. If lifecycle controls are weak, reviews become a retrospective clean-up exercise instead of a preventative governance control. The field should stop treating access review as a standalone activity and start treating it as one checkpoint in the full identity lifecycle.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.
- That gap reinforces why practitioners should also review the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs when entitlement governance extends beyond human users.
What this signals
Access review is becoming a control of record, but not yet a control of confidence. The survey points to broad adoption, yet manual review habits still weaken the evidence chain that governance teams need for audit, recertification, and remediation. For practitioners, the next step is to define what a good review outcome looks like, not just how often the review runs.
Identity programmes should expect the same review discipline to stretch further into machine and automation governance. As organisations expand NHI and AI-driven access, the boundaries between human entitlement review and machine privilege oversight will blur. That is why teams should cross-reference this topic with the Ultimate Guide to NHIs and align entitlement governance with non-human lifecycle controls.
The practical signal is that access review quality will increasingly become a metric for broader identity maturity. Teams that cannot show ownership, evidence, and revocation outcomes will struggle to prove that their IAM programme is doing more than maintaining paperwork.
For practitioners
- Segment reviews by access criticality: Prioritise high-risk entitlements, privileged roles, and externally exposed access before low-risk routine permissions. A single review cycle should not treat all entitlements equally, because review effort should follow blast radius, not organisational hierarchy.
- Require business ownership for approval decisions: Assign each review item to an accountable business owner who can confirm whether access is still required for the role or task. IT should validate the technical record, but the business should own the usage decision.
- Use review evidence to drive revocation, not reporting: Track whether each review results in retain, modify, or revoke decisions and measure how often stale access is actually removed. A review programme that produces reports but no entitlement changes is not reducing risk.
- Extend review scope beyond employee access: Include service accounts, privileged automation, and other non-human identities where the same governance weakness can exist at higher scale. Use the review process to surface ownership gaps and orphaned access before they become persistent exposure.
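The review mechanics described in the technical breakdown and in the four practitioner points above, as an added example that is not code from the original post, Netwrix, or NHI Mgmt Group: entitlements (human and non-human) are routed to an accountable business owner in criticality order, orphaned items are surfaced in their own queue, only the owner can record a retain/modify/revoke decision with evidence, and the cycle is measured by entitlement changes rather than review volume. The 90-day staleness threshold and all sample identities are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

OUTCOMES = {"retain", "modify", "revoke"}
PRIORITY = {"high": 0, "medium": 1, "low": 2}   # blast radius, not org chart
STALE_DAYS = 90                                  # assumed "unused" threshold shown to reviewers

@dataclass(frozen=True)
class Entitlement:
    identity: str              # user, service account or API key name
    kind: str                  # "human" or "nhi"
    resource: str
    role: str
    owner: Optional[str]       # accountable business owner; None means orphaned
    criticality: str           # "high", "medium" or "low"
    last_used: Optional[date]  # None means no usage evidence at all

def review_queue(entitlements, today):
    """Route items to their business owner, highest criticality first; entitlements
    with no owner land in an ORPHANED queue so ownership gaps are surfaced, not hidden."""
    queues = {}
    for e in sorted(entitlements, key=lambda e: PRIORITY[e.criticality]):
        stale = e.last_used is None or (today - e.last_used).days > STALE_DAYS
        queues.setdefault(e.owner or "ORPHANED", []).append((e, stale))
    return queues

def record_decision(ent, reviewer, outcome, evidence):
    """Only the accountable owner decides, and a decision needs an outcome plus evidence."""
    if reviewer != ent.owner:
        raise PermissionError(f"{reviewer} does not own {ent.identity}:{ent.role}")
    if outcome not in OUTCOMES or not evidence.strip():
        raise ValueError("decision must be retain/modify/revoke with written evidence")
    return {"identity": ent.identity, "role": ent.role, "outcome": outcome,
            "reviewer": reviewer, "evidence": evidence}

def revocation_metrics(decisions):
    """Measure the cycle by entitlement changes, not by how many items were reviewed."""
    changed = sum(d["outcome"] in ("modify", "revoke") for d in decisions)
    total = len(decisions)
    return {"reviewed": total, "changed": changed,
            "change_rate": round(changed / total, 2) if total else 0.0}

SAMPLE = [  # constructed sample data, not survey data
    Entitlement("alice", "human", "payroll-db", "db_admin", "finance-lead", "high", date(2025, 3, 1)),
    Entitlement("bob", "human", "wiki", "editor", "ops-lead", "low", date(2025, 8, 20)),
    Entitlement("ci-deployer", "nhi", "prod-k8s", "cluster-admin", None, "high", date(2025, 8, 30)),
    Entitlement("svc-report", "nhi", "payroll-db", "reader", "finance-lead", "medium", None),
]
```

Running `review_queue(SAMPLE, date(2025, 9, 4))` puts the unowned `ci-deployer` cluster-admin grant in the ORPHANED queue and flags both finance-lead items as stale, which is the context a reviewer needs to make a real decision instead of rubber-stamping.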
Key takeaways
- Access reviews are now mainstream, but completion alone does not prove governance maturity.
- Manual review processes still create weak decisions when business ownership and evidence are missing.
- Enterprises should measure entitlement review by revoked access, not just by review volume.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed and reviewed as part of identity governance. |
| NIST Zero Trust (SP 800-207) | | Zero trust depends on continuously validating access, including periodic entitlement review. |
| NIST SP 800-63 | | Federated identity and account assurance depend on accurate entitlement governance. |
Map entitlement review outcomes to PR.AC-4 and require revocation when access no longer matches need.
Key terms
- Access Review: A structured check to confirm whether an identity still needs the permissions it holds. In mature programmes, the review is tied to ownership, business purpose, and evidence so that excess access can be removed rather than merely documented.
- Entitlement: A permission, role, or access right assigned to an identity. Entitlements are the practical building blocks of access governance, because they define what a user, service account, or other identity can actually do in systems and data platforms.
- Privilege Creep: The gradual accumulation of access that is no longer required for the work being performed. It usually appears when movers, temporary changes, and exceptions are not cleaned up through lifecycle controls and periodic review.
- Recertification: A formal process where an owner reaffirms, changes, or removes an identity’s access rights. It matters because it converts entitlement review from a report into a governance decision with accountability, evidence, and a follow-up action.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Netwrix: 2022 Access Reviews Analytical Note. Read the original.
Published by the NHIMG editorial team on 2025-09-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org