TL;DR: Access reviews often degrade into rubber stamping because reviewers face too many entitlements, too little context, and too much disruption risk, according to Twine Security. Agentic UARs only improve governance when they raise decision quality, preserve accountability, and keep actions inside explicit permission boundaries.
At a glance
What this is: This is an analysis of why enterprise access reviews become rubber stamping and how agentic UARs aim to improve decision quality with better evidence and bounded automation.
Why it matters: It matters because IAM, PAM, and NHI programmes all rely on review quality, and weak attestation logic leaves excess privilege in place across human users, service accounts, and emerging AI-driven workflows.
👉 Read Twine Security's analysis of why access reviews become rubber stamping
Context
Access reviews are supposed to be the backstop for least privilege, but at enterprise scale they often become a throughput exercise rather than a control. When reviewers cannot see enough evidence to make a safe deny decision, the path of least resistance is approval, even when the entitlement no longer makes sense.
That matters beyond human IAM. The same governance pattern shows up anywhere access is delegated, recertified, or certified at scale, including service accounts and AI-assisted workflows. If the programme only measures completion, not decision quality, it is optimising the wrong outcome.
For teams looking to anchor this work in a broader governance model, the question is not whether access reviews exist, but whether they produce defensible decisions with traceable evidence. That is the line between a control that reduces privilege and a process that merely moves tickets forward.
Key questions
Q: How should security teams use AI in access reviews without losing control?
A: Use AI to collect evidence, rank risk, and draft recommendations, but keep final approval with a human for high-impact access. The control boundary must be explicit, with auditable rationale, policy enforcement, and rollback handling. If the workflow cannot show why a decision was made, it is helping throughput more than governance.
Q: Why do access reviews so often become rubber stamping?
A: Rubber stamping happens when reviewers face too many items, too little context, and too much fear that removing access will break work. In that situation, approval becomes the safest default. The fix is not more reminders alone. The fix is better evidence, clearer prioritisation, and review items that are actually defensible.
Q: What should organisations measure to know whether access reviews are working?
A: Measure revoke and downgrade rates where evidence supports action, the completeness of evidence attached to each item, and whether audit packages can be reproduced later. If the programme only improves on-time completion, it has not fixed the underlying decision problem.
Q: Who should retain responsibility when AI assists access certification?
A: Human reviewers should retain responsibility for high-risk access decisions, especially privileged or sensitive entitlements. AI can recommend, enrich, and prioritise, but it should not erase accountability. The organisation must be able to show which person approved each material change and why.
Technical breakdown
Why access reviews collapse into rubber stamping
Rubber stamping is not usually a people problem. It is a workflow design problem created when reviewers must make binary decisions across large entitlement sets with weak context and high perceived downside to removing access. In that environment, the process rewards speed over judgment. Reminders and escalations can improve completion rates, but they do not create decision signal. The real failure is that the review record often shows a permission string, not the business reality behind it, so the reviewer lacks the evidence needed to deny safely.
Practical implication: Measure whether reviews improve revoke quality, not just completion speed, and treat low-context entitlement records as a control defect.
What agentic UARs actually automate
Agentic user access reviews are not black-box auto-revocation. They use AI to assemble evidence, prioritise risky entitlements, and generate recommendations such as approve, deny, modify, or time-bound, while keeping final authority inside human review and policy boundaries. The architecture matters: the system must be controlled, meaning it can only act within explicit permissions, and auditable, meaning every recommendation can be traced back to source evidence and policy logic. Without those two properties, the workflow becomes a faster version of the same broken process.
Practical implication: Require hard permission boundaries and traceable recommendation logic before allowing AI into certification or recertification flows.
Why evidence provenance is the real control surface
The value of agentic UARs comes from evidence quality, not from the label of being AI-powered. Effective workflows enrich the review with identity context, grant context, usage data, resource sensitivity, and reproducible rationale. That makes decisions defensible months later, even after tool changes or personnel turnover. It also forces a clearer separation between recommendation and approval, which is crucial when access changes are high impact. In practice, the review record becomes the control, because the output must survive audit, dispute, and rollback.
Practical implication: Demand audit-ready rationale with source provenance for every recommendation, especially where privileges are sensitive or business-critical.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Rubber stamping is a control-design failure, not reviewer laziness: Access review programmes collapse when they ask humans to make high-volume entitlement decisions with poor evidence and high disruption risk. That structure predictably drives blanket approval, even in well-intentioned teams. The implication is that attestation quality has to be treated as a control property, not a training issue.
Controlled autonomy is the only defensible model for agentic UARs: AI can improve access reviews only when it stays inside explicit permission boundaries and produces traceable rationale. If the system can recommend without being able to execute sensitive changes, human accountability remains intact. The implication is that automation should be constrained by design, not trusted by default.
Access review governance must shift from completion metrics to decision quality: A programme can close every campaign on time and still leave excessive privilege untouched. Decision quality, revoke rate where evidence supports it, and reproducible audit outputs are the real measures of maturity. Practitioners should stop treating completion as proof of control effectiveness.
Traceable rationale is the new governance currency for certification workflows: The strongest review model is the one that can explain why an entitlement stayed, changed, or was removed after the fact. That requires data provenance, policy enforcement, and rollback handling to be part of the operating model. Practitioners should evaluate any UAR workflow by whether its rationale survives audit.
Agentic UARs expose the same governance weakness that affects NHI programmes: Identity processes fail when they depend on humans seeing enough context at the moment of decision. The same structural issue appears in service account governance, where missing context allows privilege to persist unchallenged. Practitioners should align review design across human and non-human access models.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 59% of infrastructure leaders cite "confidently wrong" AI configuration as their top fear, underscoring how easily automated decisioning can produce certainty without sound control.
- That governance gap is why readers should also review OWASP Agentic AI Top 10 for tool-boundary and agent-control failure modes.
What this signals
Controlled autonomy will become the default design test for review automation: IAM teams should expect access review tooling to be judged less on workflow efficiency and more on whether it can prove why a decision was made. The programme signal is clear. If the review record cannot survive audit, the process is not mature enough for delegated decision support.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the same pattern of weak governance is already visible in broader identity practice. Review automation should therefore be evaluated as part of a wider entitlement-control strategy, not as a standalone productivity feature.
The next stage of maturity is not more review volume, but better decision surfaces. That means integrating entitlement provenance, usage telemetry, and exception handling into the workflow so reviewers can act with confidence rather than defaulting to approval.
For practitioners
- Rebuild review criteria around decision quality: Track revoke, downgrade, and time-bound outcomes alongside completion rates so the programme measures whether reviewers are making better decisions, not simply faster ones.
- Require evidence provenance for every entitlement: Force each review item to show why access exists, what it enables, how recently it was used, and which source systems produced the evidence before the reviewer sees it.
- Set hard permission boundaries for agentic workflows: Allow the system to assemble evidence and recommend actions, but restrict execution to safe, policy-approved steps such as ticket creation or confirmation requests.
- Separate recommendation from approval in high-risk access: Keep privileged and sensitive entitlements under human approval, and make that approval explicit in the workflow rather than implied by a default action.
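As an added illustration of the bounded model these four points describe (example code written for this post, not Twine Security's or NHIMG's tooling): the agent drafts a recommendation only when it can cite fresh evidence, flags an evidence gap instead of defaulting to approval, and can execute nothing beyond ticket creation or a confirmation request, with high-sensitivity changes blocked until a named human approver is recorded. The 30-day staleness window, the 90-day non-use threshold, the source names and the three sample items are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
NOW = datetime(2026, 3, 1)                       # constructed clock for the sample data
STALE_AFTER = timedelta(days=30)                 # evidence older than this cannot support a deny
UNUSED_DAYS = 90                                 # non-use threshold that makes a deny defensible
ALLOWED_STEPS = {"create_ticket", "request_confirmation"}  # the only steps the agent may execute

@dataclass
class Evidence:
    source: str             # system that produced the fact (provenance)
    collected_at: datetime  # when it was collected (staleness check)
    last_used_days: int     # days since the entitlement was last exercised, per that source

@dataclass
class ReviewItem:
    user: str
    entitlement: str
    sensitivity: str        # "low" or "high"; high always needs a named human approver
    evidence: list[Evidence]

def recommend(item: ReviewItem) -> dict:
    """Draft approve/deny/needs_evidence with a rationale that cites its fresh sources."""
    fresh = [e for e in item.evidence if NOW - e.collected_at <= STALE_AFTER]
    sources = [f"{e.source}@{e.collected_at:%Y-%m-%d}" for e in fresh]
    high = item.sensitivity == "high"
    if not fresh:  # no defensible deny without evidence, so surface the gap instead of approving
        return {"action": "needs_evidence", "requires_human": high,
                "rationale": "no evidence fresher than 30 days", "sources": sources}
    if min(e.last_used_days for e in fresh) >= UNUSED_DAYS:
        return {"action": "deny", "requires_human": high,
                "rationale": f"unused for at least {UNUSED_DAYS} days", "sources": sources}
    return {"action": "approve", "requires_human": high,
            "rationale": "recent use observed", "sources": sources}

def execute(rec: dict, approver: str = "") -> dict:
    """Map a recommendation onto a bounded step; the agent never revokes directly."""
    if rec["requires_human"] and not approver:
        raise PermissionError("material change needs an explicit, named human approver")
    step = "create_ticket" if rec["action"] == "deny" else "request_confirmation"
    assert step in ALLOWED_STEPS  # hard permission boundary
    return {"step": step, "approver": approver, "rationale": rec["rationale"], "sources": rec["sources"]}

def supported_revoke_rate(recs: list[dict]) -> float:  # denies per item that had usable evidence
    decided = [r for r in recs if r["action"] != "needs_evidence"]
    return sum(r["action"] == "deny" for r in decided) / len(decided) if decided else 0.0

def sample_items() -> list[ReviewItem]:  # constructed sample: a dormant, a live and a stale item
    return [ReviewItem("alice", "prod-db-admin", "high", [Evidence("aws-cloudtrail", datetime(2026, 2, 20), 120)]),
            ReviewItem("bob", "wiki-editor", "low", [Evidence("sso-logs", datetime(2026, 2, 25), 3)]),
            ReviewItem("svc-report", "s3-read", "high", [Evidence("aws-cloudtrail", datetime(2025, 12, 1), 200)])]
```

Note that `supported_revoke_rate` excludes evidence-gap items from the denominator, so a campaign that closes every item on time but never sees fresh usage data scores zero rather than looking complete.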
Key takeaways
- Access reviews fail structurally when they optimise throughput over decision quality, which makes rubber stamping the predictable outcome.
- Agentic UARs only improve governance when they preserve human accountability, enforce permission boundaries, and generate audit-ready rationale.
- The practical test is not whether every review closes, but whether the programme can support safe revocation, downgrade, and exception handling with evidence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Access review drift and stale privileges are central to NHI governance. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and permission governance map directly to review quality. |
| NIST Zero Trust (SP 800-207) | AC-6 | Zero trust requires continuous validation of entitlement scope and trust assumptions. |
Review NHI entitlements for stale access and remove privileges that lack current business justification.
Key terms
- Rubber Stamping: A review pattern where approvers accept most entitlements with little real evaluation. It usually appears when decision context is weak, entitlement volume is high, and the perceived cost of removal is higher than the cost of approval. The control fails because the process rewards completion, not judgment.
- Agentic User Access Review: An access review workflow that uses AI to gather evidence, prioritise items, and draft recommendations while keeping human ownership for material decisions. In practice, it is only safe when action boundaries are explicit, recommendations are traceable, and the system cannot silently cross into privileged execution.
- Decision Quality: The extent to which a review outcome reflects the actual business need, usage evidence, and risk level of the entitlement being assessed. For identity governance, decision quality matters more than campaign completion because it determines whether excess privilege is removed, downgraded, or left in place.
- Evidence Provenance: The traceable origin of the data used to support an access decision. Good provenance shows which systems supplied the evidence, when the data was collected, and whether it was complete or stale. Without provenance, a reviewer can only trust the recommendation, not verify it.
Deepen your knowledge
Access review governance and decision quality are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is moving toward AI-assisted certification or broader identity automation, it is worth exploring.
This post draws on content published by Twine Security: Access reviews are broken, and agentic UARs change the calculus. Read the original.
Published by the NHIMG editorial team on 2026-03-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org