TL;DR: Traditional access reviews assume reviewers can judge whether access should remain from permissions alone, but real risk is shaped by effective authority across groups, delegation, service identities, and cross-system relationships, according to Gathid. That makes most review decisions approximations, not assurance, because the control is measuring intent rather than what an identity can actually do.
At a glance
What this is: This is an analysis of why access reviews often miss real risk: permissions describe intended access, but effective authority determines what identities can actually do across systems.
Why it matters: It matters because IAM, IGA, PAM, and NHI governance teams need to review capability and escalation paths, not just entitlement lists, or they will keep approving hidden privilege.
👉 Read Gathid's analysis of why access reviews miss effective authority
Context
Access reviews are meant to confirm whether access is still appropriate, but the control weakens when reviewers are only shown permissions. Permissions describe intended access, while effective authority reflects what an identity can actually do once inheritance, delegation, service identities, and cross-system relationships are taken into account.
That distinction matters across IAM, IGA, PAM, and NHI governance because a clean entitlement list can still hide end-to-end control. The issue is not review fatigue or poor judgment, but a structural mismatch between what the reviewer sees and what risk actually depends on.
Key questions
Q: What breaks when access reviews are based only on granted permissions?
A: Reviews based only on granted permissions miss whether access was actually used, whether it was excessive, and whether it still matches the job or workload. That creates false confidence and weak audit evidence. Security teams need activity-aware review data so they can prove that privilege is not just assigned correctly but also kept current.
Q: Why do access reviews miss hidden privilege paths?
A: Access reviews usually examine entitlements one system at a time, which means they can miss how separate permissions combine into control across platforms. A nested group, inherited role, or surviving automation credential may look acceptable in isolation but create dangerous authority in aggregate. That is why relationship-aware analysis is necessary.
Q: What do security teams get wrong about access reviews?
A: Teams often treat access reviews as proof of control, when they are really only a point-in-time check. If reviewers cannot see current activity and business context, they may approve access that is technically valid but operationally obsolete. The better test is whether the governance model can explain why access still exists.
Q: Who is accountable when a review approves excessive authority?
A: Accountability sits with the access owner, the control owner, and the governance process that accepted an incomplete evidence set. If the review cannot show effective authority, then the organisation has not actually demonstrated control. Regulators and auditors will judge the outcome by whether risk was truly evaluated, not whether a campaign was completed.
Technical breakdown
Permissions versus effective authority
Permissions are a declarative layer. They show what policy or provisioning says should exist, but they do not reveal how access behaves after inheritance, nested roles, delegated rights, or service identities are introduced. Effective authority is the realised capability that emerges when those relationships combine. In practice, two identities with the same direct entitlements can have very different operational power once cross-system paths are considered. That is why a review built only on permission data can look complete while missing the actual control surface.
Practical implication: reviewers need authority-aware views that expose combined capability, not just entitlement membership.
Why access review campaigns approve hidden risk
Access review campaigns usually ask a business owner to validate a list of roles or entitlements. That works only if the list captures the full decision surface. In many environments, it does not. A role can appear routine, while another linked system allows transaction initiation, approval, or reconciliation. A service account can retain permissions after its business purpose has ended. The review then becomes an approximation, because the reviewer is judging fragments instead of the complete authority structure.
Practical implication: review evidence should include cross-system reach, delegated access, and service identity relationships before approval or revocation.
How authority visibility changes the control model
Authority visibility shifts access reviews from entitlement checking to capability assessment. Instead of asking whether an entitlement looks correct in isolation, the control asks whether the identity can actually perform sensitive actions end to end. That requires modelling relationship paths, inherited rights, and escalation routes across applications and infrastructure. For regulated organisations, this also improves defensibility because auditors can see what authority existed at a point in time and why a decision was made. The control stops being procedural and becomes evidentiary.
Practical implication: build review workflows around capability paths and point-in-time authority snapshots, not static role descriptions.
NHI Mgmt Group analysis
Access reviews fail when permissions are treated as the unit of risk. Permissions express intent, but effective authority is what creates exposure. When reviewers approve access from entitlements alone, they are validating a partial model of identity behaviour. The implication is that access review design must be anchored to realised capability, not the permission list that produced it.
Effective authority is the named concept that explains why routine reviews miss real privilege. Inheritance through groups, delegated access, service identities, and cross-system relationships can combine into end-to-end control without any single entitlement looking dangerous. That is why approvals often preserve concentration of authority even when individual line items appear normal. Practitioners should treat authority concentration as the real review target.
Authority visibility is now a governance requirement, not a reporting enhancement. A review that cannot show how access combines across systems cannot demonstrate whether risk was actually assessed. That weakens IGA, PAM, and audit assurance at the same time. The practical conclusion is that identity programmes must model relationships, not just accounts and roles.
Service identities expose the limits of human-shaped review logic. When a service account retains privileges beyond its purpose, reviewers looking at role recertification alone may never see the stale authority. The same review pattern used for people can therefore preserve machine access long after operational need has changed. Practitioners should separate human approval workflows from non-human authority analysis.
Access review effectiveness should be judged by what it can surface, not by how many campaigns it completes. A compliant review cycle can still miss escalation paths, delegated control, and cross-system execution. That means governance teams need outcome measures tied to hidden authority reduction. The conclusion is simple: count reduced capability, not completed attestations, as the real control signal.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For a broader control lens, the Ultimate Guide to NHIs , Key Challenges and Risks explains why visibility gaps and over-privilege persist even when access processes appear mature.
What this signals
Effective authority is becoming the real control boundary. Access review programmes that still optimise for clean entitlements will keep under-reporting privilege concentration, especially where service identities and delegated access can create control paths no approver sees. The governance gap is not more campaigns, but better modelling of who or what can actually act.
Because access, secrets, and workload relationships are increasingly entangled, review teams should expect higher false-confidence rates from permission-only recertification. The programme signal to watch is whether review outcomes reduce cross-system execution paths, not whether they simply close on schedule.
With 43% of security professionals already concerned about AI systems learning and reproducing sensitive information patterns from codebases, per The State of Secrets in AppSec, the same visibility problem is now crossing from access governance into AI-adjacent identity risk.
For practitioners
- Map effective authority paths before recertification Trace how direct entitlements, nested roles, delegated permissions, and service identities combine into end-to-end capability. Use those paths as the review unit instead of the raw role list, so approvers can see what the identity can actually do across systems.
- Separate human review from machine authority analysis Do not run service accounts and automation through the same review logic used for employee access. Build a distinct analysis for non-human identities that checks retained privileges, cross-system reach, and whether the identity still has a valid operational purpose.
- Add point-in-time authority evidence to every approval Capture what the identity could execute at the moment of review, including escalation routes and transitive access. That gives auditors a defensible record and prevents reviewers from relying on an entitlement snapshot that hides real capability.
- Prioritise identities with concentrated control across systems Flag accounts that can initiate, approve, and reconcile actions in the same business flow, even if each entitlement looks ordinary on its own. Those identities create the highest hidden-risk profile and should be reviewed first.
Key takeaways
- Access reviews fail when they validate permissions instead of effective authority.
- Hidden privilege usually emerges from inherited, delegated, and cross-system relationships, not from a single obvious entitlement.
- Identity governance gets stronger when reviewers can see capability paths, point-in-time authority, and concentrated control across systems.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Authority visibility gaps often hide non-human identity over-privilege and stale access. |
| NIST CSF 2.0 | PR.AA-01 | The article is about verifying whether access decisions reflect actual authority. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central because excessive effective authority can persist behind valid permissions. |
| NIST Zero Trust (SP 800-207) | The post aligns with continuous verification of actual access paths across systems. |
Map service accounts and automation to NHI-01 and review their effective authority, not just assigned entitlements.
Key terms
- Effective Authority: Effective authority is the control an identity can actually exercise after all inheritance, delegation, and cross-system relationships are applied. It can be broader than the permissions listed in a single console, which is why local reviews often understate risk. Security teams need to measure effective authority, not only assigned access.
- Access Review: A formal process for confirming whether access is still needed and justified. In IAM programs, the review becomes an evidence-bearing control when decisions are recorded, scoped correctly, and traceable to the right reviewer, application owner, or auditor.
- Authority concentration: The accumulation of excessive effective power into one identity or pathway. Concentration matters because it increases blast radius, creates escalation routes and makes it easier for one account, credential or delegated relationship to affect multiple systems at once.
- Cross-System Relationship: A cross-system relationship is a link between identities or permissions in different platforms that changes what an identity can do. These relationships are often invisible in isolated entitlement reviews, yet they are a common source of escalation and hidden control.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How access review workflows represent inheritance, delegated permissions, and cross-system authority in real environments.
- Examples of why permission-only recertification produces approval decisions that look compliant but miss practical control paths.
- A deeper explanation of why effective authority is a better review unit than role membership for IAM and IGA teams.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org