By NHI Mgmt Group Editorial Team
Published 2026-03-19
Domain: Governance & Risk
Source: Zluri

TL;DR: Manual access reviews consume 149 person-days per quarterly cycle and still let violations persist because organisations review only what their identity provider can see, according to Zluri. The real problem is incomplete discovery, not reviewer diligence: access governance built on partial visibility creates the illusion of control.


At a glance

What this is: This is an analysis of why user access reviews often fail to find or remove risky access, with complete visibility identified as the key control gap.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes all break down when review processes certify incomplete identity and application inventories instead of actual access relationships.



Context

User access review is the periodic process of checking whether people still need the access they have. In practice, most programmes rely on managers approving spreadsheets that only show part of the access picture, which makes the review look complete even when it is not.

The broader governance issue is visibility. When reviews only cover what sits inside the identity provider or SSO layer, teams miss direct app logins, shadow IT, contractor accounts, and other access paths that sit outside the review scope. That leaves IAM and IGA teams certifying an incomplete inventory rather than the real identity surface.


Key questions

Q: What breaks when user access reviews only cover the identity provider?

A: The review loses sight of direct app access, shadow IT, contractor accounts, and other entitlements that never flow through SSO. That means managers certify an incomplete population and assume governance coverage that does not exist. The result is false confidence, not real access control. For teams needing a reference model, the gap aligns closely with the visibility problems described in the Ultimate Guide to NHIs.

Q: Why do manual access reviews still leave risky access behind?

A: Manual reviews fail when reviewers lack context and are asked to make too many decisions too quickly. They see spreadsheets, not access history, business purpose, or entitlement source, so approval becomes the path of least resistance. The process creates paperwork and evidence, but not necessarily security improvement.

Q: How can security teams make access reviews more effective?

A: Start with complete discovery, then certify based on risk, role, and entitlement source instead of raw user counts. Use grouped reviews where the access model is clean, but keep high-risk applications under tighter scrutiny. The objective is not faster paperwork, it is accurate removal of unnecessary access.

Q: How should organisations prove access review effectiveness to auditors?

A: They should show the review scope, the evidence used to make decisions, the remediation trail, and the final revoke or approval outcome for each exception. Completion alone is weak evidence. Auditors want proof that the process found issues and that those issues were actually closed.


Technical breakdown

Why identity provider based reviews miss real access

Identity provider based access reviews depend on a partial control plane. They see only identities, applications, and entitlements that are connected to the directory or SSO layer. Anything provisioned directly inside an application, purchased outside IT, or accessed through shared credentials remains outside the review set. That is why managers can certify access confidently while orphaned accounts, stale contractors, and unsanctioned SaaS continue to hold privileges. The mechanism fails because the review system is not discovering the full relationship graph, only a subset of it.

Practical implication: build reviews on complete discovery, not only IdP exports.

Why manual certification creates false confidence

Manual certification collapses under volume and context loss. Reviewers are asked to approve or reject hundreds of entitlements without knowing whether access is new, dormant, inherited from a past role, or tied to a sensitive system. As a result, the default response becomes approval, forwarding, or silence. That turns access review into a throughput problem rather than a governance decision. The failure mode is not just slow execution. It is low-fidelity decision making at scale.

Practical implication: reduce decision load with grouped, risk-based certification and contextual evidence.

How complete discovery changes the review model

Complete discovery means tracking three things together: who exists, what exists, and who has access to what. In the article's model, that includes employee and contractor identities, sanctioned and shadow applications, and direct, group-based, or hidden access relationships. Once those three are connected, review scope becomes defensible and remediation becomes actionable. This is the architectural shift from certifying what is visible to governing what is actually present.

Practical implication: align access review scope to a full discovery model before automating certification.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access review failure is usually a visibility failure, not a reviewer failure. The article shows that managers can only certify what they are shown, and what they are shown is often a directory subset rather than the real access graph. That is why access reviews persist as compliance theatre even when teams work hard. The governance conclusion is simple: if the inventory is incomplete, the certification outcome is structurally unreliable.

Discovery gaps create a hidden identity surface that traditional IAM workflows cannot govern. The article's examples of stale ex-employees, contractors, and access outside SSO show how much of the access estate sits beyond review scope. This is exactly where the identity visibility gap becomes a named control failure. Practitioners should treat visibility as the prerequisite control, not a reporting enhancement.

Manual access review scales labour before it scales assurance. Zluri's reported 149 person-days per quarterly cycle shows why spreadsheet-driven certification becomes operational drag long before it becomes risk reduction. That labour profile is incompatible with continuous governance, especially when the business keeps adding apps faster than review capacity grows. The implication is that teams must stop measuring review activity and start measuring coverage.

Group-based certification is only useful when the underlying access model is already clean. The article correctly notes that group reviews can be faster, but they do not solve taxonomy drift, inconsistent application of roles, or hidden direct entitlements. This is where IAM and NHI governance intersect: the same programme that misses orphaned service accounts can also miss orphaned user entitlements. Practitioners should validate structure before optimising speed.

Complete access governance now depends on cross-domain discovery, not just identity administration. The review process described in the article reaches into applications, contracts, and usage patterns, which is a broader governance model than classic IGA alone. That is the right direction for modern programmes, because access risk increasingly lives at the edge of identity, application procurement, and lifecycle offboarding. The implication is that access reviews should be run as a discovery discipline, not a clerical one.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • For teams moving from certification theatre to ground truth, NHI Lifecycle Management Guide is the next resource to align discovery, rotation, and offboarding.

What this signals

Identity visibility now sits at the centre of access governance maturity. A programme can have reviewers, workflows, and audit trails and still miss the real risk if it cannot see every identity, application, and entitlement relationship. That is why NHI and human access governance are converging on the same problem: incomplete discovery produces incomplete control.

The practical signal for IAM teams is that review frequency matters less than review scope. If direct entitlements, shadow applications, and out-of-band access paths are not in the review population, quarterly certification simply re-validates an incomplete model. That should push teams toward broader discovery coverage and tighter lifecycle integration across human and machine access.

Access reviews and NHI governance are now part of the same operational pattern. Organisations that tolerate hidden service accounts or stale secrets often tolerate hidden user access for the same reason, which is weak lifecycle visibility. The control lesson is to treat discovery, certification, and revocation as one chain, not separate programmes.


For practitioners

  • Map the full access graph before the next certification cycle: inventory identities, applications, and direct entitlement paths outside the directory and SSO layer so reviews cover the full review population, not just visible users.
  • Separate high-risk systems from broad quarterly review pools: run tighter certification for finance, admin, and customer-data systems, then apply broader group-based reviews only where role taxonomy is reliable.
  • Require contextual evidence in reviewer workflows: show entitlement age, last use, source of provision, and role context so managers are not approving access blind from a flat spreadsheet export.
  • Track remediation, not just completion rates: measure how many violations are actually revoked, how many remain after the review, and how long it takes to close them so certification proves control effectiveness.
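The following is an added illustration (not code from Zluri or from NHIMG) of the discovery model in the Technical breakdown and the practitioner checklist above: an HR roster, an IdP/SSO assignment export and per-application account exports are joined into one access graph, each entitlement is flagged with review context (outside the IdP, orphaned, dormant), high-risk apps are separated from the grouped pool, and coverage and post-review remediation are measured. All identities, app names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inputs (hypothetical; not data from the Zluri guide).
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}  # identity -> status
IDP_ASSIGNMENTS = {("alice", "crm", "user"), ("carol", "crm", "user")}  # what SSO can see
APP_EXPORTS = [  # pulled from each app's own admin export: (identity, app, entitlement, last_used)
    ("alice", "crm", "user", date(2026, 3, 10)),
    ("carol", "crm", "user", date(2025, 9, 1)),
    ("bob", "erp", "admin", date(2025, 11, 20)),         # local login, never via SSO
    ("dave", "design-tool", "editor", date(2026, 3, 1)),  # shadow app, identity not in HR
]
HIGH_RISK_APPS = {"erp"}    # finance/admin systems go in the tighter certification pool
DORMANT_AFTER_DAYS = 90
REVIEW_DATE = date(2026, 3, 19)

@dataclass(frozen=True)
class Finding:
    identity: str
    app: str
    entitlement: str
    flags: tuple   # subset of ("outside_idp", "orphaned", "dormant")
    tier: str      # "high" -> individual scrutiny; "standard" -> grouped review

def build_findings(today: date = REVIEW_DATE) -> list:
    """Join HR, IdP and app-level data into one access graph with review context."""
    findings = []
    for identity, app, ent, last_used in APP_EXPORTS:
        flags = []
        if (identity, app, ent) not in IDP_ASSIGNMENTS:
            flags.append("outside_idp")   # invisible to an IdP-export-only review
        if HR_ROSTER.get(identity, "unknown") != "active":
            flags.append("orphaned")      # left the organisation, or never in the roster
        if (today - last_used).days > DORMANT_AFTER_DAYS:
            flags.append("dormant")
        tier = "high" if app in HIGH_RISK_APPS or "orphaned" in flags else "standard"
        findings.append(Finding(identity, app, ent, tuple(flags), tier))
    return findings

def idp_coverage() -> float:
    """Share of real entitlements an IdP-only review population would have contained."""
    seen = sum((i, a, e) in IDP_ASSIGNMENTS for i, a, e, _ in APP_EXPORTS)
    return seen / len(APP_EXPORTS)

def open_after_review(findings, revoked) -> list:
    """Completion is weak evidence: return flagged access still live after the cycle."""
    return [f for f in findings
            if f.flags and (f.identity, f.app, f.entitlement) not in revoked]
```

On this sample the IdP export covers only half of the real entitlements, and the two findings an IdP-only review would never have surfaced (the terminated employee's local ERP admin login and the unknown identity in the shadow app) are exactly the ones routed to the high-risk pool.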

Key takeaways

  • User access reviews fail most often because teams certify incomplete visibility, not because managers are unwilling to review access.
  • The scale problem is real: Zluri reports 149 person-days per quarterly cycle, which explains why manual certification struggles to produce timely remediation.
  • The control that changes outcomes is complete discovery across identities, applications, and access paths before certification begins.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed with current, least-privilege scope.
OWASP Non-Human Identity Top 10 | NHI-03 | Stale privileges and weak visibility mirror common NHI governance failures.
NIST SP 800-63 | | Identity proofing and federation context matter where human access crosses systems.

Extend discovery and review coverage to non-human accounts and hidden access paths.


Key terms

  • User Access Review: A user access review is a periodic check that verifies whether people still need the permissions they already have. In mature programmes, it should be evidence-driven and scope-complete, covering current role, entitlement source, and access age rather than relying on a manager's memory or a flat spreadsheet export.
  • Discovery Triad: The Discovery Triad is a practical model for establishing access ground truth by identifying who exists, what exists, and who has access to what. It shifts governance from directory-only visibility to complete access mapping, which is necessary when applications and identities live outside traditional SSO coverage.
  • Privilege Creep: Privilege creep is the gradual accumulation of permissions after job changes, project work, or temporary exceptions that were never removed. It is especially dangerous when access review programmes do not have full visibility into the original grant path or the current business need for the entitlement.
  • Entitlement Review: An entitlement review is the act of validating specific permissions, group memberships, or app-level access rather than checking identity status alone. The useful version connects the entitlement to business purpose, risk level, and recertification outcome so the organisation can revoke what no longer belongs.

Deepen your knowledge

Access review scope, lifecycle coverage, and entitlement governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to move from spreadsheet certification to ground-truth governance, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance User Access Reviews: 101 Introductory Guide. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org