TL;DR: RSA says its updated Governance & Lifecycle access review experience uses AI-derived insights, peer comparison, and clearer entitlement context to help reviewers focus on high-risk access and complete certifications with more confidence. The underlying issue is that access reviews fail when they become volume processing instead of governance decisions.
At a glance
What this is: RSA's updated Governance & Lifecycle access review experience adds AI-derived risk cues, peer comparison, and clearer access context to help reviewers decide faster.
Why it matters: For IAM, IGA, and PAM teams, access reviews are only effective when reviewers can make defensible decisions about who should still have access, and that has to hold across human identities, non-human identities (NHIs), and autonomous agents alike.
👉 Read RSA Security's post on updated Governance & Lifecycle access reviews
Context
Access reviews are supposed to validate whether access remains appropriate, but in practice they often degrade into list-processing exercises. When entitlement volume grows faster than review context, certifications stop being a control and start becoming an administrative chore, which weakens governance across human identities, service accounts, and other non-human access paths.
That gap matters because review quality depends on decision confidence, not just completion rate. If reviewers cannot explain why access exists, or compare an entitlement against peer patterns, organisations lose the evidence trail needed to prove that governance is active rather than ceremonial.
Key questions
Q: How should security teams improve access reviews without adding more reviewer burden?
A: Focus on decision support rather than more manual checking. Enrich each item with identity context, peer comparisons, and risk cues so reviewers can spend time on outliers instead of scanning every entitlement equally. The goal is fewer low-value decisions and more defensible approvals or removals.
Q: Why do access reviews often fail in mature identity programmes?
A: They fail when the process measures completion instead of decision quality. If reviewers lack enough context to justify approvals or removals, certifications become ceremonial and privilege drift continues. Mature programmes need evidence that reviews changed access, not just that they were submitted.
Q: How can organisations tell whether access certification is actually working?
A: Look for revocations, scope reductions, exception documentation, and fewer repeat approvals of outlier access. If the same risky access keeps passing through unchanged, the review process is producing activity, not governance. Effective certification leaves a visible trail of decisions, not just sign-offs.
Q: Who should own access review decisions in an IGA programme?
A: Business owners should remain accountable for the decision, while identity teams provide the evidence and workflow needed to make that decision defensible. Governance works best when approvers understand the access context and the identity team ensures the review process is consistent, auditable, and timely.
How it works in practice
Why static access review lists break governance
Traditional access reviews present entitlements as flat records, but governance decisions are contextual. A reviewer needs to know who the identity belongs to, what the entitlement is used for, whether it aligns with role expectations, and whether the access is unusual compared with peers. When those signals are missing, the reviewer is forced to guess. That turns certification into a checkbox exercise and creates false confidence in approval outcomes. In IGA terms, the failure is not review volume alone. It is the absence of decision context at the moment a human is asked to certify access.
Practical implication: enrich review objects with identity, entitlement, and peer context before asking for certification.
How AI-derived guidance changes reviewer decisions
AI-derived guidance in access reviews is best understood as decision support, not automation. It can rank entitlements by risk, cluster similar access patterns, and surface anomalies that would be hard to spot manually. The value is that reviewers spend less time scanning obvious low-risk items and more time questioning outliers. The control still depends on human judgment, but the workflow becomes more targeted. That matters in large environments where review fatigue creates systematic approval bias. The real shift is from exposing every entitlement to the reviewer equally to prioritised scrutiny of the few that warrant it. Two caveats apply: a score the reviewer cannot see the reasons for is itself a low-quality signal, so ranking should travel with the evidence behind it, and a low score is a reason to review last, never a reason to approve without looking.
Practical implication: use risk scoring to triage review queues, surface the reasons alongside the rank, and keep final approval authority with governance owners.
Why comparing users helps expose entitlement drift
Comparing one user with another gives reviewers a fast way to identify access that no longer fits the expected pattern. In practice, peer comparison helps expose privilege drift, inherited access, and exceptions that have become normalized over time. This is especially useful where role design is messy or where access has accumulated across job changes. A certification control becomes materially stronger when the reviewer can ask not only whether the entitlement is present, but whether it is consistent with similar identities. That is a simple mechanism, but it closes one of the most common blind spots in governance workflows.
Practical implication: add peer comparison to access reviews where role definitions are weak or exceptions are common.
NHI Mgmt Group analysis
Access review fatigue is a governance failure, not a usability issue. When reviewers are forced to process long entitlement lists without enough context, certification becomes a ritual instead of a control. The problem is not that people are slow, it is that the workflow is asking humans to make high-confidence decisions with low-quality signals. The implication is that governance teams must stop treating review completion as evidence of control effectiveness.
Decision quality matters more than review volume. Access reviews only reduce risk when reviewers can see why access exists, compare it against peer patterns, and quickly isolate outliers. That is the difference between administrative throughput and governance enforcement. This is where identity governance, PAM oversight, and entitlement analytics intersect. Practitioners should measure whether reviews produce defensible decisions, not just whether they finish on time.
Context is the missing control plane in many IGA programmes. Static certification lists assume reviewers already know enough about the identity, the entitlement, and the business justification. In reality, most programmes rely on people to reconstruct that context manually. That assumption breaks down as application sprawl and entitlement churn increase. The implication is that programmes built around list review alone are structurally under-instrumented.
Identity governance is moving toward decision augmentation, not decision replacement. The strongest access review models will combine human accountability with machine-assisted prioritisation and comparison. That does not remove the need for approvers. It reduces the likelihood that approvers will miss the few access items that actually matter. Practitioners should expect access review design to shift toward guided decisioning across human and non-human identities.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 15% of organisations (1.5 in 10) are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
- That confidence gap is why practitioners should read the NHI Lifecycle Management Guide alongside access review design, because entitlement governance and lifecycle control are converging.
What this signals
Context-rich certification is becoming the new baseline for identity governance. If reviewers cannot see why access exists, review programmes will keep producing approvals that look compliant but do not reduce risk. The practical shift is toward guided decisioning, where peer comparison, risk cues, and entitlement purpose are embedded directly into the review workflow.
The broader signal is that IGA teams will be judged less on review volume and more on whether reviews remove unnecessary access. That changes programme metrics, operational priorities, and the way business owners are expected to participate in governance.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps according to The State of Non-Human Identity Security, access review programmes that ignore connected identities will keep missing part of the governance surface.
For practitioners
- Add identity context to every certification item: include business role, entitlement purpose, peer baseline, and recent change history so reviewers are not judging raw lists in isolation.
- Triage reviews by risk before assigning reviewers: use risk scoring to push unusual, high-impact, or exception-based access to the top of the queue, instead of treating all certifications as equal.
- Use peer comparison to expose access drift: compare users holding similar roles or responsibilities so inherited privilege, role creep, and one-off exceptions are easier to challenge.
- Measure governance quality, not just completion rates: track how many certifications result in revocation, adjustment, or documented exception handling, because approvals alone do not prove control effectiveness.
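The mechanics described under "How it works in practice" and in the four points above (peer baseline, risk-ranked queue, reasons shown to the reviewer, and metrics on whether the review changed anything) fit in one small script. The example below is added for illustration and is not RSA's product code or anything from the original post. The identities, grants, sensitivity weights, thresholds and reviewer decisions are all constructed assumptions; a real programme would pull them from its IGA connectors, entitlement catalogue and risk policy.

```python
"""Context-enriched access review triage and decision-quality metrics. Added example,
not RSA's product code: identities, grants, weights, thresholds and decisions are constructed."""
from __future__ import annotations
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import date

TODAY = date(2026, 5, 1)  # constructed review date
# Constructed identities: four human analysts and three ETL service accounts (NHIs).
IDENTITIES = {"alice": "analyst", "bob": "analyst", "carol": "analyst", "dave": "analyst",
              "svc-etl": "etl-service", "svc-report": "etl-service", "svc-backup": "etl-service"}
# Assumed sensitivity weight per entitlement (a real programme takes this from its catalogue).
SENSITIVITY = {"prod-db-admin": 3, "billing-read": 2, "s3-etl-write": 2, "crm-read": 1}

@dataclass
class Grant:
    identity: str
    entitlement: str
    last_used: date | None          # None = never used
    justification: str = ""         # business justification on record
    changed_recently: bool = False  # granted or modified since the last review

ReviewItem = namedtuple("ReviewItem", "identity entitlement score tier reasons")  # tier: priority|standard|low

# Constructed grants: two peer outliers (prod-db-admin) and one stale grant (billing-read).
GRANTS = [
    Grant("alice", "crm-read", date(2026, 4, 20), "CRM analyst"),
    Grant("alice", "prod-db-admin", None, changed_recently=True),
    Grant("bob", "crm-read", date(2026, 4, 25), "CRM analyst"),
    Grant("carol", "crm-read", date(2026, 4, 27), "CRM analyst"),
    Grant("carol", "billing-read", date(2025, 9, 1), "covered finance in 2025"),
    Grant("dave", "crm-read", date(2026, 4, 26), "CRM analyst"),
    Grant("svc-etl", "s3-etl-write", date(2026, 4, 30), "nightly ETL job"),
    Grant("svc-report", "s3-etl-write", date(2026, 4, 30), "report build"),
    Grant("svc-report", "prod-db-admin", date(2026, 4, 30)),
    Grant("svc-backup", "s3-etl-write", date(2026, 4, 30), "nightly backup"),
]

def peer_baseline(grants, identities):
    """Fraction of identities in each role that hold each entitlement."""
    role_size = defaultdict(int)
    for role in identities.values():
        role_size[role] += 1
    holders = defaultdict(set)
    for g in grants:
        holders[(identities[g.identity], g.entitlement)].add(g.identity)
    return {k: len(ids) / role_size[k[0]] for k, ids in holders.items()}

def score_grant(g, baseline, identities, today=TODAY, stale_days=180, outlier_below=0.5):
    """Additive risk score plus the reasons shown to the reviewer (weights are assumptions)."""
    role = identities[g.identity]
    prevalence = baseline[(role, g.entitlement)]
    age = (today - g.last_used).days if g.last_used else 0
    checks = [  # (weight, reason, fires?)
        (3, f"peer outlier: {prevalence:.0%} of '{role}' hold it", prevalence < outlier_below),
        (2, "never used", g.last_used is None),
        (1, f"unused for {age} days", g.last_used is not None and age > stale_days),
        (1, "no justification on record", not g.justification),
        (1, "changed since last review", g.changed_recently),
    ]
    hits = [(w, r) for w, r, fires in checks if fires]
    return SENSITIVITY.get(g.entitlement, 1) + sum(w for w, _ in hits), [r for _, r in hits]

def triage(grants, identities, today=TODAY):
    """Rank the certification queue so outliers reach the reviewer first."""
    baseline = peer_baseline(grants, identities)
    items = []
    for g in grants:
        score, reasons = score_grant(g, baseline, identities, today)
        tier = "priority" if score >= 6 else "standard" if score >= 3 else "low"
        items.append(ReviewItem(g.identity, g.entitlement, score, tier, reasons))
    return sorted(items, key=lambda i: (-i.score, i.identity, i.entitlement))

def governance_metrics(queue, decisions):
    """Did the review change access? decisions: {(identity, entitlement): (outcome, rationale)}."""
    tier = {(i.identity, i.entitlement): i.tier for i in queue}
    counts = defaultdict(int)
    rubber_stamped, undocumented = [], []
    for key, (outcome, rationale) in decisions.items():
        counts[outcome] += 1
        if outcome == "approve" and tier.get(key) == "priority" and not rationale:
            rubber_stamped.append(key)   # outlier waved through with no stated reason
        if outcome == "exception" and not rationale:
            undocumented.append(key)     # exception kept without evidence
    changed = counts["revoke"] + counts["reduce"]
    return {"completed": len(decisions), "revoked": counts["revoke"], "reduced": counts["reduce"],
            "change_rate": changed / len(decisions) if decisions else 0.0,
            "rubber_stamped_priority": rubber_stamped, "undocumented_exceptions": undocumented}

def sample_decisions(queue):
    """Constructed reviewer decisions: everything approved except two outliers."""
    decisions = {(i.identity, i.entitlement): ("approve", "") for i in queue}
    decisions[("alice", "prod-db-admin")] = ("revoke", "never used; not an analyst entitlement")
    decisions[("svc-report", "prod-db-admin")] = ("reduce", "downgraded to prod-db-read; ticket filed")
    return decisions

if __name__ == "__main__":
    queue = triage(GRANTS, IDENTITIES)
    print(*queue[:3], governance_metrics(queue, sample_decisions(queue)), sep="\n")
```

Run as-is, the three items that reach the top of the queue are Alice's never-used, recently granted `prod-db-admin`, the report service account's unjustified `prod-db-admin` (an NHI outlier against its peers), and Carol's stale `billing-read`. The metrics then show the point made in the fourth bullet: ten certifications completed, but only two changed access, and Carol's outlier was approved with no rationale, which `rubber_stamped_priority` reports so it cannot pass silently into the next cycle.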
Key takeaways
- Access reviews fail when they become list processing instead of context-aware governance decisions.
- The main improvement in this updated workflow is not speed alone, but better prioritisation of risky access and easier identification of outliers.
- Practitioners should measure whether certifications change access, because sign-offs without revocation or adjustment do not prove control effectiveness.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements are defined, managed, enforced and reviewed under least privilege; context-rich certification is how the "reviewed" part becomes a real control. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Dynamic, per-request authorisation assumes the enterprise keeps current, contextual knowledge of identities and their entitlements, which stale review data undermines. |
| NIST CSF 2.0 | GV.OV-03 | Risk management performance is evaluated and adjusted; governance metrics should measure whether reviews reduce risk, not just whether they finish on schedule. |
Use zero trust principles to keep access decisions tied to current identity and entitlement context.
Key terms
- Access Review: An access review is a governance process where an approver checks whether an identity should still have a given entitlement. In practice, it only works when the reviewer has enough business and technical context to make a defensible decision, not just approve a list of accounts.
- Certification: Certification is the formal act of approving or revoking access during an access review cycle. It is only meaningful when the decision changes the entitlement state or documents a valid exception, otherwise it becomes a record of activity rather than a control outcome.
- Peer Comparison: Peer comparison is the act of evaluating an identity's access against similar users, roles, or responsibilities. It helps reviewers spot exceptions, role creep, and inherited privilege that would be easy to miss in a flat entitlement list.
- Entitlement Context: Entitlement context is the supporting information that explains why access exists, who uses it, and whether it matches expected patterns. It turns review from a guessing exercise into a governance decision with evidence behind it.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
This post draws on content published by RSA Security: Updated RSA Governance & Lifecycle Access Reviews Accelerate Action, Reduce Effort. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org