By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: AI-driven access recommendations use peer-group and identity-attribute analysis to suggest approve or revoke decisions during access certification, while excluding birthright access and auto-approving low-risk items to reduce review fatigue, according to SailPoint. The deeper issue is that certification only works when reviewers have enough context to make precise revocation decisions, not just rubber-stamp entitlements.


At a glance

What this is: This is a product blog on AI-driven access recommendations that argues certification should shift from broad review toward more targeted revocation decisions.

Why it matters: It matters because IAM teams need to reduce review fatigue without creating blind spots, especially where entitlement sprawl and overprovisioning make human certification unreliable.



Context

Access certification becomes noisy when reviewers are asked to judge too many entitlements without enough context. In practice, that pushes managers toward approval fatigue, which weakens revocation decisions and allows unnecessary access to persist in the identity programme.

The article’s core issue is not whether reviews exist, but whether they produce defensible decisions. For IAM, IGA, and access governance teams, the question is how to use identity context to improve review quality without turning certification into another rubber-stamp exercise.


Key questions

Q: How should security teams use AI in access certification without losing accountability?

A: Use AI to reduce review noise, not to replace the reviewer. The best pattern is to surface likely approvals, likely revocations, and outlier entitlements, then require a named human to make the final call. That keeps certification auditable while improving decision quality and reducing rubber-stamping.

Q: Why do access reviews often fail to remove the right entitlements?

A: They fail when reviewers are given too many items with too little context. Without role, peer-group, or business-use signals, managers tend to approve broadly to avoid accidentally revoking needed access. That produces clean campaign metrics but weak governance outcomes.

Q: Should organisations exclude birthright access from certification campaigns?

A: Yes, when birthright access is well-defined and consistently provisioned. Including standard access in certification queues hides the real governance work, which is deciding whether discretionary or privileged access is still justified. Exclusion improves signal, but only if the baseline entitlement model is trustworthy.

Q: How do you know if access recommendations are improving governance?

A: Look for higher-quality revocation decisions, fewer blanket approvals, and less reviewer fatigue over time. If campaigns finish faster but almost nothing is removed, the programme is only optimising administration. Real value appears when recommendations change outcomes on unnecessary access.


Technical breakdown

How peer-group analysis changes certification decisions

Peer-group analysis compares an identity to others with similar attributes such as role, department, and location. Instead of forcing reviewers to inspect every entitlement as if it were isolated, the recommendation engine uses pattern matching to suggest whether access looks normal or out of place. That does not replace governance judgement, but it changes the review input from raw entitlement lists to decision-support context. The main technical value is reduction of noise, which makes revocation candidates easier to spot during certification campaigns.

Practical implication: use recommendation logic to prioritise outlier entitlements, not to eliminate human accountability.

Why birthright access exclusion matters in access reviews

Birthright access is the baseline access users need to function in standard business processes, such as collaboration or core productivity tools. When those items are mixed into certification queues, reviewers spend time approving access that should already be expected, which dilutes attention from higher-risk entitlements. Excluding birthright access is therefore an information-design decision, not just a workflow shortcut. It narrows the governance surface so certification can focus on access that is actually discretionary, sensitive, or privilege-bearing.

Practical implication: separate expected baseline access from discretionary access before reviews begin.

AI-assisted revocation versus blanket approval

The operational shift in this model is from broad certification toward selective revocation. That matters because access review programmes fail most often when managers lack confidence to remove permissions, especially across large and unfamiliar entitlement sets. AI-driven recommendations try to make revocation safer by surfacing likely candidates for removal and lowering the perceived cost of being wrong. The governance risk is overtrusting the model, but the benefit is real when the organisation uses recommendations to reduce review burden and improve decision quality.

Practical implication: measure whether recommendations increase revocation precision, not just campaign completion speed.
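As an added illustration (not SailPoint's code or algorithm), the Python sketch below ties the three mechanisms above together: birthright exclusion, peer-group outlier scoring with auto-approval of low-risk items, and a named-reviewer record that keeps overrides visible for audit. The identity data, entitlement names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed sample directory (not SailPoint's data or code): identities with
# role/department attributes and their currently assigned entitlements.
IDENTITIES = {
    "alice": {"role": "analyst", "dept": "finance", "ents": {"m365", "erp_read", "erp_post_journal"}},
    "bob":   {"role": "analyst", "dept": "finance", "ents": {"m365", "erp_read"}},
    "dave":  {"role": "analyst", "dept": "finance", "ents": {"m365", "erp_read", "prod_db_admin"}},
    "erin":  {"role": "engineer", "dept": "platform", "ents": {"m365", "prod_db_admin"}},
}
BIRTHRIGHT = {"m365"}                               # baseline access, excluded from the queue
SENSITIVE = {"prod_db_admin", "erp_post_journal"}   # privilege-bearing, never auto-approved
AUTO_APPROVE_RATIO = 0.8                            # low-risk item held by >=80% of peers

@dataclass
class Item:
    identity: str
    entitlement: str
    peer_ratio: float   # share of peers holding this entitlement
    suggestion: str     # auto_approve | approve | revoke | no_peer_signal
    reviewer: str = ""  # set only by a named human
    decision: str = ""
    reason: str = ""

def peers_of(name):
    me = IDENTITIES[name]
    return [n for n, i in IDENTITIES.items()
            if n != name and i["role"] == me["role"] and i["dept"] == me["dept"]]

def recommend(name):
    """Peer-group analysis over the non-birthright entitlements of one identity."""
    peers, items = peers_of(name), []
    for ent in sorted(IDENTITIES[name]["ents"] - BIRTHRIGHT):
        ratio = sum(ent in IDENTITIES[p]["ents"] for p in peers) / max(len(peers), 1)
        if not peers:
            sug = "no_peer_signal"                    # no comparison set: do not guess
        elif ent not in SENSITIVE and ratio >= AUTO_APPROVE_RATIO:
            sug = "auto_approve"                      # low-risk and normal for the peer group
        elif ratio >= 0.5:
            sug = "approve"
        else:
            sug = "revoke"                            # outlier among peers: revocation candidate
        items.append(Item(name, ent, ratio, sug))
    return items

def decide(item, reviewer, decision, reason):
    # Record the named reviewer's call beside the suggestion so overrides stay auditable.
    if item.suggestion == "auto_approve":
        raise ValueError("auto-approved item is not routed to a reviewer")
    item.reviewer, item.decision, item.reason = reviewer, decision, reason
    return item.decision != item.suggestion           # True when the human overrode the model
```

Items tagged no_peer_signal show the limit of the technique: without a comparison group the engine has no basis for a suggestion, and the reviewer must decide on business need alone.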


NHI Mgmt Group analysis

Certification fatigue is the real control problem, not the existence of access reviews. The article shows that managers often approve everything when they lack context, which turns periodic review into ceremonial compliance. That is a governance failure because the control exists on paper but does not reliably remove unnecessary access. The practical conclusion is that review design must be judged by revocation quality, not by campaign volume.

Access recommendations are most useful when they narrow, rather than replace, human judgement. Peer-group analysis can help reviewers identify outliers, but it cannot determine business need on its own. In governance terms, the value comes from reducing low-signal work so humans can focus on exceptions, sensitive access, and privilege-bearing entitlements. Practitioners should treat AI support as a triage layer, not a delegated decision-maker.

Excluding birthright access is a useful way to restore signal to certification workflows. When expected baseline entitlements are mixed with discretionary access, review quality drops because the queue becomes too large and too routine. The article points to a broader identity governance lesson: every access review should be curated around decision value, not entitlement count. Practitioners should separate routine access from revocation-worthy access before certification starts.

Decision-quality governance: the meaningful metric is whether access reviews change outcomes, not whether they are completed on schedule. That is where many programmes misread success. A campaign that finishes quickly but removes little unnecessary access is not a strong control. The better test is whether recommendations improve reviewer confidence, reduce rubber-stamping, and increase defensible revocation decisions across the entitlement set.

AI-assisted certification fits the direction of modern IAM, but only if it preserves accountable review. Identity programmes are moving toward more contextual and risk-informed decisions, and this article reflects that shift. The discipline is to use AI to reduce friction without allowing it to become an unexamined authority. Practitioners should align AI-assisted reviews with access governance standards and audit expectations, then verify the human decision remains visible and accountable.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • That behaviour gap shows why identity governance needs better signals, as explored in Ultimate Guide to NHIs.

What this signals

Access review programmes are moving toward decision support, not just administrative completion. The governance signal here is that entitlement reviews need better context to stay useful as environments grow noisier. Organisations that already struggle with review fatigue should treat recommendation systems as a way to improve signal density, then validate that reviewers are actually removing unnecessary access.

Review curation is becoming a first-class control design choice. If birthright access and discretionary access stay mixed together, certification will keep producing superficial compliance. Teams should align review design with role expectations, high-risk entitlements, and audit evidence, then connect those decisions back to Top 10 NHI Issues where machine and service identities create similar governance noise.

With 43% of security professionals concerned about AI systems learning and reproducing sensitive information patterns from codebases, per The State of Secrets in AppSec, the broader message is that AI assistance only helps when the underlying identity data is clean enough to trust. That is why recommendation engines should be evaluated as part of the full access-governance stack, not as standalone automation.


For practitioners

  • Separate baseline access from discretionary access: remove birthright items such as standard collaboration and productivity entitlements from certification queues before reviews begin, so managers evaluate only access that can genuinely be revoked.
  • Use recommendations to prioritise exceptions: tune review workflows so AI suggestions highlight outlier access, unusual entitlement patterns, and high-risk permissions instead of pushing every entitlement through the same path.
  • Measure revocation quality, not campaign speed: track how many inappropriate entitlements are removed, how often reviewers override recommendations, and whether post-review access aligns better with role and department norms.
  • Preserve human accountability for final decisions: ensure every recommended approval or revocation remains attributable to a reviewer, with an audit trail that shows why the decision was accepted or rejected.

Key takeaways

  • The article argues that access certification fails when managers lack context and default to blanket approval.
  • The practical value of AI recommendations is not speed alone, but better revocation decisions on discretionary access.
  • Programmes should separate birthright access from review-worthy entitlements and keep human accountability intact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions management is directly relevant to certification and revocation decisions. |
| NIST Zero Trust (SP 800-207) | AC-4 | Least-privilege enforcement depends on accurate, context-rich access decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The post's access governance logic overlaps with controlling standing access and entitlement sprawl. |

Review NHI entitlements for overprovisioning and remove access that no longer has a clear purpose.


Key terms

  • Access Certification: Access certification is the recurring process of asking an owner or manager to confirm whether an identity still needs its assigned access. It is a governance control, not a technical enforcement mechanism, and its quality depends on the reviewer having enough context to make revocation decisions confidently.
  • Birthright Access: Birthright access is the baseline set of entitlements an identity receives automatically because of its role or employment status. It should be expected, low-risk, and easy to identify, otherwise it pollutes review queues and distracts reviewers from discretionary or privileged access that actually needs judgement.
  • Revocation Decision Support: Revocation decision support is the use of contextual signals such as peer groups, role, department, and location to help reviewers decide what access should be removed. It does not replace governance responsibility, but it can reduce noise and improve the quality of access review outcomes when used carefully.
  • Certification Fatigue: Certification fatigue is the tendency for reviewers to approve large access review lists without proper analysis because the workload is repetitive, time-consuming, or too poorly contextualised. It is a control failure mode that turns a governance process into a compliance ritual with weak remediation value.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: AI-driven Access Recommendations - Less Certification. More Revocation. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org