TL;DR: AI-guided access reviews reduce reviewer overload by using AI to surface low-risk grants, explain its reasoning, and keep high-risk decisions with a human signer, according to Opal Security. The governance shift is not automation alone but preserving auditability while challenging the assumption that human review scales cleanly past a certain point.
At a glance
What this is: This is Opal Security’s product update on AI-guided access reviews, with a key finding that attention, not effort, is the real bottleneck in access certification at scale.
Why it matters: It matters because IAM, IGA, and PAM teams need review workflows that preserve decision quality across human, NHI, and agentic identities as entitlement volume grows.
By the numbers:
- Mercari governs more than 5,000 Okta entitlements through automated reviews on Opal, the kind of scale no quarterly cycle clears by hand.
👉 Read Opal Security's product update on AI-guided access reviews
Context
Access reviews are the control point where organisations prove who should still have access, but the process often collapses under volume. When reviewers are forced to certify too many grants at once, low-risk items and high-risk items receive the same attention, which turns governance into a formality instead of a decision.
For IAM and IGA programmes, the problem is not just review speed. It is whether the programme can preserve scrutiny, separation of duties, and audit evidence as access expands across employees, service accounts, and AI-driven workflows.
Key questions
Q: How should security teams use AI in access reviews without weakening governance?
A: Use AI to pre-process routine entitlements, surface the evidence behind each recommendation, and reserve human approval for elevated or ambiguous access. The review process should improve reviewer focus, not remove accountability. If the system cannot explain why a grant is low risk, it should not be auto-cleared.
Q: When does AI-assisted certification create more risk than it reduces?
A: It creates more risk when the organisation treats recommendations as approvals, or when reviewer trust replaces evidence. If the workflow lacks escalation rules, audit logging, and a clear human decision boundary, AI can speed up a broken process rather than improve it.
Q: What do IAM teams get wrong about access review automation?
A: They often optimise for campaign completion instead of decision quality. A fast review that certifies everything, including unclear access, is weaker than a slower review that reliably separates routine grants from genuinely risky ones. Automation should compress low-value work, not dilute scrutiny.
Q: How can organisations keep access certifications defensible for audits?
A: They need a complete history of who approved what, on what basis, and with which supporting signals. A defensible certification trail includes rationale, reassignment, exceptions, and policy context. Without that evidence, auditors can question whether the review was meaningful at all.
How it works in practice
Risk bucketing in access certification
AI-guided access reviews work by clustering grants into risk tiers using signals such as resource sensitivity, requester risk, and temporal context. The purpose is not to auto-approve everything, but to reduce cognitive load so reviewers can focus on the entitlements that matter most. This is closer to decision support than autonomous governance: the system prepares the campaign, exposes its reasoning, and leaves the final judgment with the reviewer where policy requires it.
Practical implication: separate low-risk bulk review handling from elevated access decisions instead of forcing one manual workflow for both.
Auditable reasoning and reviewer accountability
A review system is only defensible if every recommendation and approval can be traced back to the signals that drove it. In practice, that means the platform must log not just the decision, but also the rationale, reassignment, and supporting context. This matters because access reviews are often judged after the fact in audits, investigations, or breach reviews, when a clean decision history is more valuable than a fast campaign.
Practical implication: require immutable decision history and rationale capture for every certified grant.
Policy tuning for dynamic governance
Policy-driven access reviews need to reflect local risk tolerance, not a fixed vendor-defined threshold. Tuning confidence levels, guardrails, and escalation rules lets organisations decide where human sign-off is mandatory and where AI can prepare routine work. The architectural point is that access governance only scales when policy is explicit enough to be enforced consistently and reviewed later by compliance teams.
Practical implication: define escalation thresholds and review guardrails before letting AI assist certification at scale.
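The three subsections above describe one pipeline: score each grant from named signals, bucket it against locally tuned thresholds, pre-clear only what the system can explain, and leave a tamper-evident record of every recommendation and human decision. The following Python is an added example for this page, not Opal's code and not taken from the original post. Everything in it is an assumption chosen for illustration: the signal set (resource sensitivity, principal risk, privileged flag, usage recency), the point weights, the threshold values in `Policy`, the identity-class taxonomy, and the sample campaign data.

```python
# Added example, not Opal's code: explainable risk bucketing plus a hash-chained
# decision trail. All signals, weights, thresholds and sample data are assumed.
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class Grant:
    grant_id: str
    principal_type: str              # "human", "service_account" or "agent" (assumed taxonomy)
    resource: str
    resource_sensitivity: int        # 0 (public) .. 3 (crown jewel), assumed scale
    principal_risk: int              # 0 .. 3 from an upstream risk signal, assumed scale
    days_since_last_use: int | None  # None: no usage telemetry exists for this grant
    privileged: bool

@dataclass(frozen=True)
class Policy:                                      # locally tuned, not vendor defaults
    auto_clear_max_score: int = 2                  # at or below: AI may pre-clear
    escalate_min_score: int = 5                    # at or above: elevated-access path
    stale_after_days: int = 90
    never_pre_clear: tuple[str, ...] = ("agent",)  # identity classes always kept with a human

def score_grant(g: Grant, p: Policy) -> tuple[int, list[str]]:
    """Additive score; each contributing signal is returned as a human-readable reason."""
    stale = g.days_since_last_use is not None and g.days_since_last_use > p.stale_after_days
    signals = [
        (g.resource_sensitivity, "resource sensitivity"),
        (g.principal_risk, "principal risk"),
        (2 if g.privileged else 0, "privileged entitlement"),
        (1 if g.days_since_last_use is None else 0, "no usage telemetry"),
        (2 if stale else 0, f"unused for {g.days_since_last_use}d"),
    ]
    return sum(pts for pts, _ in signals), [f"{label} (+{pts})" for pts, label in signals if pts]

def triage(g: Grant, p: Policy) -> dict:
    """Bucket one grant. Pre-clearing needs a low score AND usage evidence to cite."""
    score, reasons = score_grant(g, p)
    if g.privileged or g.principal_type in p.never_pre_clear or score >= p.escalate_min_score:
        tier = "escalate"
    elif score <= p.auto_clear_max_score and g.days_since_last_use is not None:
        tier = "pre_clear"
        reasons.append(f"evidence: last used {g.days_since_last_use}d ago")
    else:
        tier = "review"                # low score but nothing to cite, or mid-range
    return {"grant_id": g.grant_id, "score": score, "tier": tier, "reasons": reasons}

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail: list[dict], actor: str, event: str, **fields) -> dict:
    """Hash-chained append: editing or dropping any earlier entry breaks verify_trail()."""
    prev = trail[-1]["hash"] if trail else "0" * 64
    entry = {"seq": len(trail), "actor": actor, "event": event, "prev": prev, **fields}
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry

def verify_trail(trail: list[dict]) -> bool:
    prev = "0" * 64
    for e in trail:
        if e["prev"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def run_campaign(grants: list[Grant], p: Policy, decisions: dict[str, tuple[str, str, str]]) -> list[dict]:
    """decisions: grant_id -> (reviewer, "keep"|"revoke", rationale); a missing one raises KeyError."""
    trail: list[dict] = []
    for g in grants:
        rec = triage(g, p)
        append_entry(trail, "ai", "recommendation", policy=asdict(p), **rec)
        if rec["tier"] == "pre_clear":
            append_entry(trail, "ai", "pre_cleared", grant_id=g.grant_id, basis=rec["reasons"])
        else:                          # review and escalate tiers stop at a named human
            reviewer, decision, rationale = decisions[g.grant_id]
            append_entry(trail, reviewer, "decision", grant_id=g.grant_id, decision=decision,
                         rationale=rationale, recommended_tier=rec["tier"])
    return trail

# Constructed sample campaign, not real data.
POLICY = Policy()
SAMPLE_GRANTS = [
    Grant("g1", "human", "wiki:read", 0, 0, 3, False),
    Grant("g2", "service_account", "prod-k8s:admin", 3, 1, 1, True),
    Grant("g3", "human", "hr-export:run", 2, 1, None, False),
    Grant("g4", "agent", "jira:write", 1, 0, 2, False),
    Grant("g5", "human", "s3-logs:read", 1, 0, 200, False),
]
SAMPLE_DECISIONS = {
    "g2": ("sec-lead", "keep", "deploy role scoped to one namespace, break-glass logged"),
    "g3": ("hr-manager", "revoke", "no usage evidence and role has changed"),
    "g4": ("platform-owner", "keep", "agent limited to ticket comments"),
    "g5": ("data-owner", "revoke", "stale grant, no business need"),
}
```

Two design choices carry the governance points from the text. A grant with a low score but no usage telemetry lands in `review`, not `pre_clear`, because there is nothing to cite as evidence; and every entry in the trail embeds the policy snapshot that was in force plus the hash of the previous entry, so a later edit to a reviewer's decision or the removal of an escalation is detectable with `verify_trail()`. Run `run_campaign(SAMPLE_GRANTS, POLICY, SAMPLE_DECISIONS)` to see g1 pre-cleared with its evidence line, g2 and g4 escalated (privileged grant and agent identity respectively), and g3 and g5 routed to a human because of missing telemetry and staleness.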
NHI Mgmt Group analysis
Attention is the scarce resource in access governance, not reviewer labour. The article's core claim is that certification fails when humans are forced to inspect too many low-signal grants at once. That is not a UI problem; it is a governance capacity problem, and it explains why large campaigns degrade into rubber-stamp behaviour. Practitioners should treat reviewer overload as a control failure, not a productivity nuisance.
AI-guided access reviews only help if they preserve the accountability chain. If a recommendation cannot be tied to specific evidence, the review may be faster but it becomes harder to defend. Auditability, rationale logging, and reassignment history are therefore part of the control surface, not reporting extras. The practitioner takeaway is that speed is acceptable only when the evidentiary trail remains intact.
Implicit trust in quarterly certification was built for a slower identity environment. That assumption weakens when access expands across employees, service accounts, and AI-mediated workflows, because review cycles cannot keep pace with entitlement growth. The implication is that identity programmes need to rethink which grants deserve human attention and which can be pre-processed without weakening governance.
Access review design is becoming a cross-domain identity problem, not just an IGA feature. The same governance pattern now has to deal with human approvals, machine identities, and increasingly autonomous systems that may generate or consume privileges differently. That means review policy, review cadence, and evidence standards should be designed once, then applied consistently across identity classes. Practitioners should stop treating certification as a purely human-identity control.
Named concept: review attention debt. When access campaigns exceed the reviewer’s ability to assess each grant carefully, organisations accumulate a hidden governance debt that is paid later in audit exceptions, missed risks, or over-certification. The practical implication is that programmes should measure not only completion rate, but whether review attention is being spent where the risk actually sits.
From our research:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- The next step is to align access review evidence with lifecycle controls, which is explored in NHI Lifecycle Management Guide.
What this signals
Review attention debt: access certification programmes now need to measure where human scrutiny is being consumed, not just whether campaigns are being completed. When review volume outruns reviewer attention, audit-ready evidence becomes the real control objective, especially in environments that span human accounts, service accounts, and AI-driven workflows.
Opal’s model reflects a broader governance trend: teams are moving toward policy-shaped automation that prepares decisions without erasing human accountability. For IAM leaders, the signal is to design review boundaries deliberately and to align them with framework expectations in OWASP Non-Human Identity Top 10 and Ultimate Guide to NHIs, Key Challenges and Risks.
As entitlement sprawl grows, especially where machine identities and service accounts are in scope, the programme question shifts from speed to defensibility. If your access reviews cannot show why a grant was cleared, the process may be efficient but it is not yet governable at scale.
For practitioners
- Separate low-risk and elevated access workflows: Use AI to pre-sort routine grants, but keep elevated or ambiguous entitlements on a human approval path. The operating rule should be that reviewer attention is reserved for grants with real exposure, not spread evenly across every item in the campaign.
- Require rationale logging for every certified grant: Capture the signals used, the reviewer’s decision, any delegation, and the final policy basis in a complete history. That evidence needs to survive audit and incident review without reconstruction from email or spreadsheets.
- Tune confidence thresholds to policy, not convenience: Set explicit escalation thresholds for when AI can recommend, when it can pre-clear, and when a person must decide. Keep those thresholds aligned to local risk tolerance and review them alongside policy changes, not only after incidents.
- Measure review quality, not just completion rate: Track overturn rates, exception density, and the share of grants that required manual escalation. If campaigns finish quickly but the risky items are still being waved through, the programme is optimising the wrong outcome.
Key takeaways
- AI-guided access reviews are trying to solve reviewer overload, but the real governance issue is preserving decision quality under scale.
- Auditability is part of the control, because a fast review without rationale, escalation history, and evidence is hard to defend.
- IAM teams should treat policy tuning, escalation thresholds, and attention allocation as first-class design choices, not implementation details.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding | Access reviews are the control that catches over-scoped machine entitlements and grants that outlived their owner, so review automation must still drive entitlement revocation, not just certification. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorizations are defined in policy, managed, enforced and reviewed with least privilege and separation of duties; this is the subcategory that scalable certification puts under strain. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Authorization is dynamic and strictly enforced before each access, so a periodic campaign that rubber-stamps standing grants does not satisfy the tenet. |
Use PR.AA-05 to anchor review evidence, separation of duties, and least privilege; teams still mapped to CSF 1.1 will know the same requirement as PR.AC-4.
Key terms
- Access Certification: Access certification is the formal review of who still needs access and whether that access should remain. In practice, it is a governance control that must produce a defensible decision history, because auditors and incident responders care about why access was kept, not just that the campaign closed.
- Review Attention Debt: Review attention debt is the hidden risk created when access campaigns ask humans to certify more items than they can inspect carefully. The result is diluted scrutiny, especially where routine grants drown out the grants that could actually cause harm. It is a governance capacity problem, not a staffing problem.
- Entitlement Scope: Entitlement scope is the set of access grants, roles, and relationships included in a review campaign or policy decision. Clear scope reduces noise and helps reviewers focus on the grants with real exposure. Poorly defined scope turns certification into a box-checking exercise.
- Audit Trail: An audit trail is the recorded history of decisions, recommendations, reassignment, and policy context that shows how access was handled. For identity governance, it is not enough to know a grant was approved. The organisation must be able to show the evidence and rationale behind that approval.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Opal Security: AI-Guided Access Reviews, Now in Opal. Read the original.
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org