By NHI Mgmt Group Editorial Team
Published 2026-05-07
Domain: Governance & Risk
Source: Delinea

TL;DR: Manual user access reviews can consume hundreds of hours per cycle and still leave access creep, terminated accounts, and machine identities unchallenged, according to Delinea's analysis. Automation turns access certification from a spreadsheet exercise into a control that can keep pace with hybrid environments and NHI sprawl.


At a glance

What this is: A Delinea analysis of why user access reviews are breaking down at enterprise scale and how automation changes the control model for human and non-human access.

Why it matters: It matters to IAM and NHI practitioners because access certification is one of the few controls that can continuously validate least privilege across users, service accounts, APIs, and AI agents.

By the numbers:



Context

User access reviews, also called access certification campaigns, are the periodic control that checks whether access still matches job need. In practice, the control is now under strain because IAM environments include on-premises, hybrid, and cloud applications, plus NHI populations such as machine identities and AI agents.

The central governance problem is not whether access should be reviewed, but whether organisations can still do it accurately at scale. When review cycles depend on spreadsheets, email routing, and manual remediation, the process becomes slow enough that risky access can persist between cycles, which is a structural weakness for NHI governance as much as for human IAM.

The article's starting position is typical for large enterprises. Most organisations understand the control model, but the operational burden has grown faster than the review process itself.


Key questions

Q: How should organisations automate user access reviews without weakening control quality?

A: Organisations should automate data collection, reviewer routing, reminders, remediation, and evidence capture, but keep human decision-making at the approval stage. The key is to connect the campaign to the source system so denied access is actually removed and validated. Automation should reduce manual effort, not dilute accountability.

Q: When do user access reviews become too risky to run manually?

A: Manual reviews become too risky when the organisation has multiple systems, frequent role changes, or large volumes of human and non-human access. At that point, spreadsheet-based tracking creates delays, routing errors, and incomplete remediation, which undermines least privilege and auditability.

Q: What is the difference between access certification and provisioning?

A: Access certification checks whether existing access should remain in place, while provisioning grants or removes access in the source system. A strong program links the two so that review decisions trigger real entitlement changes and the result is validated for audit evidence.

Q: How can teams govern machine identities and AI agents in access reviews?

A: Teams should assign ownership, define review cadence, and include machine identities and AI agents in the same certification logic as human access, but with role-appropriate approvers. If a non-human identity can act on sensitive data, it needs a lifecycle owner and a removal path just like any other privileged account.


Technical breakdown

Why manual user access reviews break at scale

Manual UARs fail because they depend on moving access data across multiple systems, normalising inconsistent formats, and asking reviewers to interpret entitlements with limited context. That creates delay, routing errors, and incomplete remediation. The bigger the application estate, the more the control shifts from risk management to clerical work. For NHI governance, the same weakness appears when service accounts or AI agent permissions are hidden inside application-level exports instead of being tied to a lifecycle owner and a clear business purpose.

Practical implication: Treat any review process that depends on spreadsheets and email as a control with built-in drift.

How automated certification changes the control path

Automation shortens the control path by connecting directly to applications, assigning reviewers through ownership rules, tracking completion, and pushing rejected access into remediation workflows. That matters because the review is not complete when someone clicks remove. The access must change in the source system, and the organisation needs evidence that the change was validated. This is where access certification becomes part of a larger identity lifecycle model rather than a standalone audit event.

Practical implication: Require source-system validation and audit evidence for every denied entitlement.

Why reviewer context determines review quality

A reviewer cannot make a meaningful decision from a username and a role name alone. Effective certification needs identity context, access context, and application context, including department, manager, location, role ownership, and replacement access. Without that context, reviewers tend to approve by default or delay decisions. That risk is especially visible for NHI-related entitlements because machine identities and AI agents may not have a human manager to serve as an obvious reviewer, so ownership must be designed deliberately.

Practical implication: Build reviewer context into the workflow before you scale the campaign.




NHI Mgmt Group analysis

Automated access certification is now a lifecycle control, not a quarterly admin task. The article describes a familiar compliance process, but the real issue is lifecycle governance across a much larger identity estate. When access changes faster than review cycles, the organisation is no longer validating least privilege in practice. The practitioner conclusion is straightforward: access review must be integrated with provisioning, remediation, and ownership data.

Machine identities and AI agents expose the limits of human-centred review models. UARs were designed around people, but the article explicitly notes that machine identities, APIs, and AI agents now sit inside the same access surface. That means the governance model needs to distinguish between human approvers and NHI owners, then map each identity class to a review path that can actually reach remediation. The practitioner conclusion is that NHI governance has to be built into certification design, not added after the fact.

Identity blast radius is the right lens for deciding what gets reviewed first. Not every application or entitlement deserves the same cadence, and the article's risk-based review model points in that direction. Organisations should prioritise the systems where bad access can create the broadest operational, financial, or compliance impact. The practitioner conclusion is to use access reviews as a blast-radius reduction tool, not a uniform checklist.

Manual evidence collection is the hidden failure point in many UAR programs. Review completion is only one part of control effectiveness. If approvals, removals, and validation cannot be traced cleanly, the organisation still has an audit and assurance gap. The practitioner conclusion is to treat evidence generation as a core design requirement, especially where NHI sprawl makes ownership and accountability harder to prove.

From our research:

What this signals

Identity blast radius: the practical test for access review programs is not how many certifications close, but how much exposure is actually removed before the next business cycle. With 57% of organisations lacking a complete inventory of their machine identities, certification programs that do not account for non-human access will miss part of the risk surface entirely.

That is why access review should be treated as a governance trigger for provisioning, ownership, and offboarding, not as an isolated compliance task. Teams that align the campaign with lifecycle management will have a better chance of shrinking standing access before it turns into repeat audit friction.

For teams building a broader programme, the next step is to pair certification with lifecycle guidance in Ultimate Guide to NHIs and map the same controls to zero-trust expectations in the NIST Cybersecurity Framework 2.0.


For practitioners

  • Map UAR scope to business risk: Classify applications by data sensitivity, fraud exposure, and regulatory impact, then set review cadence accordingly. High-risk systems should move to shorter intervals, while low-risk systems can stay on a longer cycle.
  • Automate ownership and reviewer routing: Use attributes such as department, manager, location, and role ownership to route certifications to the right decision-maker. This reduces misrouted reviews and keeps reviewer lists current as people move across teams.
  • Validate removals in the source system: Do not count a campaign as complete until rejected access is removed in the source application and the change is verified. Keep evidence of who approved, what was removed, when it was removed, and how validation was confirmed.
  • Include NHI owners in certification design: Assign clear owners for service accounts, APIs, and AI agent permissions so non-human access can be reviewed on the same governance schedule as human access. Where ownership is unclear, create a fallback approval path before the next campaign begins.
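The control path described in the technical breakdown (connect to the application, route by ownership, remediate, validate, keep evidence) and the four practitioner steps above can be modelled end to end in a few functions. The following is an added example written for this page, not code from Delinea or NHIMG: it uses a constructed sample estate (identities, applications, entitlements) and a stub SourceSystem that stands in for a real application connector. The cadence values, the "stuck" grant that simulates a connector failing to remove access, and all names are assumptions made for illustration.

```python
# Worked model of an automated access-certification campaign (added example, not
# Delinea's or NHIMG's code). All identities, apps, entitlements and the
# SourceSystem stub below are constructed for illustration.
from collections import namedtuple
from datetime import date, timedelta

# Risk tier -> review cadence in days (assumed policy values, tune per estate)
CADENCE_DAYS = {"high": 30, "medium": 90, "low": 180}

# kind is "human" (reviewer = manager) or "nhi" (reviewer = lifecycle owner)
Identity = namedtuple("Identity", "id kind manager owner", defaults=(None, None))
Application = namedtuple("Application", "name risk fallback_approver")
Entitlement = namedtuple("Entitlement", "identity_id app role last_reviewed")


class SourceSystem:
    """Stand-in for the application's own grant store, the system of record."""

    def __init__(self, grants, stuck=()):
        self.grants = set(grants)
        self.stuck = set(stuck)  # grants a broken connector silently fails to remove

    def revoke(self, key):
        if key not in self.stuck:
            self.grants.discard(key)

    def has(self, key):
        return key in self.grants


def pick_reviewer(identity, app):
    """Route by ownership attributes; an NHI with no owner takes the fallback path."""
    if identity.kind == "human" and identity.manager:
        return identity.manager, "manager"
    if identity.kind == "nhi" and identity.owner:
        return identity.owner, "nhi-owner"
    return app.fallback_approver, "fallback"


def is_due(ent, app, today):
    """Risk-based cadence: high-risk applications are reviewed more often."""
    return today - ent.last_reviewed >= timedelta(days=CADENCE_DAYS[app.risk])


def build_campaign(identities, apps, entitlements, today):
    """Select due entitlements and attach a reviewer plus the routing basis."""
    items = []
    for ent in entitlements:
        app = apps[ent.app]
        if is_due(ent, app, today):
            reviewer, basis = pick_reviewer(identities[ent.identity_id], app)
            items.append({"key": (ent.identity_id, ent.app, ent.role),
                          "reviewer": reviewer, "routing": basis})
    return items


def remediate(items, decisions, source, today):
    """Push revocations to the source system, re-read it, and record evidence."""
    evidence = []
    for item in items:
        key, decision = item["key"], decisions.get(item["key"], "pending")
        validated = None
        if decision == "revoke":
            source.revoke(key)
            validated = not source.has(key)  # verify against the system of record
        evidence.append({"key": key, "reviewer": item["reviewer"],
                         "routing": item["routing"], "decision": decision,
                         "validated": validated, "date": today.isoformat()})
    return evidence


def campaign_complete(evidence):
    """Complete only when every item is decided and every revoke is verified."""
    return all(e["decision"] != "pending"
               and (e["decision"] != "revoke" or e["validated"])
               for e in evidence)


def run_demo(today=date(2026, 5, 7)):
    """Constructed sample estate: two apps, one human, two NHIs, one stuck grant."""
    identities = {i.id: i for i in [
        Identity("alice", "human", manager="bob"),
        Identity("svc-etl", "nhi", owner="carol"),
        Identity("agent-copilot", "nhi"),  # AI agent with no assigned owner
    ]}
    apps = {a.name: a for a in [Application("payroll", "high", "iam-team"),
                                Application("wiki", "low", "iam-team")]}
    entitlements = [
        Entitlement("alice", "payroll", "admin", today - timedelta(days=45)),
        Entitlement("svc-etl", "payroll", "reader", today - timedelta(days=10)),
        Entitlement("agent-copilot", "payroll", "writer", today - timedelta(days=60)),
        Entitlement("alice", "wiki", "editor", today - timedelta(days=100)),
    ]
    source = SourceSystem([(e.identity_id, e.app, e.role) for e in entitlements],
                          stuck={("agent-copilot", "payroll", "writer")})
    items = build_campaign(identities, apps, entitlements, today)
    decisions = {("alice", "payroll", "admin"): "revoke",
                 ("agent-copilot", "payroll", "writer"): "revoke"}
    evidence = remediate(items, decisions, source, today)
    return {"items": items, "evidence": evidence,
            "complete": campaign_complete(evidence), "source": source}
```

Running run_demo() selects only the two entitlements that are due under the high-risk cadence, routes the human's entitlement to her manager and the unowned AI agent's entitlement to the fallback approver, and then records evidence per item. The agent's revocation is the instructive case: the reviewer decided "revoke", but the stub connector never removed the grant, so the re-read of the source system marks validated as False and campaign_complete() refuses to close the campaign. A process that counted the reviewer's click as completion would have reported that access as gone.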

Key takeaways

  • Manual access reviews do not scale cleanly across hybrid estates that include machine identities and AI agents.
  • Automation improves speed, but the real control gain comes from validated remediation and clearer ownership.
  • Access certification should be designed as part of identity lifecycle governance, not treated as a standalone audit ritual.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03              | Access review and rotation of risky entitlements map directly to NHI governance gaps.
NIST CSF 2.0                    | PR.AC-4             | Least-privilege access review supports controlled entitlement management across systems.
NIST AI RMF                     |                     | AI agents require accountable ownership and review paths under AI governance.

Review NHI entitlements on a defined cadence and remove access that no longer has a business owner.


Key terms

  • User Access Review: A user access review is a periodic check to confirm whether assigned access is still appropriate. It is a governance control that compares current entitlements against job need, then removes or revalidates anything that no longer fits the role or risk profile.
  • Access Certification Campaign: An access certification campaign is the structured workflow used to collect reviewer decisions across applications and identities. It turns access review into a managed process with assignments, reminders, decisions, remediation, and audit evidence, which is essential when estates include both human and non-human identities.
  • Identity Blast Radius: Identity blast radius is the amount of operational, financial, or data exposure created when an identity has more access than it should. The smaller the blast radius, the less damage a compromised account, service account, or AI agent can cause before controls intervene.
  • Non-Human Identity Ownership: Non-human identity ownership is the assignment of accountability for service accounts, API keys, tokens, certificates, bots, and AI agents. Clear ownership is what makes review, rotation, and offboarding possible, because every credential needs a person or process responsible for its lifecycle.

Deepen your knowledge

Automating user access reviews is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to extend certification logic to machine identities and AI agents, the course helps ground that work in practical governance.

This post draws on content published by Delinea: Save time and reduce risk by automating User Access Reviews. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org