TL;DR: Manual user access reviews are turning compliance work into repetitive approval traffic. Lumos argues that dynamic access controls, JIT access, AI-driven prioritisation, and workflow automation can reduce the burden while preserving audit evidence. The deeper issue is that review volume is outpacing governance design, so access control must become more adaptive upstream.
At a glance
What this is: An analysis of why user access reviews degrade into click fatigue, and how dynamic access controls, JIT access, AI prioritisation, and automation change the review model.
Why it matters: Overloaded review processes weaken IAM decisions, delay remediation, and leave NHI-style entitlement sprawl unchallenged across access governance.
👉 Read Lumos's analysis of click fatigue in user access reviews
Context
User access reviews are supposed to verify that each identity still has the right level of access, but in practice they often become repetitive approval exercises that few teams can sustain well. As entitlement counts rise and audit demands expand, access governance shifts from a control activity into a throughput problem, which is exactly where review quality starts to fall.
For IAM teams, the problem is not that reviews are unnecessary, but that the model is too manual for modern environments. NHI governance faces a similar pattern when service accounts, tokens, and automated workflows accumulate faster than the organisation can review them, and that makes the access review bottleneck a useful warning sign for broader identity programmes.
Key questions
Q: How should security teams reduce user access review fatigue without weakening control?
A: Security teams should reduce review fatigue by shrinking the number of items that require human judgment. The best pattern is to move routine access into policy-driven controls, reserve manual review for exceptions, and automate revocation and evidence capture. That preserves auditability while improving the quality of each decision.
Q: When does just-in-time access help more than traditional access review processes?
A: Just-in-time access helps most when organisations have too much standing privilege and too many repetitive certifications. It works by making access temporary and task-scoped, which lowers review volume and reduces exposure time. It is less useful if revocation is unreliable or if the organisation cannot operationally enforce the expiry.
Q: What is the difference between dynamic RBAC and manual user access reviews?
A: Dynamic RBAC governs access through policies that can be enforced continuously, while manual user access reviews ask humans to revalidate each entitlement after it already exists. The first reduces review load by automating repeatable decisions. The second is still necessary for exceptions, but it should not be the primary governance model.
Q: Why do access review programmes become less effective as environments grow?
A: Access review programmes become less effective because entitlement volume grows faster than reviewer context. As systems multiply, reviewers see more items, but they do not get proportionally more time or better data. That leads to delayed decisions, inconsistent approvals, and weaker evidence, which is why governance must shift upstream.
Technical breakdown
Why manual access reviews become control failures
User access reviews depend on reviewers having current context about the identity, the application, the entitlement, and the business need. When those inputs are gathered by hand across HRIS, app owners, and IT teams, the process loses timeliness and consistency. The result is not just delay. Reviewers begin to approve by habit because they cannot evaluate each item deeply enough. In identity governance terms, the control still exists, but its assurance value erodes as volume grows. That same pattern appears in NHI programmes when static reviews are asked to govern dynamic workloads or service accounts.
Practical implication: Practitioners should redesign review populations so manual approval is reserved for the small set of entitlements that truly need human judgment.
How dynamic RBAC and ABAC reduce review burden
Dynamic RBAC and ABAC move the decision point upstream by making access policy-driven rather than person-by-person. RBAC assigns access through roles, while ABAC uses attributes and policy conditions to decide access at runtime. When these policies are maintained continuously, many routine entitlements can be auto-certified because the governing rule, not the reviewer, is the source of truth. That does not remove oversight, but it reduces the number of exceptions and one-off decisions that clog certification campaigns. For NHI programmes, the same logic applies to service accounts and agent identities whose access should be policy-scoped rather than permanently inherited.
Practical implication: Teams should convert repeatable access decisions into policies that can be enforced and revalidated automatically.
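The triage described in the last two subsections, as an added Python example that is not part of the Lumos article or this page: a certification pass that treats the policy set as the source of truth, auto-certifies entitlements a rule covers, auto-revokes grants whose owner is inactive or whose time-bound window has lapsed, and leaves only uncovered grants in front of a human reviewer. The identities, apps, rules and entitlements are constructed for illustration; a real run would pull them from the HRIS and the IGA connectors.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    id: str
    kind: str              # "human" or "nhi" (service account, pipeline, agent)
    department: str
    roles: frozenset
    active: bool           # False once HRIS/offboarding marks the identity terminated


@dataclass(frozen=True)
class Entitlement:
    identity_id: str
    app: str
    permission: str
    expires: Optional[date] = None   # None is a standing grant; a date is a JIT/time-bound grant


@dataclass(frozen=True)
class Rule:
    """One policy line: who may hold app:permission, as an attribute predicate.
    Role checks (RBAC) and attribute checks (ABAC) both fit the same predicate shape."""
    name: str
    app: str
    permission: str
    applies_to: Callable[[Identity], bool]


def covering_rule(rules: List[Rule], identity: Identity, ent: Entitlement) -> Optional[Rule]:
    """Return the first policy rule that grants this exact entitlement to this identity."""
    for rule in rules:
        if rule.app == ent.app and rule.permission == ent.permission and rule.applies_to(identity):
            return rule
    return None


def certify(identities: List[Identity], entitlements: List[Entitlement],
            rules: List[Rule], today: date) -> Dict[str, List[Tuple[Entitlement, str]]]:
    """Triage every entitlement. Only the 'manual_review' bucket reaches a reviewer;
    the other two are decided by policy and owner state, with the reason recorded as evidence."""
    by_id = {i.id: i for i in identities}
    out: Dict[str, List[Tuple[Entitlement, str]]] = {
        "auto_certify": [], "auto_revoke": [], "manual_review": []}
    for ent in entitlements:
        ident = by_id.get(ent.identity_id)
        if ident is None or not ident.active:
            out["auto_revoke"].append((ent, "owner inactive or unknown"))
        elif ent.expires is not None and ent.expires < today:
            out["auto_revoke"].append((ent, "time-bound grant has lapsed"))
        else:
            rule = covering_rule(rules, ident, ent)
            if rule is not None:
                out["auto_certify"].append((ent, f"covered by policy '{rule.name}'"))
            else:
                out["manual_review"].append((ent, "no policy covers this grant"))
    return out


# Constructed sample data (hypothetical identities, apps and rules).
TODAY = date(2025, 3, 26)
RULES = [
    Rule("eng-scm-write", "github", "write",
         lambda i: i.kind == "human" and "engineer" in i.roles),          # RBAC-style
    Rule("platform-ci-pull", "aws", "ecr:pull",
         lambda i: i.kind == "nhi" and i.department == "platform"),        # ABAC-style
]
IDENTITIES = [
    Identity("alice", "human", "platform", frozenset({"engineer"}), True),
    Identity("bob", "human", "sales", frozenset({"account-exec"}), False),  # offboarded
    Identity("svc-ci", "nhi", "platform", frozenset(), True),
    Identity("svc-report", "nhi", "finance", frozenset(), True),
]
ENTITLEMENTS = [
    Entitlement("alice", "github", "write"),                               # standing, policy-covered
    Entitlement("alice", "aws", "iam:admin", expires=date(2025, 3, 1)),    # JIT grant that lapsed
    Entitlement("bob", "salesforce", "read"),                              # owner offboarded
    Entitlement("svc-ci", "aws", "ecr:pull"),                              # NHI, policy-covered
    Entitlement("svc-report", "aws", "s3:*"),                              # NHI, no rule: human decides
]


def campaign_summary(today: date = TODAY) -> Dict[str, int]:
    """Size of each bucket; 'manual_review' is the reviewer's real workload."""
    return {bucket: len(items) for bucket, items in
            certify(IDENTITIES, ENTITLEMENTS, RULES, today).items()}


if __name__ == "__main__":
    for bucket, items in certify(IDENTITIES, ENTITLEMENTS, RULES, TODAY).items():
        for ent, why in items:
            print(f"{bucket:14} {ent.identity_id:11} {ent.app}:{ent.permission:10} {why}")
```

On this data the campaign shrinks from five items to one human decision (the finance service account holding `s3:*` with no rule behind it). The reason string attached to every bucket is the audit evidence: a rule name for auto-certified grants, and the trigger for auto-revokes, so the population that never reached a reviewer is still explainable.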
Why JIT access changes the review equation
Just-in-time access reduces standing privilege by issuing access only when a task requires it and revoking it after use. That creates smaller review populations because fewer entitlements remain active long enough to require repetitive certification. JIT also improves evidence quality because grants and revokes are time-bound and easier to trace than persistent access. In practice, JIT does not eliminate governance work. It changes the governance problem from ongoing entitlement review to controlled exception handling, which is a better fit for high-risk access and a closer match to Zero Standing Privilege.
Practical implication: Use JIT to narrow persistent access first, then apply access reviews to the smaller set of standing entitlements that remain.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Click fatigue is a governance failure, not a user experience problem. When reviewers are forced to process hundreds or thousands of low-context entitlements, the control becomes ceremonial. That weakens audit evidence, but more importantly it weakens decision quality, which is the real purpose of access certification. The practical conclusion is that access review design must be treated as a security architecture issue, not an administrative chore.
Identity programmes need to move from review-heavy to policy-heavy governance. Dynamic RBAC, ABAC, and JIT reduce the amount of human judgement required at certification time because they encode more of the decision upstream. That is the correct direction for mature IAM and NHI governance: fewer standing permissions, more conditional access, and less dependence on seasonal review campaigns. Practitioners should measure success by how much access can be governed before the review cycle begins.
Ephemeral access creates a smaller attack surface, but only if revocation is dependable. JIT access is useful because it limits dwell time and improves traceability, yet it shifts pressure onto orchestration and remediation workflows. If revokes do not propagate across cloud, SaaS, and on-prem systems, the organisation still carries hidden privilege. The conclusion is straightforward: access governance must be both time-bound and operationally enforced.
Access review fatigue should trigger a broader NHI governance reset. The same structural problem appears when teams try to manually govern service accounts, API keys, and automated identities at scale. The field is moving toward policy enforcement, automation, and exception-based review because the old model cannot keep pace with modern identity volume. Practitioners should treat UAR overload as a signal that their identity operating model is behind the environment.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to our Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, which is why standing privilege persists far longer than teams expect.
- The NHI Lifecycle Management Guide is the right next resource when teams need to turn review findings into repeatable revocation and rotation workflows.
What this signals
Access review fatigue is often a symptom of excess standing privilege, not merely poor workflow design. If 97% of NHIs carry excessive privileges, as shown in our Ultimate Guide to NHIs, then the governance problem is structural: the environment is creating more decisions than manual review can safely absorb. Teams should use that signal to prioritise privilege reduction before they add more certification effort.
Zero Trust only works when review campaigns are matched by reliable entitlement enforcement. The NIST Cybersecurity Framework 2.0 and related access control practices become more relevant when policy decisions are automated and consistently applied. Practitioners should expect higher assurance from fewer standing grants, not from larger review spreadsheets.
For practitioners
- Reduce standing privilege before the next certification cycle: inventory recurring entitlements that almost never require permanent access and convert them to role-scoped or time-bound access where possible. Focus first on sensitive applications where a standing grant creates audit noise and unnecessary remediation work.
- Use policy-driven access for repeatable decisions: replace one-off approval logic with dynamic RBAC and ABAC rules for common access patterns. Keep exception handling manual, but let policy handle the majority of routine grants, renewals, and auto-certifications.
- Instrument JIT access with revocation evidence: track grant, use, and revoke events in a single workflow so reviewers can prove that access was temporary and properly removed. This is especially important when evidence must satisfy auditors across multiple control frameworks.
- Automate remediation across every connected system: ensure a rejected review actually removes access in SaaS, cloud, and on-prem environments, then capture proof in ticketing and GRC tools. Review outcomes that do not trigger enforcement are only documentation, not control.
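The JIT lifecycle from the technical breakdown and the last two practitioner items (revocation evidence, remediation across every connected system), as one added Python example that is neither the page's nor Lumos's code. It brokers time-bound grants, enforces expiry by pushing revokes to simulated target-system connectors, keeps an append-only evidence trail of grant and revoke events, and reconciles intent against target state so a revoke that did not propagate surfaces as hidden privilege instead of disappearing into a closed ticket. The connector classes, system names, identities and the deliberately non-confirming "ad" connector are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    grant_id: str
    identity: str
    system: str                 # target system the permission lives in, e.g. "aws", "ad"
    permission: str
    issued_at: datetime
    ttl: timedelta
    revoked_at: Optional[datetime] = None   # set only when the target confirmed removal

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl


class Evidence:
    """Append-only grant/use/revoke trail; this is what the auditor is shown."""
    def __init__(self) -> None:
        self.events: List[Dict[str, str]] = []

    def record(self, grant_id: str, event: str, at: datetime, detail: str = "") -> None:
        self.events.append({"grant_id": grant_id, "event": event,
                            "at": at.isoformat(), "detail": detail})


class Connector:
    """Simulated target system. confirms_revokes=False models a connector that accepts
    the revoke call but never removes the permission (constructed failure mode)."""
    def __init__(self, name: str, confirms_revokes: bool = True) -> None:
        self.name = name
        self.confirms_revokes = confirms_revokes
        self.live: set = set()

    def add(self, identity: str, permission: str) -> None:
        self.live.add((identity, permission))

    def remove(self, identity: str, permission: str) -> bool:
        if not self.confirms_revokes:
            return False                       # revoke silently did not propagate
        self.live.discard((identity, permission))
        return True

    def has(self, identity: str, permission: str) -> bool:
        return (identity, permission) in self.live


class JitBroker:
    def __init__(self, connectors: List[Connector], evidence: Evidence) -> None:
        self.connectors = {c.name: c for c in connectors}
        self.evidence = evidence
        self.grants: Dict[str, Grant] = {}

    def issue(self, grant_id: str, identity: str, system: str, permission: str,
              ttl: timedelta, now: datetime) -> Grant:
        grant = Grant(grant_id, identity, system, permission, now, ttl)
        self.connectors[system].add(identity, permission)
        self.grants[grant_id] = grant
        self.evidence.record(grant_id, "grant", now, f"{identity} {system}:{permission} ttl={ttl}")
        return grant

    def expire_due(self, now: datetime) -> None:
        """Enforce expiry: push a revoke for every lapsed grant; log whether the target confirmed."""
        for g in self.grants.values():
            if g.revoked_at is None and now >= g.expires_at:
                if self.connectors[g.system].remove(g.identity, g.permission):
                    g.revoked_at = now
                    self.evidence.record(g.grant_id, "revoke", now)
                else:
                    self.evidence.record(g.grant_id, "revoke_failed", now,
                                         "target did not confirm removal; privilege still standing")

    def hidden_privilege(self, now: datetime) -> List[Tuple[str, str, str, str]]:
        """Reconcile intent against target state: lapsed grants the system still honours."""
        return [(g.grant_id, g.system, g.identity, g.permission)
                for g in self.grants.values()
                if now >= g.expires_at and self.connectors[g.system].has(g.identity, g.permission)]

    def review_population(self, now: datetime) -> List[str]:
        """What a certification campaign still has to look at: grants open on purpose."""
        return [g.grant_id for g in self.grants.values()
                if g.revoked_at is None and now < g.expires_at]


# Constructed scenario: three JIT grants, one target whose revokes do not propagate.
T0 = datetime(2025, 3, 26, 9, 0, tzinfo=timezone.utc)
LATER = T0 + timedelta(hours=3)


def run_demo() -> Tuple[JitBroker, Evidence, List[Tuple[str, str, str, str]]]:
    evidence = Evidence()
    broker = JitBroker([Connector("aws"), Connector("ad", confirms_revokes=False)], evidence)
    broker.issue("g-1", "alice", "aws", "iam:admin", timedelta(hours=1), T0)
    broker.issue("g-2", "svc-batch", "ad", "Domain Admins", timedelta(hours=2), T0)
    broker.issue("g-3", "bob", "aws", "s3:read", timedelta(hours=8), T0)
    broker.expire_due(LATER)
    return broker, evidence, broker.hidden_privilege(LATER)


if __name__ == "__main__":
    broker, evidence, findings = run_demo()
    for e in evidence.events:
        print(e)
    print("hidden privilege:", findings)
    print("still to review:", broker.review_population(LATER))
```

Two design points matter here. `revoked_at` is set only when the target confirms removal, so the evidence trail records `revoke_failed` rather than a revoke that never happened; and `hidden_privilege` does not trust the broker's own bookkeeping but asks each connector what is still live, which is the check that turns a rejected review into enforcement rather than documentation. The review population that remains is the one grant that is open on purpose.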
Key takeaways
- Manual user access reviews fail when entitlement volume outpaces reviewer context and enforcement capacity.
- Dynamic RBAC, ABAC, and JIT access reduce certification noise by moving more decisions upstream into policy.
- UAR overload is a signal to redesign access governance, not to ask reviewers to work harder.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding | Persistent excess privilege and slow revocation are central to this article. |
| NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorisations defined in policy, managed, enforced and reviewed under least privilege; formerly PR.AC-4 in CSF 1.1) | The article focuses on access approval, review, and enforcement quality. |
| NIST Zero Trust (SP 800-207) | Tenets of zero trust (Section 2.1): per-session access and access determined by dynamic policy | JIT and least-privilege access are direct zero-trust control patterns. |
Map certification and revocation workflows to PR.AA-05 and automate repetitive access decisions.
Key terms
- User Access Review: A user access review is a periodic check that confirms each identity still needs the permissions it currently holds. In mature programmes, it is not just a compliance exercise. It is a control for reducing excess access, verifying ownership, and forcing removal of permissions that no longer match business need.
- Just-In-Time Access: Just-in-time access is a pattern where access is granted only for a limited period and only for a specific task. It reduces standing privilege and shortens exposure windows. In identity governance, it works best when grant, use, and revoke events are automated and auditable across all connected systems.
- Dynamic RBAC: Dynamic RBAC is a policy-driven form of role-based access control that adjusts entitlements as users, systems, and business conditions change. Instead of relying on static role assignments, it uses current rules and context to govern access more efficiently and reduce repeated manual certification work.
- Standing Privilege: Standing privilege is access that remains active even when no immediate task requires it. It creates unnecessary exposure because the permission is always available, which increases the chance of misuse or compromise. Reducing standing privilege is one of the most effective ways to lower access review volume and attack surface.
Deepen your knowledge
Access review automation, dynamic access controls, and just-in-time access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to reduce certification fatigue while improving governance, it is worth exploring.
This post draws on content published by Lumos: Click Fatigue is Killing Access Reviews, Here’s What to Do About It. Read the original.
Published by the NHIMG editorial team on 2025-03-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org