TL;DR: Manual quarterly access reviews leave ERP, cloud, and ITSM environments exposed to audit findings, insider fraud, and segregation-of-duties failures, according to SafePaaS. Continuous, evidence-based identity governance is now the practical baseline because reactive certification cycles cannot keep pace with modern entitlement sprawl.
At a glance
What this is: An analysis of why user access review software is shifting from periodic compliance checks to continuous identity governance.
Why it matters: IAM teams now have to govern human and machine access across ERP, cloud, and ITSM systems with continuous evidence, not quarterly paperwork.
By the numbers:
- Nearly 75% of access-related audit findings stem from poor visibility and manual review processes.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
👉 Read SafePaaS's analysis of continuous user access review and identity governance
Context
User access review is the process of checking whether people and systems still have the access they need, and whether that access has become excessive, toxic, or stale. In most enterprises, that control is still treated as a quarterly audit task, even though ERP, cloud, and ITSM environments change continuously.
The governance gap is not the review itself but the operating model behind it. Manual spreadsheets, email approvals, and disconnected tools cannot keep pace with modern entitlement growth, which is why identity governance now has to function as a continuous control layer across human identities and non-human identities alike.
Key questions
Q: How should security teams move from quarterly access reviews to continuous governance?
A: Security teams should connect live entitlement data, policy checks, and remediation workflows so access is evaluated as conditions change. The goal is not faster spreadsheets, but an operating model where reviewers see current risk, exceptions are routed automatically, and excessive access is removed before the next audit cycle.
Q: Why do manual access reviews keep missing toxic access combinations?
A: Manual reviews miss toxic combinations because they rely on stale snapshots, human memory, and incomplete context across systems. When entitlements are distributed across ERP, cloud, and ITSM platforms, the reviewer often cannot see the full combination. Continuous policy evaluation is the only reliable way to catch those conflicts.
Q: What breaks when privileged access is not part of identity governance?
A: Governance breaks at the highest-risk tier because privileged accounts can create, hide, or amplify access problems that normal reviews do not surface. If privileged activity is not tied to the same certification and exception workflows, the organisation can pass audit while still holding dangerous standing privilege.
Q: Who is accountable when access review failures lead to audit findings or fraud?
A: Accountability sits with the control owner, the business approver, and the governance function that defined the review process. Regulators and auditors expect evidence that access controls are operating continuously, not just that a review happened. A documented process without live enforcement does not satisfy that expectation.
Technical breakdown
Continuous access review versus quarterly certification
Quarterly recertification assumes entitlement risk changes slowly enough for periodic sampling to be meaningful. In practice, user roles, privileged entitlements, and SoD conflicts can change between review cycles, especially across ERP and ITSM platforms where approvals, exceptions, and inherited access accumulate. Continuous access review shifts the control point from after-the-fact attestation to ongoing detection of entitlement drift, toxic combinations, and dormant access. The technical difference is not just cadence. It is the move from static evidence collection to event-driven governance, where policy evaluation and remediation happen against current state rather than stale snapshots.
Practical implication: replace spreadsheet-based certification with continuous entitlement evaluation tied to live system data.
Identity access provisioning and control automation
Identity access provisioning is the workflow that grants, changes, or removes access based on business need and policy. When that workflow is manual, the control plane fragments across HR tickets, email approvals, and application owners, which creates delay and inconsistent enforcement. Control automation reduces this by applying policy, approval routing, and evidence capture directly in the provisioning flow. That matters because provisioning is where privilege creep begins. If access is approved without policy context or later deprovisioning is missed, the organisation inherits long-lived exceptions that audit cannot easily unwind.
Practical implication: bind provisioning approvals to policy checks and deprovisioning triggers instead of relying on ad hoc human follow-through.
Privileged access management inside identity governance
Privileged access management is not a separate problem from governance. It is the highest-risk tier of it. Privileged accounts carry the greatest blast radius because they can alter configurations, create exceptions, and override normal workflow controls. A governance platform that integrates with PAM can surface dormant privileged accounts, trace elevated activity, and align exception handling with audit requirements. Without that linkage, privileged access often becomes the gap between what the policy says and what actually happens in production. The result is control drift that hides behind compliant-looking reports.
Practical implication: connect PAM telemetry to access review and exception workflows so privileged access is governed continuously, not only during audits.
Threat narrative
Attacker objective: The attacker aims to exploit stale or excessive entitlements to cause fraud, misuse privileged functions, or bypass segregation-of-duties controls.
- Entry occurs when an over-provisioned user or dormant privileged account remains active in ERP, cloud, or ITSM environments after business need has changed.
- Escalation follows when manual review processes miss toxic combinations, segregation-of-duties conflicts, or inherited access that should have been removed.
- Impact appears as fraud, audit findings, or control failure, because the organisation discovers the issue after the access has already been used.
- The attacker objective is to preserve excessive access long enough to exploit business systems before governance catches up.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Continuous review has become the real control boundary. Quarterly certification was designed for access states that change slowly enough to be sampled. That assumption fails when ERP, cloud, and ITSM entitlements move continuously and privileged access can be abused between review windows. The implication is that governance must be treated as a live control layer, not a periodic audit artifact.
Access review failure is usually a visibility problem before it is a policy problem. Nearly 75% of access-related audit findings stem from poor visibility and manual review processes, which means the organisation often does not know what it is certifying. That is a structural weakness in the governance model, not a documentation issue. Practitioners should read this as a warning that evidence quality determines control quality.
Privilege, SoD, and provisioning belong in one governance model. The article’s strongest argument is that user access review software cannot be effective if it is isolated from provisioning logic and privileged access monitoring. A control that certifies access after it has already been over-granted is incomplete by design. The practical conclusion is that identity governance should unify entitlement review, exception handling, and privileged oversight in the same operating model.
Identity governance is now a resilience function, not a back-office compliance task. Boards and regulators are asking whether controls operate effectively all the time, not whether they were documented once a quarter. That shifts identity governance from audit support to business-risk containment. Practitioners should treat continuous assurance as part of operational resilience planning, especially where finance, ERP, and regulated workflows intersect.
Continuous assurance is the named concept that replaces manual attestation. The old model depended on humans reviewing snapshots of access and signing off on them later. That approach breaks when entitlement risk is dynamic, privileged access is inherited, and machine identities are part of the same control surface. The implication is that identity governance programmes must be designed around continuous assurance, not periodic proof collection.
From our research:
- Nearly 75% of access-related audit findings stem from poor visibility and manual review processes, according to Top 10 NHI Issues.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to the 2024 ESG Report: Managing Non-Human Identities.
- For the broader control picture, the Ultimate Guide to NHIs, Key Challenges and Risks explains why visibility gaps and over-privilege keep recurring across machine and service identities.
What this signals
Continuous assurance is becoming the operating expectation for identity programmes. When access can change faster than quarterly review cycles, the control objective shifts from attestation to live assurance. Teams that still rely on static exports will continue to discover risk only after it has already affected finance, operations, or audit outcomes.
More identities now sit inside the same governance boundary. As human users, machine identities, and privileged workflows converge, a single review process has to reflect real entitlement state across all three. That makes identity governance a system design problem, not an audit calendar problem.
With 72% of organisations reporting or suspecting NHI breach experience, per the 2024 ESG Report: Managing Non-Human Identities, governance teams should expect the same visibility and lifecycle weaknesses to surface in machine access reviews if they do not unify control data.
For practitioners
- Replace quarterly attestation with live entitlement review. Tie certification to current access data from ERP, cloud, and ITSM systems so reviewers see active entitlements, not stale exports. Prioritise high-risk roles, dormant accounts, and exceptions that have crossed review cycles.
- Unify provisioning checks with SoD policy enforcement. Evaluate access requests against segregation-of-duties rules before approval is granted, and block conflicting entitlements from being created in the first place. Keep the policy logic in the provisioning workflow, not in a separate audit spreadsheet.
- Connect PAM telemetry to governance workflows. Feed privileged account activity, dormant elevation, and exception status into the same review process used for standard entitlements. That lets reviewers see whether elevated access is still justified before the next audit cycle.
- Measure governance by remediation speed, not just completion rate. Track how quickly excessive access is removed after detection, how many exceptions recur, and how many stale entitlements survive across cycles. Those metrics show whether access governance is truly continuous.
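The following is an added example, not code from SafePaaS or the NHIMG editorial team, showing the continuous evaluation described in the Technical breakdown and the first two practitioner items above as working logic: a pre-approval SoD gate, dormant-entitlement detection across human and machine identities, and drift between the last certified snapshot and current state. The entitlement names, SoD rule pairs, the privileged tier, the 90-day dormancy threshold, and the identities and timestamps are all hypothetical and constructed inline; in practice the entitlement sets come from ERP, cloud, and ITSM connectors.

```python
"""Continuous entitlement evaluation over live access data.

Added example (not SafePaaS or NHIMG code). The entitlement names, SoD rule
pairs, privileged tier, dormancy threshold, identities and snapshots below are
hypothetical and constructed inline so the module runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical SoD rule set: holding both entitlements of a pair is a toxic combination.
SOD_RULES: dict[tuple[str, str], str] = {
    ("erp:vendor.create", "erp:payment.approve"): "vendor creation + payment approval",
    ("erp:journal.post", "erp:journal.approve"): "post and approve own journals",
    ("itsm:change.request", "itsm:change.approve"): "request and approve own change",
}
PRIVILEGED = {"cloud:iam.admin", "erp:sysadmin"}  # assumed privileged tier
DORMANT_AFTER = timedelta(days=90)                 # assumed dormancy threshold


@dataclass
class Identity:
    name: str
    kind: str                      # "human" or "nhi"; both get the same checks
    entitlements: set[str]
    last_used: dict[str, datetime] = field(default_factory=dict)


def sod_conflicts(entitlements: set[str]) -> list[str]:
    """Return the SoD rules that an entitlement set violates."""
    return [desc for (a, b), desc in SOD_RULES.items()
            if a in entitlements and b in entitlements]


def check_request(identity: Identity, requested: str) -> tuple[bool, list[str]]:
    """Provisioning-time gate: approve only if the grant adds no new SoD conflict."""
    before = set(sod_conflicts(identity.entitlements))
    after = set(sod_conflicts(identity.entitlements | {requested}))
    new = sorted(after - before)
    return (not new, new)


def dormant_entitlements(identity: Identity, now: datetime) -> list[str]:
    """Entitlements unused for longer than DORMANT_AFTER; never-used counts as dormant."""
    return [e for e in sorted(identity.entitlements)
            if identity.last_used.get(e) is None
            or now - identity.last_used[e] > DORMANT_AFTER]


def evaluate(identities: list[Identity], now: datetime) -> dict[str, list[tuple[str, str]]]:
    """Evaluate current state for every identity; findings keyed by identity name."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for ident in identities:
        found = [("sod_conflict", d) for d in sod_conflicts(ident.entitlements)]
        for e in dormant_entitlements(ident, now):
            found.append(("dormant_privileged" if e in PRIVILEGED else "dormant", e))
        if found:
            findings[ident.name] = found
    return findings


def snapshot(identities: list[Identity]) -> dict[str, set[str]]:
    """Current entitlement state, in the shape a certification cycle would freeze."""
    return {i.name: set(i.entitlements) for i in identities}


def drift(previous: dict[str, set[str]], current: dict[str, set[str]]) -> dict[str, list[str]]:
    """Entitlements added since the previous evaluation: the access a quarterly cycle misses."""
    out: dict[str, list[str]] = {}
    for name, ents in current.items():
        added = ents - previous.get(name, set())
        if added:
            out[name] = sorted(added)
    return out


# Constructed sample data (hypothetical identities and usage timestamps).
NOW = datetime(2025, 11, 18, tzinfo=timezone.utc)
ALICE = Identity("alice", "human",
                 {"erp:vendor.create", "erp:payment.approve", "erp:journal.post"},
                 {"erp:vendor.create": NOW - timedelta(days=5),
                  "erp:payment.approve": NOW - timedelta(days=2),
                  "erp:journal.post": NOW - timedelta(days=1)})
BOB = Identity("bob", "human", {"itsm:change.request"},
               {"itsm:change.request": NOW - timedelta(days=3)})
SVC_DEPLOY = Identity("svc-deploy", "nhi", {"cloud:iam.admin", "cloud:s3.write"},
                      {"cloud:iam.admin": NOW - timedelta(days=200),
                       "cloud:s3.write": NOW - timedelta(days=1)})
IDENTITIES = [ALICE, BOB, SVC_DEPLOY]
# What the last review cycle certified: alice did not yet hold payment approval.
PREVIOUS_SNAPSHOT = {"alice": {"erp:vendor.create", "erp:journal.post"},
                     "bob": {"itsm:change.request"},
                     "svc-deploy": {"cloud:iam.admin", "cloud:s3.write"}}

if __name__ == "__main__":
    for name, items in evaluate(IDENTITIES, NOW).items():
        print(name, items)
    print("drift since last cycle:", drift(PREVIOUS_SNAPSHOT, snapshot(IDENTITIES)))
    print("bob requests itsm:change.approve ->", check_request(BOB, "itsm:change.approve"))
```

Run as a script it reports alice's toxic combination, the dormant privileged entitlement on the machine identity svc-deploy, and the drift (alice gained erp:payment.approve after the last certified snapshot), all of which a quarterly export taken before the grant would not show; the same check_request gate, applied at provisioning time, refuses bob's request for itsm:change.approve before the conflict exists. Recording the detection time of each finding and the time the entitlement is actually removed gives the remediation-speed metric the last practitioner item asks for.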
Key takeaways
- Quarterly access reviews are too slow for environments where entitlements, privilege, and exceptions change continuously.
- Poor visibility and manual review processes are already behind most access-related audit findings, which makes evidence quality a control issue.
- The practical answer is continuous governance that ties provisioning, SoD enforcement, and privileged oversight into one operating model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Manual review gaps and entitlement drift map directly to NHI offboarding and over-privilege failures. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions, entitlements, and authorizations must be managed, enforced, and reviewed continuously across systems and privilege tiers, with least privilege and separation of duties. |
| NIST SP 800-207 (Zero Trust Architecture) | Zero trust tenets: per-session, dynamically enforced authorization | Continuous verification aligns with the article's shift from periodic review to ongoing assurance. |
Audit review cadence and evidence quality, then automate controls where access changes faster than certification cycles.
Key terms
- Continuous Assurance: Continuous assurance is a governance model that checks access state as it changes, rather than waiting for a quarterly review. It combines live entitlement data, policy evaluation, and remediation so risk is identified and handled before audit season or incident response uncovers it.
- Segregation of Duties: Segregation of duties is the control principle that prevents one identity from holding conflicting permissions that could enable fraud or unauthorized change. In identity governance, it is enforced by comparing requested or existing entitlements against rule sets before access is approved or recertified.
- Privilege Creep: Privilege creep is the gradual accumulation of access that is no longer justified by business need. It often begins with temporary exceptions, inherited roles, or incomplete deprovisioning, and it becomes a control problem when reviews do not remove the excess entitlement quickly enough.
- Policy-Driven Provisioning: Policy-driven provisioning is the practice of granting and removing access through rules that reflect business policy, not manual judgment alone. It reduces inconsistency by embedding approval logic, entitlement checks, and evidence capture directly into the access request and revocation workflow.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SafePaaS: continuous user access review and identity governance. Read the original.
Published by the NHIMG editorial team on 2025-11-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org