By NHI Mgmt Group Editorial Team
Published 2025-10-30
Domain: Governance & Risk
Source: SecurEnds

TL;DR: ISO 27001 user access reviews are meant to verify that users still have appropriate permissions, but the SecurEnds article shows how stale access, missing approvals, and weak evidence routinely break audit readiness. The real issue is not the review cadence itself, but whether organisations can prove that access was removed, documented, and traceable when roles and people changed.


At a glance

What this is: This is an analysis of ISO 27001 user access review practice, and its key finding is that compliance failures usually come from weak evidence, stale entitlements, and delayed deprovisioning rather than the absence of a written policy.

Why it matters: It matters because the same governance weaknesses that undermine human access reviews also inform how teams should think about entitlement hygiene for service accounts and other non-human identities.

By the numbers:

👉 Read SecurEnds' guide to ISO 27001 user access review controls


Context

ISO 27001 user access review is the control discipline of confirming that access still matches business need. The article argues that most audit gaps appear when permissions drift after joiners, movers, and leavers, or when teams cannot prove that review decisions were recorded.

That problem is not limited to human users. The same pattern shows up in service accounts, API keys, and other non-human identities when ownership is unclear and removal is delayed, which is why access review should be treated as a governance system rather than a spreadsheet exercise.


Key questions

Q: How should organisations run ISO 27001 user access reviews without creating audit noise?

A: Use a consistent review cadence, assign a named owner for each application, and require documented decisions for every entitlement. Focus first on privileged accounts, leavers, and accounts with no clear business owner. The goal is not more paperwork. The goal is a review trail that proves access was assessed, challenged, and removed where appropriate.

Q: Why do user access reviews fail even when a policy exists?

A: They fail when the organisation cannot prove the review happened or cannot act on the outcome quickly. Missing timestamps, missing approval records, and delayed deprovisioning are common failure modes. A policy is only a promise. Auditors look for evidence that the promise was executed and that excessive access was actually removed.

Q: What signals show that access review is not working in practice?

A: High numbers of orphaned accounts, repeated exceptions, stale privileged access, and review cycles that end without removals are strong warning signs. If teams can show completed meetings but cannot show entitlement changes, governance is weak. The control is working only when the review results in measurable reduction of unnecessary access.

Q: Who should be accountable for user access review outcomes under ISO 27001?

A: Accountability should sit with the business owner, application owner, or delegated manager who can justify whether access is still needed. Security can coordinate and evidence the process, but it should not own every decision. If ownership is diffuse, review outcomes become easy to ignore and hard to enforce.


Technical breakdown

Access review evidence and audit traceability

An ISO 27001 access review succeeds only when the organisation can show who reviewed access, when they reviewed it, what changed, and why. The article’s core point is that auditors do not accept policy statements in place of evidence. A completed review without timestamps, approvals, and revocation records is operationally weak even if the intent was correct. This makes traceability the real control surface, not the review meeting itself. In practice, evidence quality determines whether access governance is defensible during certification or merely performative.

Practical implication: centralise review logs, decisions, and exceptions so every entitlement change can be proven after the fact.

Joiner mover leaver drift in user access review

Joiner mover leaver drift happens when access stays attached to a person after their role changes. In the article, this is the root cause behind stale permissions and delayed removal, especially where teams change quickly. ISO 27001 treats this as a governance failure because access should track current duties, not historical convenience. The same lifecycle problem affects privileged accounts and shared administrative access when ownership is informal. If offboarding and role changes are not tightly linked to review workflows, privilege creep becomes the default state.

Practical implication: connect HR, IAM, and application ownership data so movers and leavers trigger immediate review and removal workflows.

Privileged access review under ISO 27001

Privileged accounts need separate review because the risk profile is different from ordinary user access. The article correctly highlights that admin rights require specific scrutiny under ISO 27001 control A.9.2.3, not a blanket approval process. Privileged access is where review failure causes the greatest blast radius, since unused elevated rights often survive role changes, project exits, and system migrations. The governance lesson is simple: high-risk access needs explicit owners, documented justification, and tighter evidence standards than standard entitlements.

Practical implication: separate privileged access attestation from routine user review and require named business justification for elevated rights.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access review programs fail when evidence is treated as a by-product instead of the control itself. The article is right that auditors care about completed reviews, recorded decisions, and removal of unnecessary rights. Without that trail, organisations cannot prove governance, which turns access review into an assertion rather than a control. Practitioners should treat traceability as the primary audit object, not the worksheet.

Joiner mover leaver drift is the structural flaw behind most access review gaps. The article shows that permissions linger when roles change and offboarding is slow, which creates privilege creep across the identity lifecycle. That pattern is familiar in human IAM, but it also explains why NHI governance breaks when ownership and revocation are weak. Practitioners should read access review as lifecycle enforcement, not periodic cleanup.

Non-human identity governance and human access governance are converging around the same accountability problem. The article’s emphasis on approvals, logs, and timely removal maps directly onto service account and API key oversight. Only 20% of organisations have formal offboarding and revocation processes for API keys, according to our Ultimate Guide to NHIs, which shows how far the machine identity side still trails basic human review discipline. Practitioners should stop treating NHI and human review as separate governance silos.

Least privilege is only meaningful when review can keep pace with role change. The article assumes access can be periodically corrected, but that assumption fails as environments scale and permissions spread across SaaS, cloud, and legacy systems. The result is not just policy drift but an expanding gap between what access should be and what remains active. Practitioners should treat review cadence and entitlement volatility as one control problem.

Automatic evidence collection changes certification readiness, but it does not fix broken governance. The article positions automation as a way to keep records, timestamps, and decisions available for auditors. That is useful, but the real test is whether the underlying review logic still identifies stale access and orphaned accounts correctly. Practitioners should use automation to harden proof, then validate that the review itself is still removing risk.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often entitlement review starts from incomplete inventory.
  • For a deeper control model, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.

What this signals

Access review and lifecycle governance are converging: teams that can evidence human access reviews still often lack the same discipline for service accounts and API keys. The practical shift is to manage review, ownership, and removal as one lifecycle problem across people and machine identities, not as separate programmes. That matters because the gap between policy and proof is widening fastest where identity is non-human.

The next maturity step is less about scheduling more reviews and more about reducing entitlement volatility. If access changes faster than the organisation can attest to it, the review process becomes reactive paperwork. That is where inventory quality, ownership mapping, and automated revocation begin to matter more than the calendar.


For practitioners

  • Separate privileged access from routine user access review: Run privileged entitlements through a distinct attestation workflow with named approvers, documented justification, and tighter evidence retention than standard user reviews.
  • Link access review to joiner mover leaver events: Trigger review and removal actions when employees change departments, change managers, or exit, so stale permissions do not survive beyond the current role.
  • Centralise evidence for audit traceability: Store reviewer identity, timestamps, approval outcomes, revocations, and exceptions in one system so auditors can verify that the review actually happened.
  • Review orphaned and inactive accounts on a fixed cadence: Compare active account lists against HR and application ownership data to identify access that no longer maps to a current business purpose.

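As an added illustration (not code from the article or from SecurEnds), the following Python reconciliation applies the practitioner steps above to constructed sample data: it compares an entitlement export against an HR roster and an application-ownership map, routes privileged rights to a separate attestation workflow, and writes one timestamped evidence record (who, when, what, why) per entitlement. The account names, statuses, owner map and decision rules are all assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data (assumed, not from the article): HR roster, app owners, entitlements.
HR = {  # account -> (status, current department)
    "e100": ("active", "finance"),
    "e200": ("active", "engineering"),   # mover: transferred out of finance
    "e300": ("left", "finance"),         # leaver whose access was never removed
}
APP_OWNERS = {"ledger": "e100", "ci": None}   # ci has no named business owner
# (account, application, role, department the role was granted for, privileged?)
ENTITLEMENTS = [
    ("e100", "ledger", "approver", "finance", False),
    ("e200", "ledger", "admin", "finance", True),     # stale admin right on a mover
    ("e300", "ledger", "viewer", "finance", False),
    ("svc-build", "ci", "admin", "engineering", True),  # service account: no HR row, no owner
]

def decide(account, app, granted_for, privileged, hr, owners):
    """Apply the joiner/mover/leaver and ownership rules to one entitlement."""
    status, dept = hr.get(account, ("none", None))
    if status == "left":
        return "revoke", "leaver still holds access"
    if status == "active" and dept != granted_for:
        return "revoke", f"mover: granted for {granted_for}, now in {dept}"
    if status == "none" and owners.get(app) is None:
        return "escalate", "orphaned: no HR record and no application owner"
    if privileged:
        return "attest", "privileged: named justification required from owner"
    return "retain", "active user, role matches current department"

def run_review(entitlements, hr, owners, reviewer, now=None):
    """Return one evidence record per entitlement: who, when, what, why, which workflow."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for account, app, role, granted_for, privileged in entitlements:
        decision, reason = decide(account, app, granted_for, privileged, hr, owners)
        records.append({
            "reviewer": reviewer, "reviewed_at": stamp, "account": account,
            "app": app, "role": role, "owner": owners.get(app),
            "workflow": "privileged" if privileged else "standard",  # distinct attestation path
            "decision": decision, "reason": reason,
        })
    return records

def summarize(records):
    """Decision counts plus a flag: a cycle that ends with no removals is itself a warning sign."""
    counts = dict(Counter(r["decision"] for r in records))
    counts["removals_made"] = counts.get("revoke", 0) > 0
    return counts
```

In a real programme the HR and entitlement inputs would come from the HRIS and each application's export, and the records would be written to the central evidence store rather than kept in memory.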
Key takeaways

  • ISO 27001 access review fails most often when organisations cannot prove who reviewed access, what changed, and why.
  • Stale permissions and delayed offboarding are the recurring governance gaps behind most audit findings and privilege creep.
  • Treat access review as lifecycle enforcement across human and non-human identities, with evidence and removal built into the workflow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework     | Control / Reference | Relevance
NIST CSF 2.0  | PR.AC-1             | Access authorisation and review are central to the article's governance focus.
NIST CSF 2.0  | PR.AC-4             | Least-privilege review is directly aligned to controlling access rights.
NIST CSF 2.0  | PR.AC-5             | Separation of duties matters when privileged access is re-evaluated.

Check privileged access against PR.AC-5 and document exceptions with explicit business justification.


Key terms

  • User Access Review: A user access review is a periodic check that confirms each person still needs the permissions they have been granted. In ISO 27001 terms, it is evidence that access is current, approved, and limited to business need. The control only works when decisions are recorded and acted on.
  • Privileged Access: Privileged access is elevated permission that allows a user or administrator to perform high-impact actions such as changing configurations, managing identities, or reading sensitive data. Because the blast radius is larger, privileged access requires separate review, stronger justification, and tighter audit evidence than ordinary access.
  • Joiner Mover Leaver Drift: Joiner mover leaver drift is the gap that appears when access does not keep up with role changes or offboarding. It is a lifecycle failure, not a paperwork issue. The longer access stays attached to an out-of-date role, the more likely it is to become unnecessary, excessive, or exploitable.
  • Audit Traceability: Audit traceability is the ability to show what was reviewed, by whom, when, and what outcome followed. In identity governance, it is the difference between saying access was managed and proving it. Without traceability, even a well-run review can fail inspection because the evidence chain is incomplete.

Deepen your knowledge

ISO 27001 user access review, privilege governance, and lifecycle enforcement are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are tightening review processes across human and machine identities, it is a practical place to start.

This post draws on content published by SecurEnds: ISO 27001 user access review guidance and audit gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org