TL;DR: ITGC audit checklists help organisations test access controls, evidence collection, interviews, inspections, and reporting before control gaps become compliance failures, according to Zluri. The deeper issue is that manual access governance breaks down when orphaned accounts, over-permissioned roles, and weak review cadence go unchallenged.
At a glance
What this is: This is a summary of Zluri's access-management ITGC audit checklist, which argues that structured reviews reduce control gaps, compliance risk, and manual audit friction.
Why it matters: It matters because the same access governance failures that weaken ITGC audits also undermine NHI, human IAM, and lifecycle controls across SaaS, cloud, and financial systems.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Zluri's ITGC access management audit checklist and automation guidance
Context
ITGC access management is the discipline of proving that the right identities have the right access, that evidence exists, and that exceptions are handled before they become audit findings. In practice, the weak point is rarely the checklist itself. It is the underlying identity governance model, especially where access is spread across SaaS, cloud, and manually maintained permissions.
Zluri frames the checklist as a way to simplify internal audit work, but the broader problem is that manual access review does not scale cleanly across human identities and non-human identities. Once orphaned accounts, inactive credentials, and over-permissive roles accumulate, audit preparation becomes a data reconciliation exercise rather than a control test.
Key questions
Q: What breaks when access reviews rely on stale entitlement data?
A: Access reviews become a documentation exercise instead of a control test when entitlement data is stale. Reviewers approve or reject a snapshot that no longer reflects who can actually reach systems, so orphaned accounts, inactive privileges, and unowned access escape detection. A live source of truth is the difference between governance and guesswork.
Q: Why do service accounts and privileged user accounts need the same governance discipline?
A: Both account types can reach critical systems and both can outlive the purpose they were created for. If the organisation tracks only human users, service accounts become invisible exceptions with standing access and unclear ownership. The same lifecycle logic, ownership model, and removal trigger should apply to both.
Q: What do security teams get wrong about automated access reviews?
A: They often treat automation as a faster version of the same manual process. The real value is broader population coverage, clearer exception handling, and less dependence on human memory. Automation only helps if the underlying identity data is accurate and if remediation follows review findings quickly.
Q: Who should be accountable when access governance gaps lead to audit failure?
A: Accountability should sit with the system or business owner who can prove why access exists and who is responsible for removing it. Audit teams validate evidence, but they do not own entitlement decisions. Without named ownership, access gaps persist across both human IAM and NHI programmes.
Technical breakdown
Why access review evidence fails when identity data is fragmented
Access review evidence depends on a reliable inventory of entitlements, owners, and system states. When those records live in spreadsheets, tickets, and disconnected admin consoles, auditors cannot easily verify whether a control is operating or merely documented. The technical problem is not evidence volume, but evidence integrity. If access lists are stale, if ownership is unclear, or if account status changes faster than review cycles, the audit trail stops reflecting real access conditions.
Practical implication: centralise entitlement records before the audit cycle begins so evidence matches live access state.
How orphaned accounts and standing privilege distort ITGC controls
Orphaned accounts create false confidence because they appear governed on paper while remaining active in systems. Standing privilege adds a second problem: access is always present, so the audit only measures whether a permission exists, not whether it should exist at a given moment. In NHI and human IAM programmes alike, this turns access management into a static approval record instead of a lifecycle control. Audit findings usually surface when the business cannot explain who owns the account or why access was never removed.
Practical implication: tie every privileged account to an owner, a business purpose, and a removal condition.
Why automated access certification matters more than manual sampling
Manual sampling can miss risky access because it reviews only a small part of the permission set and often depends on human memory. Automated certification shifts the control from one-time inspection to repeatable governance, where changes in role, inactivity, and exceptions are surfaced consistently. That does not eliminate auditor judgment, but it does improve the quality of the population being reviewed. For access-heavy environments, automation is less about speed than about reducing blind spots in the certification population.
Practical implication: automate recurring access certifications for high-risk systems and reserve manual review for exceptions.
Threat narrative
Attacker objective: The attacker or insider seeks to use weak access governance to reach restricted data or systems without detection.
- Entry via excessive or outdated access rights that were never removed from user and service accounts.
- Escalation through standing privilege, where the account can reach sensitive systems without a fresh approval gate.
- Impact through data exposure, compliance failure, or unauthorised changes that the audit should have prevented earlier.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Snowflake customer breaches — stolen credentials for customer tenants that lacked MFA were used against Ticketmaster, Santander and others, a case of cloud credential abuse rather than a platform compromise.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ITGC access management is an identity governance problem before it is an audit problem. The checklist only works when the underlying entitlement data is current, owned, and traceable. If access records are fragmented across admins, spreadsheets, and ticket queues, the audit is documenting uncertainty rather than control. Practitioners should treat access management as the control plane, not the paperwork.
Standing access creates the audit blind spot that ITGC checklists are meant to expose. Access that remains in place by default is hard to challenge because reviewers are asked to validate an existing state instead of a time-bound decision. That pattern weakens both human IAM and NHI governance, especially where service accounts, API keys, and contractors remain active after their purpose changes. Practitioners should recognise standing access as a lifecycle failure, not a review failure.
Orphaned access is a governance debt that manual audit work keeps rediscovering. Once the organisation cannot explain ownership, purpose, or expiry for an account, the checklist becomes a detective tool instead of a preventative control. The same pattern appears in NHI programmes when API keys and service accounts outlive the system or team that created them. Practitioners should treat orphaned access as evidence that lifecycle governance has already failed.
Automated certification changes the evidence model, not just the workflow. The value is not fewer spreadsheets, but a cleaner population of access decisions that can be reviewed, challenged, and remediated before the audit closes. That matters across IAM, IGA, and NHI programmes because the control only becomes auditable when review inputs reflect real entitlement state. Practitioners should build governance around continuously refreshed access data, not periodic reconciliation.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Use the NHI Lifecycle Management Guide to turn access review findings into removal, rotation, and ownership actions.
What this signals
Lifecycle discipline will matter more than audit elegance. Teams that can inventory, review, and remove access continuously will spend less time reconstructing evidence after the fact. That shift is especially important where human and non-human identities share the same systems, because the weakest lifecycle process becomes the common failure point.
The most useful signal here is whether access review output actually changes permissions, not whether the report looks complete. If exceptions recur, owners are missing, or revocation lags behind approval, the programme is producing compliance theatre. For guidance on the lifecycle side of that problem, start with the NHI Lifecycle Management Guide.
Identity blast radius: the practical measure is how far a stale or over-permissioned account can move before it is removed. The more systems that rely on manual reconciliation, the larger that blast radius becomes, and the harder it is to prove control effectiveness in a single audit cycle.
For practitioners
- Reconcile every privileged account to a named owner: Require a business owner, system owner, and removal trigger for every privileged human and non-human account before the audit window opens.
- Replace spreadsheet-led reviews with a live entitlement source: Pull access review inputs from the system of record, then validate that inactive accounts, orphaned accounts, and exceptions are visible in one place.
- Separate standing access from time-bound exceptions: Track permanent entitlements separately from temporary approvals so reviewers can see which permissions were intended to persist and which were not.
- Document evidence for both access and revocation: Keep screenshots, logs, and approvals that show not only who has access, but also when access was removed or denied after review.
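The reconciliation the technical breakdown describes (live entitlement state joined to ownership, roster and activity data, with standing privilege separated from time-bound grants and revocations verified afterwards) is shown below as an added example. It is not code from Zluri or NHIMG; the accounts, systems, dates, CSV column names and 90-day inactivity threshold are constructed for illustration, and a real run would pull the same inputs from the identity provider, HR system and target-system exports.

```python
"""Access certification reconciliation (added example, hypothetical data).

Joins a constructed entitlement export covering human and service accounts
with an ownership register, an HR roster and last-activity data, emits one
decision per entitlement, and then checks a post-remediation export so the
evidence shows revocation actually happened, not just that it was approved.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# --- Constructed sample inputs: every account, system and date is invented ---
AS_OF = date(2025, 6, 1)      # certification date used for all age calculations
INACTIVITY_DAYS = 90          # assumed threshold for the "inactive" finding

# Entitlement export as it might come from the system of record (one row per grant).
ENTITLEMENTS_CSV = """account,kind,system,privilege,granted,expires
alice,human,erp-prod,admin,2024-01-10,
bob,human,erp-prod,read,2024-03-01,
carol,human,warehouse,admin,2025-05-01,2025-05-15
dave,human,warehouse,read,2024-09-09,
svc-billing,service,erp-prod,admin,2023-06-15,
svc-legacy-etl,service,warehouse,admin,2022-02-01,
"""

# Ownership register: account -> (named owner, business purpose, removal trigger).
OWNERS = {
    "alice": ("alice", "ERP administrator", "role change or leaver"),
    "bob": ("bob", "finance analyst", "leaver"),
    "carol": ("carol", "quarter-close support", "expiry 2025-05-15"),
    "svc-billing": ("alice", "nightly invoice batch", "decommission of billing job"),
    "svc-legacy-etl": ("frank", "legacy ETL", "migration to new pipeline"),
}
HR_ROSTER = {"alice", "bob", "carol", "erin"}   # dave and frank have left the organisation
LAST_ACTIVITY = {                               # last authenticated use per account
    "alice": date(2025, 5, 30), "bob": date(2025, 5, 29), "carol": date(2025, 5, 2),
    "dave": date(2025, 1, 15), "svc-billing": date(2025, 5, 31),
    "svc-legacy-etl": date(2024, 11, 3),
}


@dataclass(frozen=True)
class Decision:
    account: str
    system: str
    privilege: str
    action: str                 # "revoke", "recertify" or "keep"
    reasons: tuple[str, ...]    # findings that drove the action; this is the evidence
    owner: str | None


def review(entitlements_csv: str, owners: dict, roster: set, activity: dict,
           as_of: date, inactivity_days: int = INACTIVITY_DAYS) -> list[Decision]:
    """Produce one certification decision per entitlement row."""
    decisions = []
    for row in csv.DictReader(io.StringIO(entitlements_csv)):
        acct, reasons = row["account"], []
        owner_rec = owners.get(acct)
        owner = owner_rec[0] if owner_rec else None
        # Ownership: every account, human or service, needs a named owner who still exists.
        if owner_rec is None:
            reasons.append("unowned: no entry in ownership register")
        elif owner not in roster:
            reasons.append(f"orphaned: owner {owner} not in HR roster")
        # Human accounts whose holder has left are orphaned regardless of ownership record.
        if row["kind"] == "human" and acct not in roster:
            reasons.append("orphaned: account holder not in HR roster")
        # Time-bound grants are judged against their expiry, not against whether they exist.
        expires = date.fromisoformat(row["expires"]) if row["expires"] else None
        if expires and expires < as_of:
            reasons.append(f"time-bound access expired {expires}")
        # Inactivity is measured from live authentication data, not from the approval record.
        last = activity.get(acct)
        if last is None or (as_of - last).days > inactivity_days:
            reasons.append("inactive beyond threshold")
        if reasons:
            action = "revoke"
        elif row["privilege"] == "admin" and expires is None:
            # Standing privilege is not auto-revoked, but it must be re-attested by its owner.
            action, reasons = "recertify", ["standing privilege: owner attestation required"]
        else:
            action = "keep"
        decisions.append(Decision(acct, row["system"], row["privilege"], action, tuple(reasons), owner))
    return decisions


def verify_revocations(decisions: list[Decision], post_remediation_csv: str) -> list[Decision]:
    """Return revoke decisions still present in a fresh export: the revocation lag the audit must see."""
    remaining = {(r["account"], r["system"], r["privilege"])
                 for r in csv.DictReader(io.StringIO(post_remediation_csv))}
    return [d for d in decisions
            if d.action == "revoke" and (d.account, d.system, d.privilege) in remaining]


# Constructed post-remediation export: carol and svc-legacy-etl were removed, dave was not.
POST_REMEDIATION_CSV = """account,kind,system,privilege,granted,expires
alice,human,erp-prod,admin,2024-01-10,
bob,human,erp-prod,read,2024-03-01,
dave,human,warehouse,read,2024-09-09,
svc-billing,service,erp-prod,admin,2023-06-15,
"""

if __name__ == "__main__":
    decisions = review(ENTITLEMENTS_CSV, OWNERS, HR_ROSTER, LAST_ACTIVITY, AS_OF)
    for d in decisions:
        print(f"{d.action:10} {d.account:15} {d.system:10} {d.privilege:6} owner={d.owner} {'; '.join(d.reasons)}")
    for d in verify_revocations(decisions, POST_REMEDIATION_CSV):
        print(f"REVOCATION LAG: {d.account} on {d.system} still holds {d.privilege}")
```

The decision record, not the printed report, is the audit artefact: each row names the owner, the finding and the action, and `verify_revocations` turns the "revoke" rows into a check against live state so the evidence covers removal as well as approval. Note that the standing-privilege rows (alice and svc-billing) are routed to owner attestation rather than auto-revoked, which is the point of tracking permanent entitlements separately from time-bound ones.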
Key takeaways
- ITGC access management fails when entitlement data is stale, fragmented, or impossible to map back to ownership.
- The scale of the risk is structural, not incidental, because excessive privilege and missing offboarding create recurring audit blind spots.
- The control that changes outcomes is not another checklist alone, but a live governance model that ties access, ownership, review, and revocation together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identities Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (the CSF 2.0 successor to CSF 1.1 PR.AC-4) | Access permissions, entitlements and authorisations are defined, managed, enforced and reviewed with least privilege, which is the core of ITGC access management. |
| OWASP Non-Human Identities Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Offboarding and rotation gaps commonly surface in audit evidence for non-human accounts. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust (AC-3 Access Enforcement is the related SP 800-53 control) | Zero trust requires explicit, per-session, continuously evaluated access rather than static privilege. |
Use NHI1 and NHI7 to validate that service accounts are offboarded and their credentials rotated on schedule.
Key terms
- IT General Controls: IT general controls are the baseline controls that govern access, change, operations, and evidence across core systems. In practice, they prove that identity, system, and data handling processes are repeatable enough to support compliance and reliable business operations.
- Access Certification: Access certification is the formal review of whether an identity should keep its current permissions. It relies on accurate entitlement data, clear ownership, and timely remediation so the review result changes real access rather than just documenting a decision.
- Orphaned Account: An orphaned account is an identity that still exists in a system after its owner, purpose, or lifecycle context is gone. These accounts are dangerous because they can retain access without accountability, making them difficult to challenge during audits and easier to miss in reviews.
- Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. It increases audit risk because reviewers must justify why access is permanent, not merely whether it was ever approved, and it expands the window for misuse if the account is compromised.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.
This post draws on content published by Zluri: Access Management ITGC Audit Checklist: Simplify Your Internal Audit Process. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org