TL;DR: Most organisations struggle with access reviews because they cannot see all apps, decide what to scope first, or assign reviewers cleanly, according to Zluri. The real problem is not understanding why reviews matter, but building a review process that is complete enough to survive audit and remediation.
At a glance
What this is: This is a step-by-step guide to launching a first user access review, with visibility, scope, ownership, certification, and remediation as the core sequence.
Why it matters: It matters because access reviews sit at the centre of IAM, IGA, and PAM governance, and weak scoping or poor follow-through leaves both human and non-human access exposed.
👉 Read Zluri's guide to launching a first access review process
Context
Access reviews are a governance control, not a spreadsheet exercise. The challenge is that most organisations start with incomplete visibility, unclear ownership, and no agreed remediation path, which makes the first review campaign harder than the policy language suggests.
In IAM and IGA programmes, this is where human access governance intersects with NHI governance too. The same lifecycle pressure shows up when teams must decide who certifies access, how often reviews run, and what happens when access is no longer justified.
Key questions
Q: How should teams start an access review programme when they lack complete visibility?
A: Start with discovery, not certification. Build a master inventory from the IDP, finance data, and department input, then scope only the highest-risk apps first. If you cannot see the full app and entitlement population, any access review will be incomplete by design and weak for both security and audit purposes.
Q: Why do access reviews fail when ownership is unclear?
A: Access reviews fail when no one knows who has authority to judge a specific entitlement. Managers, app owners, and security teams each have different context, so the programme needs explicit assignment rules. Without that, reviewers either over-approve, under-review, or delay decisions while ownership is debated.
Q: How do organisations know whether an access review is actually working?
A: An access review is working only if denied access is removed, exceptions are tracked, and the evidence package is complete. Approval counts alone are not enough. The real signal is whether the control changed access outcomes and produced audit-ready proof of those changes.
Q: What is the difference between reviewing users and reviewing groups in access governance?
A: User review checks individual accounts one by one, while group review certifies the entitlement sets that actually grant access. Group review is usually more efficient when organisations assign access through SSO groups, but it still requires strong ownership and remediation. User review remains necessary for privilege-heavy exceptions.
Technical breakdown
Visibility and scope: why access reviews fail before they start
An access review only works if the organisation can build a credible inventory of users, apps, and entitlements. The article distinguishes between what an IDP sees, what finance records show, and what discovery tools uncover, which is the real governance problem: scope is usually larger than the system of record. That mismatch creates blind spots for shadow IT, embedded apps, and third-party access. Practical access review design starts with discovery quality, not certification workflows.
Practical implication: establish a defensible application inventory before assigning reviewers or setting review cadence.
Reviewer assignment and access certification ownership
The hard part of certification is not the approval button, but deciding who has the right context to approve or deny access. Manager certification works for standard user access, app owner certification works for sensitive systems, and security certification is better for privileged or external access. The article’s hybrid model reflects a common IGA reality: no single reviewer type can cover all risk classes. Governance fails when ownership is vague or overloaded.
Practical implication: map each access class to the reviewer with the best business and risk context.
Remediation and evidence: the part of access reviews that auditors test
A review that ends with approvals but no access removal is not a completed governance process. The final step has two jobs: enforce denials and preserve audit evidence. That means the workflow must connect decisions to actual deprovisioning, exception handling, and report generation. If remediation is left as an informal follow-up task, the review becomes documentation theatre rather than access control.
Practical implication: wire certification decisions directly into remediation tickets and evidence retention.
NHI Mgmt Group analysis
Access review failure is usually a visibility failure first, not a reviewer failure. The article shows that teams often cannot even enumerate the full app population they need to review, which means the control starts with an incomplete risk universe. That matters because certification quality is capped by inventory quality. For IAM and IGA leaders, the practitioner conclusion is simple: if discovery is partial, the review is partial.
Ownership ambiguity is the real control gap in first-time access reviews. Manager, app owner, and security review models each solve a different slice of the problem, but the article makes clear that first-time programmes fail when no one is explicitly accountable for each slice. This is not just workflow design, it is governance assignment. The practitioner conclusion is that access certification must be mapped to decision authority, not organisational convenience.
Remediation without evidence turns access reviews into compliance theatre. The article correctly treats the last step as proof, not paperwork. If denied access is not removed and the decision trail is not preserved, the organisation has not closed the governance loop. The practitioner conclusion is that review programmes should be measured by completed removals and retained evidence, not by the number of approvals captured.
Group-based certification is the named concept that many mid-market IAM teams miss. Reviewing SSO groups instead of individual users can collapse thousands of decisions into a manageable certification set when access is provisioned centrally. That does not remove governance responsibility, but it changes the operating model from labour-heavy inspection to entitlement-level control. The practitioner conclusion is that review design should follow how access is actually granted, not how legacy tools prefer to display it.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- For broader lifecycle context, see NHI Lifecycle Management Guide for how review, rotation, and offboarding fit into governance.
What this signals
Access review maturity now needs to be treated as a cross-identity governance capability. Organisations that can certify human access but cannot reliably govern machine access are carrying the same control weakness into different identity types. The practical signal for IAM teams is that inventory quality, ownership, and evidence retention should be designed once and applied across the full identity lifecycle.
With 72% of organisations reporting or suspecting an NHI breach in our research, review programmes that ignore machine and service identities will miss a large part of the actual access surface. That is why the operating model should converge around entitlement inventory, certification ownership, and proof of remediation, not separate processes for every identity class.
Entitlement-level governance: as access becomes more group-based and more automated, teams need to review the control point where access is granted, not just the account that consumes it. That is the point where policy, provisioning, and evidence all meet.
For practitioners
- Build the app inventory before launching certification Correlate IDP data, finance records, and department-owned app lists so the first review scope reflects actual usage, not just the system of record.
- Assign review authority by access class Route standard employee access to managers, privileged access to app owners or security, and third-party access to the team that can validate business need.
- Use group-level certification where access is grouped If SSO groups drive entitlement, review those groups first and reserve user-level review for privileged or exception access.
- Tie denials to removal and evidence capture Make sure every denied entitlement generates a tracked remediation action and that the final report includes the full decision trail for audit purposes.
Key takeaways
- The article shows that access review success depends on visibility, ownership, and remediation quality, not on the certification button itself.
- The strongest evidence of control failure is when organisations can approve access but cannot prove that denied access was actually removed.
- Teams should align review design to the way access is really granted, then connect every decision to a tracked remediation and evidence trail.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access review governance depends on knowing who can access what. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification of access decisions and entitlement scope. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | The review process intersects with lifecycle and entitlement governance for non-human access. |
Tie certification outcomes to ongoing verification and remove access that no longer fits need-to-know.
Key terms
- Access Review: A structured certification process that asks an approved reviewer to confirm whether a user or group still needs an entitlement. In practice, it is only effective when the organisation can see the full scope of access, route decisions to the right owner, and remove access that is no longer justified.
- Certification Ownership: The assignment of decision authority for reviewing access, usually to managers, app owners, or security teams depending on risk. It matters because access decisions need the person with the right business or technical context, not just the easiest reviewer to reach.
- Entitlement Inventory: The authoritative list of apps, users, groups, and permissions that define who can access what. In identity governance, it is the starting point for review, remediation, and audit evidence because any missing entitlement leaves a blind spot in the control.
- Remediation Trail: The documented path from an access denial or policy violation to the actual removal or change of access. It links a governance decision to an operational outcome, which is what auditors and security teams need to verify that the review changed risk rather than just reporting on it.
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- Week-by-week launch sequence for the first access review, including the 3 to 8 week rollout paths
- Concrete examples of how to choose between manual, basic automation, and platform-led certification workflows
- The article's practical review criteria for prioritising high-risk applications, users, and SSO groups
- Detailed remediation and documentation steps for closing out denials and preparing audit evidence
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM, identity lifecycle, or secrets management programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org