TL;DR: Access reviews, stale access, and AI-assisted role mining can all be automated across the company, with audit evidence, SoD checks, and reviewer workflows captured in one place, according to Lumos. The governance lesson is that continuous identity oversight now depends on review automation, not periodic cleanup.
At a glance
What this is: Lumos describes an internal identity governance model that automates access reviews, strengthens audit evidence, and uses an AI identity agent for role mining and access insight.
Why it matters: It matters because IAM teams across NHI, autonomous, and human identity programmes are being pushed toward continuous governance, tighter privilege control, and faster audit response.
👉 Read Lumos' blog post on how it uses its platform for identity governance
Context
Access reviews are still treated as a periodic control in many identity programmes, even though access changes continuously and review evidence often lives across tickets, spreadsheets, and email. That creates delay, weak traceability, and inconsistent decisions across human, machine, and AI-driven workflows.
The article is primarily about identity governance in a human IAM context, but it also touches the boundary where AI starts to assist with decision-making. For practitioners, the key question is not whether governance can be automated, but which parts of the access lifecycle still depend on manual review and where that introduces risk.
Key questions
Q: How should teams modernise access reviews without losing audit evidence?
A: Teams should centralise review execution in a governed workflow that records due dates, reviewer decisions, comments, and resulting access changes. The goal is not just speed. It is to make evidence automatic so audit prep no longer depends on manual reconstruction across tickets and spreadsheets.
Q: Why do manual access reviews create governance risk in IAM programmes?
A: Manual reviews create risk because they rely on human coordination across multiple systems, which increases delay, inconsistency, and missed remediation. When review outcomes are not tied directly to access changes, the control becomes administrative rather than preventive, and stale access can persist after the review cycle ends.
Q: What do security teams get wrong about AI in identity governance?
A: They often assume AI can take over governance decisions, when its real value is analysis and prioritisation. AI can surface patterns, outliers, and risky access faster than people, but ownership, approval, and business context still have to remain with the governance team.
Q: How can organisations tell whether access governance is actually working?
A: Look for evidence that reviews are completed on time, decisions are captured in one system, stale access is removed promptly, and audit proof is ready without manual effort. If the programme can only prove control after a scramble, it is not operating continuously.
Technical breakdown
Automated access reviews and reviewer workflows
Access reviews work best when entitlements, ownership, due dates, and review outcomes are handled in one system rather than spread across tickets and emails. Automation changes the control from a periodic administrative task into a governed workflow with reminders, escalation, comments, and an audit trail. That matters because the risk is usually not the review itself, but the failure to complete it consistently, document it clearly, or act on the result. When review decisions are tied to actual access changes, the control becomes operational instead of ceremonial.
Practical implication: centralise review execution so completion status, reviewer decisions, and entitlement changes are all visible in one place.
Role mining, RBAC, and ABAC refinement
Role mining is the process of analysing access patterns to identify recurring entitlement groups, outliers, and permissions that do not fit expected job functions. In mature programmes, that insight feeds both RBAC and ABAC tuning, because static roles alone rarely explain real business access patterns. AI-assisted analysis can speed up this work by surfacing common clusters and exceptions, but the governance value comes from translating those findings into cleaner policy boundaries. The main failure mode is letting access growth outpace role design, which creates privilege creep and poorly defined access exceptions.
Practical implication: use role mining results to tighten role definitions and remove entitlements that no longer match business need.
Decision automation in identity governance
The article describes Albus as moving beyond task automation into decision support, which is where identity governance starts to change materially. Decision automation does not remove governance responsibility, but it can prioritise high-risk apps, flag unused licences, and identify out-of-scope access faster than manual review. That shifts the control plane from after-the-fact reporting to ongoing optimisation. The key architectural distinction is that AI is being used to inform governance decisions, not to replace accountability for them. That makes oversight design more important, not less.
Practical implication: define which identity decisions AI may recommend, which must remain human-approved, and how those recommendations are validated.
NHI Mgmt Group analysis
Manual review processes fail first at consistency, not intent. The article shows a common governance pattern: teams know access reviews matter, but they execute them through spreadsheets, tickets, and follow-up email. That model breaks because the control depends on human coordination across multiple systems, not on a stable governance workflow. The implication is that review programmes should be judged on execution reliability, not just policy completeness.
AI-assisted governance changes the shape of identity operations, but not the accountability model. When an AI identity agent highlights stale access, unused licences, or role outliers, the speed of governance improves materially. But the control owner still has to decide what the signal means, who approves the change, and whether the recommendation reflects business context. Practitioners should treat AI as an analysis layer on top of governance, not as the governance authority itself.
Role mining becomes more valuable when access patterns are treated as living evidence. The article’s strongest signal is that role definitions improve when they are continuously refined from actual usage rather than tribal knowledge. That aligns with NIST-CSF and NIST-style governance discipline, where identity controls are maintained as part of an ongoing operating model. The practitioner takeaway is that access models decay unless they are routinely re-derived from reality.
Audit readiness is an outcome of process design, not an end-of-year activity. A centralised review trail with timestamps, decisions, and remediation records changes the evidentiary burden for compliance teams. That reduces friction during SOX and SOC 2 review cycles because the proof is already in the control system. Organisations that still assemble audit evidence at the last minute are paying for a control design problem, not just an operational inconvenience.
Identity governance is moving toward continuous visibility across human and AI-assisted decisions. The article is a good example of how human IAM, IGA workflow, and AI-supported analysis are converging around the same operational question: who has access, why, and for how long. The field is heading toward governance systems that can explain access in real time rather than reconstruct it later. Practitioners should prepare for identity programmes that are evaluated on continuous assurance, not periodic review output.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- That confidence gap sits alongside another finding from The 2024 ESG Report: Managing Non-Human Identities, where 72% of organisations said they have experienced or suspect a breach of non-human identities.
- For practitioners, the forward pivot is to treat lifecycle controls as a governance system, not an audit chore, and to anchor that operating model in the NHI Lifecycle Management Guide.
What this signals
Access review maturity is becoming a proxy for broader identity programme maturity. As organisations move from ticket-based reviews to governed workflows, the real differentiator is not automation volume but whether decisions, remediations, and evidence all live in the same control surface. Teams that still chase proof after the fact will continue to absorb avoidable audit and operational drag.
Review automation is strongest when paired with lifecycle discipline. If stale access, role drift, and unused entitlements are not fed back into provisioning and offboarding rules, the review process becomes a detection layer without enforcement depth. The practical next step is to connect review outcomes to lifecycle actions, not just reporting.
With 1.5 out of 10 organisations highly confident in securing NHIs, the governance baseline is already fragile for machine identities, and the same control discipline is increasingly expected of human access programmes too. That is why the operating model must converge around lifecycle visibility, not separate process silos.
For practitioners
- Replace review sprawl with a single governed workflow Move access reviews out of spreadsheets and ticket queues into one system that captures due dates, reviewer comments, decisions, and resulting entitlement changes.
- Use review outcomes to remove stale access quickly Treat every review as a remediation trigger for unused entitlements, out-of-scope roles, and access that no longer matches the user's function.
- Define how AI can support governance decisions Set boundaries for AI-assisted identity analysis so the system can flag anomalies and prioritise work without becoming the approver of record.
- Build audit evidence into the operating model Ensure timestamps, policy logic, reviewer notes, and exportable decision records are preserved automatically so compliance teams do not reconstruct proof later.
Key takeaways
- Manual access reviews fail because they are fragmented and inconsistent, not because the control idea is wrong.
- AI can improve identity governance by surfacing patterns and priorities, but accountability still has to stay with the governance owner.
- The strongest programmes turn review outcomes into lifecycle remediation and audit evidence into a built-in control, not a last-minute task.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access governance and least privilege are central to the article's review model. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential and access lifecycle hygiene underpins the article's governance posture. |
| NIST SP 800-63 | The article touches on identity assurance and review evidence for access decisions. |
Treat review findings as lifecycle defects and close them through revocation or reclassification.
Key terms
- User Access Review: A user access review is a formal check of who has access to which systems and whether that access is still justified. In mature programmes, it is not just a compliance exercise. It is a governance control that should lead to removal, reduction, or reclassification of unnecessary access.
- Role Mining: Role mining is the analysis of actual entitlement patterns to discover common access groups, outliers, and role candidates. It helps organisations move from ad hoc permissions toward cleaner RBAC or ABAC design, especially when access has grown faster than governance processes can keep up.
- Segregation of Duties: Segregation of duties is a control that prevents one identity from holding combinations of access that enable misuse, fraud, or unsafe self-approval. It matters because governance is not only about how much access exists, but whether access combinations create conflicts that should be flagged and removed.
- Birthright Access: Birthright access is the baseline set of entitlements granted automatically when a user joins or changes role. It should reflect minimal job need, not convenience or legacy practice. If birthright access grows unchecked, it becomes an efficient way to spread privilege at scale.
What's in the full article
Lumos' full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step access review workflow design across multiple applications and reviewer groups
- How Lumos captures comments, decisions, timestamps, and exportable audit evidence inside the platform
- Examples of how AI-driven analysis flags unused licences, stale access, and role outliers for remediation
- The internal governance logic used to distinguish birthright access from requestable access
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-10-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org