TL;DR: User access review programs are often completed on time but fail in practice because repetition, missing context, and overloaded reviewers turn certification into a mechanical exercise, according to SecurEnds. The result is a governance model that preserves audit evidence while steadily weakening real decision quality.
At a glance
What this is: Review fatigue is the point where user access reviews still close, but the underlying judgments stop being reliable.
Why it matters: It matters because IAM teams need reviews that remove risk, not just produce completion metrics, across human access, NHI governance, and broader lifecycle controls.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Context
User access reviews are meant to validate whether access still makes sense, but in many programmes they have become high-volume approval exercises. Review fatigue appears when the same entitlements recur, the same managers are asked to sign off again, and the work becomes repetitive enough that judgment gives way to speed. For IAM teams, the problem is not only process load, but loss of signal across identity governance.
This is a governance failure with consequences beyond the review window. When reviewers approve without context, privilege creep continues, audit evidence becomes weaker, and the organisation confuses completion with control. The same pattern matters in NHI programmes and human IAM because lifecycle review only works when the reviewer can still distinguish risk from routine.
Key questions
Q: What breaks when user access reviews become routine approval exercises?
A: The review stops being a decision control and becomes a workload control. Reviewers approve faster, ask fewer questions, and rely on completion metrics instead of judgment. That allows privilege creep, stale access, and unresolved conflicts to persist even when campaigns close on time.
Q: Why do access reviews lose value when access rarely changes between cycles?
A: If the same entitlements appear every cycle, reviewers stop encountering new information. The process trains people to recognise the list rather than evaluate the risk, so approvals become mechanical. That is why recurring review without change is a weak governance model, not a stronger one.
Q: How can security teams tell whether review fatigue is setting in?
A: Look for near-universal approvals, low remediation, long campaign cycles, repeated IT clarifications, and complaints from managers who say they do not understand the access they are being asked to certify. Those signals show the programme has crossed from governance into volume management.
Q: Who should be accountable when an access review is completed but risky access remains?
A: Accountability sits with the identity governance owner, the business reviewer, and the control design that allowed high-volume certification to substitute for judgment. Frameworks such as the NIST Cybersecurity Framework and lifecycle governance models expect controls to reduce risk, not merely record activity.
Technical breakdown
Why certification overload turns UAR into box-ticking
Certification overload happens when review scope exceeds human attention. If a campaign presents hundreds or thousands of entitlements with little context, reviewers naturally optimise for closure instead of evaluation. The process still looks compliant, but the decision quality drops because the reviewer cannot distinguish changed access from unchanged access, or high-risk rights from routine permissions. This is where review fatigue becomes structural rather than behavioural. The control is no longer failing because people are careless. It is failing because the review design assumes unlimited human bandwidth.
Practical implication: narrow review scope before the campaign starts and remove low-value entitlements from the human queue.
How missing usage context weakens access review decisions
Access review decisions become unreliable when reviewers cannot see whether access was used, when it was last exercised, or whether its risk profile changed. In that setting, the safest choice feels like approval, not challenge. Usage data is not a nice-to-have reporting layer. It is the evidence that lets a reviewer distinguish stale entitlements from active ones. Without it, the certification is about trust in the process rather than trust in the access. That is why UAR programmes often appear healthy in dashboards while actual governance erodes.
Practical implication: attach usage and recency signals to every review item that can materially affect risk.
Why manual workflows amplify review fatigue
Email threads, spreadsheets, reminders, and follow-up questions create delay and context loss. Each manual step increases the chance that a reviewer will see stale data, defer a decision, or approve simply to move the queue along. Manual handling also pushes clarification work back to IT, which makes governance dependent on interpretation rather than policy. Over time, the workflow itself trains people to disengage because the process is noisy and slow. A UAR programme that depends on manual coordination is not scaling governance. It is scaling friction.
Practical implication: replace manual chase-and-track workflows with governed, system-driven review orchestration.
Threat narrative
Attacker objective: The objective is not to break the review itself, but to keep excessive or outdated access in place long enough to survive audit and expand blast radius.
- Entry begins when broad review campaigns introduce too many recurring entitlements for managers to assess with full context, creating a decision bottleneck rather than a control point.
- Escalation occurs when reviewers approve repeated access without checking usage or change history, allowing privilege creep and stale entitlements to persist across cycles.
- Impact appears when audits or incidents reveal that access remained in place despite completed certifications, showing that the review process preserved evidence but not control.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Review fatigue is a governance failure, not a user behaviour problem. The core issue is that review design asks people to validate too much access with too little context, then treats speed as a success metric. That framing is wrong because the programme measures completion, not discernment. In identity governance terms, the control has drifted from certification to administrative throughput, and practitioners should treat that as a design defect, not a training issue.
Certification overload is the named failure mode this article exposes. Certification overload describes a state where the entitlement population, cadence, and review scope exceed human decision capacity. The result is predictable: repetitive approvals, low remediation, and weak separation between risky and routine access. Practitioners should recognise this as a lifecycle control that no longer scales with enterprise identity sprawl.
Access review programmes fail when they presume stable reviewer attention across repeated cycles. That assumption was designed for smaller, slower identity estates. It fails when the same access appears over and over, because the reviewer stops encountering decision novelty. The implication is that governance must be rethought around signal density, not simply around more frequent recertification.
NHI governance and human IAM are converging on the same problem: too much entitlement, too little certainty. The NHI world has long suffered from limited visibility, standing privilege, and lifecycle gaps, while human IAM now shows similar symptoms in UAR programmes. That convergence matters because the control problem is no longer identity type specific. Practitioners should align review design across human accounts, service identities, and emerging autonomous actors.
Audit readiness is not evidence of control effectiveness. A completed certification campaign can still leave privilege creep intact, because auditors often see closure artifacts before they see decision quality. This creates a false comfort loop in which the organisation proves activity but not risk reduction. Practitioners should stop equating completed reviews with governed access.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. That lifecycle weakness shows how quickly identity controls lose value when governance is left to manual effort.
- For the broader control model, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be tied to change events rather than fixed calendars.
What this signals
Certification overload is becoming the common language across human and machine identity governance. Once organisations manage more identities than reviewers can reasonably evaluate, the programme shifts from validation to triage. With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, the same risk logic now applies to human access reviews that rely on volume instead of signal.
Review programmes need to behave like lifecycle controls, not calendar events. That means tying reviews to role changes, access changes, and risk changes rather than to a fixed campaign cadence. The broader lesson is that human IAM and NHI governance are converging on the same requirement: systems must present only the items that still deserve a human decision.
Review fatigue is also a preview of what happens when autonomous actors enter governance workflows. If 70% of organisations already grant AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, then overloaded access review models will struggle even more when those actors begin acting at runtime.
For practitioners
- Reduce review scope before the campaign starts: Exclude unchanged low-risk access from manual review and reserve human attention for privileged, sensitive, or recently changed entitlements. Use entitlement history and usage signals to pre-clear routine items so reviewers are not asked to re-approve the same access each cycle.
- Attach usage and recency context to every certification item: Surface last use, change history, owner, and business criticality in the review screen so the decision is evidence-based. If reviewers need to leave the workflow to find context, the control is already too weak to scale.
- Measure remediation, not just completion: Track how many entitlements are removed, downgraded, or re-scoped after each campaign, and compare that against the number of approvals. If the remediation rate stays flat while completion stays high, the programme is producing paperwork rather than governance.
- Automate recurring low-risk approvals with policy guardrails: Use governed automation for access that has not changed, is within policy, and is below a defined risk threshold. That reduces certification overload and frees reviewers for exceptions that actually require judgment.
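One way to implement the four practitioner steps above, together with the practical implications from the technical breakdown (scope the queue, attach usage and recency context, measure remediation, auto-certify only within policy guardrails), is a small campaign triage. This is an added example, not SecurEnds' or NHIMG's code; the entitlement fields, the 90-day staleness threshold, and the sample campaign are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical entitlement record; the field names are assumptions, not a product schema.
@dataclass
class Entitlement:
    user: str
    resource: str
    privileged: bool                 # sensitive or high-risk right
    last_used: Optional[date]        # None means never exercised
    changed_since_last_review: bool  # grant or scope changed since the last cycle
    previously_certified: bool       # approved in the prior campaign

def triage(e: Entitlement, today: date, stale_days: int = 90):
    """Pre-clear one item by policy or route it to a human; returns (route, context)."""
    age = None if e.last_used is None else (today - e.last_used).days
    stale = age is None or age > stale_days
    context = ["never used" if age is None else f"last used {age}d ago"]
    if stale:
        context.append("stale")
    if e.privileged:
        context.append("privileged")
    if e.changed_since_last_review:
        context.append("changed since last review")
    # Guardrail: only unchanged, non-privileged, recently used, previously certified
    # access is auto-certified; stale items are flagged for a human, not revoked here.
    routine = e.previously_certified and not (stale or e.privileged or e.changed_since_last_review)
    return ("auto_certify" if routine else "human_review"), context

def build_queue(items, today):  # split a campaign into human queue and policy-cleared set
    human, cleared = [], []
    for e in items:
        route, ctx = triage(e, today)
        (human if route == "human_review" else cleared).append((e, ctx))
    return human, cleared

def remediation_rate(decisions):
    """Share of human decisions that changed access; flat while completion is ~100% = fatigue."""
    changed = sum(d in ("revoke", "downgrade", "rescope") for d in decisions)
    return changed / len(decisions) if decisions else 0.0

# Constructed sample campaign (not real data): one routine item, three that need a human.
TODAY = date(2026, 2, 19)
SAMPLE = [
    Entitlement("alice", "crm-read", False, date(2026, 2, 10), False, True),
    Entitlement("bob", "prod-db-admin", True, date(2026, 2, 18), False, True),
    Entitlement("carol", "hr-reports", False, date(2025, 9, 1), False, True),
    Entitlement("svc-build", "deploy-key", False, None, True, False),
]
```

The context list is what the reviewer should see beside each item; the remediation rate is the metric to trend against completion from one campaign to the next.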
Key takeaways
- Review fatigue turns access certification into a throughput exercise, which means completed campaigns can still leave risky access untouched.
- The scale signal is clear: repeated low-context approvals erode governance faster than audit metrics reveal it.
- The practical fix is not more reviews, but better-scoped reviews that surface usage, change history, and remediation outcomes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be reviewed and adjusted to avoid stale privileges. |
| NIST Zero Trust (SP 800-207) | AC-1 | Zero Trust depends on continuous verification rather than periodic box-ticking. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and rotation gaps in non-human identities mirror the same review-fatigue pattern. |
Apply NHI-03 thinking to reduce standing access and tie review to change events.
Key terms
- Review Fatigue: Review fatigue is the point at which repeated access certification becomes too repetitive for reviewers to make careful decisions. The programme still appears active, but attention drops, context disappears, and approval becomes the default outcome instead of a risk-based judgment.
- Certification Overload: Certification overload is the condition where a review campaign includes more entitlements, more repetition, or more low-value items than reviewers can assess well. It is a design problem, not a motivation problem, and it usually shows up as high approval rates with little remediation.
- User Access Review: A user access review is a governance process where someone confirms whether a person should still hold specific permissions. Done well, it validates current business need and removes stale access. Done poorly, it becomes a compliance routine that records activity without changing risk.
- Privilege Creep: Privilege creep is the gradual accumulation of access beyond what current duties require. In review-heavy environments, it grows when repeated certifications approve existing permissions without challenging whether they still match the user’s role or the system’s risk level.
Deepen your knowledge
Review fatigue in user access reviews is covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is already dealing with overload, the lifecycle and governance lessons translate directly.
This post draws on content published by SecurEnds: review fatigue in user access reviews and how it weakens IAM governance. Read the original.
Published by the NHIMG editorial team on 2026-02-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org