TL;DR: SOX user access reviews remain a control point for publicly traded companies because they support auditability, reduce unauthorized access, and help evidence accountability, according to Zluri. The real issue is that access review cadence, documentation, and remediation discipline determine whether the control exists on paper or in practice.
At a glance
What this is: This is an analysis of how SOX user access reviews support compliance, audit evidence, and access control for publicly traded companies.
Why it matters: It matters because IAM, IGA, PAM, and lifecycle teams need access reviews that are defensible, repeatable, and tied to actual revocation and audit trails across human and non-human access.
By the numbers:
- Zluri says its automated reviews cut down manual work by 70%.
- Zluri says its automated review process is 10 times faster.
- Zluri says it provides over 300 direct integrations with SaaS tools.
Context
SOX user access reviews are a governance control, not just an audit checkbox. For publicly traded companies, the point is to verify that the right people have the right access, that changes are documented, and that financial reporting systems are not exposed to unmanaged privilege.
The pressure on IAM teams is practical: manual review cycles miss exceptions, stale access persists, and evidence quality often falls apart when auditors ask how decisions were made. In a SOX setting, access review quality is part of control design, not a back-office routine.
Key questions
Q: How should companies run SOX access reviews without drowning in manual work?
A: Use a defined review cadence, named business owners, and automated entitlement collection so reviewers see only the access they need to validate. The review should produce an approval or removal decision for every item, with remediation tracked to closure. If findings do not change access state, the review is not doing control work.
Q: Why do access reviews matter for SOX compliance beyond audit paperwork?
A: They prove that access to financially relevant systems is authorised, reviewed, and corrected when it is not. That evidence supports internal control assertions and helps reduce the chance that stale access, excessive privilege, or undocumented changes undermine reporting integrity. Compliance is the outcome, but the control is about accountable access governance.
Q: What do organisations get wrong about access certification?
A: The most common mistake is treating completion as success. A certification that does not lead to revocation, exception handling, or ownership correction only records that someone looked at access, not that the access was brought back into policy. The real control is the change in entitlement state.
Q: Who should own SOX access review decisions?
A: Ownership should sit with the business or system owner who understands whether access still matches role need and risk. Security and IAM teams should orchestrate the workflow, but they should not become the final authority on business entitlement decisions unless they are the accountable owner as well.
Technical breakdown
Why SOX access reviews depend on evidence quality
A SOX access review only works when the organisation can prove who reviewed what, when the decision was made, and whether follow-up remediation actually happened. The technical burden is not simply collecting entitlements. It is preserving a defensible audit trail across applications, approvers, exceptions, and revocations. Without that chain of evidence, a review becomes informational rather than control-grade, even if the checklist was completed. This is why automation helps only when it records approvals, removals, and exceptions in a way auditors can inspect.
Practical implication: preserve review evidence and remediation logs as part of the control, not as after-the-fact reporting.
How access review automation changes review scope
Automation changes the scale and consistency of access certification by pulling entitlement data from connected systems, normalising it, and routing it to reviewers with less manual handling. That matters in SaaS-heavy environments where access is distributed across many applications and exceptions accumulate quickly. But automation does not solve governance by itself. If the organisation has weak role definitions, poor owner assignments, or no revocation workflow, the review process simply moves faster through the same underlying mess.
Practical implication: use automation to expand coverage, but pair it with clear ownership and revocation paths.
Why access reviews are a lifecycle control, not a one-time event
Access reviews sit inside the broader identity lifecycle, which includes provisioning, changes, recertification, and offboarding. In other words, the review is not the control outcome; it is the checkpoint that tests whether lifecycle governance is still accurate. That is especially important for privilege creep, stale entitlements, and changes in business role. If a company only reviews access to satisfy the calendar, it risks treating lifecycle drift as compliance work rather than operational risk.
Practical implication: connect every review cycle to joiner-mover-leaver processes and enforce removal when access no longer matches business need.
Threat narrative
Attacker objective: The objective is to exploit weak access governance to create audit failure, expose sensitive systems, or misstate the effectiveness of controls.
- Entry occurs when excessive or poorly governed access reaches systems that affect financial reporting or sensitive corporate data.
- Escalation follows when stale permissions, weak internal access policies, or unreviewed entitlements remain in place long enough to be abused or misrepresented.
- Impact is realised through audit failure, legal exposure, or data compromise that undermines SOX controls and executive accountability.
Breaches seen in the wild
- Zacks Investment Research breach: exposed 12M customer records including credentials.
- Azure Key Vault privilege escalation exposure: Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SOX access review is an evidence discipline, not a spreadsheet exercise. The control only matters when organisations can demonstrate review completeness, decision quality, and remediation closure. Zluri's article correctly points to access certification as a compliance mechanism, but the deeper issue is that SOX evidence fails when review artefacts are fragmented across systems. Practitioners should treat the audit trail as part of the control boundary.
Manual access review creates governance drift faster than most compliance teams admit. When applications, owners, and exceptions multiply, human review cycles start optimising for completion rather than accuracy. That is a lifecycle problem, not a tooling problem, and it is why recertification must be tied to role validity and offboarding discipline. The implication is that review quality degrades as access sprawl grows unless governance is continuously enforced.
Access reviews expose whether IGA is operational or ceremonial. If reviewers cannot act on findings, revoke access promptly, or trace decisions back to accountable owners, the programme is performing compliance theatre. The most important question is whether the review produces a change in entitlement state. Practitioners should measure the gap between certification completion and actual revocation as the real control failure.
SOX is forcing identity teams to connect human access governance with non-human access governance. Public companies rarely run separate control philosophies for employees, service accounts, and SaaS administration, yet audit expectations increasingly punish that separation. The same recertification logic that checks human entitlements must also validate service and privileged access pathways where financial systems are touched. Practitioners should align human IAM, IGA, and NHI governance under one evidence model.
Access review latency: the control breaks when approvals, removals, and evidence collection happen too slowly to reflect current entitlement state. SOX assumes access decisions can be certified against a stable snapshot of reality. That assumption fails when organisations defer revocation, reuse stale review lists, or leave exceptions open across multiple cycles. The implication is that practitioners must rethink what counts as current access state before they can claim compliance.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- For lifecycle control context, review the NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding support audit-grade governance.
What this signals
Access review maturity is becoming a proxy for broader identity governance maturity. When public companies cannot show clean certification evidence, the problem usually reaches beyond SOX and into role design, access ownership, and offboarding discipline. Teams that still treat certification as a quarterly activity will find that audit pressure increasingly exposes lifecycle gaps rather than isolated control misses.
The next governance breakpoint is the handoff between review completion and actual entitlement removal. If your programme cannot prove that denied access was revoked, your control is slower than the risk it is meant to reduce. For a broader lifecycle lens, use the NHI Lifecycle Management Guide and align it with NIST Cybersecurity Framework 2.0.
Review scope will keep expanding from human users into privileged and service identities. Public-company controls that ignore non-human access will increasingly look incomplete to auditors because the systems under review are operational, not just employee-facing. That is where the OWASP Non-Human Identity Top 10 becomes relevant: the same evidence discipline has to apply to machine and service access as well.
For practitioners
- Tighten reviewer ownership and accountability: Assign each application and privilege domain to a named owner who can approve, reject, and remediate findings without passing decisions across teams. Reviewers need clear decision rights and a defined escalation path when access cannot be validated.
- Require revocation closure before review completion: Do not close a certification cycle until denied or out-of-policy access has been removed and the removal is evidenced in the system of record. This prevents access reviews from becoming paper controls.
- Separate access evidence from entitlement exports: Keep the review artefact, the approval decision, and the remediation record together so auditors can reconstruct the control without chasing screenshots or email threads. Evidence integrity matters as much as the decision itself.
- Extend SOX review scope to privileged and service access: Include administrative accounts, service accounts, and other non-human access paths that can affect financial systems or reporting workflows. If those identities are outside the recertification process, the control is incomplete.
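To make the closure gate in these four points concrete, here is an added example (not code from Zluri or NHIMG) that models one certification cycle: every item needs a recorded decision and a named owner, every revoke needs an evidenced removal in the system of record, exceptions may not roll over indefinitely, and the gap between decision and removal is measured as the control failure metric. The `MAX_OPEN_EXCEPTION_CYCLES` limit and the sample identities are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ReviewItem:
    identity: str                  # human user or service account
    system: str                    # application or privilege domain
    entitlement: str
    owner: str                     # named owner with decision rights
    decision: Optional[str] = None         # "approve", "revoke" or "exception"
    decided_on: Optional[date] = None
    revoked_on: Optional[date] = None      # evidenced removal in the system of record
    exception_cycles: int = 0              # consecutive cycles the exception stayed open

MAX_OPEN_EXCEPTION_CYCLES = 1   # assumed policy: an exception may not roll over twice

def key(it):
    return f"{it.identity}@{it.system}:{it.entitlement}"

def closure_blockers(items):
    """Reasons the certification cycle may not be closed (empty list means it may)."""
    blockers = []
    for it in items:
        if it.decision is None or it.decided_on is None:
            blockers.append(f"{key(it)}: no recorded decision")
        elif it.decision == "revoke" and it.revoked_on is None:
            blockers.append(f"{key(it)}: revocation not evidenced")
        elif it.decision == "exception" and it.exception_cycles > MAX_OPEN_EXCEPTION_CYCLES:
            blockers.append(f"{key(it)}: exception open for {it.exception_cycles} cycles")
    return blockers

def revocation_gap_days(items):
    """Days between each revoke decision and its evidenced removal; None while still open."""
    return {key(it): (it.revoked_on - it.decided_on).days if it.revoked_on else None
            for it in items if it.decision == "revoke"}

# Constructed sample cycle; includes a service account so non-human access is in scope.
SAMPLE = [
    ReviewItem("alice", "erp", "gl_post", "fin-owner", "approve", date(2025, 7, 1)),
    ReviewItem("bob", "erp", "gl_post", "fin-owner", "revoke", date(2025, 7, 1), date(2025, 7, 3)),
    ReviewItem("svc-reporting", "erp", "admin", "fin-owner", "revoke", date(2025, 7, 1)),
    ReviewItem("carol", "payroll", "approve_run", "hr-owner", "exception", date(2025, 7, 1), None, 2),
    ReviewItem("dave", "payroll", "read", "hr-owner"),
]

if __name__ == "__main__":
    for b in closure_blockers(SAMPLE):
        print("BLOCKED:", b)
    print(revocation_gap_days(SAMPLE))
```

Running it on the sample shows the three ways a cycle that looks complete still fails the control: an unevidenced revocation, an exception rolled over too many times, and an item nobody decided on.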
Key takeaways
- SOX access reviews fail when they produce evidence without remediation, because compliance depends on actual entitlement change, not checklist completion.
- The scale problem is real: Zluri reports 70% less manual work and 10 times faster certification when access reviews are automated.
- Public companies should treat access certification as part of lifecycle governance, extending review coverage to privileged and non-human access that can affect reporting.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-02 | Access review evidence supports accountable access management. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential and access lifecycle discipline underpins review accuracy. |
| NIST SP 800-63 | | Federated access and assurance context matters where reviews span SSO and enterprise apps. |
Verify access sources and ownership before certifying federated or externally provisioned identities.
Key terms
- Access certification: Access certification is the process of reviewing who has access to systems and deciding whether that access should remain in place. In practice, it is a control check on entitlement validity, requiring clear ownership, traceable decisions, and evidence that removals or exceptions were handled correctly.
- Recertification: Recertification is the repeated revalidation of access over time, rather than a one-time approval. It matters because roles, systems, and risk change, so access that was valid last quarter may be inappropriate today. In mature programmes, recertification is tied to lifecycle events and remediation closure.
- Access review evidence: Access review evidence is the record that proves a review actually happened and resulted in a decision. It includes approvals, rejections, exceptions, timestamps, owners, and remediation actions. Without this evidence, an organisation may be able to say it reviewed access, but not prove control effectiveness.
- Privilege creep: Privilege creep is the gradual accumulation of access that is no longer required but still remains active. It often happens when jobs change, projects end, or temporary permissions are never removed. Over time, it weakens least privilege and increases both audit and operational risk.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Security & Compliance SOX User Access Reviews for Publicly Traded Companies. Read the original.
Published by the NHIMG editorial team on 2025-08-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org