By NHI Mgmt Group Editorial Team
Published 2026-02-06
Domain: Governance & Risk
Source: ConductorOne

TL;DR: Manual user access reviews cannot keep pace with daily joiner, mover, and leaver events, privilege creep, and shadow applications, so identity governance is shifting toward event-driven continuous assurance, according to ConductorOne’s webinar with Treasure Data. The control problem is no longer proving a review happened, but continuously proving risk is being reduced.


At a glance

What this is: This is a ConductorOne analysis of why manual user access reviews are giving way to continuous identity assurance as access changes faster than periodic review cycles.

Why it matters: It matters because IAM, NHI, and autonomous identity programmes all fail when governance is retrospective instead of event-driven, leaving access drift and ownership gaps uncontained.


👉 Read ConductorOne's analysis of the IGA maturity curve and continuous assurance


Context

Manual access reviews were built for a slower identity model, where entitlements changed predictably and governance could work from periodic snapshots. In modern SaaS-heavy environments, joiner, mover, and leaver activity, privilege creep, and shadow applications create a moving target that quarterly or annual reviews cannot reliably follow.

For identity teams, the practical question is no longer whether a review occurred, but whether the programme can continuously prove ownership, purpose, and risk reduction across the access lifecycle. That shift applies to human access governance, NHI oversight, and emerging autonomous identity use cases, where stale review cadences quickly become control theatre.


Key questions

Q: How should security teams move from access reviews to continuous assurance?

A: Start by linking identity events to policy decisions. Continuous assurance works when entitlement changes, ownership changes, and exception states automatically trigger evaluation, rather than waiting for a periodic recertification cycle. The goal is to reduce stale privilege as it appears, not to document that someone later approved it.

Q: Why do periodic access reviews fail in dynamic SaaS environments?

A: Periodic reviews fail because they assess yesterday’s entitlement snapshot while access is changing every day. In SaaS-heavy environments, joiners, movers, leavers, and shadow applications create drift between review cycles, so the control becomes retrospective and incomplete. That leaves unowned and excessive access in place far too long.

Q: What do teams get wrong about identity governance maturity?

A: Teams often confuse completed reviews with effective governance. A recertification can be fully signed off and still leave excessive, dormant, or misowned access unchanged. Maturity is better measured by whether the programme can continuously reduce access risk across the identity lifecycle.

Q: How do organisations know whether continuous assurance is working?

A: Look for shrinking review backlogs, fewer stale entitlements, faster exception handling, and a clearer inventory of ownership across applications. If access changes are still discovered only during audits, the programme is reporting on activity rather than controlling risk.


Technical breakdown

Why periodic user access reviews lose control fidelity

User access reviews, often called UARs or access recertifications, are retrospective governance checks. They sample entitlement state at a point in time, then ask managers or app owners to confirm whether access still looks reasonable. That model weakens when access changes daily, because the review answers yesterday’s question while the environment has already moved on. In SaaS-heavy estates, the delta between review cadence and actual identity activity becomes the control gap. The result is not just slower cleanup, but a degraded signal for ownership, privilege purpose, and exception handling.

Practical implication: replace review-only governance with event-driven entitlement monitoring and approval workflows tied to actual identity changes.

How continuous identity assurance changes the governance model

Continuous identity assurance means the programme evaluates identity state as changes occur, not only on a calendar schedule. It combines identity telemetry, automation, and policy logic so teams can detect risk signals such as privilege creep, dormant accounts, and unowned access before they persist. This is different from simply automating reviews. The mechanism shifts from periodic certification to ongoing assurance, where the question becomes whether access remains justified in real time. That creates a stronger basis for governance across humans and NHIs because the same operational pattern applies to both: prove the entitlement is still needed, not just that someone once approved it.

Practical implication: connect identity events to control decisions so stale access is flagged and remediated as soon as it appears.
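The event-to-policy loop described above, as an added example written for this page (it is not code from ConductorOne, Treasure Data or any product): a constructed joiner, grant, usage, mover and leaver stream is replayed through a small policy evaluator that emits a finding the moment identity state changes, instead of waiting for a recertification cycle. The role baselines, the 60-day dormancy threshold, the event schema and the action names are assumptions made for the illustration.

```python
"""Event-driven continuous assurance over a constructed identity event stream (illustration only)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Birthright baselines per role: a hypothetical role model for the example.
ROLE_BASELINE = {
    "engineer": {("github", "member"), ("jira", "user")},
    "finance": {("netsuite", "viewer"), ("jira", "user")},
}
DORMANT_AFTER = timedelta(days=60)   # policy threshold, an assumption for the example

@dataclass
class Grant:
    identity: str
    app: str
    entitlement: str
    owner: Optional[str]          # accountable human; None means unowned
    source: str                   # "birthright", "request" or "exception"
    last_used: Optional[datetime] = None
    expires_at: Optional[datetime] = None

@dataclass
class Finding:
    identity: str
    app: str
    entitlement: str
    reason: str
    action: str

@dataclass
class State:
    roles: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)

def _flag(out: list, g: Grant, reason: str, action: str) -> None:
    out.append(Finding(g.identity, g.app, g.entitlement, reason, action))

def evaluate(event: dict, state: State, now: datetime) -> list:
    """Apply policy at the moment the identity state changes, not on a calendar."""
    kind, who, out = event["type"], event["identity"], []
    if kind == "joiner":
        state.roles[who] = event["role"]
        for app, ent in sorted(ROLE_BASELINE[event["role"]]):
            state.grants.append(Grant(who, app, ent, event["manager"], "birthright"))
    elif kind == "grant":
        g = Grant(who, event["app"], event["entitlement"], event.get("owner"),
                  event["source"], expires_at=event.get("expires_at"))
        state.grants.append(g)
        if g.source == "exception" and g.expires_at is None:
            _flag(out, g, "exception granted without expiry", "set_expiry_or_revoke")
        if g.owner is None:
            _flag(out, g, "no accountable owner", "assign_owner")
    elif kind == "usage":
        for g in state.grants:
            if (g.identity, g.app, g.entitlement) == (who, event["app"], event["entitlement"]):
                g.last_used = now
    elif kind == "mover":
        state.roles[who] = event["new_role"]
        baseline = ROLE_BASELINE[event["new_role"]]
        for g in state.grants:
            if g.identity != who or (g.app, g.entitlement) in baseline:
                continue
            if g.source == "birthright":
                _flag(out, g, "birthright inherited from previous role", "revoke")
            elif g.last_used is None or now - g.last_used > DORMANT_AFTER:
                _flag(out, g, "non-baseline grant dormant", "revoke")
            else:
                _flag(out, g, "non-baseline grant still in use", "recertify_with_owner")
    elif kind == "leaver":
        for g in state.grants:
            if g.identity == who:
                _flag(out, g, "identity offboarded", "revoke")
        state.grants = [g for g in state.grants if g.identity != who]
        state.roles.pop(who, None)
        for g in state.grants:           # grants this person was accountable for are now unowned
            if g.owner == who:
                g.owner = None
                _flag(out, g, "owner offboarded", "assign_owner")
    return out

# Constructed event stream; "day" is days since the start of the example.
EVENTS = [
    {"day": 0, "type": "joiner", "identity": "bob", "role": "engineer", "manager": "carol"},
    {"day": 0, "type": "joiner", "identity": "alice", "role": "engineer", "manager": "bob"},
    {"day": 1, "type": "grant", "identity": "alice", "app": "aws", "entitlement": "admin",
     "source": "exception", "owner": "bob"},
    {"day": 2, "type": "grant", "identity": "alice", "app": "salesforce",
     "entitlement": "report_viewer", "source": "request"},
    {"day": 10, "type": "usage", "identity": "alice", "app": "aws", "entitlement": "admin"},
    {"day": 95, "type": "usage", "identity": "alice", "app": "salesforce", "entitlement": "report_viewer"},
    {"day": 100, "type": "mover", "identity": "alice", "new_role": "finance"},
    {"day": 120, "type": "leaver", "identity": "bob"},
]

def run(events: list, start: datetime) -> tuple:
    state, findings = State(), []
    for ev in events:
        findings.extend(evaluate(ev, state, start + timedelta(days=ev["day"])))
    return state, findings

def demo() -> tuple:
    return run(EVENTS, datetime(2026, 1, 1))

if __name__ == "__main__":
    for f in demo()[1]:
        print(f"{f.identity:6} {f.app:11} {f.entitlement:14} {f.reason:38} -> {f.action}")
```

Two design points carry the argument of the section. The mover event is where privilege creep is caught: entitlements inherited from the old role's birthright are revoked outright, and everything else outside the new baseline is either revoked for dormancy or routed to its owner for recertification while the justification is still fresh. The leaver event does double duty, revoking the leaver's own grants and converting every grant they were accountable for into an explicit "unowned" finding, which is the ownership gap a quarterly review would only surface months later.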

Why visibility and automation are prerequisites for scale

Continuous assurance depends on seeing enough identity data to make a decision. Without application connectors, entitlement inventory, and normalized identity context, teams cannot know what exists, who owns it, or where risk is accumulating. Automation then turns that visibility into action by handling routine attestations, routing exceptions, and reducing manual evidence collection. The important architectural point is that automation does not replace governance, it supplies the operating capacity for governance to scale beyond a handful of critical systems. In practice, visibility without automation becomes reporting. Automation without visibility becomes blind process.

Practical implication: prioritize identity data aggregation before trying to automate recertification or access decisions at scale.
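An added illustration of the aggregation step (not code from the original page or from ConductorOne): two connector exports with different field names and timestamp formats are normalized into one entitlement inventory, each identity is classified as human or NHI by checking it against an HR feed, ownership is resolved from the manager relationship or a separate owner registry, and the signals listed under "How do organisations know whether continuous assurance is working" are derived from the result. The connector names, field names, HR feed, owner registry, SSO app list and evaluation date are all constructed for the example.

```python
"""Normalize heterogeneous connector exports into one inventory and derive assurance metrics (illustration)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inputs. Field names deliberately differ per connector, as they do in practice.
HR_FEED = [{"email": "alice@example.com", "manager": "bob@example.com"},
           {"email": "bob@example.com", "manager": "carol@example.com"}]
HUMANS = {h["email"]: h["manager"] for h in HR_FEED}
OWNER_REGISTRY = {("ci", "svc-deploy"): "alice@example.com"}   # accountable human per NHI (app, account)
CONNECTOR_EXPORTS = {
    "crm": [{"user": "alice@example.com", "permission": "admin", "lastLogin": "2026-01-15T09:12:00Z"},
            {"user": "svc-report", "permission": "read", "lastLogin": None}],
    "ci": [{"login": "bob@example.com", "roles": ["write"], "last_activity": 1767225600},
           {"login": "svc-deploy", "roles": ["admin", "write"], "last_activity": 1736035200}],
}
SSO_APPS_SEEN = {"crm", "ci", "wiki"}      # apps observed in sign-in telemetry (constructed)
NOW = datetime(2026, 2, 6, tzinfo=timezone.utc)   # evaluation date for the example

def parse_time(value) -> Optional[datetime]:
    """Accept ISO-8601 strings, epoch seconds or None and return an aware datetime or None."""
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(app: str, raw: dict) -> list:
    """Map one connector record onto the common schema, one row per entitlement."""
    if app == "crm":
        ident, ents, last = raw["user"], [raw["permission"]], raw["lastLogin"]
    elif app == "ci":
        ident, ents, last = raw["login"], raw["roles"], raw["last_activity"]
    else:
        raise ValueError(f"no mapping for connector {app}")
    kind = "human" if ident in HUMANS else "nhi"          # anything not in HR is treated as an NHI
    owner = HUMANS.get(ident) or OWNER_REGISTRY.get((app, ident))
    return [{"app": app, "identity": ident, "entitlement": e, "kind": kind,
             "owner": owner, "last_used": parse_time(last)} for e in ents]

def build_inventory() -> list:
    return [row for app, recs in CONNECTOR_EXPORTS.items() for raw in recs for row in normalize(app, raw)]

def metrics(inventory: list, now: datetime, dormant_after: timedelta = timedelta(days=60)) -> dict:
    """The numbers a continuous-assurance programme would report from the normalized inventory."""
    stale = [r for r in inventory if r["last_used"] is None or now - r["last_used"] > dormant_after]
    unowned = [r for r in inventory if r["owner"] is None]
    return {
        "entitlements": len(inventory),
        "ownership_coverage": round(1 - len(unowned) / len(inventory), 2),
        "stale": sorted((r["app"], r["identity"], r["entitlement"]) for r in stale),
        "unowned_nhi": sorted((r["app"], r["identity"]) for r in unowned if r["kind"] == "nhi"),
        "shadow_apps": sorted(SSO_APPS_SEEN - set(CONNECTOR_EXPORTS)),   # seen in SSO, no connector
        "admin_entitlements_by_kind": Counter(r["kind"] for r in inventory if r["entitlement"] == "admin"),
    }

def demo_metrics() -> dict:
    return metrics(build_inventory(), NOW)

if __name__ == "__main__":
    for key, value in demo_metrics().items():
        print(f"{key}: {value}")
```

The `shadow_apps` figure is the cheapest visibility check in the block: any application that appears in sign-in telemetry but has no connector is access the programme cannot review at all, which is the "blind process" case the section warns about. The `unowned_nhi` list is the reason an owner registry is a prerequisite rather than a nicety; a service account with no manager relationship in HR has nobody to answer a recertification, so automating the review only automates the silence.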


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Manual access review is a backward-looking control, not a security model. Quarterly and annual recertifications were designed for environments where identity state stayed stable long enough to be audited after the fact. That assumption no longer holds in SaaS-heavy estates with constant joiner, mover, and leaver activity. The implication is that governance teams must stop treating completion of a review as evidence of control effectiveness.

Continuous assurance is the right operating pattern for identity governance at scale. The market is moving from checkbox compliance toward state-aware decisioning because access risk is now created and changed continuously. That shift matters across human identity, NHI, and delegated workflow models, where ownership and entitlement purpose can drift without a formal event. Practitioners should treat event-driven assurance as the baseline governance pattern, not an advanced feature.

Identity visibility is the real maturity bottleneck. If teams cannot inventory who or what owns access, assurance remains partial no matter how strong the policy language is. This is especially true for NHIs, where service accounts and API keys often sit outside the view of conventional access review processes. Mature governance begins with discoverable identity state, then adds decision automation around it.

Birthright access needs to shrink before review quality can improve. The more standing access a programme grants, the more work it pushes into remediation later. Thin birthright access, JIT elevation, and exception-based governance reduce the amount of stale privilege that accumulates between review cycles. Practitioners should treat entitlement minimisation as a prerequisite for credible assurance, not a separate clean-up project.

Continuous assurance will increasingly define identity maturity benchmarks. The field is moving away from asking whether a review happened and toward asking whether risk is measurably reduced over time. That is a governance shift, not just a tooling shift, and it affects audit evidence, operational ownership, and cross-functional accountability. Teams that cannot answer those questions will struggle to demonstrate mature identity control.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to our Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • If you are mapping the same visibility problem across identities, start with the Ultimate Guide to NHIs, Key Challenges and Risks, for the control gaps that make assurance difficult.

What this signals

Continuous assurance becomes the baseline when identity state changes faster than review cycles. As SaaS estates, NHI inventories, and delegated workflows expand, teams need control logic that reacts to identity events rather than relying on scheduled attestations. The practical shift is toward evidence that an entitlement is still justified now, not merely that it was approved before.

Identity visibility is still the limiting factor behind most mature-looking programmes. When teams cannot reliably inventory accounts, ownership, and privilege purpose, automation only accelerates incomplete governance. The operational priority is to close the visibility gap first, then use policy and workflow to turn that visibility into action.

Birthright access is the pressure point that will define the next maturity curve. The less standing privilege a programme carries, the easier it becomes to make assurance continuous instead of periodic. For readers building governance roadmaps, that means entitlement reduction and evidence automation should be planned together, not treated as separate workstreams.


For practitioners

  • Move from calendar-based reviews to event-driven assurance: tie entitlement changes, role changes, and access exceptions to workflow triggers so review decisions happen when identity state changes, not only at quarter-end.
  • Build a complete identity inventory before automating recertification: normalize application, owner, and entitlement data across SaaS platforms so managers and control owners can evaluate real access rather than incomplete reports.
  • Reduce standing access that accumulates between reviews: use JIT elevation and narrower birthright access for high-risk systems so fewer risky entitlements survive long enough to become review backlog.
  • Separate governance evidence from governance outcomes: track whether risk was actually reduced, not just whether a manager clicked approve, and use that distinction in audit and board reporting.

Key takeaways

  • Manual user access reviews are increasingly misaligned with identity environments where access changes daily and risk emerges continuously.
  • Only 5.7% of organisations have full visibility into their service accounts, showing how hard it remains to govern identity state at scale.
  • Teams that want credible assurance need event-driven monitoring, tighter standing access, and better identity inventory before they automate more reviews.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 | Continuous assurance depends on knowing what access exists and whether it is still justified.
NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero trust treats authorization as dynamic and evaluated before every access, which aligns with continuous identity assurance.
OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding), NHI5 (Overprivileged NHI) | Unrevoked access after offboarding and accumulated excess privilege are exactly what service accounts that escape review coverage collect.

Apply NHI1 and NHI5 to inventory non-human identities, tie revocation to offboarding events, and connect review workflows to actual lifecycle events.


Key terms

  • User Access Review: A user access review is a scheduled governance check that asks whether existing access still looks appropriate. In practice, it is a retrospective control, so its value depends on how stable identity state is between review cycles and how complete the underlying inventory is.
  • Continuous Identity Assurance: Continuous identity assurance is an operating model that evaluates access and ownership as identity events happen, rather than only at fixed intervals. It combines telemetry, policy, and automation so governance can respond to current risk instead of documenting past approval.
  • Birthright Access: Birthright access is the default set of permissions granted when an identity is created or onboarded. When it is too broad, it creates standing privilege that accumulates between reviews, making later remediation harder and reducing the usefulness of periodic recertification.
  • Privilege Creep: Privilege creep is the gradual accumulation of access that outlives its original business need. It happens when mover events, temporary exceptions, and role changes are not fully cleaned up, leaving identities with more access than their current function requires.

Deepen your knowledge

Identity lifecycle governance and continuous assurance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising access governance across humans and non-human identities, it is worth exploring.

This post draws on content published by ConductorOne: The IGA Maturity Curve: Shifting from Reviews to Assurance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org