By NHI Mgmt Group Editorial Team
Published 2025-06-20
Domain: Governance & Risk
Source: ConductorOne

TL;DR: User access reviews are often run to satisfy SOX and PCI audit cycles, but ConductorOne argues they can also reduce standing privilege, surface unused access, and tighten controls around service accounts, contractors, and policy exceptions. That shift turns UARs from a box-ticking exercise into a practical identity security control.


At a glance

What this is: This is a practitioner analysis of how user access reviews can move from audit fulfilment to active security control, with emphasis on standing privilege, unused access, orphaned accounts, and service account governance.

Why it matters: It matters because the same review workflows used for human access can also expose weak governance patterns across NHI and lifecycle processes, giving IAM teams a way to reduce risk without waiting for the next audit cycle.

By the numbers:

👉 Read ConductorOne's blog on using user access reviews for real security


Context

User access reviews are supposed to validate whether access still makes sense, but in many programmes they become a quarterly compliance ritual. When reviews are driven only by audit deadlines, teams miss the identity governance work that actually reduces exposure: pruning unused access, finding orphaned accounts, and forcing ownership questions that were never answered at provisioning.

That gap matters across human identity and NHI programmes because the same access review process often governs employees, contractors, and service accounts. If the review model cannot distinguish between active use, inherited access, and persistent machine credentials, it will certify risk instead of reducing it. Security value comes from using reviews as an ongoing control, not a paperwork checkpoint.


Key questions

Q: How should security teams use user access reviews to reduce risk, not just satisfy audits?

A: Security teams should scope user access reviews to likely risk, not only to fixed audit cycles. Focus on unused access, privileged production entitlements, orphaned accounts, and service accounts that persist without clear ownership. The review should end with removal or remediation actions, because a review that does not change access state only documents the problem.

Q: Why do user access reviews often miss the access that matters most?

A: They miss the access that matters most when the programme is built around calendar cadence instead of identity risk. Quarterly reviews can certify old entitlements, but they often overlook accounts that are unowned, rarely used, or inherited through indirect paths. High-risk access changes faster than the review schedule, so the control has to be more targeted.

Q: What breaks when service accounts are left out of access review programmes?

A: When service accounts are left out, the programme loses visibility into some of the most persistent and over-permissioned identities in the environment. That creates a blind spot for standing privilege, orphaned ownership, and unused credentials that can survive long after their original purpose ends. In practice, the review says the environment is controlled when it is not.

Q: Who should be accountable when a user access review finds unowned or excessive access?

A: Accountability should sit with the system or application owner first, then with the identity governance process that allowed the gap to persist. If the account is unowned, the organisation has an offboarding or provisioning problem as well as a review problem. The review should trigger remediation, not just a sign-off, because no one can responsibly certify unknown ownership.


Technical breakdown

Unused access filtering in user access reviews

Unused access filtering turns a UAR from a broad attestation exercise into a targeted control. Instead of asking reviewers to certify every entitlement, the review is scoped to accounts with no recent activity, which creates a stronger signal that access may no longer be needed. This works because access use is a practical proxy for necessity, especially in high-risk systems such as production environments or cloud platforms. The mechanism is simple, but the governance value is high: review fatigue falls and removal decisions become easier to defend.

Practical implication: filter UARs by last use or inactivity threshold so reviewers focus on entitlements that are most likely to be unnecessary.

Orphaned accounts and ownership gaps

Orphaned accounts are identities or application accounts that no longer map cleanly to a known owner in the directory or governance system. They are dangerous because accountability disappears before the account does, which means no one is clearly responsible for validating, certifying, or removing the access. In identity governance terms, the account has outlived the lifecycle process that should have closed it. Standard quarterly review cycles often miss these accounts because the problem is not usage alone but the absence of a responsible reviewer.

Practical implication: build a recurring review path for accounts with no known owner and treat missing ownership as a remediation event, not a reporting issue.

Policy-based access decisions with filters and automation

Policy filters let UARs enforce access rules rather than only document them. When a campaign is limited to direct grants, contractor access, or other policy exceptions, the review becomes a way to detect violations of intended access architecture. This is especially useful where entitlements should flow through groups, time windows, or approval logic rather than being assigned directly. The technical pattern is less about automation for its own sake and more about converting policy into an operational decision point that can revoke access when the pattern is wrong.

Practical implication: use UAR filters to target policy exceptions, then revoke access that bypasses the intended entitlement path.
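The three filters above (inactivity, missing ownership, and policy exceptions) can be expressed as plain predicates over an entitlement inventory and merged into one review queue. The following is an added example and not ConductorOne's or NHIMG's code; the record fields, the 90-day inactivity threshold, the set of high-risk systems, the rule that contractors and direct grants are exceptions in production, and the sample inventory are all assumptions constructed for illustration.

```python
"""Risk-scoped user access review (UAR) campaign builder.

Added example, not ConductorOne's or NHIMG's code. It models the three
filters described above (unused access, orphaned accounts, policy
exceptions) over a small, constructed entitlement inventory. Field names,
thresholds, policy rules and sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    account: str               # identity holding the access
    account_type: str          # "employee", "contractor" or "service"
    system: str                # target system, e.g. "aws-prod"
    role: str                  # entitlement name within the system
    grant_path: str            # "direct" or "group:<group-name>"
    owner: Optional[str]       # accountable owner recorded in the directory
    last_used: Optional[date]  # None means no activity on record at all


# Constructed inputs: review date, directory of known owners, risk tiering.
REVIEW_DATE = date(2025, 6, 20)
DIRECTORY_OWNERS = {"alice", "bob", "carol"}
HIGH_RISK_SYSTEMS = {"aws-prod", "payments-db"}
INACTIVITY_DAYS = 90

INVENTORY = [
    Entitlement("alice", "employee", "aws-prod", "AdminAccess",
                "group:platform-eng", "alice", REVIEW_DATE - timedelta(days=3)),
    Entitlement("dave", "employee", "aws-prod", "AdminAccess",
                "direct", "bob", REVIEW_DATE - timedelta(days=140)),
    Entitlement("svc-etl", "service", "payments-db", "db_owner",
                "direct", None, None),                       # never used, no owner
    Entitlement("eve-contractor", "contractor", "aws-prod", "PowerUser",
                "direct", "carol", REVIEW_DATE - timedelta(days=10)),
    Entitlement("frank", "employee", "wiki", "editor",
                "group:staff", "zed", REVIEW_DATE - timedelta(days=200)),  # owner left
    Entitlement("svc-backup", "service", "payments-db", "backup_reader",
                "group:backup-svc", "bob", REVIEW_DATE - timedelta(days=1)),
]


def unused_access(inventory, as_of=REVIEW_DATE, inactivity_days=INACTIVITY_DAYS,
                  high_risk=HIGH_RISK_SYSTEMS):
    """Entitlements in high-risk systems with no use inside the inactivity window.
    Access with no recorded use at all is treated as the strongest signal."""
    cutoff = as_of - timedelta(days=inactivity_days)
    return [e for e in inventory
            if e.system in high_risk and (e.last_used is None or e.last_used < cutoff)]


def orphaned_accounts(inventory, directory=DIRECTORY_OWNERS):
    """Entitlements whose recorded owner is missing or no longer in the directory.
    Usage is deliberately ignored: the defect is the absent reviewer, not inactivity."""
    return [e for e in inventory if e.owner is None or e.owner not in directory]


def policy_exceptions(inventory, high_risk=HIGH_RISK_SYSTEMS):
    """(entitlement, reason) pairs for grants that bypass the assumed access path:
    direct grants in high-risk systems, and any contractor access to those systems
    (assumed policy: contractors reach production only via a time-bound group)."""
    out = []
    for e in inventory:
        if e.system not in high_risk:
            continue
        if e.grant_path == "direct":
            out.append((e, "revoke-direct-grant"))
        if e.account_type == "contractor":
            out.append((e, "move-to-time-bound-group"))
    return out


def build_campaign(inventory):
    """Merge the three filters into one queue keyed by (account, system, role).
    Each line carries the remediation actions a reviewer must perform or justify
    not performing, so closing the campaign changes access state by default."""
    findings = {}
    for e in unused_access(inventory):
        findings.setdefault((e.account, e.system, e.role), set()).add("revoke-unused")
    for e in orphaned_accounts(inventory):
        findings.setdefault((e.account, e.system, e.role), set()).add("assign-owner")
    for e, reason in policy_exceptions(inventory):
        findings.setdefault((e.account, e.system, e.role), set()).add(reason)
    # Lines with the most independent reasons reach reviewers first.
    return sorted(((key, sorted(actions)) for key, actions in findings.items()),
                  key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for (account, system, role), actions in build_campaign(INVENTORY):
        print(f"{account:15} {system:12} {role:14} -> {', '.join(actions)}")
```

Note that alice's admin role on aws-prod never appears in the queue: it is recently used, group-granted, and owned, so a reviewer is not asked to re-certify it. The service account with no owner and no recorded use surfaces first with three separate reasons, which is the ordering a risk-scoped campaign should produce.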


Threat narrative

Attacker objective: The objective is to keep dormant or over-permissioned access available long enough to reach sensitive systems without triggering removal.

  1. Entry occurs when unused or orphaned access remains active long after the business need has ended, giving an attacker or insider a live entitlement to exploit.
  2. Escalation follows when persistent service or contractor access is not reviewed often enough, allowing standing privilege to remain in place and widen blast radius.
  3. Impact lands when stale access is used to reach production systems or cloud resources without a timely ownership challenge or revocation cycle.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

UARs become real security controls only when they are scoped to risk, not calendar cadence. Quarterly certification cycles satisfy compliance, but they do not tell a reviewer which entitlements are unused, inherited, or high blast radius. The control becomes materially stronger when it is aimed at the access most likely to be stale or excessive. That is the difference between proving review activity and actually reducing identity exposure.

Orphaned access is a lifecycle failure, not a review failure. When an account no longer maps to a known owner, the problem started at provisioning or offboarding, not at the audit stage. User access reviews can expose that gap, but they cannot fix a broken ownership model after the fact. The practitioner takeaway is that lifecycle governance must be treated as the upstream control that makes UARs meaningful in the first place.

Service accounts should be governed as persistent non-human identities, not as edge cases. Service accounts are often over-permissioned, under-owned, and reviewed less rigorously than human access, which is exactly why they become a governance blind spot. This is a classic NHI problem, and it aligns directly with the visibility and rotation deficits documented in NHIMG research. Teams that fold service accounts into the same review discipline as human access are closing a structural gap, not adding bureaucracy.

Policy exceptions are where UARs earn their security value. Reviews that only reconfirm normal access patterns do little to change risk. The highest-value campaigns are the ones that isolate direct grants, production access, contractor entitlements, and other cases where policy intent and actual assignment can diverge. That is where UARs move from evidence collection to control enforcement.

Access review programmes expose whether IAM is managing identity state or merely collecting attestations. The deeper issue is not the review form itself but whether the programme can actually remove access when ownership, use, or policy no longer justify it. Strong programmes treat UAR output as an operational trigger. Weak programmes produce clean reports and leave the risk in place.

From our research:

What this signals

UAR modernisation is becoming a lifecycle governance problem, not just a review problem. When teams start using access reviews to remove unused access and expose orphaned accounts, they are compensating for upstream gaps in provisioning and offboarding. The programme signal is clear: certification quality will increasingly depend on how well the IAM stack tracks ownership, use, and revocation, not on how quickly the review queue closes.

Service account oversight is now a board-relevant control signal. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and that number explains why UARs remain underused as an NHI control. If your review process still treats service accounts as edge cases, you are likely missing a large share of persistent privilege exposure. For teams that want a deeper lifecycle lens, the NHI Lifecycle Management Guide is the right companion resource.

Access review programmes should be measured by removals, not completions. The next maturity step is to track how often reviews actually change access state, especially for contractors, production access, and direct grants. In practice, that means building a governance loop that connects review outputs to revocation, ownership resolution, and policy enforcement.


For practitioners

  • Target reviews on unused access: Run monthly UAR campaigns for accounts with no recent activity in high-risk systems such as AWS or production environments, then revoke access that reviewers cannot justify as necessary. This reduces standing privilege without waiting for the quarterly cycle.
  • Create a dedicated orphaned-account review path: Separate accounts with no known owner from standard certification campaigns and require a named remediation owner before the review closes. Treat unknown ownership as a lifecycle defect that must be resolved, not a checkbox outcome.
  • Fold service accounts into recurring certification: Assign explicit ownership for service accounts and review them on a frequent cadence, with special attention to accounts that are persistent and over-permissioned. This makes non-human identity governance visible in the same process used for people.
  • Use access filters to enforce policy: Scope UARs to direct grants, contractor access, or production access where policy intent is most likely to drift from actual assignment. Use the review output to remove entitlements that bypass the intended access path.
  • Tie review outcomes to offboarding and revocation: Make each UAR campaign a trigger for revocation workflows when an account is unused, unowned, or outside policy. That turns the review into an operational control rather than a report for audit storage.

Key takeaways

  • User access reviews only reduce risk when they target stale access, not when they merely satisfy audit cadence.
  • Orphaned accounts and unmanaged service accounts are lifecycle failures that UARs can expose but not fix on their own.
  • The most useful review programmes close access gaps by revoking, reassigning, or policy-enforcing entitlements after certification.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | UARs can expose overprivileged and unreviewed non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Reviews support least-privilege enforcement across users and service accounts. |
| NIST Zero Trust (SP 800-207) | AC-3 | Targeted review campaigns support continuous verification and limit standing access. |

Use access reviews to identify excess NHI privilege and revoke entitlements that no longer match purpose.


Key terms

  • User Access Review: A user access review is a governance process for checking whether an identity still needs its assigned access. In practice, it should validate ownership, necessity, and privilege level, then trigger removal or remediation when the access no longer matches the business need.
  • Orphaned Account: An orphaned account is an identity or application account that no longer maps cleanly to a known owner or lifecycle record. These accounts are risky because accountability disappears before access does, making review, certification, and offboarding far harder to enforce.
  • Standing Privilege: Standing privilege is access that remains continuously available instead of being issued only when needed. For human and non-human identities alike, it expands the attack surface because unused permissions persist long enough to be exploited, misused, or forgotten.
  • Inherited Access: Inherited access is permission granted indirectly through a group, role, or team membership rather than through a direct assignment. It matters in governance because reviewers can miss it if they only inspect direct grants, leaving policy violations hidden inside otherwise valid access paths.

Deepen your knowledge

User access reviews, lifecycle governance, and service account oversight are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to turn certification into active risk reduction, this is the right starting point.

This post draws on content published by ConductorOne: Beyond Checking the Box: How to Use UARs for Real Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org