TL;DR: According to Zluri, access review programmes fail when they depend on manual coordination instead of governed, auditable decision loops. Its guide describes how Zluri automates user access review workflows for applications such as Salesforce, combining auto-discovery, multi-level certification, bulk reviewer actions, and closed-loop remediation to support compliance and least privilege across sensitive business systems.
At a glance
What this is: This is a practitioner-focused walkthrough of automated user access review, showing how Zluri structures certification, reviewer decisions, and remediation for business applications.
Why it matters: It matters because access reviews sit at the intersection of human IAM, NHI governance, and lifecycle controls, and weak certification processes leave standing access unchallenged.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read Zluri's guide to automating user access reviews in Salesforce
Context
User access review is the governed process of checking who has access to what, why they have it, and whether that access is still justified. In this article, the operational focus is human IAM and IGA, but the same lifecycle discipline also matters for service accounts, tokens, and other non-human identities that can linger long after their purpose changes.
Manual certification workflows tend to break down because they depend on spreadsheets, email chasing, and reviewer memory. That creates blind spots around orphaned accounts, unused licenses, and privileged access that remains in place after the business need has passed, which is exactly where lifecycle control becomes a security control rather than an administrative task.
Key questions
Q: How should security teams run user access reviews without turning them into manual admin work?
A: Use a certification workflow that collects access data automatically, routes it to named reviewers, and connects each decision to a remediation action. That keeps the process governed, repeatable, and auditable while reducing the spreadsheet and email overhead that slows review cycles and creates missed revocations.
Q: Why do user access reviews often fail to improve security in practice?
A: They fail when teams stop at review evidence and never enforce the decision. If revocation, downgrade, or removal does not change the live entitlement, access can remain in place after the review ends. That leaves privilege creep intact and turns the programme into documentation rather than control.
Q: What signals show that access review is actually working?
A: Look for shrinking numbers of inactive, orphaned, and overprivileged accounts after each cycle, plus short time from decision to entitlement change. Strong programmes also show consistent reviewer comments, clear ownership, and fewer repeated exceptions for the same application or user population.
Q: Who should own access review decisions in an IAM programme?
A: Ownership should sit with the people closest to business use, such as app owners or department heads, while IAM or IGA teams govern the workflow and enforcement. That split keeps decisions grounded in context without losing central control over evidence, auditability, and remediation.
Technical breakdown
How user access review certification works
A certification campaign is a structured access decision workflow. It starts by collecting entitlement data from connected applications, then assigns reviewers, defines the population in scope, and presents context such as role, department, last access time, and license type. Reviewers approve, revoke, or modify access, and the platform can trigger downstream remediation when a decision is recorded. The key mechanism is the closed loop: access data, human decision, and enforcement are tied together so the review is not just an audit artifact.
Practical implication: tie every review decision to an enforced remediation path, not a spreadsheet or email follow-up.
Why reviewer context changes decision quality
Access reviews are only as useful as the signals shown to the reviewer. Inactive users, external users, orphaned accounts, and privileged users help reviewers separate obvious removals from ambiguous cases, while mandatory comments add accountability for revocations or changes. Multi-level review can also reduce single-point bias when access is sensitive or disputed. The technical point is that certification quality depends on the evidence surfaced at decision time, not on the number of reviewers alone.
Practical implication: standardise the evidence reviewers see so decisions are repeatable, explainable, and easier to audit.
Closed-loop remediation is the control, not the report
The report is the proof, but the control is the enforced action after approval or revocation. When a reviewer revokes access, the platform should remove the entitlement or downgrade the license without relying on manual follow-up. That matters because the main failure mode in access governance is not lack of intent, but drift between decision and enforcement. A certification process without execution remains a compliance exercise; with automation, it becomes an access control mechanism.
Practical implication: verify that approval, revocation, and modification decisions actually change application state.
NHI Mgmt Group analysis
Access review is lifecycle governance, not a reporting task. Zluri’s workflow shows why certification only has value when it changes access state, not when it produces an audit PDF. Access review exists to remove unjustified entitlements before they become privilege creep, and that applies equally to human accounts, service accounts, and delegated application access. The practitioner takeaway is simple: if the review does not alter live entitlements, it is administrative theatre.
Reviewer context is the difference between governance and guesswork. The article’s emphasis on last access time, account type, and role metadata reflects a core IGA principle: reviewers need decision-quality evidence, not raw access lists. In NIST CSF terms, the review process strengthens governance only when the decision path is documented, repeatable, and tied to enforcement. The practitioner conclusion is that access review design should optimise for informed decisions, not reviewer volume.
Closed-loop remediation exposes the real control gap in many programmes. Organisations often claim to run access reviews, but the actual weakness is the delay between certification and entitlement change. When revocation is automated, the gap closes; when it is manual, access can persist long enough to defeat the purpose of the review. The practitioner conclusion is that lifecycle enforcement is the control, while the review report is only evidence.
Access review for SaaS applications should be treated as a lifecycle signal for the wider identity programme. The same patterns that weaken human access governance also appear in NHI estates when access is granted once and never revisited. That is why the lifecycle lens belongs across IAM, IGA, and NHI governance together. The practitioner conclusion is to use certification outcomes to identify where entitlements, licenses, and privileges are accumulating without a current business owner.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- For lifecycle depth, see NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding practices that keep access review outcomes enforceable.
What this signals
Access review is becoming a lifecycle quality signal, not just a compliance requirement. As entitlement sprawl grows across SaaS, the real question is whether teams can prove that review decisions actually change access state. The programmes that matter most will be the ones that connect certification to remediation, reporting, and ownership in one chain.
The same governance pattern shows up in NHI estates, where long-lived credentials and orphaned access often persist outside normal review cycles. That is why practitioners should connect IAM certification outcomes with the broader identity control model, including the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10.
For practitioners
- Tie certification decisions to enforced remediation: ensure revoke and modify decisions trigger actual entitlement change in the application, not a follow-up ticket or email task.
- Standardise reviewer evidence: show last access time, account type, role, department, and privilege indicators so reviewers can make consistent decisions.
- Use access reviews to find lifecycle drift: track which accounts repeatedly appear in certifications because they are inactive, orphaned, or overprivileged, then treat that as a governance backlog.
- Separate audit reporting from control execution: keep the PDF or export for auditors, but measure success by how quickly the underlying entitlements actually change after review decisions.
Key takeaways
- User access reviews only reduce risk when reviewer decisions are enforced against live entitlements, not just documented for audit.
- The operational value of certification depends on decision-quality evidence such as last access, role context, and privilege indicators.
- Lifecycle governance is the control plane behind access review, because stale access in SaaS and NHI environments behaves the same way once ownership fades.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Access review supports governance over who can use sensitive systems. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust depends on continuous verification of access, not one-time approval. |
| NIST SP 800-63 | SP 800-63 | Identity proofing and account lifecycle decisions affect who should retain access. |
Link certification outcomes to access governance so approvals and revocations change live entitlements.
Key terms
- User access review: A user access review is a formal check of who has access to an application or system and whether that access is still justified. It is an identity governance control that should end with removal, modification, or approval based on current business need, not historical entitlement.
- Certification campaign: A certification campaign is the structured workflow used to collect access entitlements, route them to reviewers, and record decisions. In practice, it is the operational layer of access review, where evidence, accountability, and remediation are tied together for audit and control.
- Closed-loop remediation: Closed-loop remediation means a review decision automatically triggers the corresponding access change. It prevents a common governance failure where teams record a revoke or modify decision but leave the underlying entitlement unchanged because the follow-through remains manual.
- Privilege creep: Privilege creep is the gradual accumulation of access rights that are no longer needed but remain assigned. It often appears when accounts are not re-certified, when ownership is unclear, or when entitlement changes are not enforced after review, leaving the access surface larger than the business requires.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: How We Do User Access Review at Zluri. Read the original.
Published by the NHIMG editorial team on 2025-10-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org