TL;DR: User access reviews were built for slower, human-centric identity models, but today’s environments include ephemeral cloud resources, non-human identities, and AI agents whose access changes too quickly for periodic validation, according to ConductorOne. Retrospective reviews now function as a compliance artifact, not the control plane, because modern risk is continuous, contextual, and action-based.
At a glance
What this is: This is a blog post arguing that user access reviews no longer govern modern identity risk effectively because access now changes faster than periodic review cycles can track.
Why it matters: It matters because IAM teams must move governance from entitlement snapshots to real-time control across human, NHI, and autonomous identity programmes.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read ConductorOne's analysis of why user access reviews are fading
Context
User access reviews were designed for a world where identities changed slowly, privilege was mostly human, and entitlement snapshots were good enough to prove control. That model breaks when access is short-lived, delegated to systems, and exercised by identities that do not wait for a review cadence.
The governance problem is not that reviews are badly executed. The problem is that modern identity risk is action-based and contextual, while UARs are retrospective and entitlement-based. For teams managing NHI and agentic workloads alongside human users, that mismatch now sits at the centre of identity governance design.
Key questions
Q: What breaks when user access reviews are the main identity control?
A: User access reviews break when access changes faster than the review cadence. They can confirm a historical state, but they cannot prevent ephemeral access, delegated machine actions, or short-lived privilege escalation from being used before the review happens. In modern environments, that makes UARs a validation artifact, not a control mechanism.
Q: Why do non-human identities make periodic access reviews less effective?
A: Non-human identities complicate periodic reviews because service accounts, bots, and AI-driven workloads can act continuously and at machine speed. Their access often exists only briefly or changes contextually, so a monthly or quarterly review cannot reliably capture the real risk. Governance has to move closer to runtime enforcement and behavioural evidence.
Q: How should security teams govern access in dynamic cloud and SaaS environments?
A: Security teams should govern access with just-in-time access, policy-based approval, automatic expiry, and event-level logging. The goal is to decide at the moment of access, not after the fact, and to ensure risky permissions cannot persist long enough to require cleanup at review time.
Q: How do auditors evaluate identity governance when reviews are no longer central?
A: Auditors should look for proof that access was granted only when needed, expired automatically, and required appropriate approval for high-risk actions. Event logs, policy-as-code, and time-bound records usually provide stronger evidence than spreadsheet-based recertification alone. The key is demonstrating that control happens before risk materialises.
Technical breakdown
Why entitlement reviews miss action-based risk
User access reviews assume that the main question is who has access, then whether that access should remain. That works only when privilege is stable long enough to inspect. In cloud, SaaS, and NHI-heavy environments, the real control point is the action itself: what was requested, under what context, for how long, and with what downstream effect. A static entitlement list cannot represent ephemeral access, delegated permissions, or machine-to-machine use patterns. Reviews therefore record state after the fact, but they do not govern the decision that created the state.
Practical implication: move review evidence toward action logs, time-bound grants, and policy decisions at request time rather than relying on entitlement attestations.
How contextual identity governance changes the control plane
Contextual governance means access is decided against role, workload, data sensitivity, and current risk instead of a fixed approval cycle. In practice, this shifts identity governance from periodic confirmation to continuous enforcement. Just-in-time access, policy-as-code, event-level logging, and automatic expiry become the mechanisms that keep risk from persisting. Reviews still have a place, but they validate whether policy is working. They are no longer the mechanism that keeps access safe in the first place.
Practical implication: anchor identity governance on continuous policy enforcement and use reviews only to test exceptions, drift, and control effectiveness.
Why AI agents and bots make review cadence obsolete
AI agents and bots can take action without logging in like a person, which means access may be granted, used, and discarded within a single operational window. That behaviour compresses the observation window below the cadence of monthly or quarterly review. Even where permissions look identical on paper, the risk differs sharply if an identity can act repeatedly, chain decisions, or trigger downstream actions autonomously. For these actors, governance has to inspect runtime behaviour and delegation paths, not only assigned entitlements.
Practical implication: treat non-human action paths as runtime governance problems and require telemetry that captures behaviour, not just access ownership.
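The three sub-sections above all rest on one claim: a snapshot of entitlements taken at review time cannot show an action that was granted, used and expired between two review windows, whereas a request-time policy decision plus an event log can. The following added example (not ConductorOne's or NHIMG's code; identities, actions, the `Engine` class and the tick-based timestamps are all constructed) runs that timeline through a minimal just-in-time engine with policy-as-code and automatic expiry, then compares what two periodic reviews would see with what the event log records.

```python
from dataclasses import dataclass, field
# Added illustration (not ConductorOne's or NHIMG's code): a tiny JIT access engine with
# policy-as-code, automatic expiry and an event log, set beside what a periodic entitlement
# snapshot would show. All identities, actions and timestamps are constructed.

@dataclass
class Grant:
    identity: str
    action: str
    granted_at: int
    expires_at: int

@dataclass
class Engine:
    ttl: int = 10                                   # JIT grants expire after ttl ticks
    grants: list = field(default_factory=list)
    events: list = field(default_factory=list)      # event-level log, append-only
    def policy(self, identity, action, sensitivity, risk):
        # policy-as-code: decided at request time from context, not by a review cycle
        if risk >= 0.8:
            return False
        if sensitivity == "high" and not identity.startswith("human:"):
            return False                            # NHIs and agents never touch high data
        return True
    def request(self, now, identity, action, sensitivity="low", risk=0.0):
        allowed = self.policy(identity, action, sensitivity, risk)
        self.events.append((now, identity, action, "approved" if allowed else "denied"))
        if allowed:
            self.grants.append(Grant(identity, action, now, now + self.ttl))
        return allowed
    def act(self, now, identity, action):
        live = any(g.identity == identity and g.action == action
                   and g.granted_at <= now < g.expires_at for g in self.grants)
        self.events.append((now, identity, action, "executed" if live else "blocked"))
        return live
    def snapshot(self, now):
        # what a periodic review sees: only entitlements still live at review time
        return sorted({(g.identity, g.action) for g in self.grants
                       if g.granted_at <= now < g.expires_at})

def simulate():
    e = Engine(ttl=10)
    before = e.snapshot(0)                          # review window 1: nothing to attest
    e.request(5, "svc:deploy-bot", "db:export", sensitivity="medium")
    e.act(7, "svc:deploy-bot", "db:export")         # executed while the grant is live
    e.act(20, "svc:deploy-bot", "db:export")        # blocked: grant expired at tick 15
    e.request(22, "agent:triage", "db:export", sensitivity="high")   # denied by policy
    after = e.snapshot(30)                          # review window 2: still nothing
    return before, after, e.events                  # only the event log shows the export
```

Both snapshots come back empty even though a service account exported data at tick 7, which is exactly the gap the post describes; the event log is the only artifact that records the approval, the execution, the blocked retry after expiry, and the policy denial for the agent.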
Threat narrative
Attacker objective: The objective is to complete risky actions through access that outlives governance visibility, then leave only retrospective evidence for the review cycle.
- Entry occurs when an identity is granted temporary, delegated, or machine-mediated access that is valid before any review cycle can observe it.
- Credential access or abuse happens when the granted access is used repeatedly through automation, making the entitlement appear normal while actions accumulate.
- Impact follows when the organisation relies on a later review as proof of control, but the risky action has already completed and downstream effects are already in motion.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Access reviews are now a validation layer, not a control plane. That shift matters because periodic attestation was built for static entitlement models, not for environments where access is granted just in time and used briefly. Once identity behaviour becomes continuous and contextual, the governance centre of gravity moves to runtime control and policy enforcement. Practitioners should stop treating review completion as proof of security and start treating it as evidence that controls need validation.
Identity risk has moved from entitlement ownership to action control. A review can tell you who appears to have access, but it cannot tell you whether the right action was permitted at the right moment under the right conditions. That is a structural mismatch for cloud, SaaS, and NHI-heavy estates. The implication is that governance programmes must measure permitted action, not just assigned permission.
Reviews designed for human users do not scale to delegated machine behaviour. Service accounts, bots, and AI agents can act faster than any recertification cadence, which means the lifecycle assumption behind UARs has already collapsed. The question is no longer whether the identity still exists in the system of record. The question is whether the organisation has built identity controls that can govern behaviour before the action completes.
Ephemeral credential trust debt: This post exposes the governance debt created when temporary access is granted faster than it can be meaningfully reviewed. The problem is not poor execution of UARs. The problem is that the operating model still assumes access survives long enough to be validated later. Practitioners should recognise this as a control-model mismatch, not a review-quality issue.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage.
- For lifecycle context, the NHI Lifecycle Management Guide shows why provisioning, rotation, and offboarding now need to operate faster than review cadences.
What this signals
Standing review cycles are becoming a weak signal in environments where identity behaviour is now continuous. The programme shift is toward runtime policy, event-level evidence, and delegated-access monitoring, especially where non-human identities outnumber humans and operate at machine speed. Teams that still rely on periodic attestation will struggle to explain what changed between review windows.
The practical signal is that identity governance must start differentiating human user assurance from non-human runtime assurance. That includes binding access to context, shortening privilege duration, and aligning review activity with evidence collection rather than with control ownership. For a baseline view of the problem space, teams should revisit the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10.
For practitioners
- Shift governance from attestation to enforcement: Use policy-as-code, JIT access, and automatic expiry so access decisions happen at request time and risky states do not persist until the next review.
- Measure action-level evidence instead of entitlement snapshots: Capture event-level logs, approval outcomes, and time-bound access records for human users, service accounts, and agents so governance can prove what happened, not just who was listed.
- Reclassify non-human identities by behaviour: Inventory service accounts, bots, and AI agents separately from human users, then define which actions require continuous controls rather than periodic recertification.
- Use reviews to test controls, not substitute for them: Keep access reviews as a validation mechanism for exceptions, policy drift, and audit evidence, but remove the expectation that they prevent exposure on their own.
Key takeaways
- User access reviews are no longer sufficient as the primary identity control because modern access is dynamic, contextual, and often machine-driven.
- The scale of the problem is already visible in NHI breach data, which shows that compromised non-human identities remain central to identity security incidents.
- Practitioners should move governance to runtime enforcement, using reviews only as validation for controls that already prevent risky access from persisting.
Key terms
- User Access Review: A user access review is a periodic check of who has access to what and whether that access should continue. It is a governance control, not an enforcement control, so it works best when identities are stable and access changes slowly. In dynamic environments, it must be paired with runtime policy.
- Action-Based Identity Risk: Action-based identity risk is the exposure created by what an identity can do, not just what permissions it holds on paper. It focuses on runtime behaviour, delegation, approvals, and downstream impact. This matters most when service accounts and agents can act faster than human review cycles can observe.
- Just-In-Time Access: Just-in-time access is a pattern that grants credentials or permissions only when needed and removes them automatically after use. It reduces standing privilege and shortens exposure windows. For non-human identities and agents, the operational value comes from limiting how long risky access can exist at all.
- Event-Level Logging: Event-level logging records the actual actions taken by an identity, not just the fact that access existed. It provides evidence for investigations, audits, and policy validation. For modern identity governance, this is often more useful than entitlement snapshots because it shows behaviour in context.
Deepen your knowledge
User access reviews, runtime governance, and non-human identity controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme still depends on periodic attestation, this course is a practical next step.
This post draws on content published by ConductorOne: Why User Access Reviews Are Becoming a Relic of the Past. Read the original.
Published by the NHIMG editorial team on 2026-01-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org