By NHI Mgmt Group Editorial Team | Published 2025-06-26 | Domain: Governance & Risk | Source: Zluri

TL;DR: As cloud services, mobile access and remote work expand the attack surface, user access reviews become the control that keeps permissions aligned with business need, according to Zluri. Regular certification helps limit privilege creep, dormant accounts and compliance drift, but only if reviews are operationally enforced, not treated as a calendar exercise.


At a glance

What this is: An analysis of why user access reviews have become central to the identity perimeter and how they keep access aligned to role and risk.

Why it matters: IAM, IGA and PAM teams need review processes that can keep up with dispersed work, changing roles and stale permissions across human and machine access.



Context

The identity perimeter is the idea that access control should follow the identity, not the network edge. In practice, that means user access reviews become the point where provisioning, role drift and entitlement sprawl are checked against current business need.

Zluri’s article argues that this model is now more important than classic perimeter security because users, contractors and partners access SaaS systems from anywhere. That framing is directly relevant to IAM and IGA teams because review quality determines whether least privilege is real or only documented.

Regular access reviews also expose a broader governance issue: permissions often outlive the job, the project or the relationship that justified them. In mature programmes, the review cycle is not administrative housekeeping; it is the control that keeps identity governance synchronized with operational reality.


Key questions

Q: How should security teams structure user access reviews in SaaS-heavy environments?

A: Start with the applications and identities where access drift creates the most risk, then require reviewers to confirm current business need, owner and role alignment. In SaaS-heavy environments, reviews work best when they are tied to remediation, not just certification records. Otherwise, teams produce audit evidence without actually reducing privilege creep.

Q: Why do user access reviews matter if MFA and contextual access controls are already in place?

A: MFA and contextual controls reduce the chance of risky entry, but they do not correct access that was granted months ago and is no longer justified. Reviews matter because authorisation drift is a separate problem from authentication. Without certification, users can remain over-privileged even in strong sign-in environments.

Q: What breaks when access reviews are manual in large identity estates?

A: Manual reviews break at scale because reviewer attention, entitlement records and remediation steps become inconsistent across applications. That creates a gap between what is approved and what remains active. The result is stale access, uneven enforcement and weak auditability, especially where SaaS sprawl fragments ownership.

Q: Who should be accountable when access reviews fail to remove excessive privileges?

A: Accountability should sit with the entitlement owner and the business manager who approved the access, not only with the IAM team. Governance fails when ownership is unclear or when reviewers can approve access without being able to trigger removal. Clear remediation authority is what turns certification into control.


Technical breakdown

Why user access reviews sit inside the identity perimeter

The identity perimeter replaces network location with identity state as the basis for trust decisions. User access reviews are the governance checkpoint in that model: they validate whether a user, contractor or partner still needs the privileges already granted to them. Without that checkpoint, authentication may still be strong while authorisation silently expands beyond need. In cloud and SaaS environments, this matters because access is often distributed across multiple applications, each with its own entitlement model.

Practical implication: treat access review as an ongoing authorisation control, not a periodic compliance task, and make it the control that tests whether current privilege still matches current business need.

How contextual access control and certification reinforce least privilege

Contextual access control adjusts access decisions using signals such as location, device posture and time of request. Access certification is different: it checks whether access already granted still belongs to the user. Together, they close two different gaps. Contextual controls reduce risky entry, while certifications catch privilege accumulation after the fact. In dispersed work environments, that combination matters because users often shift roles, devices and workflows faster than manual governance cycles can track.

Practical implication: use contextual controls for entry and certification for entitlement drift, then align certification frequency with role volatility and application sensitivity.

Why automated review workflows matter for SaaS sprawl

IGA platforms centralize identity data so reviewers can see entitlements across many applications instead of one directory at a time. Automation helps by scheduling certifications, routing them to owners and recording decisions for audit. The technical value is not speed alone; it is consistency across a fragmented estate where manual review breaks down under scale. If review logic is poorly defined, automation just reproduces bad governance faster.

Practical implication: standardize entitlement sources, reviewer ownership and remediation actions first, and automate review cycles only once those are clearly defined.
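The three points above (test current privilege against current need, tune review cadence to role volatility and application sensitivity, and fix entitlement sources before automating) can be made concrete in code. The following is an added example, not code from Zluri or from NHI Mgmt Group: it compares each identity's held entitlements against a role baseline, flags excess and dormant access, scores the findings by a simple risk heuristic and routes them to the entitlement owner with a review date set by application sensitivity. The role baselines, sensitivity tiers, cadence values, dormancy threshold and sample accounts are all constructed assumptions for illustration.

```python
"""Identity-drift detection and risk-based review scheduling.

Added example, not Zluri's or NHI Mgmt Group's code. The role baselines,
application sensitivity tiers, cadence values and sample accounts below are
constructed for illustration; a real deployment would read them from the
IGA platform's entitlement sources.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed role baselines: the entitlements a role legitimately needs, per app.
ROLE_BASELINE = {
    "finance-analyst": {"erp": {"report.read"}, "crm": {"contact.read"}},
    "sales-rep": {"crm": {"contact.read", "deal.write"}},
    "contractor-dev": {"git": {"repo.read"}},
}

# Constructed application sensitivity: "high" apps are certified more often.
APP_SENSITIVITY = {"erp": "high", "crm": "medium", "git": "medium", "wiki": "low"}

# Assumed cadence policy: review interval in days, by sensitivity tier.
CADENCE_DAYS = {"high": 30, "medium": 90, "low": 180}
DORMANT_AFTER_DAYS = 60   # assumed: no observed use for 60 days counts as dormant


@dataclass
class Identity:
    user: str
    role: str
    owner: str            # entitlement owner who must review this identity's access
    entitlements: dict    # app -> set of permissions currently held
    last_active: dict     # app -> date of last observed use (missing = never seen)
    is_contractor: bool = False


@dataclass
class DriftFinding:
    user: str
    app: str
    excess: set           # permissions held beyond the role baseline
    dormant: bool
    risk: int
    next_review: date
    owner: str


def risk_score(app, excess, dormant, is_contractor):
    """Heuristic priority: sensitivity weight + excess permissions + dormancy + external user."""
    weight = {"high": 5, "medium": 3, "low": 1}[APP_SENSITIVITY.get(app, "low")]
    score = weight + len(excess)
    if dormant:
        score += 3
    if is_contractor:
        score += 2
    return score


def detect_drift(identities, today):
    """Compare held entitlements with the role baseline; flag excess or dormant access."""
    findings = []
    for ident in identities:
        baseline = ROLE_BASELINE.get(ident.role, {})
        for app, held in ident.entitlements.items():
            excess = set(held) - baseline.get(app, set())
            last = ident.last_active.get(app)
            dormant = last is None or (today - last).days > DORMANT_AFTER_DAYS
            if not excess and not dormant:
                continue  # access matches the role and is in use: no drift to certify
            tier = APP_SENSITIVITY.get(app, "low")
            findings.append(DriftFinding(
                user=ident.user, app=app, excess=excess, dormant=dormant,
                risk=risk_score(app, excess, dormant, ident.is_contractor),
                next_review=today + timedelta(days=CADENCE_DAYS[tier]),
                owner=ident.owner))
    # Highest risk first, so reviewer attention goes where privilege creep matters most.
    return sorted(findings, key=lambda f: (-f.risk, f.user, f.app))


def review_queue(findings):
    """Group findings by owner: one routed certification packet per entitlement owner."""
    queue = {}
    for f in findings:
        queue.setdefault(f.owner, []).append(f)
    return queue


# Constructed sample estate: three identities with varying degrees of drift.
SAMPLE = [
    Identity("alice", "finance-analyst", "mgr-fin",
             {"erp": {"report.read", "ledger.write"}, "crm": {"contact.read"}},
             {"erp": date(2025, 6, 20), "crm": date(2025, 6, 25)}),
    Identity("bob", "sales-rep", "mgr-sales",
             {"crm": {"contact.read", "deal.write"}, "wiki": {"page.edit"}},
             {"crm": date(2025, 6, 24), "wiki": date(2025, 1, 10)}),
    Identity("carol", "contractor-dev", "mgr-eng",
             {"git": {"repo.read", "repo.admin"}}, {}, is_contractor=True),
]

if __name__ == "__main__":
    for f in detect_drift(SAMPLE, date(2025, 6, 26)):
        print(f.user, f.app, sorted(f.excess), "dormant" if f.dormant else "active",
              "risk", f.risk, "review by", f.next_review)
```

Run against the constructed sample, the contractor with never-used admin rights on the repository is queued first, the analyst's extra ledger permission on the high-sensitivity ERP second, and the dormant wiki access last. The point is that the queue, the cadence and the owner routing all derive from the same baseline and sensitivity data; if those sources are inconsistent across applications, automating this loop only produces inconsistent findings faster.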


Threat narrative

Attacker objective: The objective is to exploit access that still exists on paper but no longer matches business need, so the actor can reach sensitive systems with minimal resistance.

  1. Entry begins when a user, contractor or partner receives access through cloud or remote-work workflows that bypass the old network perimeter.
  2. Escalation occurs when stale entitlements, over-privileged accounts or dormant access remain active because no one revalidates them against current need.
  3. Impact follows when attackers or insiders use excessive access to reach sensitive SaaS data, move laterally across apps or evade detection until review time.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity perimeter governance fails when access review is treated as a calendar event rather than a control. The article is right to frame identity as the new perimeter, but that perimeter only exists if entitlement state is continuously tested against business need. Once reviews become ceremonial, least privilege becomes an assumption, not an operating condition. The implication is that IGA maturity should be judged by entitlement accuracy, not certification completion rates.

Access review is the control that reveals privilege creep, not just the process that documents it. User roles change, projects end and SaaS access accumulates faster than manual oversight can reliably track. That makes review quality a central governance signal for IAM, IGA and PAM teams. The practical conclusion is that organisations should measure how many entitlements survive review without clear justification.

Identity drift: a user can remain authenticated while their authorisation profile quietly diverges from current job need. This is the failure mode the article points toward. The perimeter is no longer breached at the network edge; it erodes through stale access, dormant accounts and poorly governed role changes. Practitioners should treat identity drift as an operational risk, not a hygiene issue.

Automation improves coverage, but it does not fix bad entitlement design. If applications expose inconsistent roles, reviewers inherit ambiguity and remediation becomes uneven. That is why the governance problem sits upstream of tooling. The implication is that access reviews must be paired with entitlement rationalisation and ownership clarity before scale is introduced.

Human access review discipline now has to coexist with non-human and autonomous access governance. The same lifecycle logic that governs employees also applies to service accounts, tokens and AI-driven access paths, but the review evidence differs. As AI systems and machine identities take on more access, programmes that still optimise only for human certification will miss the larger identity surface.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
  • That confidence gap is why teams should also review the NHI Lifecycle Management Guide for provisioning, rotation and offboarding discipline that complements access certification.

What this signals

Identity drift will become a board-level governance issue as more of the enterprise runs through SaaS, remote access and delegated identity. Review programmes that only prove compliance will not be enough; teams will need evidence that entitlements are still justified, still owned and still removable.

The next maturity step is to connect access review outcomes to entitlement rationalisation and lifecycle control across both human and non-human identities. That means tighter ownership models, clearer remediation authority and better visibility into who or what still holds access after the original need has passed.

As AI systems and machine identities gain broader access, human-centric certification alone will no longer describe the full identity perimeter. Practitioners should align review design with OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0 so governance spans every actor type that can hold privilege.


For practitioners

  • Rebuild access review around entitlement justification: Require reviewers to validate current business need, not just confirm that an account exists. Make the decision record include role, application and owner so certifications can be audited as governance evidence rather than admin output.
  • Prioritise high-risk applications and roles first: Start with SaaS systems, privileged users, contractors and dormant accounts where stale access creates the highest exposure. Use risk-based sequencing so review effort is spent where privilege creep is most likely to matter.
  • Separate entry controls from post-grant review: Use contextual controls such as device and location checks at sign-in, then use certifications to catch access that became excessive after provisioning. Treat the two as complementary controls, not substitutes.
  • Standardise remediation paths before automating reviews: Define who can revoke access, what happens when no reviewer responds and how exceptions are escalated. Automation only works when the organisation already knows how to turn a review decision into an entitlement change.
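The first and last items above describe a decision record (role, application, owner, justification) and a remediation path (who revokes, what happens on no response, how exceptions escalate). The following added example, which is not code from Zluri or NHI Mgmt Group, shows one way to enforce both: a "keep" decision is only honoured when it carries a justification, a "revoke" decision immediately changes the entitlement store, and an item with no valid decision is escalated after one window and revoked after a second. The response windows, the minimum justification length, the escalation owners and the sample items are constructed assumptions.

```python
"""Access certification decisions with enforced remediation.

Added example, not Zluri's or NHI Mgmt Group's code. The response windows,
justification rule, escalation owners and sample items are constructed
assumptions; the entitlement store is an in-memory set standing in for the
application's own authorisation data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

REVIEWER_RESPONSE_DAYS = 14        # assumed: owner must decide within two weeks
ESCALATION_DAYS = 7                # assumed: escalation owner gets one more week
MIN_JUSTIFICATION_WORDS = 3        # assumed: a bare "ok" is not a justification


@dataclass
class CertificationItem:
    user: str
    app: str
    permission: str
    role: str
    owner: str                     # entitlement owner with authority to revoke
    escalation_owner: str          # fallback reviewer when the owner does not respond
    opened: date
    decision: Optional[str] = None # "keep" | "revoke" | None (no response yet)
    justification: str = ""
    decided_by: Optional[str] = None


@dataclass
class Outcome:
    user: str
    app: str
    permission: str
    action: str                    # "retain" | "revoke" | "escalate" | "pending"
    reason: str
    audit: dict = field(default_factory=dict)


def evaluate(item, today, revoke_fn, escalate_fn):
    """Turn one certification decision into an entitlement change plus audit evidence."""
    audit = {"user": item.user, "app": item.app, "permission": item.permission,
             "role": item.role, "owner": item.owner, "decided_by": item.decided_by,
             "evaluated_on": today.isoformat()}

    def out(action, reason):
        return Outcome(item.user, item.app, item.permission, action, reason, audit)

    if item.decision == "revoke":
        revoke_fn(item.user, item.app, item.permission)
        return out("revoke", "owner decision")
    justified = len(item.justification.split()) >= MIN_JUSTIFICATION_WORDS
    if item.decision == "keep" and justified:
        return out("retain", "justified: " + item.justification)
    # No valid decision: either nobody responded or "keep" came without a real justification.
    age = (today - item.opened).days
    if age > REVIEWER_RESPONSE_DAYS + ESCALATION_DAYS:
        revoke_fn(item.user, item.app, item.permission)   # default-deny after both windows
        return out("revoke", "no justified decision after escalation window")
    if age > REVIEWER_RESPONSE_DAYS:
        escalate_fn(item.escalation_owner, item)
        return out("escalate", "reviewer did not respond" if item.decision is None
                   else "keep lacked justification")
    return out("pending", "within reviewer response window")


def run_cycle(items, directory, today):
    """Apply every decision against a live entitlement store; return outcomes and escalations."""
    escalations = []

    def revoke(user, app, perm):
        directory.discard((user, app, perm))   # the review decision becomes an entitlement change

    def escalate(to, item):
        escalations.append((to, item.user, item.app, item.permission))

    outcomes = [evaluate(i, today, revoke, escalate) for i in items]
    return outcomes, escalations


def summarize(outcomes):
    """Counts per action: the governance signal is how much access is retained vs. removed."""
    counts = {"retain": 0, "revoke": 0, "escalate": 0, "pending": 0}
    for o in outcomes:
        counts[o.action] += 1
    return counts


# Constructed sample: active entitlements and the open certification items for them.
SAMPLE_DIRECTORY = {("alice", "erp", "ledger.write"), ("bob", "wiki", "page.edit"),
                    ("carol", "git", "repo.admin"), ("dave", "crm", "deal.write")}
SAMPLE_ITEMS = [
    CertificationItem("alice", "erp", "ledger.write", "finance-analyst", "mgr-fin", "dir-fin",
                      date(2025, 6, 1), decision="keep",
                      justification="month-end journal adjustments approved by controller",
                      decided_by="mgr-fin"),
    CertificationItem("bob", "wiki", "page.edit", "sales-rep", "mgr-sales", "dir-sales",
                      date(2025, 6, 1)),                          # nobody responded
    CertificationItem("carol", "git", "repo.admin", "contractor-dev", "mgr-eng", "dir-eng",
                      date(2025, 6, 8), decision="keep", justification="ok", decided_by="mgr-eng"),
    CertificationItem("dave", "crm", "deal.write", "sales-rep", "mgr-sales", "dir-sales",
                      date(2025, 6, 20), decision="revoke", justification="moved to support team",
                      decided_by="mgr-sales"),
]


def demo(today_iso="2025-06-26"):
    """Run the constructed cycle; returns (outcomes, escalations, remaining entitlements)."""
    directory = set(SAMPLE_DIRECTORY)
    outcomes, escalations = run_cycle(SAMPLE_ITEMS, directory, date.fromisoformat(today_iso))
    return outcomes, escalations, directory


if __name__ == "__main__":
    outcomes, escalations, remaining = demo()
    for o in outcomes:
        print(o.user, o.app, o.permission, o.action, "-", o.reason)
    print("escalated:", escalations)
    print("still active:", sorted(remaining))
```

On the constructed data, the justified keep is retained, the explicit revoke and the item nobody answered in 25 days are both removed from the store, and the "keep" with a one-word justification is escalated rather than accepted. The audit dict on each outcome carries role, application, owner and decider, so the certification record is governance evidence rather than a tick-box; and because revocation is wired into the same function that records the decision, a reviewer cannot approve access without the organisation also being able to remove it.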

Key takeaways

  • User access reviews are now a core identity perimeter control because they test whether granted access still matches current business need.
  • The main governance risk is identity drift, where authentication stays intact but authorisation quietly expands beyond least privilege.
  • Automating certifications only improves security when entitlement ownership, remediation authority and review criteria are already well defined.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AA-01            | Identity state and access review are central to this article's perimeter model.
NIST CSF 2.0                 | PR.AA-05            | Least-privilege review is the article's main governance theme.
NIST Zero Trust (SP 800-207) | PA-4                | The article replaces network trust with identity-based access decisions.

Map user access reviews to identity governance controls and verify access still matches business need.


Key terms

  • Identity Perimeter: An identity perimeter is a security model that treats identity and access state as the main boundary to protect, rather than the traditional network edge. It assumes users, partners and contractors may connect from anywhere, so authorisation must be continuously checked against current context and business need.
  • User Access Review: A user access review is a governance process where assigned privileges are checked against current role, responsibility and business purpose. In practice, it is how IAM and IGA teams confirm that access still belongs to the person holding it and that excess permissions are removed or remediated.
  • Identity Drift: Identity drift is the slow divergence between the access a user was originally granted and the access they still hold over time. It appears when roles change, projects end or permissions accumulate, leaving authentication intact while authorisation moves away from least privilege.
  • Access Certification: Access certification is the formal approval or rejection of existing entitlements by a reviewer with business or technical ownership. It is distinct from granting access at onboarding because it evaluates whether privileges should remain active, making it a core control for ongoing access governance.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance Identity as the New Perimeter: Role of User Access Reviews. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org