By NHI Mgmt Group Editorial Team
Published 2026-02-28
Domain: Governance & Risk
Source: Zluri

TL;DR: Access reviews often satisfy auditors while still consuming 149 person-days per cycle, with 25,000 data points, 18-day remediation delays, and recurring violations left hidden in the process, according to Zluri. The real issue is not completion but governance design: manual review models are too slow, too broad, and too weak to reduce risk.


At a glance

What this is: This is an analysis of why user access reviews often pass compliance checks while still failing to control risk, with Zluri arguing that visibility, grouping, remediation, AI triage, and lifecycle automation are what make reviews effective.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes all depend on the same governance mechanics, and review processes that cannot scale across people, apps, and machine identities will keep producing audit evidence without reducing exposure.

By the numbers:

👉 Read Zluri's analysis of user access review best practices and automation


Context

User access review is the governance process used to confirm that people, roles, and application entitlements still match business need. In practice, the process often becomes a compliance exercise that records decisions after risk has already accumulated, especially when visibility is limited to the identity provider.

The problem is broader than human IAM. The same review model is often stretched across SaaS sprawl, contractor access, privileged roles, and non-human identities such as service accounts and API-driven access, where stale access and weak offboarding can persist outside the review cycle.

When access reviews are too manual, too narrow, or too periodic, they produce a false sense of control. The article's central claim is that effective governance depends on visibility, grouping, closed-loop execution, and lifecycle automation rather than spreadsheets alone.


Key questions

Q: How should security teams make access reviews cover the real application estate?

A: They should not rely on the identity provider alone. A review scope that only sees SSO-connected apps will miss shadow IT, personal purchases, browser-only SaaS, and other unmanaged access paths. The practical move is to combine IdP data with finance, endpoint, browser, and CASB discovery so the review list reflects the true attack surface.

Q: Why do access reviews still leave risk behind even when auditors sign off?

A: Because completion is not the same as enforcement. If review decisions take days or weeks to reach execution, the risky access remains active after the control has supposedly finished. Organisations should measure time from decision to revocation, not just whether the review spreadsheet was completed on schedule.

Q: What do teams get wrong about group-based access reviews?

A: They treat group review as a shortcut rather than a governance redesign. Group-based review only works when group membership reflects real job functions and access policies; otherwise bad structure gets multiplied faster. Teams should review the underlying group model before trusting the efficiency gains.

Q: How do access reviews fit with lifecycle governance for non-human identities?

A: They should validate lifecycle automation, not replace it. Service accounts, API keys, and application tokens need ownership, expiry, and offboarding triggers just like human access needs joiner-mover-leaver controls. The review process should confirm that machine identities were created, rotated, and retired according to policy.
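The checks this answer describes (ownership, expiry, rotation against policy, and retirement when the owner leaves) can be expressed as a small policy evaluator. The block below is an added example, not code from Zluri or NHI Mgmt Group; the identity records, the HR-derived list of active people, the rotation thresholds and the review date are all constructed assumptions.

```python
"""Check machine identities against a lifecycle policy as part of an access review.

Added example (not code from Zluri or NHI Mgmt Group). The identity records,
the HR-derived list of active people and the rotation thresholds are all
constructed assumptions; replace them with your own exports and policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class MachineIdentity:
    name: str
    kind: str                  # "service_account", "api_key" or "app_token"
    owner: Optional[str]       # accountable human, or None if nobody claims it
    last_rotated: date
    expires: Optional[date]
    active: bool = True


# Constructed policy: maximum credential age per kind, in days.
MAX_AGE_DAYS = {"service_account": 365, "api_key": 90, "app_token": 30}

# Constructed HR view of who is still employed or under contract.
ACTIVE_PEOPLE = {"alice", "bob"}

# Constructed review date used by the demo below.
REVIEW_DATE = date(2025, 11, 15)

IDENTITIES = [
    MachineIdentity("ci-deploy", "service_account", "alice", date(2025, 6, 1), date(2026, 6, 1)),
    MachineIdentity("billing-sync", "api_key", "carol", date(2025, 3, 1), None),   # carol has left
    MachineIdentity("legacy-export", "app_token", None, date(2025, 11, 1), date(2025, 10, 1)),
    MachineIdentity("retired-bot", "api_key", "bob", date(2024, 1, 1), None, active=False),
]


def check_identity(ident, today, max_age=MAX_AGE_DAYS, people=ACTIVE_PEOPLE):
    """Return the policy findings for one identity; an empty list means it passes."""
    findings = []
    if not ident.active:
        return findings               # already retired: nothing left to govern
    if ident.owner is None:
        findings.append("no_owner")
    elif ident.owner not in people:
        findings.append("owner_offboarded")   # leaver process never reached this credential
    if ident.expires is None:
        findings.append("no_expiry")
    elif ident.expires < today:
        findings.append("expired_but_active")  # expiry recorded, never enforced
    limit = max_age.get(ident.kind)
    if limit is not None and (today - ident.last_rotated).days > limit:
        findings.append("rotation_overdue")
    return findings


def review_machine_identities(identities, today):
    """Map identity name -> findings, listing only identities that fail policy."""
    out = {}
    for ident in identities:
        findings = check_identity(ident, today)
        if findings:
            out[ident.name] = findings
    return out


if __name__ == "__main__":
    for name, findings in review_machine_identities(IDENTITIES, REVIEW_DATE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against the constructed data, the evaluator passes the service account that has an owner, an expiry and a recent rotation, ignores the already retired key, and flags the key whose owner was offboarded and the token nobody owns. Each finding maps to a lifecycle trigger that should have fired before the review, which is exactly what the review is there to confirm.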


Technical breakdown

Why access reviews fail when visibility is limited to SSO and the IdP

Most review programmes only see the applications connected to the identity provider, which means they miss unsanctioned SaaS, personal-credit-card purchases, and app access hidden outside central tooling. That creates a structural blind spot: the review looks complete even when a large share of the application estate is unmanaged. The mechanism is simple, but the failure is serious because governance decisions are made against partial data. Practical implication: expand discovery beyond the IdP so review scope matches the real application landscape.
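The discovery gap is easy to make concrete: union the application inventories from every source you have and diff them against what the IdP knows. The block below is an added example, not code from Zluri or NHI Mgmt Group; the four inventories and the user names are constructed, and the source names (finance, browser, casb) are labels chosen here rather than anything the original specifies.

```python
"""Reconcile application inventories from several discovery sources.

Added example (not code from Zluri or NHI Mgmt Group). The four inventories
below are constructed samples; in practice they would be pulled from the IdP,
finance/expense exports, browser or endpoint telemetry, and the CASB.
"""
from collections import defaultdict

# Constructed inventories: application name -> set of users observed using it.
IDP_APPS = {
    "salesforce": {"alice", "bob"},
    "slack": {"alice", "bob", "carol"},
    "github": {"bob", "carol"},
}
FINANCE_APPS = {            # expense and invoice line items
    "salesforce": set(),    # finance sees the contract, not the users
    "notion": {"dave"},     # personal-card purchase, never connected to SSO
}
BROWSER_APPS = {            # SaaS logins seen in browser/endpoint telemetry
    "slack": {"alice", "grace"},   # grace signs in with a local password
    "notion": {"dave", "erin"},
    "trello": {"erin"},
}
CASB_APPS = {
    "github": {"bob"},
    "trello": {"erin", "frank"},
}
OTHER_SOURCES = {"finance": FINANCE_APPS, "browser": BROWSER_APPS, "casb": CASB_APPS}


def normalize(name):
    """Cheap name normalisation so 'Slack ' and 'slack' count as one app."""
    return name.strip().lower()


def merge_sources(sources):
    """Union all inventories into app -> {users} and record which sources saw each app."""
    merged = defaultdict(set)
    seen_in = defaultdict(set)
    for source_name, inventory in sources.items():
        for app, users in inventory.items():
            app = normalize(app)
            merged[app] |= set(users)
            seen_in[app].add(source_name)
    return merged, seen_in


def review_scope_gap(idp, other_sources):
    """Apps a review scoped to the IdP alone would never list, with who uses them."""
    merged, seen_in = merge_sources({"idp": idp, **other_sources})
    idp_names = {normalize(a) for a in idp}
    return {
        app: {"users": sorted(users), "seen_in": sorted(seen_in[app])}
        for app, users in merged.items()
        if app not in idp_names
    }


def unmanaged_users(idp, other_sources):
    """Users seen on an IdP-managed app by another source but unknown to the IdP.

    These logins bypass SSO (local passwords, personal accounts), so an
    IdP-driven review never puts them in front of a reviewer."""
    merged, _ = merge_sources(other_sources)
    result = {}
    for app, users in idp.items():
        extra = merged.get(normalize(app), set()) - set(users)
        if extra:
            result[normalize(app)] = sorted(extra)
    return result


def coverage_ratio(idp, other_sources):
    """Share of the discovered application estate that an IdP-scoped review covers."""
    merged, _ = merge_sources({"idp": idp, **other_sources})
    return len({normalize(a) for a in idp}) / len(merged) if merged else 1.0


if __name__ == "__main__":
    print("Apps outside IdP scope:", review_scope_gap(IDP_APPS, OTHER_SOURCES))
    print("Non-SSO users on IdP apps:", unmanaged_users(IDP_APPS, OTHER_SOURCES))
    print(f"IdP review covers {coverage_ratio(IDP_APPS, OTHER_SOURCES):.0%} of discovered apps")
```

Two outputs matter for scoping: the apps the IdP has never heard of (here a personal-card Notion purchase and a Trello board seen only by the browser and the CASB), and the users who reach an IdP-managed app without going through SSO. Both are invisible to a review that starts from the IdP's application list, which is the blind spot the paragraph describes.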

How group-based access reviews reduce the entitlement explosion

Group-based review changes the unit of governance from individual user-app pairs to group assignments and memberships. Instead of revalidating the same entitlement pattern hundreds or thousands of times, teams validate the controlling group once and then confirm membership accuracy. That reduces repetitive work while preserving policy control, provided the group model reflects real job functions rather than catch-all access. Practical implication: review role and group design first, because bad grouping scales bad access just as efficiently as good grouping scales control.
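One way to see the reduction, and the caveat about group quality, is to derive the access the group model predicts and compare it with the access actually present in the applications. The block below is an added example, not code from Zluri or NHI Mgmt Group; the group model, the effective-access snapshot and all names are constructed.

```python
"""Turn a per-user entitlement snapshot into a group-based review plan.

Added example (not code from Zluri or NHI Mgmt Group). The group model and
the effective-access snapshot are constructed; in practice they come from the
IdP/IGA export and from reading access back out of each application.
"""

# Constructed group model: which users each group contains ...
GROUP_MEMBERS = {
    "eng": {"alice", "bob", "carol"},
    "sales": {"dave", "erin"},
    "finance-admins": {"frank"},
}
# ... and which (app, role) entitlements each group is meant to grant.
GROUP_GRANTS = {
    "eng": {("github", "write"), ("jira", "user")},
    "sales": {("salesforce", "user"), ("jira", "user")},
    "finance-admins": {("netsuite", "admin")},
}
# Constructed snapshot of access actually present in the applications.
EFFECTIVE_ACCESS = {
    ("alice", "github", "write"), ("alice", "jira", "user"),
    ("bob", "github", "write"),                       # bob's jira access is missing
    ("carol", "github", "write"), ("carol", "jira", "user"),
    ("carol", "netsuite", "admin"),                   # direct grant no group explains
    ("dave", "salesforce", "user"), ("dave", "jira", "user"),
    ("erin", "salesforce", "user"), ("erin", "jira", "user"),
    ("frank", "netsuite", "admin"),
    ("grace", "github", "write"),                     # left eng, access never removed
}


def expected_access(members, grants):
    """Entitlements the group model says each user should hold: (user, app, role)."""
    expected = set()
    for group, users in members.items():
        for user in users:
            for app, role in grants.get(group, ()):
                expected.add((user, app, role))
    return expected


def build_review_plan(members, grants, effective):
    """Review each group once, then only the access the group model cannot explain."""
    expected = expected_access(members, grants)
    group_items = [
        {"group": g, "grants": sorted(grants.get(g, ())), "members": sorted(m)}
        for g, m in members.items()
    ]
    # Present in the apps but not derivable from any group: needs an item-level decision.
    unexplained = sorted(effective - expected)
    # Predicted by the model but absent: drift in the other direction, worth knowing
    # before trusting the group as the source of truth.
    missing = sorted(expected - effective)
    return {
        "group_items": group_items,
        "unexplained": unexplained,
        "missing": missing,
        "per_user_items": len(effective),                  # cost of a user-by-user review
        "group_model_items": len(group_items) + len(unexplained),
    }


if __name__ == "__main__":
    plan = build_review_plan(GROUP_MEMBERS, GROUP_GRANTS, EFFECTIVE_ACCESS)
    print(f"{plan['per_user_items']} per-user decisions -> {plan['group_model_items']} group-model decisions")
    for item in plan["unexplained"]:
        print("needs individual review:", item)
    for item in plan["missing"]:
        print("group model predicts access that is absent:", item)
```

On the constructed data, twelve per-user decisions collapse to three group reviews plus two exceptions the model cannot explain (a direct NetSuite admin grant and a former group member whose access was never removed). The `missing` list is the caveat from the paragraph in code form: if the group model and reality disagree, fix the model before trusting the efficiency gain, because reviewing a wrong group once approves every wrong membership at once.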

Why closed-loop remediation matters more than review completion

A completed review is not a secured environment if the resulting revocations sit in a ticket queue for weeks. Closed-loop remediation means the decision is executed automatically, validated, and confirmed back to the reviewer without a human handoff chain that can stall or drift. This is where governance becomes operational control rather than administrative recordkeeping. Practical implication: connect review decisions to enforceable workflow execution so revocation is measured in minutes, not in backlog time.
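The metrics this section and the earlier answer on auditor sign-off call for (time from decision to revocation, revocations stuck past an SLA, violations that recur across cycles, and how many decisions were executed and verified back) can be computed from the review records themselves. The block below is an added example, not code from Zluri or NHI Mgmt Group; the `Decision` record, its field names and the two constructed quarterly cycles are assumptions standing in for whatever an IGA tool exports.

```python
"""Judge a review cycle by executed, verified change rather than completed forms.

Added example (not code from Zluri or NHI Mgmt Group). The Decision record
and the two constructed quarterly cycles below stand in for whatever the IGA
tool exports; the field names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Decision:
    cycle: str
    user: str
    app: str
    role: str
    action: str                       # "revoke" or "keep"
    decided_at: datetime
    executed_at: Optional[datetime]   # when the change was applied in the target app
    verified: bool = False            # a re-read from the app confirmed the change


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample: two quarterly cycles showing the failure modes the text describes.
DECISIONS = [
    Decision("2025-Q3", "alice", "github", "admin", "revoke", ts("2025-07-01"), ts("2025-07-19"), True),
    Decision("2025-Q3", "bob", "jira", "user", "keep", ts("2025-07-01"), None),
    Decision("2025-Q3", "carol", "netsuite", "admin", "revoke", ts("2025-07-02"), ts("2025-07-02"), True),
    Decision("2025-Q3", "dave", "salesforce", "admin", "revoke", ts("2025-07-03"), None),  # stuck in a queue
    Decision("2025-Q4", "alice", "github", "admin", "revoke", ts("2025-10-01"), ts("2025-10-15"), True),  # recurs
    Decision("2025-Q4", "dave", "salesforce", "admin", "revoke", ts("2025-10-01"), ts("2025-10-03")),  # unverified
]
NOW = ts("2025-10-20")   # constructed "today" for the demo


def revocation_latencies(decisions):
    """Days from decision to execution for every revoke that was actually applied."""
    return [(d.executed_at - d.decided_at).days
            for d in decisions if d.action == "revoke" and d.executed_at]


def open_revocations(decisions, now, sla_days):
    """Revokes waiting longer than the SLA with no execution at all."""
    return [(d.cycle, d.user, d.app, d.role, (now - d.decided_at).days)
            for d in decisions
            if d.action == "revoke" and d.executed_at is None
            and (now - d.decided_at).days > sla_days]


def recurring_violations(decisions):
    """(user, app, role) combinations that had to be revoked in more than one cycle."""
    counts = Counter((d.user, d.app, d.role) for d in decisions if d.action == "revoke")
    return sorted(key for key, n in counts.items() if n > 1)


def closed_loop_rate(decisions):
    """Share of revoke decisions that were both executed and verified back."""
    revokes = [d for d in decisions if d.action == "revoke"]
    closed = [d for d in revokes if d.executed_at is not None and d.verified]
    return len(closed) / len(revokes) if revokes else 1.0


def report(decisions, now, sla_days=7):
    lat = revocation_latencies(decisions)
    return {
        "median_days_to_revoke": median(lat) if lat else None,
        "max_days_to_revoke": max(lat) if lat else None,
        "open_past_sla": open_revocations(decisions, now, sla_days),
        "recurring": recurring_violations(decisions),
        "closed_loop_rate": closed_loop_rate(decisions),
    }


if __name__ == "__main__":
    for key, value in report(DECISIONS, NOW).items():
        print(f"{key}: {value}")
```

Every decision in the constructed sample was "completed" in the sense an audit packet records, yet the report shows an 18-day worst-case lag, a revocation still open after more than a hundred days, the same GitHub admin grant revoked in consecutive quarters, and only three of five revocations confirmed end to end. Those are the numbers to put in front of the programme owner, not the completion percentage.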


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access reviews are failing because the control is being asked to govern an incomplete identity surface. If the review scope stops at the IdP, it will undercount shadow IT, non-SSO SaaS, contractor tools, and other unmanaged application access. That is not a process defect at the margins; it is a governance boundary problem. Practitioners should treat visibility as the precondition for any meaningful recertification outcome.

Closed-loop remediation is the difference between governance evidence and actual risk reduction. Manual review workflows create a wide delay between decision and enforcement, which means the control can report success while the entitlement remains active. The gap is especially visible when the same violations recur quarter after quarter. Practitioners need to judge the process by executed change, not by completed forms.

Role-based and group-based review models are the only scalable answer to entitlement explosion. A human-by-human review model forces teams to re-validate the same entitlement logic over and over, which turns access governance into spreadsheet labor. Group governance collapses that repetition into a smaller set of policy decisions. Practitioners should redesign entitlement architecture so review effort follows governance structure, not user count.

Lifecycle automation should be treated as upstream prevention, not an optional efficiency layer. If offboarding, role change, and contractor expiration are not tied to automatic access changes, the review cycle becomes a cleanup loop for the same recurring failures. The recurring pattern is a classic lifecycle gap, not a review problem alone. Practitioners should align JML, offboarding, and access review so reviews validate prevention instead of compensating for its absence.

Access review programmes that ignore non-human identities will miss the next major class of stale access. Service accounts, API keys, and application tokens do not behave like employee access, but they still require governance, ownership, and lifecycle discipline. If review processes remain human-centric, machine access becomes the path of least scrutiny. Practitioners should extend review logic to non-human identity governance before sprawl becomes normalised.

From our research:

What this signals

Access review programmes are moving toward continuous governance because periodic attestation cannot keep up with application sprawl. The practical signal for teams is that review scope, evidence, and remediation must now be treated as one operating system rather than three disconnected workflows. This is where the NIST Cybersecurity Framework 2.0 becomes useful, because govern, identify, and protect only work when discovery and execution stay linked.

Review governance is now a lifecycle problem, not a checklist problem. If your offboarding, role-change, and contractor expiry workflows do not remove access automatically, your review cycle will keep rediscovering the same violations. That is why the Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs matters even in a human-access article: lifecycle discipline is what prevents recertification from becoming repetitive clean-up.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the next review blind spot is not just employee entitlements but delegated access chains. Teams should prepare to govern who approved the connection, who owns it now, and how it will be revoked when the business relationship changes.


For practitioners

  • Expand discovery beyond the identity provider: Compare the applications visible in your IdP with finance, browser, endpoint, and CASB data so reviews cover the full application estate rather than only SSO-managed apps.
  • Shift recurring reviews to group and role governance: Validate application groups, permission sets, and role mappings first, then use membership checks to confirm that users are in the right access buckets.
  • Automate revocation from review decisions: Connect review outcomes to API-driven execution and proof of completion so revocation does not depend on ticket queues or manual follow-up.
  • Tie offboarding and role changes to access removal: Use HR-driven lifecycle triggers to remove access when employees leave, contractors expire, or job changes make old entitlements unnecessary.
  • Bring non-human identities into the same governance model: Track ownership, expiry, and review cadence for service accounts, tokens, and application credentials so machine access does not sit outside the recertification process.

Key takeaways

  • Access reviews can satisfy compliance requirements while still leaving large portions of the application estate outside governance scope.
  • The strongest evidence of broken review design is recurring violations and long remediation delays, not whether the audit packet was filed on time.
  • Teams that want real risk reduction need discovery, group governance, lifecycle automation, and executable remediation tied together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-1             | Access is only governable when entitlement visibility covers the real estate.
OWASP Non-Human Identity Top 10 | NHI-03              | Credential rotation and lifecycle discipline reduce recurring entitlement risk.
NIST Zero Trust (SP 800-207)    | AC-6                | Least privilege and continuous verification support narrower review scope.

Map access review scope to governed assets and close visibility gaps before recertification.


Key terms

  • Access Review: An access review is a periodic governance check that confirms users, roles, or accounts still need the permissions they hold. In mature programmes, it is not a spreadsheet exercise but a control that validates ownership, scope, and revocation against business need.
  • Closed-loop Remediation: Closed-loop remediation is the process of turning a review decision into an executed access change, then proving the change was applied. It removes the handoff gap between approval and enforcement, which is where many access governance programmes lose effectiveness.
  • Shadow IT: Shadow IT is software or services used without formal approval or central visibility. In access governance, it matters because untracked applications create unreviewed entitlements, hidden accounts, and unmanaged offboarding risk that the identity provider will not show on its own.
  • Non-Human Identity: A non-human identity is a machine- or software-based identity such as a service account, token, API key, certificate, or workload credential. These identities need ownership, lifecycle controls, and review discipline because they can outlive the human process that created them.

Deepen your knowledge

User access review optimisation is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still proving compliance more effectively than it is reducing risk, that course gives you the lifecycle context to close the gap.

This post draws on content published by Zluri: Security & Compliance User Access Review Best Practices. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org