
User access reviews and privilege creep: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: Manual user access reviews struggle to keep pace with role changes, privileged access, and third-party accounts, leaving privilege creep and compliance gaps in cloud, on-prem, and hybrid environments, according to StrongDM. The core issue is that review cadences still assume access is stable long enough to be assessed cleanly, which no longer matches how modern identity estates behave.

NHIMG editorial — based on content published by StrongDM: User Access Review Checklist: Best Practices & Automation

By the numbers:

Questions worth separating out

Q: What breaks when user access reviews are still manual in hybrid environments?

A: Manual reviews break when reviewers cannot reliably see all active entitlements across cloud, on-prem, and third-party systems.

Q: Why do access reviews matter for service accounts as much as for employees?

A: Service accounts often carry durable permissions that outlast the people or projects that created them.

Q: How do organisations know whether access review programmes are actually working?

A: A working access review programme produces timely removals, complete evidence, and fewer exceptions that persist across cycles.

Practitioner guidance

  • Map review scope to effective access: Inventory systems, applications, and data access across human users, service accounts, contractors, and privileged accounts so the review covers actual reach, not just directory records.
  • Separate standard and privileged review cadences: Review high-risk accounts quarterly or more often, and keep standard access on a different schedule so elevated permissions do not hide inside routine recertification cycles.
  • Automate revocation from review decisions: Connect approval outcomes to immediate permission updates, including removal of inherited access and temporary access expiry, so reviewers are not only documenting risk.

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step access review checklist for managers, security teams, and system owners
  • Examples of quarterly and annual review cadences for privileged and standard accounts
  • Automation patterns for alerts, approvals, and revocation workflows across cloud and on-prem systems
  • Compliance documentation guidance for SOX, ISO 27001, HIPAA, and PCI DSS review evidence

👉 Read StrongDM's user access review checklist and automation guidance →
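The three practitioner guidance points above (effective access including inherited grants, separate cadences for privileged and standard access, and revocation driven by review decisions plus temporary-access expiry), as an added example that is not StrongDM's or NHIMG's code. It assumes a small constructed entitlement inventory, a quarterly/annual cadence split stored as constants, and that undecided items fail closed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    principal: str                    # employee, contractor, or service account
    system: str                       # "idp-group" marks a group membership; role is then the group name
    role: str
    privileged: bool
    via_group: Optional[str] = None   # set when the entitlement is inherited from a group
    expires: Optional[date] = None    # set for temporary access
    last_reviewed: Optional[date] = None

CADENCE_DAYS = {True: 90, False: 365}  # assumed cadences: privileged quarterly, standard annually

def overdue(grants, today):
    """Grants never reviewed, or reviewed longer ago than their tier's cadence allows."""
    return [g for g in grants if g.last_reviewed is None
            or today - g.last_reviewed > timedelta(days=CADENCE_DAYS[g.privileged])]

def revocations(grants, decisions, today):
    """Map reviewer decisions {(principal, system, role): "approve"|"revoke"} to removals.
    Not explicitly approved -> revoked (fail closed); expired temporary access goes
    regardless of the decision; access inherited from a revoked group goes with the membership."""
    approved = {k for k, d in decisions.items() if d == "approve"}
    revoked_groups = {(g.principal, g.role) for g in grants
                      if g.system == "idp-group" and (g.principal, g.system, g.role) not in approved}
    out = []
    for g in grants:
        if g.expires is not None and g.expires <= today:
            out.append((g, "temporary access expired"))
        elif g.via_group and (g.principal, g.via_group) in revoked_groups:
            out.append((g, f"inherited via revoked group {g.via_group}"))
        elif (g.principal, g.system, g.role) not in approved:
            out.append((g, "not approved in review"))
    return out

# Constructed sample inventory and review outcomes (not real accounts or systems).
TODAY = date(2025, 6, 1)
GRANTS = [
    Grant("alice", "idp-group", "db-admins", True, last_reviewed=date(2025, 1, 15)),
    Grant("alice", "prod-postgres", "superuser", True, via_group="db-admins", last_reviewed=date(2025, 1, 15)),
    Grant("svc-etl", "prod-postgres", "readwrite", False, last_reviewed=date(2024, 3, 1)),
    Grant("bob-contractor", "aws-prod", "AdministratorAccess", True, expires=date(2025, 5, 15), last_reviewed=date(2025, 4, 1)),
]
DECISIONS = {
    ("alice", "idp-group", "db-admins"): "revoke",       # role changed; admin group no longer needed
    ("svc-etl", "prod-postgres", "readwrite"): "approve",
    # bob-contractor's reviewer never answered, so that grant fails closed
}
```

Running `overdue(GRANTS, TODAY)` flags both of alice's privileged grants and the long-unreviewed service account, and `revocations(GRANTS, DECISIONS, TODAY)` removes alice's group plus the superuser role inherited through it and the contractor's expired temporary admin access, while the approved service account is kept.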
