Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Access reviews and identity context: is your governance keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: RSA says its updated Governance & Lifecycle access review experience uses AI-derived insights, peer comparison, and clearer entitlement context to help reviewers focus on high-risk access and complete certifications with more confidence. The underlying issue is that access reviews fail when they become volume processing instead of governance decisions.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams improve access reviews without adding more reviewer burden?

A: Focus on decision support rather than more manual checking.

Q: Why do access reviews often fail in mature identity programmes?

A: They fail when the process measures completion instead of decision quality.

Q: How can organisations tell whether access certification is actually working?

A: Look for revocations, scope reductions, exception documentation, and fewer repeat approvals of outlier access.

Practitioner guidance

  • Add identity context to every certification item Include business role, entitlement purpose, peer baseline, and recent change history so reviewers are not judging raw lists in isolation.
  • Triage reviews by risk before assigning reviewers Use risk scoring to push unusual, high-impact, or exception-based access to the top of the queue, instead of treating all certifications as equal.
  • Use peer comparison to expose access drift Compare users holding similar roles or responsibilities so inherited privilege, role creep, and one-off exceptions are easier to challenge.

What's in the full announcement

RSA Security's full post covers the operational detail this post intentionally leaves for the source:

  • Interactive product tour showing how reviewers move through the updated access review workflow
  • Specific examples of how AI-derived insights surface high, medium, and low risk access items
  • Demonstration of user comparison views that help validate entitlements against peer patterns
  • Workflow details that show how review decisions are turned into action inside the product

👉 Read RSA Security's post on updated Governance & Lifecycle access reviews →

Access reviews and identity context: is your governance keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Access review fatigue is a governance failure, not a usability issue. When reviewers are forced to process long entitlement lists without enough context, certification becomes a ritual instead of a control. The problem is not that people are slow, it is that the workflow is asking humans to make high-confidence decisions with low-quality signals. The implication is that governance teams must stop treating review completion as evidence of control effectiveness.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who should own access review decisions in an IGA programme?

A: Business owners should remain accountable for the decision, while identity teams provide the evidence and workflow needed to make that decision defensible. Governance works best when approvers understand the access context and the identity team ensures the review process is consistent, auditable, and timely.

👉 Read our full editorial: Access reviews need context, not just faster certification workflows



   
ReplyQuote
Share: