
Access reviews and identity context: is your governance keeping up?


(@nhi-mgmt-group)

TL;DR: RSA says its updated Governance & Lifecycle access review experience uses AI-derived insights, peer comparison, and clearer entitlement context to help reviewers focus on high-risk access and complete certifications with more confidence. The underlying issue is that access reviews fail when they become volume processing instead of governance decisions.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams improve access reviews without adding more reviewer burden?

A: Focus on decision support rather than more manual checking.

Q: Why do access reviews often fail in mature identity programmes?

A: They fail when the process measures completion instead of decision quality.

Q: How can organisations tell whether access certification is actually working?

A: Look for revocations, scope reductions, exception documentation, and fewer repeat approvals of outlier access.

Practitioner guidance

  • Add identity context to every certification item: Include business role, entitlement purpose, peer baseline, and recent change history so reviewers are not judging raw lists in isolation.
  • Triage reviews by risk before assigning reviewers: Use risk scoring to push unusual, high-impact, or exception-based access to the top of the queue, instead of treating all certifications as equal.
  • Use peer comparison to expose access drift: Compare users holding similar roles or responsibilities so inherited privilege, role creep, and one-off exceptions are easier to challenge.

What's in the full announcement

RSA Security's full post covers the operational detail this post intentionally leaves for the source:

  • Interactive product tour showing how reviewers move through the updated access review workflow
  • Specific examples of how AI-derived insights surface high, medium, and low risk access items
  • Demonstration of user comparison views that help validate entitlements against peer patterns
  • Workflow details that show how review decisions are turned into action inside the product

👉 Read RSA Security's post on updated Governance & Lifecycle access reviews →
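
The peer-comparison and risk-triage guidance above, as an added example that is not part of the original post and is not RSA's product logic: it measures how common each entitlement is among holders of the same business role, then orders certification items so peer outliers, high-impact access and recent changes reach the reviewer first. The record fields, sample data, the 0.5 peer threshold and the scoring weights are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (user, business_role, entitlement, high_impact, days_since_granted)
ASSIGNMENTS = [
    ("alice", "ap-clerk", "erp:invoice-read", False, 400),
    ("alice", "ap-clerk", "erp:invoice-post", False, 400),
    ("bob",   "ap-clerk", "erp:invoice-read", False, 380),
    ("bob",   "ap-clerk", "erp:invoice-post", False, 380),
    ("carol", "ap-clerk", "erp:invoice-read", False, 90),
    ("carol", "ap-clerk", "erp:invoice-post", False, 90),
    ("carol", "ap-clerk", "erp:vendor-master-write", True, 12),
    ("dave",  "dba",      "db:prod-admin", True, 700),
    ("erin",  "dba",      "db:prod-admin", True, 650),
    ("erin",  "dba",      "erp:invoice-post", False, 5),
    ("frank", "dba",      "db:prod-admin", True, 500),
]

def peer_prevalence(assignments):
    """Fraction of users in each role who hold each entitlement (the peer baseline)."""
    role_members = defaultdict(set)
    holders = defaultdict(set)
    for user, role, ent, _, _ in assignments:
        role_members[role].add(user)
        holders[(role, ent)].add(user)
    return {key: len(users) / len(role_members[key[0]]) for key, users in holders.items()}

def triage(assignments, peer_threshold=0.5, recent_days=30):
    """Return certification items with identity context attached, highest risk first."""
    prevalence = peer_prevalence(assignments)
    items = []
    for user, role, ent, high_impact, age in assignments:
        share = prevalence[(role, ent)]
        outlier = share < peer_threshold   # held by a minority of role peers
        recent = age <= recent_days        # recent change history
        # Assumed weights: peer outlier 3, high impact 2, recent change 1
        score = 3 * outlier + 2 * high_impact + recent
        items.append({"user": user, "role": role, "entitlement": ent,
                      "peer_share": round(share, 2), "outlier": outlier,
                      "recently_changed": recent, "score": score})
    return sorted(items, key=lambda i: (-i["score"], i["user"], i["entitlement"]))

if __name__ == "__main__":
    for item in triage(ASSIGNMENTS):
        print(item)
```

Items with a score of 0 match the peer baseline and are the ones most prone to rubber-stamp approval, so the ordering keeps reviewer attention on the small set that deviates.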
