TL;DR: Non-human and agent identities already outnumber people, and the roughly 100-hour access review cycle cannot keep up, making governance at machine scale a practical problem rather than a future one, according to Opal Security. Manual review models now fail not because accountability has stopped mattering, but because human pacing no longer fits the identity estate.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- The roughly 100-hour review cycle can't keep up.
Questions worth separating out
Q: How should security teams scale access reviews as non-human identities multiply?
A: They should move from blanket certification campaigns to risk-based review orchestration.
Q: Why do access reviews break down when identity estates become machine-scale?
A: They break down because the review cycle assumes reviewers can inspect access before it changes materially.
Q: What do security teams get wrong about AI-assisted governance?
A: They often treat AI assistance as a substitute for control design.
Practitioner guidance
- Prioritise review scope by access risk: group low-risk grants into bulk certification paths and reserve manual attention for privileged, sensitive, or unusual access patterns.
- Centralise the access graph before adding automation: make sure entitlements, relationships, and decision history are unified enough for an agent to reason over them correctly.
- Keep human approval on every certification: use AI to draft recommendations, group similar grants, and surface evidence, but retain a named reviewer for the final certification decision.
What's in the full announcement
Opal Security's full product post covers the operational detail this post intentionally leaves for the source:
- How Paladin groups low-risk access grants and surfaces the supporting evidence for each certification decision
- The workflow details behind targeted reviews, including query-based scope definition and automatic reviewer assignment
- How AI-assisted remediation and OpalScript fit into policy enforcement without removing human sign-off
- The product's full breakdown of automated reminders, progress tracking, and decision history for audit readiness
👉 Read Opal Security's product post on AI-guided access reviews →
AI-guided access reviews: can human-scale governance keep up?
Explore further
Human-paced review cycles are now a structural mismatch for machine-scale identity estates. Access certification was designed for environments where reviewers could inspect grants one campaign at a time and where the volume of non-human access remained manageable. That assumption fails when agent and workload identities outnumber human users and the decision queue expands faster than human operators can clear it. The implication is that access review itself has become a scaling constraint in identity governance.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which shows how often lifecycle governance still trails operational reality.
A question worth separating out:
Q: How can organisations use AI without weakening audit accountability?
A: Keep AI in the recommendation layer and keep certification authority with a human signer. Record the evidence used, the rationale for each decision, and any remediation steps in a complete audit trail. That gives the programme speed without turning governance into an opaque approval flow.
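The following is an added example, not code from Opal Security, Paladin, or this editorial. It sketches the practitioner guidance above (risk-based triage into bulk and manual paths) together with this answer's audit-trail requirement: an AI recommendation is stored as evidence only, and a certification record cannot be written without a named human reviewer, a rationale, and any remediation step. The grant fields, the risk heuristics (admin privilege, sensitive resource, unusually broad non-human scope, 90-day staleness) and the sample grants are constructed assumptions for illustration.

```python
"""Risk-based access review triage with a human-signed audit trail.

Added example; not the product's code. Grant fields, risk thresholds and
sample data are constructed assumptions.
"""
from dataclasses import dataclass, field, asdict
from enum import Enum


class Path(Enum):
    BULK = "bulk_certification"  # low-risk grants, batch-certified by one signer
    MANUAL = "manual_review"     # privileged, sensitive or unusual grants


@dataclass(frozen=True)
class Grant:
    principal: str
    principal_type: str       # "human", "workload" or "agent"
    resource: str
    privilege: str            # "read", "write" or "admin"
    sensitive: bool           # resource holds regulated or secret data
    days_since_last_use: int  # taken from access logs
    scope_count: int          # resources reachable through this grant


def risk_reasons(g: Grant) -> list[str]:
    """Return why a grant needs manual attention; an empty list means low risk.

    Assumed heuristics: they flag the privileged, sensitive and unusual
    access patterns the guidance reserves for human review.
    """
    reasons = []
    if g.privilege == "admin":
        reasons.append("privileged")
    if g.sensitive:
        reasons.append("sensitive resource")
    if g.principal_type != "human" and g.scope_count > 25:
        reasons.append("unusually broad non-human scope")
    if g.days_since_last_use > 90:
        reasons.append("stale: unused for more than 90 days")
    return reasons


def triage(grants: list[Grant]) -> dict[Path, list[Grant]]:
    """Split a campaign into a bulk path and a manual path by risk."""
    buckets: dict[Path, list[Grant]] = {Path.BULK: [], Path.MANUAL: []}
    for g in grants:
        buckets[Path.MANUAL if risk_reasons(g) else Path.BULK].append(g)
    return buckets


@dataclass
class AuditTrail:
    records: list[dict] = field(default_factory=list)

    def certify(self, grant: Grant, decision: str, reviewer: str,
                evidence: list[str], rationale: str,
                ai_recommendation: str = "", remediation: str = "") -> dict:
        """Record one certification decision.

        The AI recommendation is kept as evidence; the decision itself is
        attributed to a named human reviewer or it is not recorded at all.
        """
        if not reviewer.strip():
            raise ValueError("certification requires a named human reviewer")
        if decision not in ("approve", "revoke"):
            raise ValueError(f"unknown decision {decision!r}")
        if not rationale.strip():
            raise ValueError("certification requires a recorded rationale")
        record = {
            "seq": len(self.records) + 1,
            "grant": asdict(grant),
            "path": (Path.MANUAL if risk_reasons(grant) else Path.BULK).value,
            "risk_reasons": risk_reasons(grant),
            "ai_recommendation": ai_recommendation,
            "evidence": list(evidence),
            "decision": decision,
            "reviewer": reviewer,
            "rationale": rationale,
            "remediation": remediation,
        }
        self.records.append(record)
        return record

    def bulk_certify(self, grants: list[Grant], reviewer: str) -> int:
        """Certify a bulk path in one pass; the signer is still a named human."""
        for g in grants:
            self.certify(g, "approve", reviewer,
                         evidence=["no risk flags", "recently used"],
                         rationale="bulk path: low-risk grant with recent use",
                         ai_recommendation="approve")
        return len(grants)


# Constructed sample campaign (not real identities or resources).
SAMPLE_GRANTS = [
    Grant("alice", "human", "wiki", "read", False, 3, 1),
    Grant("ci-deploy", "workload", "prod-cluster", "admin", True, 1, 40),
    Grant("report-agent", "agent", "analytics-db", "read", False, 120, 5),
    Grant("build-bot", "workload", "artifact-store", "write", False, 2, 3),
]

if __name__ == "__main__":
    buckets = triage(SAMPLE_GRANTS)
    trail = AuditTrail()
    trail.bulk_certify(buckets[Path.BULK], reviewer="bob")
    for g in buckets[Path.MANUAL]:
        print(g.principal, "->", risk_reasons(g))
    print(len(trail.records), "certifications recorded")
```

Two design points matter for the audit question: the triage rules are data-driven from the centralised access graph (privilege, sensitivity, scope, usage), so the bulk path is a documented policy rather than a reviewer's shortcut; and the AI recommendation field sits beside, not in place of, the reviewer and rationale fields, so a later auditor can see what the assistant suggested and who actually decided.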
👉 Read our full editorial: AI-guided access reviews expose the limits of human-scale IAM