TL;DR: AI-guided access reviews reduce reviewer overload by using AI to surface low-risk grants, explain its reasoning, and keep high-risk decisions with a human signer, according to Opal Security. The governance shift is not automation by itself; it is preserving auditability while questioning the assumption that human review scales cleanly past a certain point.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Mercari governs more than 5,000 Okta entitlements through automated reviews on Opal, the kind of scale no quarterly cycle clears by hand.
Questions worth separating out
Q: How should security teams use AI in access reviews without weakening governance?
A: Use AI to pre-process routine entitlements, surface the evidence behind each recommendation, and reserve human approval for elevated or ambiguous access.
Q: When does AI-assisted certification create more risk than it reduces?
A: It creates more risk when the organisation treats recommendations as approvals, or when reviewer trust replaces evidence.
Q: What do IAM teams get wrong about access review automation?
A: They often optimise for campaign completion instead of decision quality.
Practitioner guidance
- Separate low-risk and elevated access workflows: use AI to pre-sort routine grants, but keep elevated or ambiguous entitlements on a human approval path.
- Require rationale logging for every certified grant: capture the signals used, the reviewer’s decision, any delegation, and the final policy basis in a complete history.
- Tune confidence thresholds to policy, not convenience: set explicit escalation thresholds for when AI can recommend, when it can pre-clear, and when a person must decide.
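One way to wire those three points together, as an added example that is not Opal's code: per-tier thresholds decide whether the agent stays silent, recommends, or pre-clears; elevated access never has a pre-clear level; and every outcome is written as a record that names the signals, the basis and the signer. The tier names, threshold values, agent name and sample grants are assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Optional
import json

# Escalation thresholds per risk tier (assumed values, not Opal's). Below "recommend"
# the agent adds nothing; at or above it the agent may recommend; at or above
# "preclear" it may pre-clear. Elevated access has no pre-clear level at all.
POLICY = {
    "low":      {"recommend": 0.70, "preclear": 0.90},
    "elevated": {"recommend": 0.80, "preclear": None},
}

@dataclass
class Grant:
    principal: str
    entitlement: str
    risk_tier: str          # "low", "elevated"; anything else is treated as ambiguous
    ai_confidence: float    # model's confidence that the grant is still appropriate
    signals: list           # evidence behind that confidence, e.g. "used_in_last_30d"

@dataclass
class Decision:
    grant: Grant
    route: str              # "ai_precleared", "ai_recommended", "human_required"
    policy_basis: str
    signals_used: list
    approver: Optional[str] = None   # who actually certified; None until someone signs
    certified: bool = False

def route_grant(g: Grant) -> Decision:
    tier = POLICY.get(g.risk_tier)
    if tier is None:  # unknown tier is ambiguous by definition: a person decides
        return Decision(g, "human_required", "unknown risk tier", g.signals)
    if tier["preclear"] is not None and g.ai_confidence >= tier["preclear"]:
        return Decision(g, "ai_precleared", f"{g.risk_tier} tier, confidence >= {tier['preclear']}",
                        g.signals, approver="access-agent", certified=True)  # agent name assumed
    if g.ai_confidence >= tier["recommend"]:
        return Decision(g, "ai_recommended", f"{g.risk_tier} tier, confidence >= {tier['recommend']}", g.signals)
    return Decision(g, "human_required", f"{g.risk_tier} tier, confidence below {tier['recommend']}", g.signals)

def certify(d: Decision, reviewer: str, keep: bool) -> Decision:
    """A recommendation is not an approval: every non-pre-cleared route needs a named human."""
    if d.route == "ai_precleared":
        raise ValueError("already certified by policy; re-open the grant instead of re-signing it")
    d.approver, d.certified = reviewer, True
    d.policy_basis += f"; reviewer {'kept' if keep else 'revoked'} access"
    return d

def audit_record(d: Decision) -> str:
    # Complete history for auditors: signals, route, policy basis, and who signed.
    return json.dumps(asdict(d), sort_keys=True)
```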
What's in the full announcement
Opal Security's full product post covers the operational detail this post intentionally leaves for the source:
- The campaign-building workflow for natural-language scoping and reviewer assignment.
- The policy tuning controls that determine when Paladin can pre-clear routine grants and when human approval is mandatory.
- The audit trail and decision-history mechanics that support compliance review after certification.
- The examples of how customers are using the access agent in real environments at scale.
👉 Read Opal Security's product update on AI-guided access reviews →
AI-guided access reviews: what changes for IAM teams?
Explore further
Attention is the scarce resource in access governance, not reviewer labour. The article’s core claim is that certification fails when humans are forced to inspect too many low-signal grants at once. That is not a UI problem; it is a governance capacity problem, and it explains why large campaigns degrade into rubber-stamp behaviour. Practitioners should treat reviewer overload as a control failure, not a productivity nuisance.
A few things that frame the scale:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How can organisations keep access certifications defensible for audits?
A: They need a complete history of who approved what, on what basis, and with which supporting signals. A defensible certification trail includes rationale, reassignment, exceptions, and policy context. Without that evidence, auditors can question whether the review was meaningful at all.
👉 Read our full editorial: AI-guided access reviews change how access governance scales