Access request management: what IAM teams need to fix first


(@nhi-mgmt-group)

TL;DR: Access request management is meant to ensure only authorised users receive the right permissions, but the article shows how unmanaged requests still drive overprivilege, weak auditability, and leakage risk across enterprise systems, according to Zluri. The governance issue is no longer request handling itself, but whether access decisions are tied to lifecycle, least privilege, and enforceable review.

NHIMG editorial — based on content published by Zluri: Access Management Access Request Management, an ultimate guide

By the numbers:

Questions worth separating out

Q: How should security teams govern access requests for both users and service accounts?

A: Security teams should use the same governance model for both, but apply it to the correct actor type.

Q: Why do access request workflows so often create overprivilege?

A: They create overprivilege when approval logic focuses on convenience instead of actual entitlement scope.

Q: What breaks when access reviews are not connected to entitlement data?

A: Reviews become ceremonial.

Practitioner guidance

  • Map requests to roles and owners: Require every access request to resolve to a named business owner, a clear role definition, and a documented justification before provisioning.
  • Enforce segregation of duties at approval time: Block requests that would combine conflicting permissions in the same identity, even when the request appears operationally convenient.
  • Track revocation latency as a control metric: Measure the time between role change, offboarding, or contract end and actual permission removal.
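
The three controls above, sketched as an approval-time gate and a latency metric. This is an added example, not code from Zluri or from this post; the entitlement names, conflict pairs, field names and sample identities are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed SoD policy: entitlement pairs one identity must not hold together.
SOD_CONFLICTS = {frozenset({"payments:create", "payments:approve"}),
                 frozenset({"iam:grant", "audit:delete-logs"})}

@dataclass
class AccessRequest:
    identity: str            # user or service account name
    actor_type: str          # "human" or "service"
    role: str                # role definition the request resolves to
    entitlements: frozenset  # entitlements the requested role would add
    owner: str               # named business owner
    justification: str       # documented reason for the request

def evaluate(req, current_entitlements):
    """Return (decision, reasons); deny unless every approval-time check passes."""
    reasons = []
    if req.actor_type not in ("human", "service"):
        reasons.append("unknown actor type")
    for field in ("owner", "role", "justification"):
        if not getattr(req, field).strip():
            reasons.append(f"missing {field}")
    # SoD is checked on what the identity would hold after provisioning.
    combined = set(current_entitlements) | set(req.entitlements)
    for pair in SOD_CONFLICTS:
        if pair <= combined:
            reasons.append("SoD conflict: " + " + ".join(sorted(pair)))
    return ("deny" if reasons else "approve", sorted(reasons))

def revocation_latency_hours(trigger_at, revoked_at, now):
    """Hours from trigger (role change, offboarding, contract end) to removal.
    Access not yet revoked is measured up to `now`, so open exposure counts."""
    end = revoked_at or now
    return (end - trigger_at).total_seconds() / 3600

if __name__ == "__main__":
    # Constructed sample: a service account that already holds payments:create.
    req = AccessRequest("svc-billing", "service", "payments-approver",
                        frozenset({"payments:approve"}), "finance-ops-lead",
                        "month-end run")
    print(evaluate(req, {"payments:create"}))
    print(revocation_latency_hours(datetime(2024, 1, 1, 9), None,
                                   datetime(2024, 1, 2, 9)))
```

The same gate runs for human and service identities; only the actor type recorded on the request differs.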

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor structures access request workflows across apps, approvals, and admin routing.
  • What its platform says about request tracking, changelogs, and approval transparency for IT teams.
  • How HR system integration is used to keep access aligned with role changes.
  • Which product capabilities Zluri associates with access request handling, app sharing, and SaaS stack optimisation.

👉 Read Zluri's guide to access request management and least privilege →
