TL;DR: Access request management is meant to ensure only authorised users receive the right permissions, but the article shows how unmanaged requests still drive overprivilege, weak auditability, and leakage risk across enterprise systems, according to Zluri. The governance issue is no longer request handling itself, but whether access decisions are tied to lifecycle, least privilege, and enforceable review.
NHIMG editorial — based on content published by Zluri: Access Management Access Request Management, an ultimate guide
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams govern access requests for both users and service accounts?
A: Security teams should use the same governance model for both, but apply it to the correct actor type.
Q: Why do access request workflows so often create overprivilege?
A: They create overprivilege when approval logic focuses on convenience instead of actual entitlement scope.
Q: What breaks when access reviews are not connected to entitlement data?
A: Reviews become ceremonial.
Practitioner guidance
- Map requests to roles and owners: require every access request to resolve to a named business owner, a clear role definition, and a documented justification before provisioning.
- Enforce segregation of duties at approval time: block requests that would combine conflicting permissions in the same identity, even when the request appears operationally convenient.
- Track revocation latency as a control metric: measure the time between role change, offboarding, or contract end and actual permission removal.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor structures access request workflows across apps, approvals, and admin routing.
- What its platform says about request tracking, changelogs, and approval transparency for IT teams.
- How HR system integration is used to keep access aligned with role changes.
- Which product capabilities Zluri associates with access request handling, app sharing, and SaaS stack optimisation.
👉 Read Zluri's guide to access request management and least privilege →
Access request management: what IAM teams need to fix first?
Explore further
Access request management is no longer a service desk concern; it is entitlement governance. The article correctly frames requests as a security control, but the deeper issue is that approval workflows often define access faster than governance can review it. That means request handling must be treated as part of the broader identity control plane, not as a fulfilment queue. Practitioners should read every access request as a statement about who can justify privilege.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do organisations reduce the risk of stale access after offboarding?
A: They need an automated revocation path that is tied to the same identity record used for approval. Access should be removed when employment, contract, or service conditions end, and the organisation should verify that removal across all linked applications, secrets, and delegated accounts before closing the record.
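The practitioner guidance above (owner and role mapping, segregation of duties at approval time, revocation latency) and this offboarding answer describe checks that can be modelled directly. The following is an added example written for this post, not code from Zluri or NHIMG; the role catalogue, SoD rules, identities, applications and timestamps are constructed sample data, and the function names are assumptions. It applies the same checks to users and service accounts, rejects requests that would combine conflicting entitlements, and reports revocation latency only once every linked object has actually been removed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed role catalogue (assumption): role name -> entitlements it grants.
ROLE_CATALOG: Dict[str, Set[str]] = {
    "ap-clerk": {"payments.create", "vendor.read"},
    "ap-approver": {"payments.approve", "vendor.read"},
    "vendor-admin": {"vendor.create", "vendor.read"},
    "ci-deployer": {"deploy.prod", "secrets.read"},
}

# Constructed segregation-of-duties rules: entitlement pairs one identity must never hold together.
SOD_CONFLICTS = {
    frozenset({"payments.create", "payments.approve"}),
    frozenset({"vendor.create", "payments.approve"}),
}


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    identity: str
    identity_type: str        # "user" or "service_account"; both get the same checks
    role: str
    owner: Optional[str]      # named business owner; None means unresolved
    justification: str


def validate_request(req: AccessRequest, current: Set[str]) -> List[str]:
    """Return policy violations for a request; an empty list means it may be provisioned.

    `current` is the set of entitlements the identity already holds, so the SoD
    check covers the combination of existing and requested access, not the
    request in isolation.
    """
    problems: List[str] = []
    if req.identity_type not in ("user", "service_account"):
        problems.append(f"unknown actor type {req.identity_type!r}")
    granted = ROLE_CATALOG.get(req.role)
    if granted is None:
        problems.append(f"role {req.role!r} not in catalogue")
        granted = set()
    if not req.owner:
        problems.append("no named business owner")
    if len(req.justification.split()) < 3:
        problems.append("justification missing or too short")
    combined = current | granted
    for pair in SOD_CONFLICTS:
        if pair <= combined:
            problems.append("SoD conflict: " + " + ".join(sorted(pair)))
    return problems


def unverified_removals(removals: Dict[str, Optional[datetime]]) -> List[str]:
    """Linked apps, secrets or delegated accounts with no recorded removal yet."""
    return sorted(obj for obj, removed_at in removals.items() if removed_at is None)


def revocation_latency(trigger: datetime,
                       removals: Dict[str, Optional[datetime]]) -> Optional[timedelta]:
    """Time from the lifecycle trigger (offboarding, role change, contract end)
    to the LAST linked removal. Returns None while any linked object still has
    access, so the record cannot be closed early."""
    if unverified_removals(removals):
        return None
    return max(removals.values()) - trigger


if __name__ == "__main__":
    # Constructed sample: alice already creates payments and asks for approval rights.
    req = AccessRequest("REQ-1", "alice", "user", "ap-approver",
                        "finance-lead", "Covers approvals during quarter close")
    print(validate_request(req, {"payments.create", "vendor.read"}))

    # Constructed sample: offboarding trigger with one API key still not revoked.
    trigger = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    removals = {
        "erp": trigger + timedelta(hours=1),
        "vpn": trigger + timedelta(days=2),
        "api-key:ci": None,
    }
    print(unverified_removals(removals), revocation_latency(trigger, removals))
```

The SoD check is deliberately run against the identity's existing entitlements plus the requested role, which is where convenience-driven approvals usually go wrong: each request looks harmless on its own. Likewise `revocation_latency` refuses to produce a number until every linked object is confirmed removed, so the metric cannot be closed out while an API key or delegated account is still live.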
👉 Read our full editorial: Access request management is now a governance problem, not a ticketing one