TL;DR: Access reviews only appear complete when they cover the systems already integrated into governance workflows; unintegrated apps, shadow IT, external identity environments, and local access remain invisible and unreviewed according to OpenIAM. The result is not mismanaged access but unmanaged access, so visibility, not review volume, becomes the decisive control boundary.
NHIMG editorial — based on content published by OpenIAM: Access Reviews Without System Coverage Create Governance Blind Spots
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: What breaks when access reviews do not cover every system with permissions?
A: Governance becomes selective rather than complete.
Q: When should organisations expand access review scope instead of increasing review volume?
A: Always, when the goal is assurance rather than activity.
Q: What do security teams get wrong about successful access certification?
A: They often confuse campaign completion with control coverage.
Practitioner guidance
- Rebuild certification scope from the ground up Map every application, directory, SaaS platform, and external identity source that can grant access, then compare that inventory to the systems currently included in access reviews.
- Separate visible review completion from actual coverage Track two metrics side by side: the percentage of reviewed entitlements and the percentage of identity-bearing systems covered by governance workflows.
- Pull privileged and local accounts into a dedicated scope Create a separate inventory for administrative accounts, service accounts, and local access paths, then require them to appear in certification or compensating control workflows.
What's in the full article
OpenIAM's full article covers the operational detail this post intentionally leaves for the source:
- A breakdown of why certification campaigns appear complete even when only a subset of applications is connected to governance.
- Specific examples of the system types most often excluded from access review workflows, including shadow IT, legacy platforms, and external identity environments.
- The article's own explanation of how coverage gaps translate into unmanaged access rather than merely imperfect reporting.
- A direct comparison between review volume and review scope, showing why more activity does not close visibility gaps.
👉 Read OpenIAM's analysis of access review coverage gaps and governance blind spots →
Access review blind spots: are your governance scopes complete?
Explore further
Coverage blindness is the real governance failure, not review execution. OpenIAM's core point is that access reviews can only certify what has been integrated into scope, which means organisations often mistake process completion for actual control coverage. That is a structural limitation of governance architecture, not a minor operational miss. The implication is that identity governance must be judged on field of view before it is judged on review quality.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when access exists outside identity governance coverage?
A: Accountability sits with the organisation that defined the scope, not with the reviewers who completed it. Governance teams, IAM owners, and system owners must jointly ensure that identity-bearing systems are included or explicitly risk-accepted. Standards such as the NIST Cybersecurity Framework 2.0 support that shared governance responsibility.
👉 Read our full editorial: Access review coverage gaps create blind spots in identity governance