TL;DR: Access review programmes often create a false sense of control when teams focus on completion rates, not whether the review mechanism actually prevents failure, according to Zluri’s access review hub. The real governance gap is the difference between process and control, especially when manual evidence, stalled remediation, and weak scoping let risky access persist.
NHIMG editorial — based on content published by Zluri: the Access Review Resource Hub
By the numbers:
- Most organizations discover 60-80 apps they didn't even know existed during this phase.
- 120 days a year of IT time spent on manual work instead of building systems equals $144,000 in IT costs.
- The article notes that manual processes consume 596 hours annually and leave 18% of revocations unexecuted.
Questions worth separating out
Q: What breaks when access reviews are treated as a compliance exercise instead of a control?
A: The main failure is that teams can complete the review without changing access.
Q: Why do access reviews still fail even when completion rates are high?
A: High completion rates do not prove that the right identities, entitlements, or systems were reviewed.
Q: How can security teams know whether access reviews are actually working?
A: Look for evidence that reviews reduce standing access, close remediation tickets, and remove inherited or stale entitlements inside the target systems.
Practitioner guidance
- Separate process from control ownership: document which step creates evidence, which step makes a decision, and which step actually changes access.
- Rebuild discovery before expanding review scope: inventory applications, SSO groups, delegated admin paths, and shadow access paths before the next certification cycle.
- Enforce remediation verification: require proof that a revoked entitlement is no longer effective in the target system, not just evidence that someone marked it for removal.
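The verification step above is straightforward to automate: take the decisions exported from the review tool, take a post-remediation snapshot of effective entitlements from the target systems, and reconcile the two. The script below is an added example written for this post, not Zluri's code or any product API; the decision export and snapshot formats are assumed, and the records are constructed sample data. It reports revocations that were executed, revocations still effective because the access was never removed, revocations that survive through group inheritance, and entitlements that were never in review scope at all (the discovery gap the previous item describes).

```python
"""Reconcile access review decisions against effective access.

Added example (not Zluri's code). Assumptions: the review tool exports one
(identity, system, entitlement, decision) row per reviewed item, and each
target system can be queried for how an entitlement is currently held
("direct" or "group:<name>"). All records below are constructed samples.
"""

# Constructed sample: what the certification cycle decided.
REVIEW_DECISIONS = [
    ("alice",      "crm", "admin",    "revoke"),
    ("bob",        "crm", "viewer",   "approve"),
    ("carol",      "erp", "ap-clerk", "revoke"),
    ("svc-report", "erp", "db-owner", "revoke"),
    ("dave",       "crm", "admin",    "approve"),
]

# Constructed sample: effective access observed in the target systems after
# the remediation window closed. The fourth field records the grant path.
POST_SNAPSHOT = [
    ("alice",      "crm", "admin",    "group:crm-admins"),  # direct grant removed, still inherited
    ("bob",        "crm", "viewer",   "direct"),
    ("svc-report", "erp", "db-owner", "direct"),            # revocation never executed
    ("dave",       "crm", "admin",    "direct"),
    ("erin",       "erp", "ap-clerk", "direct"),            # never appeared in the review
]


def verify_remediation(decisions, snapshot):
    """Classify every revocation by what the target system actually shows.

    Returns a dict with four lists keyed by outcome:
      executed      - entitlement is gone from the target system
      not_executed  - entitlement is still held directly
      inherited     - direct grant gone, but access persists via a group
      unscoped      - effective entitlements the review never covered
    """
    effective = {(i, s, e): via for i, s, e, via in snapshot}
    reviewed = {(i, s, e) for i, s, e, _ in decisions}
    result = {"executed": [], "not_executed": [], "inherited": [], "unscoped": []}

    for identity, system, entitlement, decision in decisions:
        if decision != "revoke":
            continue  # approvals need no remediation proof
        key = (identity, system, entitlement)
        via = effective.get(key)
        if via is None:
            result["executed"].append(key)
        elif via.startswith("group:"):
            result["inherited"].append((key, via))
        else:
            result["not_executed"].append(key)

    # Anything live in the target systems that no reviewer ever saw is a
    # scoping failure, not a remediation failure, and is reported separately.
    for key in effective:
        if key not in reviewed:
            result["unscoped"].append(key)
    return result


def revocation_gap_rate(result):
    """Share of decided revocations that are still effective (direct or inherited)."""
    still_effective = len(result["not_executed"]) + len(result["inherited"])
    total = still_effective + len(result["executed"])
    return still_effective / total if total else 0.0


if __name__ == "__main__":
    outcome = verify_remediation(REVIEW_DECISIONS, POST_SNAPSHOT)
    for bucket, items in outcome.items():
        print(f"{bucket}: {items}")
    print(f"revocation gap rate: {revocation_gap_rate(outcome):.0%}")
```

The gap rate is the metric the post argues for: on the sample data two of three revocations are still effective (one never executed, one inherited), even though every reviewer completed their task. Run against real exports, the `inherited` and `unscoped` buckets are the ones that tend to persist across cycles and deserve owners before the next certification starts.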
What's in the full article
Zluri's full resource hub covers the operational detail this post intentionally leaves for the source:
- Step-by-step access review maturity guidance for teams moving from ad-hoc checks to scaled governance.
- Specific process templates for periodic, continuous, and risk-based access review programmes.
- Detailed implementation advice for access certification, recertification, and remediation workflows.
- Practical coverage of review delegation, reporting, and audit readiness across different programme stages.
👉 Read Zluri's access review resource hub for practical maturity guidance →
Access review controls: where process breaks down for IAM teams?
Explore further
Access review is only a control when it changes entitlement state. Completion metrics can look healthy while stale access, group inheritance, and unresolved exceptions continue to expose the environment. That is why review governance must be judged by revoked, corrected, or constrained access, not by the number of reviewers who clicked approve. Practitioners should treat attestation as evidence of action, not the action itself.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who should own remediation after an access review finds an issue?
A: Ownership should be explicit before the review starts. Security may coordinate, managers may attest, and app owners may approve, but someone must be accountable for executing the change and proving that it took effect. Without clear ownership, review findings become permanent exceptions.
👉 Read our full editorial: Access review controls fail when process replaces governance