
Access reviews and agentic UARs: is your review process keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Access reviews often degrade into rubber stamping because reviewers face too many entitlements, too little context, and too much disruption risk, according to Twine Security. Agentic UARs only improve governance when they raise decision quality, preserve accountability, and keep actions inside explicit permission boundaries.

NHIMG editorial — based on content published by Twine Security: Access reviews are broken, and agentic UARs change the calculus

Questions worth separating out

Q: How should security teams use AI in access reviews without losing control?

A: Use AI to collect evidence, rank risk, and draft recommendations, but keep final approval with a human for high-impact access.

Q: Why do access reviews so often become rubber stamping?

A: Rubber stamping happens when reviewers face too many items, too little context, and too much fear that removing access will break work.

Q: What should organisations measure to know whether access reviews are working?

A: Measure revoke and downgrade rates where evidence supports action, the completeness of evidence attached to each item, and whether audit packages can be reproduced later.

Practitioner guidance

  • Rebuild review criteria around decision quality: Track revoke, downgrade, and time-bound outcomes alongside completion rates so the programme measures whether reviewers are making better decisions, not simply faster ones.
  • Require evidence provenance for every entitlement: Force each review item to show why access exists, what it enables, how recently it was used, and which source systems produced the evidence before the reviewer sees it.
  • Set hard permission boundaries for agentic workflows: Allow the system to assemble evidence and recommend actions, but restrict execution to safe, policy-approved steps such as ticket creation or confirmation requests.
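As an added illustration (not code from this post or from Twine Security), a small Python model of the three guidance points above: evidence completeness per review item, an allowlist boundary on what the agent may execute on its own, a named human approver for privileged removals, and the decision-quality metrics. The field names, the 90-day non-use threshold and the sample items are assumptions.

```python
import hashlib
import json

# Evidence each item must carry before a reviewer sees it (the post's provenance rule)
REQUIRED_EVIDENCE = ("why_exists", "what_it_enables", "last_used_days", "source_systems")
# Assumed policy boundary: the only steps the agent may execute on its own
AGENT_ALLOWED_ACTIONS = {"create_ticket", "request_confirmation"}
UNUSED_DAYS = 90  # assumed non-use threshold for "evidence supports removal"

def evidence_completeness(item):
    # Fraction of required evidence fields actually populated
    present = sum(1 for k in REQUIRED_EVIDENCE if item["evidence"].get(k) not in (None, "", []))
    return present / len(REQUIRED_EVIDENCE)

def evidence_supports_action(item):
    # Only complete evidence showing prolonged non-use justifies removal
    return evidence_completeness(item) == 1.0 and item["evidence"]["last_used_days"] >= UNUSED_DAYS

def agent_act(item, action):
    # Hard permission boundary: anything outside the allowlist is refused, not executed
    if action not in AGENT_ALLOWED_ACTIONS:
        raise PermissionError(f"agent may not execute {action!r}")
    return {"entitlement": item["entitlement"], "action": action, "actor": "agent"}

def record_decision(item, decision, approver):
    # Material changes to privileged access need a named human approver
    if decision in ("revoke", "downgrade") and item["privileged"] and approver == "agent":
        raise PermissionError("privileged removal requires a human approver")
    item.update(decision=decision, approver=approver)
    return item

def audit_package(items):
    # Deterministic digest of the evidence bundle so the audit package can be reproduced later
    return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()

def decision_quality(items):
    # Revoke/downgrade rate where evidence supports action, plus mean evidence completeness
    actionable = [i for i in items if evidence_supports_action(i)]
    acted = [i for i in actionable if i.get("decision") in ("revoke", "downgrade")]
    return {"action_rate": len(acted) / len(actionable) if actionable else 0.0,
            "evidence_completeness": sum(evidence_completeness(i) for i in items) / len(items)}

# Constructed sample review items (not from the post)
ITEMS = [
    {"user": "alice", "entitlement": "prod-db-admin", "privileged": True, "recommendation": "revoke",
     "evidence": {"why_exists": "former on-call DBA", "what_it_enables": "schema changes",
                  "last_used_days": 120, "source_systems": ["iam", "db-audit"]}},
    {"user": "carol", "entitlement": "finance-reports-read", "privileged": False, "recommendation": "keep",
     "evidence": {"why_exists": "", "what_it_enables": "read reports", "last_used_days": 200, "source_systems": []}},
]
```

Carol's item is deliberately incomplete, so it never counts as "evidence supports action" even though it is unused, which is the provenance rule doing its job.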

What's in the full article

Twine Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The four signal upgrades in more implementation depth, including evidence completeness, usage enrichment, prioritisation, and rationale generation.
  • The guardrail questions executives should ask before allowing agentic review workflows to touch privileged or sensitive entitlements.
  • Practical evaluation criteria for audit outputs, rollback handling, and exception management in real certification programmes.
  • How the approach fits into existing IAM and IGA workflows without turning access reviews into another opaque automation layer.

👉 Read Twine Security's analysis of why access reviews become rubber stamping →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Rubber stamping is a control-design failure, not reviewer laziness: Access review programmes collapse when they ask humans to make high-volume entitlement decisions with poor evidence and high disruption risk. That structure predictably drives blanket approval, even in well-intentioned teams. The implication is that attestation quality has to be treated as a control property, not a training issue.

A few things that frame the scale:

  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
  • 59% of infrastructure leaders cite "confidently wrong" AI configuration as their top fear, underscoring how easily automated decisioning can produce certainty without sound control.

A question worth separating out:

Q: Who should retain responsibility when AI assists access certification?

A: Human reviewers should retain responsibility for high-risk access decisions, especially privileged or sensitive entitlements. AI can recommend, enrich, and prioritise, but it should not erase accountability. The organisation must be able to show which person approved each material change and why.

👉 Read our full editorial: Access reviews are broken: what agentic UARs change for IAM
