TL;DR: Access reviews, stale access, and AI-assisted role mining can all be automated across the company, with audit evidence, SoD checks, and reviewer workflows captured in one place, according to Lumos. The governance lesson is that continuous identity oversight now depends on review automation, not periodic cleanup.
NHIMG editorial — based on content published by Lumos: How Lumos Uses Lumos to Reduce Organizational Risk via Effective Governance
Questions worth separating out
Q: How should teams modernise access reviews without losing audit evidence?
A: Teams should centralise review execution in a governed workflow that records due dates, reviewer decisions, comments, and resulting access changes.
Q: Why do manual access reviews create governance risk in IAM programmes?
A: Manual reviews create risk because they rely on human coordination across multiple systems, which increases delay, inconsistency, and missed remediation.
Q: What do security teams get wrong about AI in identity governance?
A: They often assume AI can take over governance decisions, when its real value is analysis and prioritisation.
Practitioner guidance
- Replace review sprawl with a single governed workflow Move access reviews out of spreadsheets and ticket queues into one system that captures due dates, reviewer comments, decisions, and resulting entitlement changes.
- Use review outcomes to remove stale access quickly Treat every review as a remediation trigger for unused entitlements, out-of-scope roles, and access that no longer matches the user's function.
- Define how AI can support governance decisions Set boundaries for AI-assisted identity analysis so the system can flag anomalies and prioritise work without becoming the approver of record.
What's in the full article
Lumos' full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step access review workflow design across multiple applications and reviewer groups
- How Lumos captures comments, decisions, timestamps, and exportable audit evidence inside the platform
- Examples of how AI-driven analysis flags unused licences, stale access, and role outliers for remediation
- The internal governance logic used to distinguish birthright access from requestable access
👉 Read Lumos' blog post on how it uses its platform for identity governance →
Access reviews and AI identity agents: what changes for IAM teams?
Explore further
Manual review processes fail first at consistency, not intent. The article shows a common governance pattern: teams know access reviews matter, but they execute them through spreadsheets, tickets, and follow-up email. That model breaks because the control depends on human coordination across multiple systems, not on a stable governance workflow. The implication is that review programmes should be judged on execution reliability, not just policy completeness.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- That confidence gap sits alongside another finding from The 2024 ESG Report: Managing Non-Human Identities, where 72% of organisations said they have experienced or suspect a breach of non-human identities.
A question worth separating out:
Q: How can organisations tell whether access governance is actually working?
A: Look for evidence that reviews are completed on time, decisions are captured in one system, stale access is removed promptly, and audit proof is ready without manual effort. If the programme can only prove control after a scramble, it is not operating continuously.
👉 Read our full editorial: Lumos' governance model shows where manual access reviews fail