TL;DR: Traditional access reviews assume reviewers can judge whether access should remain from permissions alone, but real risk is shaped by effective authority across groups, delegation, service identities, and cross-system relationships, according to Gathid. That makes most review decisions approximations, not assurance, because the control is measuring intent rather than what an identity can actually do.
NHIMG editorial — based on content published by Gathid: Access reviews are built on a simple premise, but the article argues that effective authority is what really determines risk
Questions worth separating out
Q: What breaks when access reviews are based only on granted permissions?
A: Reviews based only on granted permissions miss whether access was actually used, whether it was excessive, and whether it still matches the job or workload.
Q: Why do access reviews miss hidden privilege paths?
A: Access reviews usually examine entitlements one system at a time, which means they can miss how separate permissions combine into control across platforms.
Q: What do security teams get wrong about access reviews?
A: Teams often treat access reviews as proof of control, when they are really only a point-in-time check.
Practitioner guidance
- Map effective authority paths before recertification Trace how direct entitlements, nested roles, delegated permissions, and service identities combine into end-to-end capability.
- Separate human review from machine authority analysis Do not run service accounts and automation through the same review logic used for employee access.
- Add point-in-time authority evidence to every approval Capture what the identity could execute at the moment of review, including escalation routes and transitive access.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How access review workflows represent inheritance, delegated permissions, and cross-system authority in real environments.
- Examples of why permission-only recertification produces approval decisions that look compliant but miss practical control paths.
- A deeper explanation of why effective authority is a better review unit than role membership for IAM and IGA teams.
👉 Read Gathid's analysis of why access reviews miss effective authority →
Access reviews and effective authority: what are teams missing?
Explore further
Access reviews fail when permissions are treated as the unit of risk. Permissions express intent, but effective authority is what creates exposure. When reviewers approve access from entitlements alone, they are validating a partial model of identity behaviour. The implication is that access review design must be anchored to realised capability, not the permission list that produced it.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when a review approves excessive authority?
A: Accountability sits with the access owner, the control owner, and the governance process that accepted an incomplete evidence set. If the review cannot show effective authority, then the organisation has not actually demonstrated control. Regulators and auditors will judge the outcome by whether risk was truly evaluated, not whether a campaign was completed.
👉 Read our full editorial: Access reviews fail when authority is hidden behind permissions