Access reviews and entitlement governance: where teams still struggle


(@nhi-mgmt-group)

TL;DR: Ninety percent of organisations already periodically review access entitlements or plan to do so within three years, according to Netwrix’s survey of 590 IT professionals, but 41% still run reviews manually without business users involved. That gap shows access review is now a baseline control, while governance quality and operational discipline remain uneven.

NHIMG editorial — based on content published by Netwrix: 2022 Access Reviews Analytical Note

By the numbers:

Questions worth separating out

Q: How should organisations run access reviews so they reduce risk instead of just meeting audit requirements?

A: Organisations should route reviews to the people who can judge actual business need, not just technical assignment, and they should prioritise high-risk access first.

Q: Why do access reviews often fail to remove excessive permissions?

A: They fail when the process focuses on completion rather than decision quality.

Q: What is the difference between a manual access review and a governed entitlement review?

A: A manual review checks permissions in a labour-intensive way, often through spreadsheets or email, while a governed entitlement review uses defined ownership, structured evidence, and audit trails to support a defensible decision.

Practitioner guidance

  • Segment reviews by access criticality. Prioritise high-risk entitlements, privileged roles, and externally exposed access before low-risk routine permissions.
  • Require business ownership for approval decisions. Assign each review item to an accountable business owner who can confirm whether access is still required for the role or task.
  • Use review evidence to drive revocation, not reporting. Track whether each review results in retain, modify, or revoke decisions and measure how often stale access is actually removed.

What's in the full report

Netwrix's full analytical note covers the survey detail this post intentionally leaves for the source:

  • The respondent breakdown behind the 590 IT professionals surveyed, useful for judging how broadly the findings apply.
  • The manual versus automated review diagrams that show how organisations approach entitlement governance by size.
  • The dedicated-tool benefit comparison, including why respondents prioritised risk reduction and time savings.
  • The full access review framing and supporting charts that are not reproduced in this independent analysis.

👉 Read Netwrix's access review survey analysis for the full findings →
