TL;DR: Quarterly access reviews catch recurring overprovisioning, offboarding gaps, and role drift, but they do not fix the workflows that create those failures, according to Zluri. The governance problem is not review frequency alone; it is the missing feedback loop between access reviews and access management.
NHIMG editorial — based on content published by Zluri: Access Management, The Two Wings of Access Governance: Reviews and Management
Questions worth separating out
Q: How should teams connect access reviews with access management?
A: Teams should treat review findings as input to workflow redesign, not as a standalone remediation list.
Q: Why do access reviews keep finding the same problems every quarter?
A: Because reviews detect the symptom, but they do not repair the upstream cause.
Q: What do security teams get wrong about quarterly access reviews?
A: They often treat quarterly reviews as proof that governance is working.
Practitioner guidance
- Convert recurring findings into workflow defects: tag every repeated access review issue by root cause, then route it into the provisioning, transfer, or offboarding workflow that created it.
- Shorten validation cycles for high-risk access: run weekly validation for admin, production, and financial access, and reserve longer cycles only for low-risk entitlements.
- Tie role design to observed exceptions: if a role keeps requiring manual exceptions, redesign the role rather than preserving the exception pattern.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step model for linking review findings to provisioning and offboarding workflow fixes.
- Practical examples of how recurring access exceptions should change role design and policy maintenance.
- Implementation guidance for connecting review outputs to workflow backlogs and revalidation cycles.
- A platform-oriented view of how access reviews, access management, and access requests can be operationalised together.
👉 Read Zluri's analysis of why access reviews and access management must work together →
Access reviews and management: where is your governance loop broken?
Explore further
Reviews and management are not adjacent controls. They are one governance system. Access reviews identify bad outcomes, but access management determines whether those outcomes reappear. When those functions sit in separate teams or separate tools, organisations preserve the root cause while endlessly remediating the symptom. The implication is that governance maturity is measured by whether review findings reduce over time, not by whether attestations are completed on schedule.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- The same report found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, showing how quickly governance gaps repeat when lifecycle controls fail.
A question worth separating out:
Q: How do organisations know whether access governance is actually improving?
A: Look for a declining rate of repeat findings, faster correction of workflow defects, and fewer manual exceptions in core roles. If the same issues keep returning, governance is not improving even if the review calendar is perfectly on time. Improvement shows up as shorter feedback loops and less drift between policy and reality.
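As an added illustration (not code from Zluri's article or from this editorial), the Python sketch below runs both checks described on this page over a constructed set of review findings: it tags recurring findings by the lifecycle workflow that created them, as the practitioner guidance above recommends, and it computes the per-cycle repeat-finding rate that the answer above treats as the real improvement signal. The sample data, the three root-cause labels (provisioning, transfer, offboarding) and the function names are assumptions made for illustration.

```python
"""Repeat-finding analysis across access review cycles.

Added example, not part of Zluri's article or the NHIMG editorial. The
findings below are constructed sample data; the root-cause labels follow
the practitioner guidance (provisioning / transfer / offboarding).
"""
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    cycle: str        # review cycle, sortable as a string (e.g. "2024Q2")
    principal: str    # human or non-human identity holding the access
    entitlement: str  # role or permission flagged by the review
    root_cause: str   # lifecycle workflow that produced the bad state


# Constructed sample: one service account is re-flagged every quarter because
# the provisioning template keeps granting prod-admin; offboarding leaks a new
# principal most quarters; transfers leave finance-rw behind.
FINDINGS = [Finding(*row) for row in [
    ("2024Q1", "svc-ci", "prod-admin", "provisioning"),
    ("2024Q1", "alice", "finance-rw", "transfer"),
    ("2024Q1", "bob", "prod-admin", "offboarding"),
    ("2024Q2", "svc-ci", "prod-admin", "provisioning"),   # repeat
    ("2024Q2", "alice", "finance-rw", "transfer"),        # repeat
    ("2024Q2", "carol", "prod-admin", "offboarding"),
    ("2024Q3", "svc-ci", "prod-admin", "provisioning"),   # repeat
    ("2024Q3", "dave", "finance-rw", "transfer"),
    ("2024Q4", "svc-ci", "prod-admin", "provisioning"),   # repeat
    ("2024Q4", "erin", "prod-admin", "offboarding"),
    ("2024Q4", "frank", "finance-rw", "transfer"),
    ("2024Q4", "grace", "billing-ro", "provisioning"),
]]


def repeat_rate_by_cycle(findings):
    """Fraction of each cycle's findings that were already flagged earlier.

    A finding repeats when the same (principal, entitlement) pair was flagged
    in a previous cycle: the symptom was remediated, but the cause re-created it.
    """
    seen = set()
    rates = {}
    for cycle in sorted({f.cycle for f in findings}):
        current = [f for f in findings if f.cycle == cycle]
        repeats = sum((f.principal, f.entitlement) in seen for f in current)
        rates[cycle] = repeats / len(current)
        seen.update((f.principal, f.entitlement) for f in current)
    return rates


def workflow_defects(findings, min_cycles=2):
    """Route recurring findings to the workflow that created them.

    A root cause that produces findings in at least `min_cycles` distinct
    cycles is a workflow defect, not a list of one-off remediations. Returns
    {root_cause: {"cycles": n_cycles, "principals": n_distinct_principals}}.
    """
    cycles = defaultdict(set)
    principals = defaultdict(set)
    for f in findings:
        cycles[f.root_cause].add(f.cycle)
        principals[f.root_cause].add(f.principal)
    return {
        cause: {"cycles": len(cs), "principals": len(principals[cause])}
        for cause, cs in cycles.items()
        if len(cs) >= min_cycles
    }


def governance_improving(rates):
    """True when the repeat rate falls cycle over cycle.

    The first cycle has no history, so its rate is always 0.0 and is skipped.
    A completed attestation calendar does not count; only a declining repeat
    rate does.
    """
    values = [rates[c] for c in sorted(rates)][1:]
    return len(values) >= 2 and all(
        later < earlier for earlier, later in zip(values, values[1:])
    )


if __name__ == "__main__":
    rates = repeat_rate_by_cycle(FINDINGS)
    for cycle, rate in rates.items():
        print(f"{cycle}: repeat rate {rate:.0%}")
    for cause, stats in workflow_defects(FINDINGS).items():
        print(f"workflow defect: {cause} ({stats['cycles']} cycles, "
              f"{stats['principals']} principals) -> route to {cause} backlog")
    print("improving:", governance_improving(rates))
```

Note the two readings the output invites: the repeat rate is falling, which looks like improvement, yet every root-cause workflow still produces findings in most cycles, and the same service account is re-flagged every quarter. The per-workflow view is what turns a remediation list into a backlog item for the provisioning, transfer, or offboarding process.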
👉 Read our full editorial: Access reviews and access management fail when they stay separate