
Access reviews and the governance gap teams keep missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Access reviews fail less because teams skip them than because discovery, context, and remediation are disconnected, according to Zluri, with 53% of security teams lacking continuous cloud and SaaS visibility according to Help Net Security. Access certification only reduces risk when review scope, reviewer context, and revocation are tied together end to end.

NHIMG editorial — based on content published by Zluri: Top Access Review Challenges IT Teams Face

By the numbers:

Questions worth separating out

Q: What breaks when access reviews only cover apps tied to SSO?

A: The review scope becomes incomplete because direct-login SaaS, department-owned tools, and shadow applications remain outside certification.

Q: When should organisations move from fixed access review cycles to event-based reviews?

A: They should do it when role churn, contractor turnover, or privilege changes happen more often than a quarterly or annual cycle can reflect.

Q: What do security teams get wrong about access review context?

A: They often treat approval as a binary task instead of a risk judgment.

Practitioner guidance

  • Expand discovery beyond SSO-only coverage. Combine browser data, desktop signals, finance records, and identity integrations so apps reached outside central provisioning still enter the review population.
  • Enrich review decisions with live usage evidence. Surface last login, activity trends, privilege level, and account status inside the certification workflow so reviewers can distinguish stale access from active business use.
  • Tie approval to enforced revocation. Make removal an automated downstream action whenever possible, and verify that the entitlement disappears in the target application rather than only in the governance record.
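As an added example (not Zluri's or NHIMG's code), the three guidance points above as one small Python pipeline: merging discovery feeds so non-SSO apps enter scope, turning usage evidence into a risk recommendation, and checking each revocation against the target application's own membership export. The 90-day inactivity threshold, the feed shapes and every sample record are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold (not from the article)

@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    privilege: str              # "admin" or "user"
    last_login: Optional[date]  # None = no activity ever observed
    status: str                 # "active" or "disabled"

def build_review_population(*feeds):
    """Merge SSO, finance and browser discovery feeds into one review population; per
    (user, app) the record with the most recent observed login wins, so stale SSO data does not."""
    merged = {}
    for e in (e for feed in feeds for e in feed):
        prev = merged.get((e.user, e.app))
        if prev is None or (e.last_login or date.min) > (prev.last_login or date.min):
            merged[(e.user, e.app)] = e
    return list(merged.values())

def recommend(e, today):
    """Turn usage evidence into a risk judgement instead of a bare approve/deny."""
    if e.status == "disabled":
        return "revoke", "account disabled"
    if e.last_login is None or today - e.last_login > STALE_AFTER:
        return "revoke", f"no login within {STALE_AFTER.days} days"
    if e.privilege == "admin":
        return "escalate", "active privileged access needs owner sign-off"
    return "keep", "active business use"

def verify_revocations(decisions, target_state):
    """Closed loop: a 'revoke' decision only counts once the user is absent from the
    target app's own membership export (target_state maps app -> set of users)."""
    return [(e.user, e.app) for e, (action, _) in decisions
            if action == "revoke" and e.user in target_state.get(e.app, set())]

TODAY = date(2024, 6, 1)  # constructed sample data: one review cycle as of this date
SSO = [Entitlement("alice", "crm", "admin", date(2024, 5, 30), "active"),
       Entitlement("bob", "crm", "user", date(2024, 1, 10), "active")]
FINANCE = [Entitlement("carol", "design-tool", "user", None, "active")]  # direct-login SaaS, not in SSO
BROWSER = [Entitlement("bob", "crm", "user", date(2024, 5, 1), "active"),  # fresher evidence for bob
           Entitlement("dave", "analytics", "admin", date(2024, 5, 20), "disabled")]
population = build_review_population(SSO, FINANCE, BROWSER)
decisions = [(e, recommend(e, TODAY)) for e in population]
# Constructed post-remediation export: carol's access is gone, dave's was never removed
TARGET_STATE = {"crm": {"alice", "bob"}, "design-tool": set(), "analytics": {"dave"}}
drift = verify_revocations(decisions, TARGET_STATE)  # -> [("dave", "analytics")]
```

Anything in `drift` is an entitlement the governance record says is revoked while the application still grants it, which is exactly the gap the third bullet asks reviewers to verify.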

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Multi-source SaaS discovery workflow using browser, desktop, finance, and identity data
  • Reviewer context examples for last login, inactivity, role changes, and privilege level
  • Closed-loop revocation patterns for deprovisioning, license changes, and privilege reduction
  • Multi-level certification workflow design with reminders, escalations, and audit logging

👉 Read Zluri's article on the top access review challenges IT teams face →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Access review failure is usually a visibility failure first. Zluri is describing a control that cannot govern what it cannot discover, because unmanaged SaaS, contractor access, and direct-to-app logins sit outside the normal certification view. That is not a minor process gap. It means the programme is certifying a partial identity surface while assuming it is complete. Practitioners should treat discovery coverage as part of review design, not as a separate inventory exercise.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when access is approved for removal but not actually revoked?

A: Accountability should sit with the owner of the closed-loop workflow, because certification is not complete until the change is enforced in the target system. If removal depends on manual tickets or disconnected follow-up, the programme has a governance gap that auditors and attackers can both exploit.

👉 Read our full editorial: Access review failure is a visibility problem, not just process
