TL;DR: Access reviews often satisfy auditors while still consuming 149 person-days per cycle, leaving 25,000 data points, 18-day remediation delays, and recurring violations hidden in the process, according to Zluri. The real issue is not completion but governance design: manual review models are too slow, too broad, and too weak to reduce risk.
NHIMG editorial — based on content published by Zluri: Security & Compliance User Access Review Best Practices
By the numbers:
- Your IT team spent 149 person-days on your last review cycle, according to Zluri.
- You discovered 600 access violations, the same types you found last quarter, and the quarter before that, according to Zluri.
- You are probably reviewing only 40-60% of your actual application landscape, according to Zluri.
Questions worth separating out
Q: How should security teams make access reviews cover the real application estate?
A: They should not rely on the identity provider alone.
Q: Why do access reviews still leave risk behind even when auditors sign off?
A: Because completion is not the same as enforcement.
Q: What do teams get wrong about group-based access reviews?
A: They treat group review as a shortcut rather than a governance redesign.
Practitioner guidance
- Expand discovery beyond the identity provider: compare the applications visible in your IdP with finance, browser, endpoint, and CASB data so reviews cover the full application estate rather than only SSO-managed apps.
- Shift recurring reviews to group and role governance: validate application groups, permission sets, and role mappings first, then use membership checks to confirm that users are in the right access buckets.
- Automate revocation from review decisions: connect review outcomes to API-driven execution and proof of completion so revocation does not depend on ticket queues or manual follow-up.
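As an added example (not Zluri's code or this editorial's), the script below applies the first two steps: it reconciles an IdP application list against finance, browser, endpoint and CASB inventories to size the unreviewed estate, then checks each user's actual groups against a validated role-to-group model so reviewers only look at exceptions. Every inventory, role mapping and user record in it is constructed sample data.

```python
"""Added example (not Zluri's code): size the review gap beyond the IdP and
validate group membership against role mappings. All data is constructed."""
from collections import defaultdict

# Constructed inventories; in practice these come from IdP, finance/expense,
# browser telemetry, endpoint agent and CASB exports.
IDP_APPS = {"salesforce", "github", "okta-admin", "slack"}
SOURCES = {
    "finance": {"salesforce", "figma", "notion", "github"},
    "browser": {"slack", "notion", "chatgpt", "trello"},
    "endpoint": {"github", "figma", "zoom"},
    "casb": {"salesforce", "trello", "box", "slack"},
}
# Constructed role model: the application groups each role is allowed to grant.
ROLE_GROUPS = {
    "engineer": {"github-dev", "slack-eng"},
    "finance": {"salesforce-read", "slack-fin"},
}
# Constructed directory export: user -> (assigned role, groups actually held).
USERS = {
    "alice": ("engineer", {"github-dev", "slack-eng"}),
    "bob": ("finance", {"salesforce-read", "github-admin"}),
    "carol": ("engineer", {"slack-eng", "salesforce-read"}),
}

def coverage_gap(idp_apps, sources):
    """Apps seen outside the IdP (with the sources that saw them) and the
    fraction of the full estate an IdP-only review would cover."""
    seen = defaultdict(set)
    for name, apps in sources.items():
        for app in apps:
            seen[app].add(name)
    estate = set(seen) | set(idp_apps)
    unmanaged = {a: sorted(s) for a, s in seen.items() if a not in idp_apps}
    return unmanaged, len(idp_apps & estate) / len(estate)

def prioritise(unmanaged):
    """Apps corroborated by more sources first: likeliest to be real, active use."""
    return sorted(unmanaged, key=lambda a: (-len(unmanaged[a]), a))

def membership_exceptions(users, role_groups):
    """Per user, groups held that the assigned role does not permit. Reviewers
    validate ROLE_GROUPS once; only these exceptions then need a human decision."""
    return {u: sorted(groups - role_groups.get(role, set()))
            for u, (role, groups) in users.items()
            if groups - role_groups.get(role, set())}

if __name__ == "__main__":
    gap, cov = coverage_gap(IDP_APPS, SOURCES)
    print(f"IdP sees {cov:.0%} of the estate; unmanaged: {prioritise(gap)}")
    print("membership exceptions:", membership_exceptions(USERS, ROLE_GROUPS))
```

With the constructed data the IdP covers 40% of the estate, matching the 40-60% figure quoted above, and two of three users hold a group their role does not grant.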
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of the seven access review practices and how each one reduces review effort.
- Detailed examples of multi-method application discovery across SSO, finance, endpoint, browser, and directory data.
- Closed-loop remediation workflow examples showing how review decisions become executed changes.
- Operational guidance on using AI to prioritise high-risk access and reduce reviewer overload.
👉 Read Zluri's analysis of user access review best practices and automation →
Access reviews at scale: where IAM teams are losing time and risk?
Explore further
Access reviews are failing because the control is being asked to govern an incomplete identity surface. If the review scope stops at the IdP, it will undercount shadow IT, non-SSO SaaS, contractor tools, and other unmanaged application access. That is not a process defect at the margins; it is a governance boundary problem. Practitioners should treat visibility as the precondition for any meaningful recertification outcome.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: How do access reviews fit with lifecycle governance for non-human identities?
A: They should validate lifecycle automation, not replace it. Service accounts, API keys, and application tokens need ownership, expiry, and offboarding triggers just like human access needs joiner-mover-leaver controls. The review process should confirm that machine identities were created, rotated, and retired according to policy.
👉 Read our full editorial: User access reviews are failing the scale test in IAM governance