Access reviews at scale: where IAM teams are losing time and risk


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Access reviews often satisfy auditors while still consuming 149 person-days per cycle, leaving 25,000 data points, 18-day remediation delays, and recurring violations hidden in the process, according to Zluri. The real issue is not completion but governance design: manual review models are too slow, too broad, and too weak to reduce risk.

NHIMG editorial — based on content published by Zluri: Security & Compliance User Access Review Best Practices

By the numbers:

Questions worth separating out

Q: How should security teams make access reviews cover the real application estate?

A: They should not rely on the identity provider alone.

Q: Why do access reviews still leave risk behind even when auditors sign off?

A: Because completion is not the same as enforcement.

Q: What do teams get wrong about group-based access reviews?

A: They treat group review as a shortcut rather than a governance redesign.

Practitioner guidance

  • Expand discovery beyond the identity provider: compare the applications visible in your IdP with finance, browser, endpoint, and CASB data so reviews cover the full application estate rather than only SSO-managed apps.
  • Shift recurring reviews to group and role governance: validate application groups, permission sets, and role mappings first, then use membership checks to confirm that users are in the right access buckets.
  • Automate revocation from review decisions: connect review outcomes to API-driven execution and proof of completion so revocation does not depend on ticket queues or manual follow-up.
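As an added illustration of the first two guidance points (example code written for this post, not Zluri's tooling or the forum's own), the script below cross-checks an IdP application list against finance, browser, endpoint and CASB inventories to surface apps outside SSO, then validates group-to-permission-set grants against approved role mappings before checking membership and emitting revocation actions. All inventories, roles, groups and user names are constructed sample data.

```python
from __future__ import annotations

# Constructed sample inventories: application names seen by each discovery source.
# Only the IdP view reflects SSO-managed apps; the others are independent signals.
IDP_APPS = {"salesforce", "github", "slack"}
FINANCE_APPS = {"salesforce", "github", "notion", "figma"}   # paid via AP/expense reports
BROWSER_APPS = {"slack", "notion", "trello"}                 # seen in browser telemetry
ENDPOINT_APPS = {"github", "figma", "trello"}                # installed desktop clients
CASB_APPS = {"salesforce", "notion", "dropbox"}              # observed cloud traffic


def discover_shadow_apps(idp: set[str], *others: set[str]) -> dict[str, int]:
    """Apps seen by non-IdP sources but absent from the IdP, keyed to the number of
    independent sources corroborating them (more sources = stronger signal)."""
    counts: dict[str, int] = {}
    for source in others:
        for app in source - idp:
            counts[app] = counts.get(app, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Group/role governance (constructed): approved role -> permission sets it may hold,
# each user's assigned role, and the groups that currently grant each permission set.
ROLE_TO_PERMSETS = {"engineer": {"repo-write"}, "finance-analyst": {"ledger-read"}}
USER_ROLES = {"alice": "engineer", "bob": "finance-analyst", "carol": "engineer"}
GROUP_GRANTS = {  # group -> (permission set granted, current members)
    "gh-devs": ("repo-write", {"alice", "carol", "bob"}),
    "fin-readers": ("ledger-read", {"bob"}),
    "prod-admins": ("prod-admin", {"carol"}),
}


def review_group_memberships() -> list[dict]:
    """Validate each group's permission-set grant against approved role mappings first;
    only then check membership. Returns revocation actions for API-driven execution."""
    actions: list[dict] = []
    for group, (permset, members) in GROUP_GRANTS.items():
        allowed_roles = {r for r, ps in ROLE_TO_PERMSETS.items() if permset in ps}
        if not allowed_roles:
            # No approved role may hold this permission set: remove the grant itself,
            # rather than reviewing members one by one.
            actions.append({"action": "remove_group_grant", "group": group, "permset": permset})
            continue
        for user in sorted(members):
            if USER_ROLES.get(user) not in allowed_roles:
                actions.append({"action": "remove_member", "group": group, "user": user})
    return actions


if __name__ == "__main__":
    print(discover_shadow_apps(IDP_APPS, FINANCE_APPS, BROWSER_APPS, ENDPOINT_APPS, CASB_APPS))
    print(review_group_memberships())
```

In the sample data, "notion" is corroborated by three sources outside the IdP, and the review removes bob from the engineers' group while dropping the "prod-admin" grant that no approved role maps to.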

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of the seven access review practices and how each one reduces review effort.
  • Detailed examples of multi-method application discovery across SSO, finance, endpoint, browser, and directory data.
  • Closed-loop remediation workflow examples showing how review decisions become executed changes.
  • Operational guidance on using AI to prioritise high-risk access and reduce reviewer overload.

👉 Read Zluri's analysis of user access review best practices and automation →
