TL;DR: AI-driven access recommendations use peer-group and identity-attribute analysis to suggest approve or revoke decisions during access certification, while excluding birthright access and auto-approving low-risk items to reduce review fatigue, according to SailPoint. The deeper issue is that certification only works when reviewers have enough context to make precise revocation decisions, not just rubber-stamp entitlements.
NHIMG editorial — based on content published by SailPoint: AI-driven Access Recommendations - Less Certification. More Revocation
Questions worth separating out
Q: How should security teams use AI in access certification without losing accountability?
A: Use AI to reduce review noise, not to replace the reviewer.
Q: Why do access reviews often fail to remove the right entitlements?
A: They fail when reviewers are given too many items with too little context.
Q: Should organisations exclude birthright access from certification campaigns?
A: Yes, when birthright access is well-defined and consistently provisioned.
Practitioner guidance
- Separate baseline access from discretionary access: Remove birthright items such as standard collaboration and productivity entitlements from certification queues before reviews begin, so managers evaluate only access that can genuinely be revoked.
- Use recommendations to prioritise exceptions: Tune review workflows so AI suggestions highlight outlier access, unusual entitlement patterns, and high-risk permissions instead of pushing every entitlement through the same path.
- Measure revocation quality, not campaign speed: Track how many inappropriate entitlements are removed, how often reviewers override recommendations, and whether post-review access aligns better with role and department norms.
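The three guidance points above, worked through as an added example that is not SailPoint's code or the editorial's own: birthright items are dropped before anything is queued, peer groups are formed from role and department, entitlements with high peer coverage are auto-approved while outliers reach a reviewer with a revoke suggestion, and the campaign is scored on revocations and reviewer overrides rather than throughput. The identities, entitlements and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (assumed, not from SailPoint or the editorial).
# Birthright items are the baseline set removed from the queue before review.
BIRTHRIGHT = {"email", "chat"}
IDENTITIES = {  # name: (role, department, entitlements)
    "alice": ("analyst", "finance", {"email", "chat", "ledger-read"}),
    "bob":   ("analyst", "finance", {"email", "chat", "ledger-read"}),
    "carol": ("analyst", "finance", {"email", "chat", "ledger-read", "payroll-admin"}),
    "dave":  ("engineer", "platform", {"email", "chat", "prod-deploy"}),
    "erin":  ("engineer", "platform", {"email", "chat", "prod-deploy", "secrets-read"}),
    "frank": ("engineer", "platform", {"email", "chat", "prod-deploy", "secrets-read"}),
    "grace": ("auditor", "risk", {"email", "chat", "ledger-read"}),
}
# Assumed thresholds: peer coverage >= AUTO_APPROVE is low risk and skips the
# reviewer; coverage < SUGGEST_REVOKE is an outlier flagged with a revoke suggestion.
AUTO_APPROVE = 0.8
SUGGEST_REVOKE = 0.5

def recommend(identities, birthright):
    """Return {(user, ent): (status, suggestion)}; status 'auto'|'review', suggestion 'approve'|'revoke'|None."""
    groups = defaultdict(list)                  # peer group = (role, department)
    for name, (role, dept, _) in identities.items():
        groups[(role, dept)].append(name)
    decisions = {}
    for name, (role, dept, ents) in identities.items():
        peers = [p for p in groups[(role, dept)] if p != name]
        for ent in ents - birthright:           # birthright never enters the queue
            if not peers:                       # no peer evidence: reviewer decides unaided
                decisions[(name, ent)] = ("review", None)
                continue
            coverage = sum(ent in identities[p][2] for p in peers) / len(peers)
            if coverage >= AUTO_APPROVE:
                decisions[(name, ent)] = ("auto", "approve")
            elif coverage < SUGGEST_REVOKE:
                decisions[(name, ent)] = ("review", "revoke")
            else:
                decisions[(name, ent)] = ("review", "approve")
    return decisions

def campaign_metrics(decisions, outcomes):
    """outcomes: {(user, ent): 'approve'|'revoke'} from reviewers; reports revocation quality, not speed."""
    reviewed = {k: s for k, (status, s) in decisions.items() if status == "review"}
    revoked = sum(outcomes.get(k) == "revoke" for k in reviewed)
    overrides = sum(s is not None and outcomes.get(k) not in (None, s) for k, s in reviewed.items())
    return {"queued": len(decisions), "auto_approved": len(decisions) - len(reviewed),
            "reviewed": len(reviewed), "revoked": revoked,
            "override_rate": overrides / len(reviewed) if reviewed else 0.0}
```

With the sample data, carol's payroll-admin entitlement is the only one no peer holds and is queued with a revoke suggestion, while grace, who has no peers at all, reaches the reviewer with no suggestion so that the absence of evidence is visible rather than silently approved.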
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- How Access Recommendations classifies peers using identity attributes such as role, department, and location
- Which entitlements are automatically excluded from the certification queue as birthright access
- How low-risk access is auto-approved while higher-risk items are pushed into human review
- What the product experience looks like for business managers and application owners during a certification campaign
👉 Read SailPoint's blog on AI-driven access recommendations and revocation →
Explore further
Certification fatigue is the real control problem, not the existence of access reviews. The article shows that managers often approve everything when they lack context, which turns periodic review into ceremonial compliance. That is a governance failure because the control exists on paper but does not reliably remove unnecessary access. The practical conclusion is that review design must be judged by revocation quality, not by campaign volume.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How do you know if access recommendations are improving governance?
A: Look for higher-quality revocation decisions, fewer blanket approvals, and less reviewer fatigue over time. If campaigns finish faster but almost nothing is removed, the programme is only optimising administration. Real value appears when recommendations change outcomes on unnecessary access.
👉 Read our full editorial: AI-driven access recommendations expose the limits of certification