TL;DR: AI is being used to reduce reviewer fatigue in access certifications by flagging unusual entitlements, grouping low-risk items, and supporting faster decisions, according to SecurEnds. The shift matters because access review quality, not just completion, is now the real audit and governance problem.
NHIMG editorial — based on content published by SecurEnds: AI in access review and reviewer fatigue
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams use AI in access review without weakening governance?
A: Use AI to rank entitlements, surface anomalies, and reduce reviewer workload, but keep humans responsible for the final decision.
Q: Why do access reviews fail when reviewer fatigue is high?
A: They fail because reviewers optimise for finishing the queue rather than evaluating each entitlement carefully.
Q: How do organisations know if AI-assisted access review is actually working?
A: Look for lower noise in the queue, higher challenge rates on risky access, fewer blanket approvals, and faster resolution of outlier entitlements.
Practitioner guidance
- Separate high-risk and low-risk entitlements before certification: group routine access so reviewers do not waste attention on low-impact items, but force explicit review for admin, cross-system, and dormant entitlements.
- Require model rationale for every AI-assisted recommendation: store the score, the attributes that influenced it, and the reviewer's final action for each item.
- Extend review design beyond human accounts: bring service accounts, tokens, and other non-human identities into the same governance logic where they create privilege risk.
What's in the full article
SecurEnds's full article covers the operational detail this post intentionally leaves for the source:
- Examples of how the AI scoring layer is applied inside access review workflows
- The vendor's explanation of how reviewers receive recommendations and contextual prompts
- A closer look at the platform's audit trail, documentation, and reviewer support features
- The article's discussion of explainability, privacy, and human-in-the-loop concerns
Explore further
AI in access review is a governance augmentation pattern, not a governance substitute. The article correctly frames AI as a helper for reviewer fatigue, and that is the right boundary. Certification still depends on human accountability, policy context, and auditable decisions, especially where entitlements are sparse signals inside large identity estates. The practitioner implication is clear: use AI to improve decision quality, not to blur who owns the control.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
A question worth separating out:
Q: How should IAM teams govern access review for service accounts and other NHIs?
A: Put non-human identities into the same certification discipline as human access, but weight the review around ownership, use, and privilege scope. A service account without a clear business owner or recent usage signal should be treated as a governance exception, not as routine access.
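As an added example (not SecurEnds' code or scoring model), the following Python triage puts the practitioner guidance above and this NHI answer into working form: it forces explicit review for admin, cross-system and dormant entitlements, treats a service account with no owner or recent usage signal as a governance exception rather than routine access, stores the score and the attributes that drove it next to the reviewer's final action, and refuses an unjustified approval of a flagged item. The field names, weights, 90-day dormancy threshold and sample entitlements are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed thresholds and weights; not SecurEnds' scoring model.
STALE_AFTER = timedelta(days=90)
WEIGHTS = {"admin": 3, "cross-system": 2, "dormant": 2, "no-owner": 3}

@dataclass
class Entitlement:
    identity: str
    kind: str                  # "human" or "service"
    system: str                # system the entitlement is granted on
    home_system: str           # system the identity's team primarily works in
    admin: bool
    owner: Optional[str]       # business owner, if one is recorded
    last_used: Optional[date]  # last observed use, if any

def triage(e: Entitlement, today: date) -> dict:
    """Flag risk attributes, score them, bucket the item, and keep the attributes that drove the score."""
    attrs = []
    if e.admin:
        attrs.append("admin")
    if e.system != e.home_system:
        attrs.append("cross-system")
    if e.last_used is None or today - e.last_used > STALE_AFTER:
        attrs.append("dormant")
    if e.kind == "service" and e.owner is None:
        attrs.append("no-owner")
    score = sum(WEIGHTS[a] for a in attrs)
    if e.kind == "service" and ("no-owner" in attrs or "dormant" in attrs):
        bucket = "governance-exception"  # NHI with no owner or usage signal
    elif attrs:
        bucket = "explicit-review"       # reviewer must look at it individually
    else:
        bucket = "routine"               # safe to group for low-attention review
    return {"identity": e.identity, "system": e.system, "score": score,
            "attributes": attrs, "bucket": bucket, "reviewer_action": None}

def record_decision(rec: dict, reviewer: str, action: str, note: str = "") -> dict:
    """Attach the human decision; approving a flagged item requires a justification."""
    if rec["bucket"] != "routine" and action == "approve" and not note:
        raise ValueError(f"{rec['identity']}: approval of a flagged item needs a note")
    return {**rec, "reviewer": reviewer, "reviewer_action": action, "note": note}

TODAY = date(2025, 1, 15)
SAMPLE = [  # constructed entitlements
    Entitlement("alice", "human", "crm", "crm", False, "alice", date(2025, 1, 10)),
    Entitlement("bob", "human", "erp", "crm", True, "bob", date(2025, 1, 12)),
    Entitlement("svc-backup", "service", "storage", "storage", True, None, date(2024, 6, 1)),
]
```

Running `triage` over a real export and keeping the returned records gives the audit trail the guidance asks for: the score, the attributes behind it, and the human decision, per item.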