TL;DR: Access review automation is being positioned as the practical way to reduce permission drift, speed up audits, and enforce governance across cloud, on-premise, and hybrid environments, according to Soffid. The real issue is not automation itself but whether identity governance can prove who had access, why, and for how long.
NHIMG editorial — based on content published by Soffid: Identity Governance (IGA): Cómo automatizar revisiones de acceso y estar listo para auditoría
By the numbers:
- In 2025, Europe exceeded 2,300 million euros in GDPR sanctions, up 38% from the previous year.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams automate access reviews without losing audit evidence?
A: Automate the data collection and routing, not the accountability.
Q: Why do access reviews fail when identity data is incomplete?
A: Access reviews fail because reviewers cannot make a reliable decision if ownership, entitlement scope, or last-use data is missing.
Q: What do organisations get wrong about recertification cycles?
A: They often treat recertification as a compliance event instead of a control outcome.
Practitioner guidance
- Automate entitlement harvesting before review cycles begin Pull application, directory, and cloud entitlements into a single review dataset so reviewers see current access rather than stale exports.
- Separate lifecycle workflows by identity type Run different offboarding and recertification paths for human users, service accounts, and workload identities.
- Preserve decision lineage for every access change Store approver identity, policy basis, timestamp, and entitlement state at the moment of approval or removal.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- The article’s step-by-step framing for automating access reviews across identity governance and IAM workflows.
- The specific compliance and audit angle used to justify review automation in regulated environments.
- The practical discussion of permission misconfiguration, excessive privilege, and review cadence inside Soffid IGA.
- The source’s own description of how monitoring and reaccreditation are presented as part of the lifecycle process.
👉 Read Soffid's article on automating access reviews for audit-ready IGA →
Automated access reviews and audit readiness: what IAM teams need?
Explore further
Automated access reviews are a governance accelerator, not a substitute for identity truth. The control only works when entitlement data, ownership, and lifecycle state are accurate enough to review. If the underlying identity graph is stale, automation simply scales bad decisions faster. Practitioners should treat review automation as a force multiplier for good governance, not as a cleanup mechanism for broken identity data.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should own access governance when human and non-human identities share systems?
A: Ownership should sit with the business or technical control owner who can explain the access need, not with the review tool. When human and non-human identities share systems, the governance model must still distinguish who consumes the access, who approves it, and who is responsible for removing it.
👉 Read our full editorial: Automated access reviews are reshaping audit-ready IGA programmes