Notifications
Clear all
Topic starter
25/06/2026 5:17 pm
TL;DR: Automatic access certification escalations can turn a routine governance workflow into a leadership inbox flood when owners ignore or miss review requests, as SailPoint describes from a financial services rollout. The episode shows that access review design must account for human response behaviour, not just workflow logic, or certifications become noisy and ineffective.
NHIMG editorial — based on content published by SailPoint: Blog Facepalm Files: The unintended consequences of automatic escalations
Questions worth separating out
Q: How should teams design access review escalations without creating notification overload?
A: Set escalation thresholds based on reviewer capacity, not just elapsed time.
Q: Why do access certification workflows fail even when they are fully automated?
A: They fail when automation replaces governance judgment instead of supporting it.
Q: What do security teams get wrong about automatic escalation in IGA programmes?
A: They often assume more escalation produces better compliance.
Practitioner guidance
- Map escalation depth before production rollout Model how many tiers a missed certification can traverse and identify the maximum approver level that is acceptable for routine review traffic.
- Pilot the reviewer experience with real owners Run a representative access review cycle with application owners who actually manage SOX-related applications, then measure response rates, completion time, and confusion points.
- Define exception handling for non-response Create a policy for unresolved reviews that distinguishes true risk cases from routine non-action, so escalation does not become the only available response.
What's in the full article
SailPoint's full blog post covers the practical details this post intentionally leaves at the governance level:
- The original access certification story from a financial services environment and how the escalation logic unfolded.
- The specific lessons the author drew about application owner buy-in and review workflow design.
- The trade-off between building a homegrown identity solution and buying a purpose-built platform.
- The testing approach that would have exposed the CEO-level escalation path before rollout.
👉 Read SailPoint's blog post on unintended consequences of automatic access review escalations →
Automatic access review escalations: are your controls ready?
Explore further
25/06/2026 5:52 pm
Automatic escalation is a governance amplifier, not a governance fix. The article shows how a well-intended workflow control can create more friction than accountability when it is allowed to cascade without constraint. Access certification succeeds only when the process design respects approver capacity, organisational hierarchy, and the practical limits of notification-based compliance. The practitioner conclusion is that escalation design is itself a control decision, not a back-office setting.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should be accountable when access review escalations reach senior leadership?
A: The IGA or identity governance team should own the escalation design, because they control routing rules, thresholds, and exception handling. Business approvers remain accountable for the certification decision, but the identity team is responsible for ensuring the workflow does not create avoidable operational harm.
👉 Read our full editorial: Automatic escalation in access reviews creates governance risk
