IGA automation and access reviews: what teams should scrutinise


(@nhi-mgmt-group)

TL;DR: Manual access reviews, provisioning, deprovisioning, and certification create visibility and compliance gaps across SaaS estates, according to Zluri, and its 2026 IGA positioning centres on automation, discovery, and ticketless requests for governance workflows. The deeper issue is that access governance only works when entitlement state is current, complete, and reviewable, which manual processes rarely guarantee.

NHIMG editorial — based on content published by Zluri: Why is Zluri the Best IGA Platform in 2026?

Questions worth separating out

Q: How should security teams govern SaaS access reviews at scale?

A: They should start with complete entitlement visibility, then tie review decisions to business context such as usage, role, and status.

Q: Why do manual access request and certification processes break down in SaaS environments?

A: They break down because the environment changes faster than the governance workflow can keep up.

Q: What do organisations get wrong about ticketless access requests?

A: They often assume self-service reduces risk by itself.

Practitioner guidance

  • Audit entitlement visibility across SaaS apps: Check whether access review owners can see last login, app usage, department, status, and permission level for every reviewed account before certification begins.
  • Redesign self-service around approval policy: Treat the app catalog as a policy object, then document which apps are pre-approved, which require review, and which need exception handling before request automation expands.
  • Tie provisioning and offboarding to authoritative lifecycle signals: Connect onboarding, mover events, and deprovisioning workflows to HR and identity sources that define employment status and role changes, then reconcile any mismatch before automation runs.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step onboarding workflow setup for role-based SaaS provisioning
  • Detailed access certification configuration, including reviewer assignment and fallback handling
  • Offboarding workflow mechanics for revoking application access after departure
  • Access request flow details for the ticketless self-service model

👉 Read Zluri's article on IGA automation, access certification, and SaaS governance →

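The two checks in the practitioner guidance above (review context visible before certification, and entitlement state reconciled against HR lifecycle data), as an added example that is not part of the original post or of Zluri's product. The record shapes, field names and sample data are constructed assumptions.

```python
from datetime import date

# Context fields a reviewer should see before certifying (from the guidance above).
REQUIRED_CONTEXT = ("last_login", "app_usage", "department", "status", "permission_level")

# Constructed sample data; field names and record shapes are assumptions.
HR_RECORDS = {
    "alice@example.com": {"status": "active", "department": "Finance"},
    "bob@example.com": {"status": "terminated", "department": "Sales"},
    "carol@example.com": {"status": "active", "department": "Engineering"},
}
ENTITLEMENTS = [
    {"user": "alice@example.com", "app": "crm", "last_login": date(2026, 1, 10),
     "app_usage": 42, "department": "Finance", "status": "active",
     "permission_level": "user"},
    {"user": "bob@example.com", "app": "crm", "last_login": date(2025, 11, 2),
     "app_usage": 0, "department": "Sales", "status": "active",
     "permission_level": "admin"},
    {"user": "carol@example.com", "app": "wiki", "last_login": None,
     "app_usage": None, "department": "Marketing", "status": "active",
     "permission_level": "user"},
    {"user": "svc-export@example.com", "app": "crm", "last_login": date(2026, 1, 9),
     "app_usage": 900, "department": None, "status": "active",
     "permission_level": "admin"},
]


def precertification_findings(hr_records, entitlements):
    """Return (user, app, issue) tuples to resolve before the review starts."""
    findings = []
    for ent in entitlements:
        key = (ent["user"], ent["app"])
        hr = hr_records.get(ent["user"])
        if hr is None:
            # No authoritative lifecycle record: nothing to reconcile against.
            findings.append((*key, "no_hr_record"))
            continue
        missing = [f for f in REQUIRED_CONTEXT if ent.get(f) is None]
        if missing:
            findings.append((*key, "missing_context:" + ",".join(missing)))
        if ent.get("status") != hr["status"]:
            findings.append((*key, "status_mismatch:hr=" + hr["status"]))
        if ent.get("department") != hr["department"]:
            findings.append((*key, "department_mismatch:hr=" + hr["department"]))
    return findings


if __name__ == "__main__":
    for finding in precertification_findings(HR_RECORDS, ENTITLEMENTS):
        print(finding)
```

An empty result means every reviewed account carries the context fields and agrees with the HR source; any finding is something to reconcile before certification or automation runs.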
(@mr-nhi)

Manual IGA fails first as a data-quality problem, not a workflow problem. The article correctly points to incomplete visibility as the reason access reviews and access governance become unreliable in SaaS environments. Reviewers cannot certify what they cannot see, and automation cannot repair a broken entitlement inventory. Practitioner conclusion: identity governance starts with accurate access state, not with faster approvals.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when automated deprovisioning does not happen after access review?

A: Accountability sits with the identity and application owners who defined the workflow, not with the automation alone. If rejected access remains active, the control failed at design time because the revocation path was missing, unclear, or not connected to authoritative lifecycle signals.

👉 Read our full editorial: Zluri’s IGA pitch exposes where manual access governance breaks



   