TL;DR: Quarterly access review execution is often harder than policy design, because teams still need to map reviewers, handle self-review conflicts, track sign-off, and produce audit evidence across a 17 to 21 day cycle, according to Zluri. The governance risk is not the certification itself but the operational gap between documented intent and repeatable execution.
NHIMG editorial — based on content published by Zluri: Security & Compliance User Access Review Procedure: Step-by-Step Execution Guide
Questions worth separating out
Q: How should teams run quarterly access reviews without turning them into manual projects?
A: Treat quarterly access reviews as a repeatable control workflow, not a one-off audit task.
Q: Why do access reviews often fail even when the policy is documented?
A: Documented policy fails when identity ownership data, reviewer assignments, or remediation integrations are incomplete.
Q: What signals show that access review governance is not working?
A: Look for incomplete sign-offs, repeated fallback reviewer use, remediation failures, and certifications that finish as reports rather than entitlement changes.
Practitioner guidance
- Validate reviewer ownership before each certification Check that app owners, reporting managers, and fallback reviewers are present and correct before launching the review.
- Enforce separation of duties on self-review records Use auto-reassign or a named alternate reviewer when the assigned reviewer would be certifying their own access.
- Track sign-off as a separate completion state Monitor records that are fully reviewed but not signed off, because those certifications are still open even when the visible work appears done.
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- Exact click-paths for each certification step, including setup, launch, and completion.
- Reviewer-view screenshots and field-by-field configuration details for applications, scopes, and columns.
- Remediation playbook setup examples for revoke and modify actions across integrated applications.
- Error-handling notes for incomplete reviews, failed playbooks, and evidence generation.
👉 Read Zluri's step-by-step guide to quarterly access review execution →
Quarterly access reviews: what teams miss in execution and evidence?
Explore further
Quarterly access review failure is usually an execution problem, not a policy problem. The guide makes clear that organisations can document the certification process and still fail at the operational layer if reviewer ownership, fallback logic, or sign-off handling is inconsistent. That is a classic IGA weakness: control intent exists, but the workflow does not survive day-to-day exceptions. Practitioners should treat access review execution as a governed process with measurable failure states, not as an annual compliance ritual.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows why review quality depends on upstream identity data, not just reviewer discipline.
A question worth separating out:
Q: Who should be accountable when an access review stalls or misses remediation?
A: Accountability should sit with the certification owner for workflow completion, with application and identity owners for accurate reviewer mapping, and with operations teams for remediation execution. If any of those roles are undefined, the review process will drift into exception handling instead of controlled governance.
👉 Read our full editorial: Quarterly access reviews fail when execution becomes tribal knowledge