TL;DR: User access review programs are often completed on time but fail in practice because repetition, missing context, and overloaded reviewers turn certification into a mechanical exercise, according to SecurEnds. The result is a governance model that preserves audit evidence while steadily weakening real decision quality.
NHIMG editorial — based on content published by SecurEnds: review fatigue in user access reviews and how it weakens IAM governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: What breaks when user access reviews become routine approval exercises?
A: The review stops being a decision control and becomes a workload control.
Q: Why do access reviews lose value when access rarely changes between cycles?
A: If the same entitlements appear every cycle, reviewers stop encountering new information.
Q: How can security teams tell whether review fatigue is setting in?
A: Look for near-universal approvals, low remediation, long campaign cycles, repeated IT clarifications, and complaints from managers who say they do not understand the access they are being asked to certify.
Practitioner guidance
- Reduce review scope before the campaign starts: exclude unchanged low-risk access from manual review and reserve human attention for privileged, sensitive, or recently changed entitlements.
- Attach usage and recency context to every certification item: surface last use, change history, owner, and business criticality in the review screen so the decision is evidence-based.
- Measure remediation, not just completion: track how many entitlements are removed, downgraded, or re-scoped after each campaign, and compare that against the number of approvals.
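As an added illustration (not code from SecurEnds or the source article), the three guidance points above and the fatigue indicators from the Q&A as a small Python triage: it scopes a campaign to privileged, sensitive, recently granted or long-unused entitlements (the last goes slightly beyond the text), attaches owner and recency context to each certification row, and reports remediation against approvals with a near-universal-approval flag. The field names, 90-day thresholds, 95% ceiling and sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Entitlement:
    user: str
    app: str
    role: str
    owner: str                # surfaced to the reviewer as context
    privileged: bool
    sensitive: bool
    granted: date             # change history reduced to the grant date
    last_used: Optional[date] # None = never used since grant

def needs_manual_review(e, today, cycle_days=90, stale_days=90):
    """Privileged, sensitive, recently granted or long-unused access goes to a
    human; unchanged low-risk access is carried forward without a click."""
    recently_changed = (today - e.granted).days < cycle_days
    stale = e.last_used is None or (today - e.last_used).days > stale_days
    return e.privileged or e.sensitive or recently_changed or stale

def review_item(e, today):
    """The certification row, carrying the evidence the decision should rest on."""
    idle = None if e.last_used is None else (today - e.last_used).days
    return {"user": e.user, "app": e.app, "role": e.role, "owner": e.owner,
            "days_since_grant": (today - e.granted).days, "days_idle": idle}

def campaign_metrics(decisions, approval_ceiling=0.95):
    """Remediation, not completion: count removals/downgrades against approvals.
    An approval rate at or above the ceiling is a review-fatigue signal."""
    total = len(decisions)
    approvals = sum(1 for d in decisions if d == "approve")
    rate = approvals / total if total else 0.0
    return {"total": total, "approvals": approvals, "remediated": total - approvals,
            "approval_rate": round(rate, 3), "fatigue_signal": rate >= approval_ceiling}

# Constructed sample entitlements (illustrative, not from any real tenant)
TODAY = date(2024, 6, 30)
SAMPLE = [
    Entitlement("alice", "erp", "ap-clerk", "fin-lead", False, False, date(2022, 1, 10), date(2024, 6, 28)),
    Entitlement("bob", "erp", "payments-admin", "fin-lead", True, True, date(2022, 1, 10), date(2024, 6, 1)),
    Entitlement("carol", "crm", "reader", "sales-ops", False, False, date(2024, 5, 15), date(2024, 6, 20)),
    Entitlement("dave", "hr", "reader", "hr-ops", False, False, date(2021, 3, 2), None),
]
def scoped_campaign(entitlements=SAMPLE, today=TODAY):
    """Split a campaign into manual-review rows and the auto-carried count."""
    manual = [review_item(e, today) for e in entitlements if needs_manual_review(e, today)]
    return manual, len(entitlements) - len(manual)
```

On the sample, only alice's unchanged, recently used clerk role is carried forward; the other three rows reach a reviewer with their idle time and owner attached.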
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- The 10 review-fatigue indicators with practical examples for managers, auditors, and compliance teams
- The detailed breakdown of why manual workflows, spreadsheets, and email-based follow-up fail at scale
- The full set of remediation patterns for reducing certification overload without losing governance coverage
- The article’s explanation of how SecurEnds positions automation across recurring review cycles
Read SecurEnds' analysis of review fatigue in user access reviews.
Review fatigue in access reviews: why are controls losing signal?
Explore further
Review fatigue is a governance failure, not a user behaviour problem. The core issue is that review design asks people to validate too much access with too little context, then treats speed as a success metric. Treating it as a behaviour problem is wrong because the programme measures completion, not discernment. In identity governance terms, the control has drifted from certification to administrative throughput, and practitioners should treat that as a design defect, not a training issue.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. That lifecycle weakness shows how quickly identity controls lose value when governance is left to manual effort.
A question worth separating out:
Q: Who should be accountable when an access review is completed but risky access remains?
A: Accountability sits with the identity governance owner, the business reviewer, and the control design that allowed high-volume certification to substitute for judgment. Frameworks such as the NIST Cybersecurity Framework and lifecycle governance models expect controls to reduce risk, not merely record activity.
Read our full editorial: Review fatigue in user access reviews weakens IAM governance.