TL;DR: Quarterly access reviews validate access at a point in time, but role changes create hidden exposure between cycles as old entitlements persist, new privileges are added, and access drift builds, according to OpenIAM. Calendar-based governance can prove oversight without reflecting the real-time access posture of internal mobility.
NHIMG editorial — based on content published by OpenIAM: How Role Changes Between Quarterly Access Reviews Create Hidden Risk
Questions worth separating out
Q: What breaks when role changes are only reviewed quarterly?
A: Quarterly review-only governance breaks because access can become incorrect the moment a promotion, transfer, or project assignment takes effect.
Q: Why do role changes increase access risk in identity governance programmes?
A: Role changes increase risk because they create a mismatch between current business responsibility and the permissions that still exist in downstream systems.
Q: How can teams tell whether access drift is becoming a governance problem?
A: Look for users whose permissions outgrow any single current role, especially after multiple internal moves or temporary assignments.
Practitioner guidance
- Trigger access reconciliation on every mover event Link HR job changes, manager approvals, and IAM entitlements so that promotions, transfers, and project assignments automatically create a remediation workflow before the next certification cycle.
- Revoke legacy entitlements at the point of role change Compare the new role against the prior role and remove permissions that are no longer justified, rather than leaving them in place until quarterly review.
- Track temporary access as a separate entitlement class Isolate project, admin, and emergency privileges so they can be reviewed and removed independently when the business need ends.
What's in the full article
OpenIAM's full blog post covers the operational detail this post intentionally leaves for the source:
- The step-by-step logic behind access layering across promotions, transfers, and temporary project assignments.
- The review-cycle limitations that make quarterly certification miss change-driven exposure.
- The practical remediation discussion for delayed deprovisioning across HR, IAM, and application owners.
- The broader access review failure patterns linked to access drift and certification remediation.
👉 Read OpenIAM's analysis of hidden access risk between quarterly reviews →
Role-change access risk: what IAM teams are missing between reviews?
Explore further
Time-based access governance fails when the access change is event-driven. Quarterly certification was designed for stable access states that last long enough to be reviewed, challenged, and remediated. That assumption fails when promotions, transfers, and project assignments alter access immediately and continuously between cycles. The implication is not that certification is useless, but that it cannot be the control that carries the whole burden of access governance.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who should be accountable when access remains active after a role change?
A: Accountability should sit with the workflow that owns the change event, not with the next scheduled review. HR, IAM, managers, and application owners need a defined handoff so removal happens when the role changes, not after the cycle closes.
👉 Read our full editorial: Role changes between access reviews create hidden IAM risk