TL;DR: Access reviews are the operational backbone of SaaS governance, but 1Password argues that spreadsheets, custom apps, and fragmented visibility still make them slow, inconsistent, and audit-prone. The real issue is that many organisations are reviewing access across tools their governance model cannot fully see or standardise.
NHIMG editorial — based on content published by 1Password: access reviews for SaaS governance and compliance
Questions worth separating out
Q: How should security teams run access reviews across SaaS applications?
A: Security teams should use a standard workflow that covers every app type, including SCIM, non-SCIM, and custom applications.
Q: Why do access reviews fail in complex SaaS environments?
A: Access reviews fail when entitlement data is fragmented across multiple tools and the reviewer cannot see enough context to make a reliable decision.
Q: How do organisations know if access reviews are working?
A: They should measure coverage, reviewer accountability, and post-review remediation.
Practitioner guidance
- Standardise review workflows across all app types: Define one access review process that covers SCIM, non-SCIM, and custom applications so reviewers are not forced into one-off exceptions for every system.
- Tie review outcomes to de-provisioning actions: Route approved removals, role corrections, and permission reductions directly into offboarding and mover workflows so stale access does not survive the review cycle.
- Require reviewer context before certification: Expose role, access level, cost center, and known access issues at the moment of review so approvals are based on evidence rather than memory or guesswork.
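One way to compute the three measures named above (coverage, reviewer accountability, post-review remediation) across SCIM, non-SCIM, and custom apps. This is an added example, not 1Password's code or product output; the record layout, field names, and metric definitions are assumptions, and the sample data is constructed.

```python
"""Access review health metrics over a constructed entitlement export."""
from collections import Counter

# Context the guidance says a reviewer needs before certifying (field names assumed).
CONTEXT_FIELDS = {"role", "access_level", "cost_center", "known_issues"}
FULL = {"role": "engineer", "access_level": "admin",
        "cost_center": "CC-100", "known_issues": []}

def ent(eid, app_type, reviewer, decision, context, active_after):
    """Build one entitlement record (hypothetical layout)."""
    return {"id": eid, "app_type": app_type, "reviewer": reviewer,
            "decision": decision, "context": context, "active_after": active_after}

# Constructed sample: decision None means the entitlement was never reviewed.
SAMPLE = [
    ent("e1", "scim", "alice", "keep", FULL, True),
    ent("e2", "scim", "alice", "revoke", FULL, False),
    ent("e3", "non_scim", "bob", "revoke", FULL, True),   # removal never executed
    ent("e4", "non_scim", None, None, {}, True),          # not reviewed at all
    ent("e5", "custom", None, "keep", FULL, True),        # no named reviewer
    ent("e6", "custom", "carol", "keep", {"role": "analyst"}, True),  # thin context
]

def coverage_by_app_type(ents):
    """Fraction of in-scope entitlements that received a decision, per app type."""
    total = Counter(e["app_type"] for e in ents)
    done = Counter(e["app_type"] for e in ents if e["decision"] is not None)
    return {t: done[t] / total[t] for t in total}

def unaccountable_decisions(ents):
    """Decisions with no named reviewer, or made without the full reviewer context."""
    return [e["id"] for e in ents if e["decision"] is not None
            and (not e["reviewer"] or not CONTEXT_FIELDS.issubset(e["context"]))]

def unremediated_revocations(ents):
    """Access marked for removal that still exists after the review cycle."""
    return [e["id"] for e in ents if e["decision"] == "revoke" and e["active_after"]]

if __name__ == "__main__":
    print("coverage:", coverage_by_app_type(SAMPLE))
    print("unaccountable:", unaccountable_decisions(SAMPLE))
    print("stale after review:", unremediated_revocations(SAMPLE))
```

Low coverage for one app type points at a workflow gap for that type, and any entry in the last list is a removal that should be routed into the de-provisioning workflow.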
What's in the full article
1Password's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step access review workflow design for SaaS estates with SCIM, non-SCIM, and custom applications.
- How 1Password structures reviewer notifications, approvals, and inline permission changes inside the product.
- Examples of exportable review reports and audit evidence fields for compliance teams.
- Coverage details for over 350 native API integrations and CSV-based support for non-SCIM apps.