Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Self-service access reviews: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: About 50 IT tickets per week were redirected and access-request handling improved by linking requestors directly to approvers, while keeping audit trails and least privilege in place, according to Lumos. The real issue is not ticket volume but whether access governance can stay accountable as approval paths become more distributed.

NHIMG editorial — based on content published by Lumos: How Lumos Uses Lumos to Empower End Users with Self-Service

Questions worth separating out

Q: How should security teams design self-service access requests without losing accountability?

A: Security teams should route requests directly to the true entitlement owner, preserve the approver’s identity and decision history, and ensure every grant is recorded in an auditable workflow.

Q: Why do access reviews often fail to reduce privilege creep?

A: Access reviews fail when they end with attestation instead of entitlement change.

Q: What do IAM teams get wrong about direct approvals?

A: Teams often assume direct approvals are automatically cleaner than IT-mediated approval chains.

Practitioner guidance

  • Map every self-service path to a real entitlement owner. Document which app owner, business approver, or delegated role is authoritative for each entitlement, and remove any workflow path that sends decisions to IT by default when IT is not the decision maker.
  • Require approval evidence that survives audit. Capture who approved, who was reassigned, what entitlement was requested, and what context informed the decision, so the workflow can be reconstructed during review or incident investigation.
  • Connect access reviews to entitlement change. Treat review completion as incomplete until the outcome is applied, whether that means removal, reduction, escalation, or documented exception handling.

What's in the full article

Lumos's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the internal AppStore experience is structured for request submission and approval handling
  • The exact workflow changes that helped redirect roughly 50 IT tickets per week
  • How Lumos handles override and reassignment when an approver is unavailable
  • The internal operating model for user access reviews and how it scales across the organisation

👉 Read Lumos's blog on self-service access requests and user access reviews →

Self-service access reviews: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Self-service access governance is only useful when it preserves the control evidence that ticket queues used to hide. The article shows a familiar tradeoff: less IT friction, more distributed ownership, and a stronger need for recorded decision paths. That is not a product story, it is an identity governance pattern. Practitioners should treat the workflow as a control surface, not a convenience layer.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many access workflows still operate without a complete inventory of who or what holds privilege.

A question worth separating out:

Q: How can organisations tell whether self-service access governance is working?

A: Look for faster request handling, fewer manual tickets, and stronger evidence quality at the same time. If the workflow is working, reviewers can see who approved access, exceptions are rare and documented, and entitlement changes follow review outcomes. Speed alone is not success if governance records are incomplete or stale.

👉 Read our full editorial: Self-service access reviews expose the next IAM governance gap



   
ReplyQuote
Share: