TL;DR: SOC 2 access control policies still struggle with least privilege, just-in-time provisioning, access reviews, and unused access removal across complex systems, according to Zluri. The hard part is not the policy language but the governance machinery needed to keep access current as identities, roles, and systems change.
NHIMG editorial — based on content published by Zluri: SOC 2 Access Control: Challenges & Implementation
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams implement least privilege in SOC 2 access control programmes?
A: Start with a live entitlement map that ties roles and attributes to actual business tasks, then remove broad defaults that are not strictly needed.
Q: When does just-in-time access create more governance value than static access grants?
A: Just-in-time access is most valuable when privileges are high-risk, infrequently used, or difficult to justify as standing access.
Q: What do organisations get wrong about periodic access reviews?
A: They often treat the review itself as the control instead of the remediation that follows it.
Practitioner guidance
- Map access to live business need: rebuild the access control matrix from current roles, systems, and data classifications so approvals are based on today's operating model rather than legacy job titles.
- Convert high-risk grants to JIT workflows: use just-in-time provisioning for privileged and sensitive access, with automatic expiry and logged revocation so permissions do not become standing privilege.
- Remove unused access on a fixed cadence: run scheduled reviews to identify dormant entitlements, orphaned accounts, and permissions no longer tied to active projects or customers, then revoke them promptly.
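The three guidance points above (and the least-privilege and access-review answers in the Q&A) are easier to reason about as one lifecycle over an entitlement inventory. The following is an added example written for this post, not code from Zluri or from the article: it models time-boxed JIT grants with a revocation log, then runs a review that classifies every grant as orphaned (principal no longer exists), expired JIT (time box elapsed but never revoked), dormant (standing access unused for 90 days), or standing-privileged (a broad permission that should become a JIT workflow), and remediates accordingly. The principals, systems, permissions, the 90-day dormancy window and the set of "broad" permissions are all constructed assumptions.

```python
"""Entitlement lifecycle review: JIT grants with expiry plus a dormant/orphaned-access sweep.
Added example for this post; all identities and systems below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Permissions treated as "broad" for least-privilege purposes (an assumption, not from the article).
BROAD_PERMISSIONS = {"admin", "owner", "*"}


@dataclass
class Grant:
    principal: str                          # human user or non-human identity (service account)
    system: str
    permission: str
    granted_at: datetime
    expires_at: Optional[datetime] = None   # None means standing access
    last_used: Optional[datetime] = None
    justification: str = ""


@dataclass
class Inventory:
    """Entitlement inventory joined with the set of principals that still exist."""
    active_principals: Set[str]             # from the IdP / HR feed / service-account registry
    grants: List[Grant] = field(default_factory=list)
    revocation_log: List[Dict[str, str]] = field(default_factory=list)

    def grant_jit(self, principal: str, system: str, permission: str,
                  justification: str, now: datetime,
                  ttl: timedelta = timedelta(hours=4)) -> Grant:
        """Time-boxed grant: requires a live principal and a recorded justification."""
        if principal not in self.active_principals:
            raise ValueError(f"unknown principal {principal}")
        if not justification.strip():
            raise ValueError("JIT access requires a justification")
        grant = Grant(principal, system, permission, now, now + ttl, None, justification)
        self.grants.append(grant)
        return grant

    def revoke(self, grant: Grant, reason: str, now: datetime) -> None:
        """Remove the grant and keep an audit record of why and when it was revoked."""
        self.grants.remove(grant)
        self.revocation_log.append({
            "principal": grant.principal, "system": grant.system,
            "permission": grant.permission, "reason": reason,
            "revoked_at": now.isoformat(),
        })

    def review(self, now: datetime,
               dormant_after: timedelta = timedelta(days=90)) -> List[Tuple[Grant, str]]:
        """Classify every grant; the order of checks is the order of remediation priority."""
        findings = []
        for g in self.grants:
            last_activity = g.last_used or g.granted_at
            if g.principal not in self.active_principals:
                findings.append((g, "orphaned"))              # owner no longer exists
            elif g.expires_at is not None and g.expires_at <= now:
                findings.append((g, "expired-jit"))           # time box elapsed, not yet revoked
            elif g.expires_at is None and now - last_activity >= dormant_after:
                findings.append((g, "dormant"))               # standing access nobody uses
            elif g.expires_at is None and g.permission in BROAD_PERMISSIONS:
                findings.append((g, "standing-privileged"))   # candidate for conversion to JIT
        return findings

    def remediate(self, now: datetime) -> Dict[str, list]:
        """Revoke orphaned, expired and dormant grants; report standing privilege for JIT conversion."""
        revoked, flagged = [], []
        for g, reason in self.review(now):           # review() returns a snapshot, so revoking is safe
            key = (g.principal, g.system, g.permission)
            if reason == "standing-privileged":
                flagged.append(key)
            else:
                self.revoke(g, reason, now)
                revoked.append(key + (reason,))
        return {"revoked": revoked, "flag_for_jit": flagged}


def build_sample_inventory(now: datetime) -> Inventory:
    """Constructed sample data: one healthy grant and one of each problem class."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    inv = Inventory(active_principals={"alice", "bob", "svc-ci-deploy"})
    inv.grants = [
        Grant("alice", "prod-db", "read", days_ago(140), last_used=days_ago(3)),                 # healthy
        Grant("bob", "prod-db", "admin", days_ago(200), last_used=days_ago(120)),                # dormant
        Grant("carol", "billing", "write", days_ago(365), last_used=days_ago(2)),                # carol has left: orphaned
        Grant("svc-ci-deploy", "cloud-account", "owner", days_ago(250), last_used=days_ago(1)),  # standing privilege
    ]
    # A JIT grant issued six hours ago with a four-hour TTL that nobody revoked.
    inv.grant_jit("alice", "prod-k8s", "cluster-admin", "change ticket CHG-0000 (constructed)",
                  now - timedelta(hours=6))
    return inv


def run_review(now: Optional[datetime] = None) -> Dict[str, list]:
    """Run one review cycle over the sample inventory and summarise what happened."""
    now = now or datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    inv = build_sample_inventory(now)
    result = inv.remediate(now)
    result["remaining"] = [(g.principal, g.system, g.permission) for g in inv.grants]
    result["log_entries"] = len(inv.revocation_log)
    return result


if __name__ == "__main__":
    for name, value in run_review().items():
        print(name, value)
```

The check order in `review` encodes the point made in the Q&A: the review is only useful because `remediate` acts on it, and an orphaned or expired grant is revoked before anything else is considered. Standing broad permissions are deliberately not auto-revoked; they are reported so that an owner can convert them into a JIT workflow, which is the conversion the second guidance point asks for.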
What's in the full article
Zluri's full blog covers the implementation detail this post intentionally leaves for the source:
- Role-by-role access control matrix examples for mapping users to permissions
- Operational detail on just-in-time provisioning and approval-driven revocation
- Practical steps for running periodic access reviews and removing unused access
- SOX-oriented review workflows and reporting outputs for audit preparation
Read Zluri's guide to SOC 2 access control challenges and implementation.
SOC 2 access control: are your governance controls keeping up?
Explore further
SOC 2 access control fails when entitlement governance is treated as a periodic review exercise rather than a living identity control. The article describes the right policy objectives, but the hard problem is that access changes continuously while review programmes usually do not. That gap matters across human access and NHI governance alike. Practitioners should treat access control as a lifecycle discipline, not a compliance checklist.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who is accountable when access control failures lead to SOC 2 gaps?
A: Accountability usually sits with the system owner, identity governance team, and access approver chain, but each organisation should assign one clear owner for entitlement accuracy and one for remediation. Without named accountability, access reviews become reporting exercises rather than operational controls.
Read our full editorial: SOC 2 access control exposes the limits of least privilege.