User access review automation: where IAM teams still struggle

TL;DR: Access review programmes fail when they depend on manual coordination instead of governed, auditable decision loops, according to Zluri. It describes how it automates user access review workflows for applications such as Salesforce, combining auto-discovery, multi-level certification, bulk reviewer actions, and closed-loop remediation to support compliance and least privilege across sensitive business systems.

NHIMG editorial — based on content published by Zluri: How We Do User Access Review at Zluri

By the numbers:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

Questions worth separating out

Q: How should security teams run user access reviews without turning them into manual admin work?

A: Use a certification workflow that collects access data automatically, routes it to named reviewers, and connects each decision to a remediation action.

Q: Why do user access reviews often fail to improve security in practice?

A: They fail when teams stop at review evidence and never enforce the decision.

Q: What signals show that access review is actually working?

A: Look for shrinking numbers of inactive, orphaned, and overprivileged accounts after each cycle, plus short time from decision to entitlement change.

Practitioner guidance

• Tie certification decisions to enforced remediation Ensure revoke and modify decisions trigger actual entitlement change in the application, not a follow-up ticket or email task.
• Standardise reviewer evidence Show last access time, account type, role, department, and privilege indicators so reviewers can make consistent decisions.
• Use access reviews to find lifecycle drift Track which accounts repeatedly appear in certifications because they are inactive, orphaned, or overprivileged, then treat that as a governance backlog.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• Step-by-step setup of a Salesforce access review campaign, including certification owner, reviewers, and recurrence settings.
• The exact reviewer workflow inside the platform, including bulk approve, revoke, and modify actions with mandatory comments.
• Examples of the audit-ready PDF output and how remediation playbooks are triggered after a decision is recorded.
• How Zluri maps application metadata such as job title, department, and license type into the certification experience.

👉 Read Zluri's guide to automating user access reviews in Salesforce →

User access review automation: where IAM teams still struggle?

Explore further

View Full Forum →  |  NHI Foundation Course →