User access review automation: where IAM teams still struggle


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Access review programmes fail when they depend on manual coordination instead of governed, auditable decision loops, according to Zluri. It describes how it automates user access review workflows for applications such as Salesforce, combining auto-discovery, multi-level certification, bulk reviewer actions, and closed-loop remediation to support compliance and least privilege across sensitive business systems.

NHIMG editorial — based on content published by Zluri: How We Do User Access Review at Zluri

By the numbers:

Questions worth separating out

Q: How should security teams run user access reviews without turning them into manual admin work?

A: Use a certification workflow that collects access data automatically, routes it to named reviewers, and connects each decision to a remediation action.

Q: Why do user access reviews often fail to improve security in practice?

A: They fail when teams stop at review evidence and never enforce the decision.

Q: What signals show that access review is actually working?

A: Look for shrinking numbers of inactive, orphaned, and overprivileged accounts after each cycle, plus short time from decision to entitlement change.

Practitioner guidance

  • Tie certification decisions to enforced remediation: Ensure revoke and modify decisions trigger actual entitlement change in the application, not a follow-up ticket or email task.
  • Standardise reviewer evidence: Show last access time, account type, role, department, and privilege indicators so reviewers can make consistent decisions.
  • Use access reviews to find lifecycle drift: Track which accounts repeatedly appear in certifications because they are inactive, orphaned, or overprivileged, then treat that as a governance backlog.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step setup of a Salesforce access review campaign, including certification owner, reviewers, and recurrence settings.
  • The exact reviewer workflow inside the platform, including bulk approve, revoke, and modify actions with mandatory comments.
  • Examples of the audit-ready PDF output and how remediation playbooks are triggered after a decision is recorded.
  • How Zluri maps application metadata such as job title, department, and license type into the certification experience.

👉 Read Zluri's guide to automating user access reviews in Salesforce →

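The closed loop the practitioner guidance above asks for, as an added example that is not part of the original post or of Zluri's product: a toy certification cycle over constructed Salesforce-style account records that derives reviewer evidence from the record, flags inactive, orphaned and overprivileged accounts, notes which ones are flagged again in a later cycle (lifecycle drift), and applies each reviewer decision to the entitlement itself. It goes one step beyond the text by running the same accounts through an evidence-only reviewer and an enforcing reviewer so the cycle metrics can be compared; the profile names, the 90-day inactivity threshold and the account records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
INACTIVE_AFTER, ADMIN = timedelta(days=90), "System Administrator"  # assumed profile name
@dataclass
class Account:
    user: str
    profile: str
    department: str                   # "" when HR has no owner record (orphaned)
    last_login: "datetime | None"
    active: bool = True
    history: list = field(default_factory=list)   # flags raised in earlier cycles
def evidence(acct, now):
    """Reviewer evidence derived from the record, not from reviewer memory."""
    stale = acct.last_login is None or now - acct.last_login > INACTIVE_AFTER
    checks = {"inactive": stale, "orphaned": not acct.department,
              "overprivileged": acct.profile == ADMIN and acct.department != "IT"}
    return [name for name, hit in checks.items() if hit]
def remediate(acct, decision, comment):
    """Closed loop: the recorded decision changes the entitlement itself."""
    if not comment or decision not in ("approve", "modify", "revoke"):
        raise ValueError("decision needs a comment and a known action")
    if decision == "revoke": acct.active = False
    elif decision == "modify": acct.profile = "Standard User"
def run_cycle(accounts, reviewer, now):
    """One certification cycle: flag counts plus accounts flagged last cycle too."""
    counts, repeats = {"inactive": 0, "orphaned": 0, "overprivileged": 0}, []
    for a in (x for x in accounts if x.active):
        flags = evidence(a, now)
        for f in flags: counts[f] += 1
        if flags and a.history and a.history[-1]:
            repeats.append(a.user)        # lifecycle drift
        a.history.append(flags)
        if flags:
            remediate(a, *reviewer(a, flags))
    return counts, sorted(repeats)
def rubber_stamp(acct, flags):        # evidence only, entitlements untouched
    return "approve", "reviewed"
def enforce(acct, flags):             # decision tied to an entitlement change
    if "inactive" in flags or "orphaned" in flags:
        return "revoke", "no owner or no use in 90 days"
    return "modify", "admin profile not justified for " + acct.department
def demo():   # constructed accounts: two rubber-stamp cycles, then two enforced
    t0 = datetime(2024, 1, 1)
    accts = [Account("alice", "Standard User", "Sales", t0 - timedelta(days=3)),
             Account("bob", "Standard User", "Sales", t0 - timedelta(days=200)),
             Account("carol", ADMIN, "Marketing", t0 - timedelta(days=5)),
             Account("svc-etl", "Standard User", "", None)]
    plan = [rubber_stamp, rubber_stamp, enforce, enforce]
    return [run_cycle(accts, p, t0 + timedelta(days=25 * i)) for i, p in enumerate(plan)]
```

demo() returns one (counts, repeats) pair per cycle: the two rubber-stamp cycles leave the counts unchanged and report the same accounts again, while the enforced cycles drive the counts to zero.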
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Access review is lifecycle governance, not a reporting task. Zluri’s workflow shows why certification only has value when it changes access state, not when it produces an audit PDF. Access review exists to remove unjustified entitlements before they become privilege creep, and that applies equally to human accounts, service accounts, and delegated application access. The practitioner takeaway is simple: if the review does not alter live entitlements, it is administrative theatre.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should own access review decisions in an IAM programme?

A: Ownership should sit with the people closest to business use, such as app owners or department heads, while IAM or IGA teams govern the workflow and enforcement. That split keeps decisions grounded in context without losing central control over evidence, auditability, and remediation.

👉 Read our full editorial: User access review automation at Zluri and what it means for IAM
