TL;DR: Manual access reviews consume 149 person-days per quarterly cycle and still let violations persist because organisations review only what their identity provider can see, according to Zluri. The real problem is incomplete discovery, not reviewer diligence: access governance built on partial visibility creates the illusion of control.
NHIMG editorial — based on content published by Zluri: Security & Compliance User Access Reviews: 101 Introductory Guide
By the numbers:
- Manual access reviews consume 149 person-days per quarterly cycle.
Questions worth separating out
Q: What breaks when user access reviews only cover the identity provider?
A: The review loses sight of direct app access, shadow IT, contractor accounts, and other entitlements that never flow through SSO.
Q: Why do manual access reviews still leave risky access behind?
A: Manual reviews fail when reviewers lack context and are asked to make too many decisions too quickly.
Q: How can security teams make access reviews more effective?
A: Start with complete discovery, then certify based on risk, role, and entitlement source instead of raw user counts.
Practitioner guidance
- Map the full access graph before the next certification cycle: inventory identities, applications, and direct entitlement paths outside the directory and SSO layer so reviews cover the full review population, not just visible users.
- Separate high-risk systems from broad quarterly review pools: run tighter certification for finance, admin, and customer-data systems, then apply broader group-based reviews only where the role taxonomy is reliable.
- Require contextual evidence in reviewer workflows: show entitlement age, last use, source of provision, and role context so managers are not approving access blind from a flat spreadsheet export.
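The three guidance points above describe one data problem: the review population must be built from what the applications themselves report, joined against what the identity provider thinks it granted, with the context a reviewer needs attached to each row. The script below is an added example written for this post, not code from Zluri's guide. All inputs are constructed (the IdP export, the application account exports, the `HIGH_RISK_APPS` set, the 90-day staleness threshold and the `TODAY` date are assumptions); it shows how direct, non-SSO accounts and orphaned SSO grants surface once both sides are reconciled, and how items are split into a tighter high-risk pool and a broader standard pool.

```python
"""Reconcile IdP (SSO) assignments against application-local account exports
to build a review population that includes access the IdP cannot see.
Added example, not from the original guide; all data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed sample: what the identity provider knows (SSO app assignments).
# "erin" has a CRM grant in the IdP but no matching account in the CRM export.
IDP_ASSIGNMENTS = [
    {"user": "alice", "app": "crm", "granted": "2024-01-10"},
    {"user": "bob", "app": "finance", "granted": "2023-06-01"},
    {"user": "carol", "app": "wiki", "granted": "2024-11-02"},
    {"user": "erin", "app": "crm", "granted": "2024-05-05"},
]

# Constructed sample: account lists exported directly from each application.
# The finance app holds a local service account and a contractor that never
# went through SSO, so the IdP has no record of either.
APP_ACCOUNTS = [
    {"app": "crm", "account": "alice", "role": "sales", "last_login": "2025-03-01"},
    {"app": "finance", "account": "bob", "role": "admin", "last_login": "2025-02-20"},
    {"app": "finance", "account": "svc-reporting", "role": "admin", "last_login": "2024-01-15"},
    {"app": "finance", "account": "dave-contractor", "role": "viewer", "last_login": "2024-08-30"},
    {"app": "wiki", "account": "carol", "role": "editor", "last_login": "2025-03-03"},
]

HIGH_RISK_APPS = {"finance"}   # assumed: systems that get the tighter pool
STALE_DAYS = 90                # assumed: unused for longer than this is flagged
TODAY = date(2025, 3, 10)      # assumed review date, fixed so results are stable


@dataclass
class ReviewItem:
    app: str
    account: str
    role: str
    source: str                      # "sso" if the IdP knows the grant, else "direct"
    entitlement_age_days: int | None  # None when the IdP has no grant record
    days_since_use: int
    tier: str                        # "high" or "standard"
    flags: list[str] = field(default_factory=list)


def build_review_population(idp, accounts, today=TODAY) -> list[ReviewItem]:
    """One review row per account the applications actually hold, with context."""
    sso_index = {(a["user"], a["app"]): a for a in idp}
    items = []
    for acct in accounts:
        grant = sso_index.get((acct["account"], acct["app"]))
        source = "sso" if grant else "direct"
        age = (today - date.fromisoformat(grant["granted"])).days if grant else None
        idle = (today - date.fromisoformat(acct["last_login"])).days
        flags = []
        if source == "direct":
            flags.append("not_visible_to_idp")   # the IdP-only review would miss this
        if idle > STALE_DAYS:
            flags.append("stale")
        if acct["role"] == "admin":
            flags.append("privileged")
        tier = "high" if acct["app"] in HIGH_RISK_APPS or "privileged" in flags else "standard"
        items.append(ReviewItem(acct["app"], acct["account"], acct["role"],
                                source, age, idle, tier, flags))
    return items


def orphaned_sso_grants(idp, accounts) -> list[tuple[str, str]]:
    """IdP grants with no account in the application: the reverse gap."""
    present = {(a["account"], a["app"]) for a in accounts}
    return [(a["user"], a["app"]) for a in idp if (a["user"], a["app"]) not in present]


def certification_pools(items: list[ReviewItem]) -> dict[str, list[str]]:
    """Split the population into the tighter high-risk pool and the broad pool."""
    pools: dict[str, list[str]] = {"high": [], "standard": []}
    for item in items:
        pools[item.tier].append(f"{item.app}:{item.account}")
    return pools


if __name__ == "__main__":
    population = build_review_population(IDP_ASSIGNMENTS, APP_ACCOUNTS)
    for row in population:
        print(f"{row.app:8} {row.account:16} {row.source:6} idle={row.days_since_use:4} "
              f"tier={row.tier:8} {','.join(row.flags)}")
    print("orphaned SSO grants:", orphaned_sso_grants(IDP_ASSIGNMENTS, APP_ACCOUNTS))
    print("pools:", certification_pools(population))
```

Run against the constructed data, the IdP-only view would have certified three users; the reconciled population has five rows, two of them (`svc-reporting`, `dave-contractor`) invisible to the IdP and both stale, plus one SSO grant (`erin` on `crm`) that points at nothing. Those are exactly the rows a flat spreadsheet export from the identity provider never shows a reviewer.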
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- A breakdown of when user-based, group-based, application-based, and role-based reviews make sense in real programmes.
- The article's step-by-step review workflow, including how managers, app owners, and IT teams are expected to split responsibilities.
- The reported time and labour metrics behind manual review cycles, including the author’s calculations for quarterly effort and cost.
- Implementation guidance for moving from quarterly certification toward continuous governance using automated discovery and remediation.
👉 Read Zluri's guide to security and compliance user access reviews →