TL;DR: As cloud services, mobile access and remote work expand the attack surface, user access reviews become the control that keeps permissions aligned with business need, according to Zluri. Regular certification helps limit privilege creep, dormant accounts and compliance drift, but only if reviews are operationally enforced, not treated as a calendar exercise.
NHIMG editorial — based on content published by Zluri (Security & Compliance): "Identity as the New Perimeter: Role of User Access Reviews"
By the numbers:
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%).
Questions worth separating out
Q: How should security teams structure user access reviews in SaaS-heavy environments?
A: Start with the applications and identities where access drift creates the most risk, then require reviewers to confirm current business need, owner and role alignment.
Q: Why do user access reviews matter if MFA and contextual access controls are already in place?
A: MFA and contextual controls reduce the chance of risky entry, but they do not correct access that was granted months ago and is no longer justified.
Q: What breaks when access reviews are manual in large identity estates?
A: Manual reviews break at scale because reviewer attention, entitlement records and remediation steps become inconsistent across applications.
Practitioner guidance
- Rebuild access review around entitlement justification: require reviewers to validate current business need, not just confirm that an account exists.
- Prioritise high-risk applications and roles first: start with SaaS systems, privileged users, contractors and dormant accounts, where stale access creates the highest exposure.
- Separate entry controls from post-grant review: use contextual controls such as device and location checks at sign-in, then use certifications to catch access that became excessive after provisioning.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step access certification workflow setup for application, user and group reviews
- Automation settings for reviewer assignment, fallback reviewers and scheduled certification cycles
- Hands-on remediation actions and template saving steps for repeatable review operations
- Platform-specific examples of how Zluri structures the review stage and approval flow
👉 Read Zluri's analysis of user access reviews and the identity perimeter →
User access reviews and the identity perimeter: are controls keeping up?
Explore further
Identity perimeter governance fails when access review is treated as a calendar event rather than a control. The article is right to frame identity as the new perimeter, but that perimeter only exists if entitlement state is continuously tested against business need. Once reviews become ceremonial, least privilege becomes an assumption, not an operating condition. The implication is that IGA maturity should be judged by entitlement accuracy, not certification completion rates.
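To make the practitioner guidance above and the point about entitlement accuracy concrete, here is an added example (not Zluri's code or workflow) that runs a review pass over a constructed entitlement export: it records findings per entitlement (missing owner, missing justification, dormancy, expired contractor), ranks the remediation queue privileged-and-contractor first, and reports certification completion rate beside entitlement accuracy so the two can be seen to diverge. The role labels, the 90-day dormancy threshold and the sample rows are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

PRIVILEGED_ROLES = {"admin", "owner", "billing"}  # assumed labels for this example

@dataclass
class Entitlement:
    user: str
    app: str
    role: str
    owner: str | None        # accountable business owner; None = unassigned
    user_type: str           # "employee" or "contractor"
    contract_end: date | None
    last_login: date | None
    justification: str       # reviewer's stated business need; "" = none given
    certified: bool          # reviewer approved the entitlement this cycle

def findings(e: Entitlement, today: date, dormant_days: int = 90) -> list[str]:
    """Reasons an entitlement is not justified, regardless of whether it was approved."""
    out = []
    if e.owner is None:
        out.append("no-owner")
    if not e.justification.strip():
        out.append("no-justification")
    if e.last_login is None or (today - e.last_login).days > dormant_days:
        out.append("dormant")
    if e.user_type == "contractor" and (e.contract_end is None or e.contract_end < today):
        out.append("contract-ended")
    return out

def risk_rank(e: Entitlement, found: list[str]) -> tuple:
    """Sort key: privileged roles first, then contractors, then most findings."""
    return (e.role not in PRIVILEGED_ROLES, e.user_type != "contractor", -len(found))

def run_review(ents: list[Entitlement], today: date) -> dict:
    scored = [(e, findings(e, today)) for e in ents]
    certified = sum(1 for e, _ in scored if e.certified)
    # Accuracy counts an entitlement only if it was approved AND has no findings.
    accurate = sum(1 for e, f in scored if e.certified and not f)
    queue = sorted(((e, f) for e, f in scored if f), key=lambda ef: risk_rank(*ef))
    return {
        "completion_rate": certified / len(ents),
        "entitlement_accuracy": accurate / len(ents),
        "remediation_queue": [(e.user, e.app, f) for e, f in queue],
    }

TODAY = date(2025, 6, 1)
SAMPLE = [  # constructed sample export, not real data
    Entitlement("alice", "crm", "admin", "sales-lead", "employee", None, date(2025, 5, 28), "runs pipeline reports", True),
    Entitlement("bob", "crm", "viewer", "sales-lead", "employee", None, date(2025, 1, 10), "", True),
    Entitlement("carol", "payroll", "admin", None, "contractor", date(2025, 3, 31), date(2025, 5, 30), "year-end audit", True),
    Entitlement("dave", "wiki", "editor", "docs-owner", "employee", None, date(2025, 5, 20), "maintains runbooks", False),
]
```

On the sample, three of four entitlements are certified (75% completion) but only one is both certified and justified (25% accuracy), and the expired contractor admin lands at the top of the queue.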
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who should be accountable when access reviews fail to remove excessive privileges?
A: Accountability should sit with the entitlement owner and the business manager who approved the access, not only with the IAM team. Governance fails when ownership is unclear or when reviewers can approve access without being able to trigger removal. Clear remediation authority is what turns certification into control.
👉 Read our full editorial: User access reviews are becoming the new identity perimeter