
User access reviews and the identity perimeter: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: As cloud services, mobile access and remote work expand the attack surface, user access reviews become the control that keeps permissions aligned with business need, according to Zluri. Regular certification helps limit privilege creep, dormant accounts and compliance drift, but only if reviews are operationally enforced, not treated as a calendar exercise.

NHIMG editorial — based on content published by Zluri: Security & Compliance Identity as the New Perimeter: Role of User Access Reviews

By the numbers:

Questions worth separating out

Q: How should security teams structure user access reviews in SaaS-heavy environments?

A: Start with the applications and identities where access drift creates the most risk, then require reviewers to confirm current business need, owner and role alignment.

Q: Why do user access reviews matter if MFA and contextual access controls are already in place?

A: MFA and contextual controls reduce the chance of risky entry, but they do not correct access that was granted months ago and is no longer justified.

Q: What breaks when access reviews are manual in large identity estates?

A: Manual reviews break at scale because reviewer attention, entitlement records and remediation steps become inconsistent across applications.

Practitioner guidance

  • Rebuild access review around entitlement justification: require reviewers to validate current business need, not just confirm that an account exists.
  • Prioritise high-risk applications and roles first: start with SaaS systems, privileged users, contractors and dormant accounts where stale access creates the highest exposure.
  • Separate entry controls from post-grant review: use contextual controls such as device and location checks at sign-in, then use certifications to catch access that became excessive after provisioning.
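As an added example (not code from Zluri or the original post), a small Python triage of the kind the guidance above describes: it orders a constructed entitlement inventory so privileged, contractor and dormant access is certified first, and records the justification step each reviewer must complete rather than a bare existence check. The record fields, the weights and the 90-day dormancy threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold, not Zluri's

@dataclass
class Entitlement:
    user: str
    app: str
    role: str
    owner: str          # accountable business owner; "" if unrecorded
    justification: str  # current business need; "" if never captured
    privileged: bool
    contractor: bool
    last_used: date     # date.min if no sign-in is on record

def is_dormant(e, today):
    return today - e.last_used > DORMANT_AFTER  # no use inside the window

def risk_score(e, today):
    """Higher score certifies first. Weights are illustrative assumptions."""
    score = 4 * e.privileged + 2 * e.contractor + 3 * is_dormant(e, today)
    if not e.justification or not e.owner:
        score += 1  # cannot be justified without an owner and a stated need
    return score

def review_queue(ents, today):
    """Order entitlements by risk and attach the action each reviewer must take."""
    queue = []
    for e in ents:
        actions = []
        if not e.owner:
            actions.append("assign owner")
        if not e.justification:
            actions.append("capture business need")
        if is_dormant(e, today):
            actions.append("confirm need or revoke (dormant)")
        if not actions:
            actions.append("confirm role alignment")  # existence alone is not enough
        queue.append((e, risk_score(e, today), actions))
    queue.sort(key=lambda item: item[1], reverse=True)
    return queue

# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Entitlement("alice", "crm", "sales-rep", "bob", "Q2 pipeline", False, False, date(2024, 5, 28)),
    Entitlement("carol", "payroll", "admin", "", "", True, True, date(2023, 11, 2)),
    Entitlement("dave", "wiki", "editor", "erin", "docs", False, False, date.min),
]
```

On the sample, `review_queue(SAMPLE, TODAY)` puts the dormant privileged contractor first with three outstanding actions, the never-used wiki editor second, and the actively used sales role last with only a role-alignment confirmation.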

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step access certification workflow setup for application, user and group reviews
  • Automation settings for reviewer assignment, fallback reviewers and scheduled certification cycles
  • Hands-on remediation actions and template saving steps for repeatable review operations
  • Platform-specific examples of how Zluri structures the review stage and approval flow

👉 Read Zluri's analysis of user access reviews and the identity perimeter →
