TL;DR: Manual quarterly access reviews leave ERP, cloud, and ITSM environments exposed to audit findings, insider fraud, and segregation-of-duties failures, according to SafePaaS. Continuous, evidence-based identity governance is now the practical baseline because reactive certification cycles cannot keep pace with modern entitlement sprawl.
NHIMG editorial — based on content published by SafePaaS: continuous user access review and identity governance
By the numbers:
- 75% of access-related audit findings stem from poor visibility and manual review processes.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams move from quarterly access reviews to continuous governance?
A: Security teams should connect live entitlement data, policy checks, and remediation workflows so access is evaluated as conditions change.
Q: Why do manual access reviews keep missing toxic access combinations?
A: Manual reviews miss toxic combinations because they rely on stale snapshots, human memory, and incomplete context across systems.
Q: What breaks when privileged access is not part of identity governance?
A: Governance breaks at the highest-risk tier because privileged accounts can create, hide, or amplify access problems that normal reviews do not surface.
Practitioner guidance
- Replace quarterly attestation with live entitlement review: tie certification to current access data from ERP, cloud, and ITSM systems so reviewers see active entitlements, not stale exports.
- Unify provisioning checks with SoD policy enforcement: evaluate access requests against segregation-of-duties rules before approval is granted, and block conflicting entitlements from being created in the first place.
- Connect PAM telemetry to governance workflows: feed privileged account activity, dormant elevation, and exception status into the same review process used for standard entitlements.
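The second and third points above describe one control: an SoD check that runs on live entitlements plus the pending request, with dormant privileged elevation fed into the same queue. The following is an added illustration, not SafePaaS code; the entitlement names, SoD rule pairs, and telemetry values are constructed for the example.

```python
"""Added example (not SafePaaS code): block an access request when the
proposed entitlement set violates a segregation-of-duties (SoD) rule, and
surface dormant privileged elevations for the same review queue.
Entitlement names, rules and sample telemetry below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed SoD rule set: each value is a toxic pair of entitlements.
SOD_RULES = {
    "vendor_create_vs_payment_approve": {"erp:vendor_master_maintain", "erp:ap_payment_approve"},
    "cloud_admin_vs_cloud_audit": {"aws:iam_full_access", "aws:cloudtrail_manage"},
    "change_approve_vs_change_implement": {"itsm:change_approve", "itsm:change_implement"},
}

@dataclass
class Identity:
    user: str
    entitlements: set = field(default_factory=set)
    # privileged entitlement -> ISO date of last use (constructed PAM telemetry)
    privileged_last_used: dict = field(default_factory=dict)

def sod_conflicts(identity, requested):
    """Return the SoD rules that would be violated if `requested` were granted.
    The check uses current entitlements plus the pending request, so the
    conflicting entitlement is never provisioned rather than caught later."""
    proposed = identity.entitlements | {requested}
    return sorted(rule for rule, pair in SOD_RULES.items() if pair <= proposed)

def evaluate_request(identity, requested):
    """Provisioning decision: approve only when no SoD rule is violated."""
    conflicts = sod_conflicts(identity, requested)
    return {"user": identity.user, "requested": requested,
            "decision": "blocked" if conflicts else "approved",
            "conflicts": conflicts}

def dormant_elevations(identity, today_iso, max_idle_days=30):
    """Privileged entitlements unused for longer than max_idle_days; these
    go into the same review queue as standard entitlements for revocation."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_idle_days)
    return sorted(ent for ent, last in identity.privileged_last_used.items()
                  if date.fromisoformat(last) < cutoff)

if __name__ == "__main__":
    alice = Identity("alice", {"erp:vendor_master_maintain", "aws:iam_full_access"},
                     {"aws:iam_full_access": "2024-01-02"})
    print(evaluate_request(alice, "erp:ap_payment_approve"))  # blocked
    print(dormant_elevations(alice, "2024-03-01"))            # ['aws:iam_full_access']
```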
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- Platform-specific workflow design for automated access certifications across ERP and ITSM environments
- Detailed handling of segregation-of-duties conflicts, exception routing, and approval evidence
- Integration patterns for privileged access management platforms and audit-ready reporting
- Implementation context for moving from periodic reviews to continuous governance
👉 Read SafePaaS's analysis of continuous user access review and identity governance →
User access reviews: are your governance controls keeping up?
Explore further
Continuous review has become the real control boundary. Quarterly certification was designed for access states that change slowly enough to be sampled. That assumption fails when ERP, cloud, and ITSM entitlements move continuously and privileged access can be abused between review windows. The implication is that governance must be treated as a live control layer, not a periodic audit artifact.
A few things that frame the scale:
- Nearly 75% of access-related audit findings stem from poor visibility and manual review processes, according to Top 10 NHI Issues.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to the 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when access review failures lead to audit findings or fraud?
A: Accountability sits with the control owner, the business approver, and the governance function that defined the review process. Regulators and auditors expect evidence that access controls are operating continuously, not just that a review happened. A documented process without live enforcement does not satisfy that expectation.
👉 Read our full editorial: Continuous user access review is becoming identity governance