User access reviews at scale: are manual controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Manual user access reviews can consume hundreds of hours per cycle and still leave access creep, terminated accounts, and machine identities unchallenged, according to Delinea's analysis. Automation turns access certification from a spreadsheet exercise into a control that can keep pace with hybrid environments and NHI sprawl.

NHIMG editorial — based on content published by Delinea: Save time and reduce risk by automating User Access Reviews

By the numbers:

Questions worth separating out

Q: How should organisations automate user access reviews without weakening control quality?

A: Organisations should automate data collection, reviewer routing, reminders, remediation, and evidence capture, but keep human decision-making at the approval stage.

Q: When do user access reviews become too risky to run manually?

A: Manual reviews become too risky when the organisation has multiple systems, frequent role changes, or large volumes of human and non-human access.

Q: What is the difference between access certification and provisioning?

A: Access certification checks whether existing access should remain in place, while provisioning grants or removes access in the source system.

Practitioner guidance

  • Map UAR scope to business risk: classify applications by data sensitivity, fraud exposure, and regulatory impact, then set review cadence accordingly.
  • Automate ownership and reviewer routing: use attributes such as department, manager, location, and role ownership to route certifications to the right decision-maker.
  • Validate removals in the source system: do not count a campaign as complete until rejected access is removed in the source application and the change is verified.

With 57% of organisations lacking a complete inventory of their machine identities, certification programs that do not account for non-human access will miss part of the risk surface entirely.

👉 Read Delinea's analysis of automating user access reviews for least privilege →


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Automated access certification is now a lifecycle control, not a quarterly admin task. The article describes a familiar compliance process, but the real issue is lifecycle governance across a much larger identity estate. When access changes faster than review cycles, the organisation is no longer validating least privilege in practice. The practitioner conclusion is straightforward: access review must be integrated with provisioning, remediation, and ownership data.

A few things that frame the scale:

A question worth separating out:

Q: How can teams govern machine identities and AI agents in access reviews?

A: Teams should assign ownership, define review cadence, and include machine identities and AI agents in the same certification logic as human access, but with role-appropriate approvers. If a non-human identity can act on sensitive data, it needs a lifecycle owner and a removal path just like any other privileged account.

👉 Read our full editorial: Automating user access reviews for least-privilege at enterprise scale
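
The routing, ownership and removal-verification logic described in the practitioner guidance above (route certifications by identity attributes, escalate non-human identities that have no lifecycle owner to a role-appropriate approver, and do not close a campaign until rejected access is confirmed gone in the source system) as a small worked example. This is an added illustration, not code from either post or from Delinea's article; the account names, the `SourceSystem` connector and the sample entitlements and decisions are all constructed for the example.

```python
"""Toy access-certification campaign: attribute-based reviewer routing,
NHI ownership checks and source-system verification of removals.
Added example; every name and data item below is constructed, not
taken from the article or the posts above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    account: str                    # human user or non-human identity (NHI)
    app: str                        # application of record
    role: str                       # role held in that application
    kind: str                       # "human" or "nhi"
    manager: Optional[str] = None   # humans: line manager (routing attribute)
    owner: Optional[str] = None     # NHIs: lifecycle owner (routing attribute)
    app_owner: str = ""             # application owner (escalation path)

    def key(self) -> Tuple[str, str, str]:
        return (self.account, self.app, self.role)


# Constructed sample entitlements; "svc-legacy" is an NHI with no lifecycle owner.
ENTITLEMENTS: List[Entitlement] = [
    Entitlement("alice", "payroll", "admin", "human", manager="bob", app_owner="carol"),
    Entitlement("dave", "crm", "read", "human", manager="erin", app_owner="frank"),
    Entitlement("svc-etl", "payroll", "export", "nhi", owner="bob", app_owner="carol"),
    Entitlement("svc-legacy", "payroll", "export", "nhi", app_owner="carol"),
]

# Constructed reviewer decisions; svc-legacy has not been decided yet.
DECISIONS: Dict[Tuple[str, str, str], str] = {
    ("alice", "payroll", "admin"): "reject",
    ("dave", "crm", "read"): "reject",
    ("svc-etl", "payroll", "export"): "approve",
}


class SourceSystem:
    """Stand-in connector for an application of record (hypothetical API).
    drops_revokes=True simulates a revoke call that returns success without
    actually changing the grant, which is why removals must be verified."""

    def __init__(self, grants: Set[Tuple[str, str]], drops_revokes: bool = False):
        self.grants = set(grants)
        self.drops_revokes = drops_revokes

    def revoke(self, account: str, role: str) -> bool:
        if not self.drops_revokes:
            self.grants.discard((account, role))
        return True  # the API reports success either way

    def has_access(self, account: str, role: str) -> bool:
        return (account, role) in self.grants


SYSTEMS: Dict[str, SourceSystem] = {
    "payroll": SourceSystem({("alice", "admin"), ("svc-etl", "export"), ("svc-legacy", "export")}),
    "crm": SourceSystem({("dave", "read")}, drops_revokes=True),
}


def route_reviewer(e: Entitlement) -> str:
    """Humans go to their manager, NHIs to their lifecycle owner; anything
    without a routable owner escalates to the application owner so that no
    entitlement is silently skipped or rubber-stamped by a default approver."""
    if e.kind == "human" and e.manager:
        return e.manager
    if e.kind == "nhi" and e.owner:
        return e.owner
    return e.app_owner


def is_orphaned_nhi(e: Entitlement) -> bool:
    return e.kind == "nhi" and e.owner is None


def certify(e: Entitlement, decision: Optional[str], system: SourceSystem) -> dict:
    """Apply one reviewer decision and record evidence. A rejection only
    counts as 'removed' after the source system confirms the grant is gone."""
    record = {"key": e.key(), "reviewer": route_reviewer(e),
              "decision": decision, "status": "", "flags": []}
    if is_orphaned_nhi(e):
        record["flags"].append("nhi_without_lifecycle_owner")
    if decision is None:
        record["status"] = "pending"
    elif decision == "approve":
        record["status"] = "retained"
    elif decision == "reject":
        system.revoke(e.account, e.role)
        gone = not system.has_access(e.account, e.role)
        record["status"] = "removed" if gone else "removal_unverified"
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return record


def run_campaign(entitlements, decisions, systems) -> dict:
    """Run the campaign; it is complete only when every item is retained or
    verifiably removed (pending and unverified items keep it open)."""
    records = [certify(e, decisions.get(e.key()), systems[e.app]) for e in entitlements]
    complete = all(r["status"] in ("retained", "removed") for r in records)
    return {"complete": complete, "records": records}


if __name__ == "__main__":
    result = run_campaign(ENTITLEMENTS, DECISIONS, SYSTEMS)
    for r in result["records"]:
        print(r)
    print("campaign complete:", result["complete"])
```

On the constructed data the campaign stays open for two different reasons: the `crm` revoke reports success but the follow-up `has_access` check shows the grant still present, so that item is recorded as `removal_unverified` rather than `removed`; and the orphaned `svc-legacy` account is routed to the application owner and flagged, so a missing lifecycle owner becomes a visible finding instead of an entitlement that nobody was asked to review.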
