Security teams should not rely on the identity provider alone to scope access reviews. A review scope that only sees SSO-connected apps will miss shadow IT, personal purchases, browser-only SaaS, and other unmanaged access paths. The practical move is to combine IdP data with finance, endpoint, browser, and CASB discovery so the review list reflects the true attack surface.
Why This Matters for Security Teams
Access reviews only work when the review scope matches the estate that users can actually reach. If the process starts and ends with the identity provider, it will miss browser-only SaaS, self-purchased tools, unmanaged integrations, and assets discovered outside SSO. That creates a false sense of coverage and leaves access decisions based on an incomplete map of risk. The same pattern applies to non-human identities, where the Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into service accounts.
This is not just a hygiene issue. Incomplete review scopes distort entitlement recertification, delay deprovisioning, and hide orphaned access paths that attackers and insiders can exploit. Standards-based guidance such as the OWASP Non-Human Identity Top 10 reinforces that visibility is a prerequisite for governance, not an afterthought. In practice, many security teams discover the gap only after a SaaS audit, a finance reconciliation, or an incident reveals that the reviewed application list was never the full application estate.
How It Works in Practice
The practical fix is to build the review population from multiple sources, then deduplicate and classify what is actually in use. IdP data is still useful, but it should be only one feed among several. Finance and procurement reveal paid subscriptions that never touched SSO. Endpoint telemetry shows installed desktop apps and local launchers. Browser discovery captures web apps accessed directly. CASB and SaaS discovery identify shadow IT and connected integrations. For NHI-related access, the Ultimate Guide to NHIs — Key Challenges and Risks is clear that third-party exposure and excessive privileges are common enough to warrant broader discovery.
A good operating model usually includes:
- One authoritative inventory of business systems, not one list per control owner.
- Connector-based ingestion from IdP, finance, endpoint, browser, CASB, and cloud platforms.
- Normalization of app names, vendors, and ownership so duplicate records do not slip through reviews.
- Risk flags for personal purchases, unmanaged SaaS, and apps with no SSO or no admin ownership.
- Separate handling for non-human access, since service accounts, API keys, and OAuth grants often sit outside human recertification workflows.
Current guidance suggests that access reviews should be evidence-led rather than source-led: the reviewer should see the app, the owner, the user or secret path, and the business justification in one place. That aligns with the control intent in the OWASP Non-Human Identity Top 10, which treats weak visibility as a security failure, not merely an inventory problem. These controls tend to break down in decentralized SaaS environments where business units can buy and connect tools without passing through procurement or identity governance.
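As an added illustration of the multi-source model described above (example code written for this page, not tooling from NHI Mgmt Group or any vendor): the four feeds, their field names, the normalisation rule and the flag names are all constructed assumptions. The script merges IdP, finance, browser and CASB records into one inventory keyed on a normalised app name, flags what an IdP-only scope would have missed, and routes apps with OAuth grants to a separate NHI queue.

```python
"""Build an access-review population from several discovery feeds, not just the IdP.

Added example, not code from the original page or from NHI Mgmt Group. Every
feed record below is constructed sample data; the field names, the
normalisation rule and the flag names are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed feeds. Each source sees a different slice of the same estate.
IDP_APPS = [                      # federated through SSO
    {"name": "Slack", "vendor": "Slack Technologies", "owner": "it-collab"},
    {"name": "GitHub Enterprise", "vendor": "GitHub", "owner": "platform-eng"},
]
FINANCE_SUBS = [                  # paid subscriptions from expense / AP data
    {"name": "slack", "vendor": "Slack Technologies, Inc.", "card": "corporate"},
    {"name": "Notion", "vendor": "Notion Labs", "card": "personal"},
]
BROWSER_APPS = [                  # web apps seen in browser telemetry
    {"name": "Notion", "vendor": "Notion Labs, Inc."},
    {"name": "Figma", "vendor": "Figma Inc"},
]
CASB_APPS = [                     # SaaS discovery, with connected OAuth grants
    {"name": "Figma", "vendor": "Figma, Inc.", "oauth_grants": 3},
    {"name": "Github Enterprise", "vendor": "GitHub, Inc.", "oauth_grants": 12},
]

_SUFFIX = re.compile(r"\b(inc|llc|ltd|corp|technologies|labs)\b", re.I)


def normalize(text: str) -> str:
    """Lower-case, drop corporate suffixes and punctuation, squeeze spaces.
    'GitHub, Inc.' and 'GitHub' then both become vendor 'github'."""
    text = _SUFFIX.sub(" ", text)
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


@dataclass
class App:
    key: str                       # normalised app name, the dedupe key
    display: str
    vendor: str = ""
    owner: Optional[str] = None
    in_idp: bool = False
    personal_purchase: bool = False
    oauth_grants: int = 0
    sources: Set[str] = field(default_factory=set)
    flags: List[str] = field(default_factory=list)


def build_population() -> Dict[str, App]:
    """Merge all feeds into one inventory keyed on the normalised app name."""
    apps: Dict[str, App] = {}

    def record(src: str, r: dict) -> App:
        key = normalize(r["name"])
        app = apps.setdefault(key, App(key=key, display=r["name"]))
        app.sources.add(src)
        app.vendor = app.vendor or normalize(r.get("vendor", ""))
        return app

    for r in IDP_APPS:
        app = record("idp", r)
        app.in_idp, app.owner = True, r["owner"]
    for r in FINANCE_SUBS:
        app = record("finance", r)
        app.personal_purchase = app.personal_purchase or r["card"] == "personal"
    for r in BROWSER_APPS:
        record("browser", r)
    for r in CASB_APPS:
        app = record("casb", r)
        app.oauth_grants = app.oauth_grants + r["oauth_grants"]

    # Risk flags a reviewer should see next to the app, owner and path.
    for app in apps.values():
        if not app.in_idp:
            app.flags.append("no-sso")            # reached without the IdP
        if app.owner is None:
            app.flags.append("no-owner")          # nobody to recertify it
        if app.personal_purchase:
            app.flags.append("personal-purchase")
        if app.oauth_grants:
            app.flags.append("nhi-review")        # grants go to the NHI workflow
    return apps


def idp_blind_spots(apps: Dict[str, App]) -> List[str]:
    """Apps an IdP-only review scope would never have listed."""
    return sorted(k for k, a in apps.items() if not a.in_idp)


if __name__ == "__main__":
    population = build_population()
    for app in population.values():
        print(f"{app.display:18} {sorted(app.sources)!s:32} {app.flags}")
    print("missed by IdP-only scope:", idp_blind_spots(population))
```

With these constructed feeds the IdP alone lists two of the four apps in use; the other two arrive only through finance, browser and CASB data, and both carry the no-owner flag that tiering and recertification need to act on.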
Common Variations and Edge Cases
Tighter scope control often increases operational overhead, requiring organisations to balance review accuracy against integration effort and owner fatigue. That tradeoff is real, especially in environments with many short-lived apps, multiple IdPs, or regional procurement processes. Best practice is evolving here, and there is no universal standard for the exact source mix, but the goal is consistent: reviewers should assess the real attack surface, not just the managed one.
Edge cases matter. Shared mailboxes, embedded SaaS inside another platform, and AI-enabled productivity tools can all create access paths that never show up cleanly in a classic entitlement report. For NHI-heavy environments, the issue becomes harder because OAuth grants, service accounts, and API keys can persist long after the app owner thinks the tool is gone. The NHI Lifecycle Management Guide is relevant here because offboarding and revocation must extend beyond human accounts to every credential path tied to the application.
Security teams should also watch for review sprawl. If every discovered app is treated the same, approvers will default to rubber-stamping. A better pattern is to tier the estate: critical apps, regulated apps, unmanaged apps, and service-to-service access paths. That keeps the review practical while still surfacing shadow IT and hidden privileges. The right question is not whether the IdP saw the app, but whether the organisation can prove who has access, by what path, and under whose ownership.
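An added example of the tiering and of the persistence problem discussed in the two paragraphs above (written for this page, not code from NHI Mgmt Group; the inventory, the credential records, the tier names and the tier rules are constructed assumptions). It places active apps into human review tiers, keeps service-to-service paths in their own queue, and lists credentials that remain active for apps that are retired, ownerless, or absent from the inventory altogether.

```python
"""Tier the discovered estate and find credential paths that outlive an app.

Added example, not code from the original page or from NHI Mgmt Group. The
inventory and credential records are constructed; the tier names and rules
are assumptions chosen to match the tiers suggested in the text.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed inventory in the shape a merged discovery pass might produce.
APPS = {
    "payroll":   {"owner": "hr-ops",       "sso": True,  "regulated": True,  "critical": True,  "status": "active"},
    "ci-runner": {"owner": "platform-eng", "sso": True,  "regulated": False, "critical": True,  "status": "active"},
    "figma":     {"owner": None,           "sso": False, "regulated": False, "critical": False, "status": "active"},
    "old-crm":   {"owner": "sales-ops",    "sso": True,  "regulated": True,  "critical": False, "status": "retired"},
}

# Constructed non-human credential paths, each tied to an app by name.
# "legacy-etl" is deliberately missing from APPS: a key nobody inventoried.
CREDENTIALS = [
    {"id": "oauth-1", "kind": "oauth_grant",     "app": "old-crm",    "active": True},
    {"id": "svc-7",   "kind": "service_account", "app": "old-crm",    "active": True},
    {"id": "key-3",   "kind": "api_key",         "app": "ci-runner",  "active": True},
    {"id": "oauth-9", "kind": "oauth_grant",     "app": "figma",      "active": True},
    {"id": "key-4",   "kind": "api_key",         "app": "payroll",    "active": False},
    {"id": "key-8",   "kind": "api_key",         "app": "legacy-etl", "active": True},
]


def tier(app: dict) -> str:
    """Assign one review tier; order matters because an app can match several."""
    if app["regulated"]:
        return "regulated"
    if app["critical"]:
        return "critical"
    if not app["sso"] or app["owner"] is None:
        return "unmanaged"
    return "standard"


def review_queues(apps: dict = APPS, creds: list = CREDENTIALS) -> Dict[str, List[str]]:
    """Human recertification queues per tier, plus one queue for every
    active service-to-service path so NHI access is never folded into
    a human approver's list."""
    queues: Dict[str, List[str]] = defaultdict(list)
    for name, app in apps.items():
        if app["status"] == "active":
            queues[tier(app)].append(name)
    for c in creds:
        if c["active"]:
            queues["service-to-service"].append(c["id"])
    return {k: sorted(v) for k, v in queues.items()}


def orphaned_paths(apps: dict = APPS, creds: list = CREDENTIALS) -> List[str]:
    """Active credentials whose app is retired, has no owner, or is not in
    the inventory at all: the paths that survive after the owner thinks
    the tool is gone."""
    out = []
    for c in creds:
        if not c["active"]:
            continue
        app = apps.get(c["app"])
        if app is None or app["status"] == "retired" or app["owner"] is None:
            out.append(c["id"])
    return sorted(out)


if __name__ == "__main__":
    for name, members in review_queues().items():
        print(f"{name:20} {members}")
    print("credential paths needing revocation or an owner:", orphaned_paths())
```

Note that the retired CRM drops out of the human queues entirely, yet two of its credentials are still live; without the separate service-to-service pass those paths would never be seen by any reviewer.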
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware must be managed, which presumes the organisation knows every app and access path a review should cover. |
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Apps and credentials missing from the review scope are never offboarded, so review blind spots become orphaned access. |
| NIST AI RMF | | The AI RMF supports governance over complex, changing access ecosystems and decision accountability. |
Build the review population from all discovery sources, not just the IdP, and maintain one authoritative asset inventory.
Related resources from NHI Mgmt Group
- How should security teams run access reviews for non-human identities?
- How should security teams govern non-human identities that have persistent access?
- How should security teams make NHI best practices usable across the business?
- How should security teams govern API keys used for generative AI access?
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org