When access reviews are only completed on paper, the control exists in name but not in practice. Auditors can quickly see that nobody evaluated usage, business need, or role fit. That weakens least privilege, increases repeat findings, and forces teams into manual remediation because the organisation cannot prove that access decisions were meaningful.
Why This Matters for Security Teams
Paper-only access reviews create a control that looks complete but cannot prove anything about actual use. That matters because access recertification is supposed to test whether an identity still needs its permissions, whether its role assignment still fits the job, and whether privileged access is being used as intended. When the review happens on a spreadsheet or a printed form, those checks are usually reduced to signatures rather than evidence. Current guidance from the OWASP Non-Human Identity Top 10 treats weak governance and missing lifecycle controls as core risk drivers, not paperwork issues. For non-human identities, the gap is even wider. A service account, API key, or automation token can accumulate entitlements long after the business process changed, and paper reviews rarely surface that drift. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which makes manual review especially fragile; the broader context is covered in the Ultimate Guide to NHIs and the Ultimate Guide to NHIs — Key Challenges and Risks. In practice, many security teams discover stale access only after an audit exception, an incident, or a production outage has already exposed the weakness.
How It Works in Practice
An effective access review needs evidence, not endorsement. A real review should show who used the access, when it was used, whether the access matched its business purpose, and whether the entitlement still fits the role or workload. That means pulling logs from IAM, PAM, cloud platforms, ticketing systems, and application telemetry, then comparing them against the approved access path. For human users, role-based access control still helps, but the review should verify usage patterns and business need rather than asking managers to approve inherited rights from memory alone. For NHIs, the same process should examine workload identity, secret age, rotation history, and whether the account is still tied to an active system or pipeline. A practical review workflow usually includes:
- usage evidence from logs, not only attestation signatures
- exception handling for privileged or break-glass access
- removal of dormant entitlements after a defined inactivity threshold
- validation that secrets and tokens are rotated or revoked when access is removed
- reassignment checks when the role, service, or agent has changed
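The workflow above, as an added example that is not code from NHIMG or from any product: a small Python review engine that decides each entitlement from constructed usage evidence rather than from a signature. It applies a tighter inactivity threshold to privileged entitlements than to standard ones, flags NHIs whose owning workload is no longer in the inventory, and ties the secret decision to the entitlement decision (revoke when nothing remains, rotate when the secret is merely stale). The identities, workloads, log events, and the 30/90/90-day thresholds are assumptions made for the example, not policy values the page prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Review cut-off and tiered policy thresholds. The day counts are assumed
# values for this example, not a published standard.
REVIEW_DATE = datetime(2026, 6, 1)
INACTIVITY_THRESHOLD = {True: timedelta(days=30), False: timedelta(days=90)}  # privileged -> tighter
MAX_SECRET_AGE = timedelta(days=90)

# Constructed sample inventory (hypothetical identities, not from any real tenant).
# (identity, kind, permission, privileged, owning workload for NHIs)
ENTITLEMENTS: List[Tuple[str, str, str, bool, Optional[str]]] = [
    ("alice",      "human", "billing:read", False, None),
    ("alice",      "human", "iam:admin",    True,  None),
    ("svc-deploy", "nhi",   "k8s:deploy",   True,  "ci-pipeline-prod"),
    ("svc-report", "nhi",   "db:read",      False, "nightly-report-job"),
    ("svc-legacy", "nhi",   "s3:write",     False, "legacy-etl"),
]

# Constructed usage evidence, as it would be pulled from cloud audit / PAM logs:
# (identity, permission, timestamp of observed use)
USAGE_EVENTS: List[Tuple[str, str, datetime]] = [
    ("alice",      "billing:read", datetime(2026, 5, 28)),
    ("alice",      "iam:admin",    datetime(2026, 2, 1)),   # privileged, idle for 4 months
    ("svc-deploy", "k8s:deploy",   datetime(2026, 5, 31)),
    ("svc-report", "db:read",      datetime(2026, 1, 10)),  # idle for about 5 months
    # svc-legacy: no usage at all inside the evidence window
]

# Constructed secret inventory: identity -> last rotation timestamp
SECRETS: Dict[str, datetime] = {
    "svc-deploy": datetime(2026, 1, 15),
    "svc-report": datetime(2025, 6, 1),
    "svc-legacy": datetime(2025, 3, 1),
}

# Workloads still present in the deployment inventory; legacy-etl was decommissioned
ACTIVE_WORKLOADS: Set[str] = {"ci-pipeline-prod", "nightly-report-job"}


@dataclass(frozen=True)
class Finding:
    identity: str
    permission: Optional[str]   # None for identity-level (secret) findings
    action: str                 # remove_dormant | orphaned_workload | rotate_secret | revoke_secret
    evidence: str               # the log-derived fact that justifies the action


def last_use(identity: str, permission: str, events) -> Optional[datetime]:
    """Most recent observed use of an (identity, permission) pair, or None if never seen."""
    seen = [ts for i, p, ts in events if i == identity and p == permission]
    return max(seen) if seen else None


def run_review(entitlements=ENTITLEMENTS, events=USAGE_EVENTS, secrets=SECRETS,
               active_workloads=ACTIVE_WORKLOADS, review_date=REVIEW_DATE) -> List[Finding]:
    findings: List[Finding] = []
    retains_access: Set[str] = set()   # identities that keep at least one entitlement

    for identity, kind, perm, privileged, workload in entitlements:
        limit = INACTIVITY_THRESHOLD[privileged]
        tier = "privileged" if privileged else "standard"
        used = last_use(identity, perm, events)
        if used is None:
            findings.append(Finding(identity, perm, "remove_dormant",
                                    f"no use observed; {tier} threshold {limit.days}d"))
        elif review_date - used > limit:
            findings.append(Finding(identity, perm, "remove_dormant",
                                    f"last used {used.date()}, {tier} threshold {limit.days}d"))
        else:
            retains_access.add(identity)
        # An NHI whose owning pipeline or system no longer exists has no business purpose left
        if kind == "nhi" and workload not in active_workloads:
            findings.append(Finding(identity, perm, "orphaned_workload",
                                    f"owning workload {workload!r} not in active inventory"))

    # Secrets follow the entitlement decision: revoke when nothing remains, rotate when stale
    for identity, rotated in secrets.items():
        age = review_date - rotated
        if identity not in retains_access:
            findings.append(Finding(identity, None, "revoke_secret",
                                    "all entitlements flagged for removal"))
        elif age > MAX_SECRET_AGE:
            findings.append(Finding(identity, None, "rotate_secret",
                                    f"secret age {age.days}d exceeds {MAX_SECRET_AGE.days}d"))
    return findings


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.action:18} {f.identity:11} {f.permission or '-':13} {f.evidence}")
```

Every finding carries the log-derived fact behind it, which is the difference between an evidence-based review and a signed spreadsheet: an auditor can trace "remove iam:admin from alice" back to a last-use timestamp, and the secret for svc-legacy is revoked because its only entitlement is being removed and its workload is gone, not because someone remembered to tick a box.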
Common Variations and Edge Cases
Tighter access review increases operational overhead, so organisations have to balance audit depth against the cost of gathering evidence and interrupting business owners. That tradeoff is real, especially in fast-moving environments where teams want a lighter approval path for low-risk access and deeper scrutiny for privileged or sensitive entitlements. Current guidance favours a tiered model over treating every account the same, but there is no universal standard for the tiers yet.
Paper reviews also fail differently depending on the environment. In cloud and DevOps pipelines, access can change daily, so a monthly paper sign-off is already stale by the time it is completed. In agentic or automated systems, the review must go further because the identity may act autonomously, chain tools, or request new permissions based on task context. In those cases, access review should be paired with just-in-time issuance, short-lived secrets, and workload identity checks rather than static approval lists. That is why the OWASP Non-Human Identity Top 10 is best read alongside lifecycle guidance and real breach analysis, not as a standalone checklist. The practical edge case is simple: when access changes faster than the review cycle, paper evidence becomes a record of intent, not proof of control.
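To make that last point concrete, an added example that is not from the original page: replay a constructed IAM change log to rebuild the entitlement set at the moment the review spreadsheet was generated and again at the moment the reviewer signed it, then report what the signature is actually evidence for. Identities, permissions and dates are hypothetical.

```python
from datetime import datetime
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (identity, permission)

# Constructed IAM change log (hypothetical identities and dates):
# (timestamp, identity, permission, "grant" or "revoke")
CHANGE_LOG: List[Tuple[datetime, str, str, str]] = [
    (datetime(2026, 4, 2),  "svc-deploy", "k8s:deploy",    "grant"),
    (datetime(2026, 4, 20), "svc-deploy", "s3:write",      "grant"),
    (datetime(2026, 5, 3),  "svc-deploy", "s3:write",      "revoke"),  # after the evidence pull
    (datetime(2026, 5, 9),  "svc-deploy", "iam:admin",     "grant"),   # after the evidence pull
    (datetime(2026, 5, 12), "agent-ops",  "tickets:write", "grant"),   # new agent identity, never reviewed
]

EVIDENCE_PULLED = datetime(2026, 5, 1)   # when the review spreadsheet was generated
SIGNED_OFF = datetime(2026, 5, 20)       # when the reviewer signed it


def entitlements_at(log, when: datetime) -> Set[Entitlement]:
    """Replay grants and revokes up to `when` to rebuild the live entitlement set."""
    state: Set[Entitlement] = set()
    for ts, identity, perm, action in sorted(log):
        if ts > when:
            break
        if action == "grant":
            state.add((identity, perm))
        else:
            state.discard((identity, perm))
    return state


def review_drift(log=CHANGE_LOG, evidence_pulled=EVIDENCE_PULLED,
                 signed_off=SIGNED_OFF) -> Dict[str, object]:
    """Compare what the reviewer saw with what is live when the signature lands."""
    reviewed = entitlements_at(log, evidence_pulled)
    live = entitlements_at(log, signed_off)
    covered = live & reviewed
    return {
        "covered": covered,                    # the only access the signature is evidence for
        "unreviewed_live": live - reviewed,    # granted after the snapshot, never examined
        "reviewed_but_gone": reviewed - live,  # signed off, but no longer exists
        "coverage": len(covered) / len(live) if live else 1.0,
    }


if __name__ == "__main__":
    d = review_drift()
    print(f"coverage {d['coverage']:.0%}; unreviewed live access: {sorted(d['unreviewed_live'])}")
```

In this constructed case the signature dated 20 May covers one of the three entitlements that are live on that day; a new iam:admin grant and a new agent identity were never in front of the reviewer, and one entitlement that was approved no longer exists. A review that cannot recompute this gap is recording intent, not demonstrating control.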
NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org