Spreadsheet-based reviews break down because they capture a static snapshot of a directory that is still changing. Nested groups, delayed approvals, and manual reconciliation create state drift between the review record and the live access model, so reviewers can certify the wrong entitlement set. Live integration and executable revocation are needed to preserve control.
Why This Matters for Security Teams
Spreadsheet reviews look efficient because they turn access certification into a familiar workflow, but they are a poor fit for Active Directory, where group nesting, inherited entitlements, and ongoing change are the norm. A spreadsheet can record who signed off, but it cannot prove that the access state under review still matches the live directory at the moment of certification. That gap becomes more dangerous when reviewers are asked to approve access they cannot fully see.
This is not a theoretical concern. NHI Management Group notes that only 5.7% of organisations have full visibility into their service accounts in its Ultimate Guide to NHIs, and hidden or stale access is exactly what spreadsheet workflows fail to surface. The same pattern appears in broader identity governance: static review artifacts age quickly while directory permissions continue to shift. Current guidance from OWASP Non-Human Identity Top 10 reinforces that identity controls need live enforcement, not just evidence collection.
In practice, many security teams discover excess privilege only after a recertification cycle has already approved it, rather than through intentional access design.
How It Works in Practice
Active Directory access reviews fail when the review process is detached from the directory’s live state. Spreadsheets freeze a point-in-time export, but AD entitlements are often indirect, layered through nested groups, delegated administration, and inherited policy. By the time a reviewer validates a row, the effective access may already have changed, or the entitlement may be broader than the exported label suggests.
Operationally, this creates several failure points:
- Nested group membership obscures the true effective privilege.
- Manual reconciliation introduces transcription errors and missed exceptions.
- Delayed approvals create state drift between the spreadsheet and the directory.
- Revocation is often advisory rather than executable, so removed access may persist.
Better practice is to connect certification directly to the authoritative identity source and generate evidence from the live graph of access, not from an exported table. That means using directory-aware queries, documenting effective access, and making revocation actionable through the same control plane that granted the privilege. NHI Management Group’s NHI Lifecycle Management Guide emphasises that access control has to follow the lifecycle of the identity, including review, rotation, and offboarding. For teams mapping to broader governance language, the identity assurance and access review principles in OWASP Non-Human Identity Top 10 align with the same operational outcome: verify what exists now, then revoke what should no longer exist.
These controls tend to break down when review windows are long and AD changes are frequent, because the certified state is no longer the real state by the time remediation starts.
Common Variations and Edge Cases
Tighter access certification often increases administrative overhead, so organisations have to balance review speed against accuracy. That tradeoff is especially visible in hybrid directories, cross-forest trusts, and environments with heavy contractor turnover, where a simple spreadsheet can feel faster until exceptions start accumulating.
There is no universal standard for this yet, but current guidance suggests a few practical distinctions. Low-risk, low-frequency entitlements may tolerate scheduled reviews, while privileged or nested access needs continuous or event-driven validation. Groups that grant access indirectly should be reported as effective permissions, not just raw membership lines. Where evidence is required for audit, the record should show the live entitlement at the moment of decision, plus the revoke action that followed any denial.
Teams often underestimate how quickly spreadsheet logic breaks when AD is used as a distribution layer for other systems. A single row may represent multiple downstream permissions, and a reviewer cannot reliably assess that fan-out without live integration. The operational lesson is simple: spreadsheets can document a review, but they cannot be the control.
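The two failure modes described above, nested membership hiding effective privilege (with advisory rather than executable revocation) and a single spreadsheet row fanning out into several downstream permissions, can be made concrete in code. The following is an added example, not NHI Mgmt Group code and not a real Active Directory client: the groups, grants, privileged-entitlement rule, and snapshot rows are all constructed in memory so it runs offline. It resolves nested groups into effective members (surviving a nesting cycle), computes the full fan-out a membership row carries, checks each snapshot row against the live graph at decision time, records the evidence the text asks for (live entitlement plus the decision and tier), and tests whether a revoke would actually remove access or merely leave it reachable through another nesting path.

```python
"""Added example (not NHI Mgmt Group code, not a real AD client): resolve nested
group membership into effective access, certify a spreadsheet snapshot against
the live graph, and emit revocation actions checked for persistence.
All directory data below is constructed in memory for the example."""
from collections import deque

# Constructed: group -> direct members (user names or nested group names).
# Finance-Admins and App-Owners nest each other, a cycle the resolver must survive.
LIVE_GROUPS = {
    "Domain Admins": {"jdoe", "svc-backup"},
    "Finance-Admins": {"asmith", "App-Owners"},
    "App-Owners": {"bwong", "asmith", "Finance-Admins"},
    "Finance-Readers": {"Finance-Admins", "contractor1"},
}
# Constructed: what membership in each group grants downstream (the fan-out).
GRANTS = {
    "Domain Admins": {"AD:Tier0-Admin"},
    "Finance-Admins": {"ERP:write", "ERP:approve"},
    "App-Owners": {"ERP:deploy"},
    "Finance-Readers": {"ERP:read", "Share:fin-reports"},
}
PRIVILEGED = {"AD:Tier0-Admin", "ERP:approve"}  # constructed tiering rule


def effective_members(group, groups):
    """Users reachable by descending nested groups; the visited set ends cycles."""
    seen, users, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        for m in groups[g]:
            if m in groups:
                queue.append(m)   # nested group: keep descending
            else:
                users.add(m)      # leaf user
    return users


def fanout(group, groups, grants):
    """Every entitlement one membership row really carries: the group's own grants
    plus those of each group that (transitively) contains it."""
    parents = {g: {p for p, members in groups.items() if g in members} for g in groups}
    seen, perms, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        perms |= grants.get(g, set())
        queue.extend(parents.get(g, ()))
    return perms


def review_tier(perms):
    """Privileged entitlements get event-driven validation; the rest a scheduled review."""
    return "event-driven" if perms & PRIVILEGED else "scheduled"


def revoke_persists(user, group, groups):
    """True if removing the direct membership leaves the user an effective member
    through another nesting path, i.e. the revoke would be advisory, not executable."""
    trimmed = {g: set(m) for g, m in groups.items()}
    trimmed[group].discard(user)
    return user in effective_members(group, trimmed)


def certify(rows, groups=LIVE_GROUPS, grants=GRANTS, decided_at="2026-06-25T00:00:00+00:00"):
    """Decide each snapshot row against the live graph. Returns (evidence, revocations,
    direct memberships that exist live but never appeared in the snapshot)."""
    evidence, revocations, reviewed = [], [], set()
    for row in rows:
        user, group = row["user"], row["group"]
        reviewed.add((user, group))
        perms = fanout(group, groups, grants)
        if user not in effective_members(group, groups):
            status = "stale-row"   # snapshot claims access the live graph no longer shows
        elif row["decision"] == "revoke":
            status = "revoke"
            revocations.append({"user": user, "group": group,
                                "persists_after_removal": revoke_persists(user, group, groups)})
        else:
            status = "certified"
        evidence.append({"user": user, "group": group, "status": status,
                         "live_entitlements": sorted(perms),
                         "tier": review_tier(perms), "decided_at": decided_at})
    unreviewed = sorted((u, g) for g, members in groups.items()
                        for u in members if u not in groups and (u, g) not in reviewed)
    return evidence, revocations, unreviewed


# Constructed spreadsheet export, taken before the review window opened.
SNAPSHOT_ROWS = [
    {"user": "asmith", "group": "Finance-Admins", "decision": "revoke"},
    {"user": "contractor1", "group": "Finance-Readers", "decision": "revoke"},
    {"user": "bwong", "group": "App-Owners", "decision": "approve"},
    {"user": "jdoe", "group": "Domain Admins", "decision": "approve"},
    {"user": "tlee", "group": "Finance-Readers", "decision": "approve"},  # left after the export
]

if __name__ == "__main__":
    ev, rv, un = certify(SNAPSHOT_ROWS)
    for record in ev:
        print(record)
    print("revocations:", rv)
    print("never reviewed:", un)
```

Running it shows the points from the text: the `bwong` / `App-Owners` row looks like a single deployment permission on the spreadsheet but carries five entitlements once nesting is followed, so it is tiered as event-driven; the `tlee` row is stale because the live graph no longer contains that user; the `asmith` revoke is flagged as persisting because a second nesting path still reaches `Finance-Admins`; and `svc-backup` in `Domain Admins` was added after the export and would never have been reviewed at all. In a real deployment the constructed dictionaries would be replaced by queries against the authoritative directory, and the revocation list would be executed through that same control plane rather than handed back as a spreadsheet column.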
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Live entitlement review and revocation address stale access records. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and reviewed against current state. |
| NIST AI RMF | | Risk governance requires traceable, current access decisions. |
Establish governance that validates live access state before certification and remediation.
Related resources from NHI Mgmt Group
- What breaks when Active Directory access reviews are not tied to effective access?
- How should security teams run access reviews for non-human identities?
- How should security teams run privileged access reviews without missing high-risk accounts?
- What breaks when access reviews are manual and inconsistent?
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org