Manual reviews miss role changes, dormant users, and renewal deadlines. That creates a gap between the access someone should have and the access they actually keep. At scale, the result is over-provisioning, delayed revocation, and poor audit evidence for who approved what.
Why This Matters for Security Teams
Manual Salesforce licence reviews seem administrative, but they are actually an access-control failure mode. When approvals rely on spreadsheets, email trails, or quarterly check-ins, entitlement drift accumulates faster than reviewers can spot it. That matters because Salesforce often sits near revenue, customer data, and integration tokens, so stale access can become a direct path to data exposure or fraud. The NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, which is a useful warning sign for any identity review process that depends on human memory rather than system evidence. NHI Mgmt Group’s Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0 both point toward continuous visibility and governed access as baseline expectations, not nice-to-haves. In practice, many security teams encounter licence sprawl only after an audit, a termination dispute, or an account misuse incident has already exposed the gap.
How It Works in Practice
The practical failure is not just that reviews are slow. It is that manual processes cannot reliably reconcile what a user was approved for, what they still need, and what Salesforce actually permits today. That creates three recurring problems: dormant users keep licences, role changes do not trigger entitlement changes, and renewal deadlines are missed until access is either overextended or abruptly cut off.
A stronger approach is to treat Salesforce access as a governed lifecycle, not a periodic checkbox. Current guidance suggests linking licence review inputs to authoritative sources such as HR status, manager attestations, and application usage telemetry. The review should ask whether the user still needs the licence, whether their role changed, and whether the account has been inactive long enough to justify revocation. Where the environment supports it, automate evidence capture so reviewers can see last login, assigned profiles, permission sets, and owner approvals in one record. That is especially important for non-human accounts, where lifecycle mistakes tend to persist longer and approvals are easier to lose. The Salesloft OAuth token breach is a reminder that long-lived access paths can be exploited when governance drifts. For broader identity hygiene, the NHI Mgmt Group’s Ultimate Guide to NHIs highlights how rotation, offboarding, and visibility all fail together when ownership is unclear.
- Use system-of-record triggers for joiner, mover, and leaver events instead of waiting for quarterly review cycles.
- Revalidate licence need against actual usage, not just manager sign-off.
- Track dormant accounts separately from active users so inactivity is not hidden inside a general access review.
- Require revocation evidence for removed users, including licence removal and connected-token cleanup.
These controls tend to break down in organisations with multiple Salesforce orgs, outsourced administration, or custom permission-set sprawl because no single reviewer can reliably see all effective access.
Common Variations and Edge Cases
Tighter licence governance often increases operational overhead, requiring organisations to balance stronger access control against reviewer fatigue and business disruption. That tradeoff becomes sharper in environments where Salesforce is used by contractors, shared service teams, or integrated automation accounts, because the right answer is not always immediate removal.
Best practice is evolving for these edge cases. A contractor may need short-term continuation while procurement renews the engagement, but that should be expressed as time-bound access with a clear expiry date, not an informal exception. A service account may legitimately remain active, but it should be separately owned, monitored, and excluded from human licence review logic. Likewise, some licences are retained for seasonal workflows, yet retention should be justified by a documented business need and rechecked against usage. The ASP.NET machine keys RCE attack illustrates how long-lived secrets and neglected access paths can become a launch point for broader compromise when governance is too manual. For control design, the NIST Cybersecurity Framework 2.0 supports repeated, evidence-based review rather than ad hoc sign-off. Manual reviews are least reliable when licence ownership is split across IT, sales operations, and application admins because accountability fragments before revocation happens.
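As an added example (not from the original guidance or from NHI Mgmt Group), the reconciliation described above and the contractor and service-account edge cases are expressed as one rule set: HR status, a role-to-profile mapping, last login and the recorded approver are joined into a single evidence record per user, and each user gets a decision a reviewer can act on. The record layout, the 90-day dormancy threshold and the ROLE_PROFILE mapping are assumptions, and all data is constructed.

```python
from datetime import date

# Constructed sample data; field names loosely mirror the Salesforce User object
# (Id, Profile, LastLoginDate) but nothing here comes from a real org.
TODAY = date(2026, 6, 11)
ROLE_PROFILE = {"Sales Rep": "Sales User", "Support Agent": "Service User"}  # assumed mapping
HR_STATUS = {  # HR system of record: drives joiner / mover / leaver decisions
    "u1": {"status": "active", "role": "Sales Rep"},
    "u2": {"status": "terminated", "role": "Sales Rep"},
    "u3": {"status": "active", "role": "Support Agent"},  # role changed, profile did not follow
    "u4": {"status": "contractor", "role": "Sales Rep", "end": date(2026, 7, 1)},
    "u6": {"status": "active", "role": "Sales Rep"},
}
SF_USERS = [  # what Salesforce actually permits today, plus the recorded approver
    {"Id": "u1", "Profile": "Sales User", "PermissionSets": ["Quote_Edit"], "LastLoginDate": date(2026, 6, 9), "Owner": "mgr-a"},
    {"Id": "u2", "Profile": "Sales User", "PermissionSets": [], "LastLoginDate": date(2026, 5, 30), "Owner": "mgr-a"},
    {"Id": "u3", "Profile": "Sales User", "PermissionSets": ["Quote_Edit"], "LastLoginDate": date(2026, 6, 1), "Owner": "mgr-b"},
    {"Id": "u4", "Profile": "Sales User", "PermissionSets": [], "LastLoginDate": date(2026, 6, 10), "Owner": "mgr-a"},
    {"Id": "svc-int", "Profile": "Integration User", "PermissionSets": ["API_Only"], "LastLoginDate": date(2026, 6, 11), "Owner": None, "IsServiceAccount": True},
    {"Id": "u6", "Profile": "Sales User", "PermissionSets": [], "LastLoginDate": date(2025, 12, 1), "Owner": "mgr-c"},
]

def review_user(u, hr, today=TODAY, dormant_days=90):
    """Return (decision, evidence): one record a reviewer can act on and an auditor can replay."""
    evidence = {"user": u["Id"], "profile": u["Profile"], "perm_sets": u["PermissionSets"],
                "last_login": u["LastLoginDate"], "approver": u.get("Owner")}
    if u.get("IsServiceAccount"):  # NHIs are governed separately, never by human-review logic
        return ("exclude_nhi" if u["Owner"] else "flag_unowned_nhi"), evidence
    rec = hr.get(u["Id"])
    if rec is None or rec["status"] == "terminated":  # leaver, or nobody in HR vouches for them
        return "revoke_leaver", evidence
    if rec["status"] == "contractor":  # continuation is allowed only as time-bound access
        if rec["end"] < today:
            return "revoke_expired", evidence
        evidence["expires"] = rec["end"]
        return "retain_time_bound", evidence
    if ROLE_PROFILE.get(rec["role"]) != u["Profile"]:  # mover: entitlement did not follow the role
        return "recertify_mover", evidence
    if u["LastLoginDate"] is None or (today - u["LastLoginDate"]).days > dormant_days:
        return "revoke_dormant", evidence  # tracked separately from the active-user review
    return "retain", evidence

def run_review(users=SF_USERS, hr=HR_STATUS, today=TODAY):
    """Map each Salesforce user to its decision; evidence dicts are kept alongside as the audit trail."""
    return {u["Id"]: review_user(u, hr, today) for u in users}
```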
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Manual reviews fail to rotate or revoke stale access, a core NHI lifecycle risk. |
| NIST CSF 2.0 | PR.AC-4 | Licence reviews are access governance, which maps to least-privilege entitlement management. |
| NIST CSF 2.0 | GV.RM-01 | Manual processes weaken risk oversight and evidence quality for access decisions. |
Use PR.AC-4 to enforce periodic entitlement validation and removal of unnecessary Salesforce access.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org