Security teams often review access as if profiles were stable job roles, when in reality business needs and integrations change continuously. If reviews focus only on whether an entitlement exists, they miss whether the access model still fits current work. Effective reviews check both the necessity and the composition of access.
Why Security Teams Misread Salesforce Permission Reviews
Salesforce access reviews often collapse into a checkbox exercise: confirm the profile exists, mark the ticket complete, and assume the entitlement is still appropriate. That approach misses how Salesforce environments actually drift. Integrations, connected apps, delegations, and temporary business changes can make a once-reasonable profile too broad long before the next review cycle. The control problem is not just whether access exists, but whether the access model still matches current operational reality.
That gap matters because NHI-style access patterns often hide inside Salesforce through OAuth apps, API users, and automation accounts. NHIMG research notes that only 1.5 out of 10 organisations are highly confident in securing NHIs, and 85% lack full visibility into third-party vendors connected via OAuth apps. The same review failure pattern shows up in incidents like the Salesloft OAuth token breach, where access existed long after the original trust assumption no longer held.
Security teams usually get this wrong when they treat permission reviews as a role certification problem instead of an access composition problem. In practice, many reviews discover misfit access only after an integration, token, or delegation path has already been abused.
How Effective Salesforce Reviews Actually Work
A useful review starts by separating human access from non-human access. Salesforce profiles and permission sets may look like role-based controls, but the risk often sits in connected apps, API-enabled users, delegated admin rights, report exports, and automation identities. Current guidance suggests reviewing the full access chain, not just the user record. The OWASP Non-Human Identity Top 10 is a strong reference point for understanding why token scope, rotation, and visibility matter in these environments.
- Confirm who or what is using the access: human user, service account, integration, or third-party app.
- Check whether the business process still exists and whether the privilege level still matches that process.
- Review connected apps, OAuth grants, API tokens, and session policies alongside profiles and permission sets.
- Look for privilege accumulation, especially when permission sets were added to solve a one-time ticket.
- Validate logging and owner accountability so a reviewer can tell whether access is active, dormant, or no longer justified.
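The five checks above can be run as one pass over exported org data rather than as a ticket-by-ticket certification. The script below is an added example, not code from the original article or from NHIMG: it joins constructed records shaped like the Salesforce User, PermissionSetAssignment, OauthToken and LoginHistory objects with an assumed out-of-band owner registry, classifies each identity as human or integration from its login channel, and emits review findings for dormancy, missing ownership, permission-set accumulation and stale OAuth grants. The record values, the 90-day window, the permission-set threshold and the "Browser means human" rule are all assumptions a reviewer would tune for their own org.

```python
"""Salesforce access-chain review on constructed sample data (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed review date and thresholds (assumptions to tune per org).
REVIEW_DATE = datetime(2026, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)
MAX_PERMISSION_SETS = 4

# Constructed rows shaped like the Salesforce User object (not real org data).
USERS = [
    {"Id": "005A", "Username": "a.lee@example.com", "IsActive": True,
     "LastLoginDate": "2026-05-28T09:12:00Z"},
    {"Id": "005B", "Username": "int.marketing@example.com", "IsActive": True,
     "LastLoginDate": "2026-01-10T02:00:00Z"},
    {"Id": "005C", "Username": "r.diaz@example.com", "IsActive": True,
     "LastLoginDate": "2026-05-30T16:40:00Z"},
]
# PermissionSetAssignment rows as (AssigneeId, PermissionSetId); 005B has
# accumulated five sets, the kind of drift one-off tickets leave behind.
ASSIGNMENTS = [
    ("005A", "0PS01"), ("005A", "0PS02"),
    ("005B", "0PS01"), ("005B", "0PS03"), ("005B", "0PS04"),
    ("005B", "0PS05"), ("005B", "0PS06"),
    ("005C", "0PS02"),
]
# OauthToken rows: grants that sit beside the user record, not inside the profile.
OAUTH_TOKENS = [
    {"UserId": "005A", "AppName": "Slack", "LastUsedDate": "2026-05-27T08:00:00Z", "UseCount": 340},
    {"UserId": "005B", "AppName": "Marketing Sync", "LastUsedDate": "2026-01-10T02:00:00Z", "UseCount": 120000},
    {"UserId": "005C", "AppName": "Legacy Export", "LastUsedDate": None, "UseCount": 0},
]
# LoginHistory rows; Application is "Browser" for UI logins, else the client app.
LOGINS = [
    {"UserId": "005A", "Application": "Browser"},
    {"UserId": "005B", "Application": "Marketing Sync"},
    {"UserId": "005C", "Application": "Browser"},
]
# Assumed owner registry kept outside Salesforce (e.g. a CMDB export); None = unowned.
OWNERS = {"005A": "sales-ops", "005B": None, "005C": "finance-reporting"}


def parse_sf_datetime(value):
    """Parse a Salesforce ISO-8601 timestamp; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_kind(user_id, logins):
    """Human if any login came from a browser, integration if every login came
    from a client app, unknown if there is no login history (assumed rule)."""
    apps = {row["Application"] for row in logins if row["UserId"] == user_id}
    if not apps:
        return "unknown"
    return "human" if "Browser" in apps else "integration"


def review_access(users=USERS, assignments=ASSIGNMENTS, tokens=OAUTH_TOKENS,
                  logins=LOGINS, owners=OWNERS, now=REVIEW_DATE):
    """Return {user_id: {"kind": ..., "findings": [...]}} over the full access chain."""
    cutoff = now - DORMANT_AFTER
    results = {}
    for user in users:
        uid = user["Id"]
        findings = []
        last_login = parse_sf_datetime(user["LastLoginDate"])
        if user["IsActive"] and (last_login is None or last_login < cutoff):
            findings.append("dormant")
        if owners.get(uid) is None:
            findings.append("no_owner")
        if sum(1 for assignee, _ in assignments if assignee == uid) > MAX_PERMISSION_SETS:
            findings.append("privilege_accumulation")
        for token in tokens:
            if token["UserId"] != uid:
                continue
            last_used = parse_sf_datetime(token["LastUsedDate"])
            if last_used is None or last_used < cutoff:
                findings.append("stale_oauth")   # never used, or unused past the window
                break
        results[uid] = {"kind": classify_kind(uid, logins), "findings": findings}
    return results


if __name__ == "__main__":
    for uid, result in review_access().items():
        print(uid, result["kind"], ", ".join(result["findings"]) or "ok")
```

Note what the join surfaces that a profile-only review would not: 005C looks healthy on the user record yet carries a never-used OAuth grant, and 005B is an integration identity with no owner, no recent use and five permission sets, none of which a manager recognising a job title would catch.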
This is where NHIs become central. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks highlights how excessive privileges and weak visibility amplify exposure, and that same pattern applies when Salesforce permission reviews ignore OAuth-connected workloads. Practitioners should also use OWASP Non-Human Identity Top 10 to sanity-check whether a review process is actually covering the identity surface that matters.
These controls tend to break down in large Salesforce orgs with many sandbox refreshes, outsourced operations, and app sprawl because entitlement ownership becomes unclear and reviewers cannot reliably tell which permissions are still necessary.
Common Review Mistakes and the Edge Cases That Matter
Tighter permission reviews increase administrative overhead, so organisations have to balance certainty against review fatigue. That tradeoff becomes visible in Salesforce because not every access grant has the same risk profile. Best practice is still evolving, and there is no universal standard that tells a reviewer how differently to treat a long-lived profile and a short-lived integration token.
Common mistakes include approving access because a manager still recognises a job title, ignoring nested permission sets that recreate removed privileges, and missing third-party OAuth grants that bypass normal user lifecycle controls. Another frequent error is assuming that a quarterly review is enough when the underlying business process changes monthly or after every major release. In those cases, the permission review is too slow to detect drift.
The practical test is simple: can the reviewer explain why this access still exists, who owns it, what it enables, and how it will be removed if the justification disappears? If not, the review is confirming entitlement presence rather than validating necessity. In real environments, this breaks most often where Salesforce is used as both a business application and an integration hub, because the same access path can serve human workflow, automation, and third-party data exchange at once.
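The nested-permission-set mistake above is worth making concrete, because it defeats the "how will it be removed" half of the practical test. The script below is an added example, not code from the original article or from NHIMG: it resolves a user's effective permissions across direct PermissionSetAssignment rows and permission set group membership (PermissionSetGroupComponent), then checks whether revoking one direct assignment actually removes the privilege or whether a group silently recreates it. Object and field names follow Salesforce's PermissionSet, PermissionSetGroupComponent and PermissionSetAssignment objects, but every record is constructed and the model is simplified (no muting permission sets, no profile-level grants).

```python
"""Effective-permission resolution across permission sets and permission set
groups, on constructed data (added example)."""

# Constructed permission sets; only three real PermissionSet boolean fields shown.
PERMISSION_SETS = {
    "0PS_BASE":   {"PermissionsApiEnabled": False, "PermissionsExportReport": False, "PermissionsModifyAllData": False},
    "0PS_EXPORT": {"PermissionsApiEnabled": False, "PermissionsExportReport": True,  "PermissionsModifyAllData": False},
    "0PS_API":    {"PermissionsApiEnabled": True,  "PermissionsExportReport": False, "PermissionsModifyAllData": False},
    "0PS_ADMIN":  {"PermissionsApiEnabled": True,  "PermissionsExportReport": True,  "PermissionsModifyAllData": True},
}
# PermissionSetGroupComponent rows: group -> member permission sets.
GROUP_MEMBERS = {
    "0PG_OPS": ["0PS_BASE", "0PS_EXPORT"],
}
# PermissionSetAssignment rows. Each constructed row carries either a direct
# PermissionSetId or a PermissionSetGroupId (simplified from the real object).
ASSIGNMENTS = [
    {"AssigneeId": "005A", "PermissionSetId": "0PS_EXPORT", "PermissionSetGroupId": None},
    {"AssigneeId": "005A", "PermissionSetId": None,         "PermissionSetGroupId": "0PG_OPS"},
    {"AssigneeId": "005A", "PermissionSetId": "0PS_API",    "PermissionSetGroupId": None},
    {"AssigneeId": "005B", "PermissionSetId": "0PS_ADMIN",  "PermissionSetGroupId": None},
]


def resolve_permission_sets(user_id, assignments=ASSIGNMENTS, groups=GROUP_MEMBERS):
    """Map each permission set the user effectively holds to the paths granting it."""
    paths = {}
    for row in assignments:
        if row["AssigneeId"] != user_id:
            continue
        if row["PermissionSetId"]:
            paths.setdefault(row["PermissionSetId"], []).append("direct")
        if row["PermissionSetGroupId"]:
            for member in groups.get(row["PermissionSetGroupId"], []):
                paths.setdefault(member, []).append("group:" + row["PermissionSetGroupId"])
    return paths


def effective_permissions(user_id, assignments=ASSIGNMENTS, groups=GROUP_MEMBERS,
                          definitions=PERMISSION_SETS):
    """Map each granted permission to the permission sets and paths that grant it."""
    granted = {}
    for ps_id, paths in resolve_permission_sets(user_id, assignments, groups).items():
        for perm, enabled in definitions[ps_id].items():
            if enabled:
                granted.setdefault(perm, []).extend(f"{ps_id} via {p}" for p in paths)
    return granted


def revoke_direct(user_id, ps_id, assignments=ASSIGNMENTS):
    """Return the assignment rows with the user's direct grant of ps_id removed."""
    return [row for row in assignments
            if not (row["AssigneeId"] == user_id and row["PermissionSetId"] == ps_id)]


def check_revocation(user_id, ps_id, assignments=ASSIGNMENTS, groups=GROUP_MEMBERS,
                     definitions=PERMISSION_SETS):
    """Permissions the reviewer meant to remove that survive through another path.
    An empty result means the revocation is effective."""
    intended = {perm for perm, on in definitions[ps_id].items() if on}
    after = effective_permissions(user_id, revoke_direct(user_id, ps_id, assignments),
                                  groups, definitions)
    return {perm: after[perm] for perm in intended if perm in after}


if __name__ == "__main__":
    print("before:", effective_permissions("005A"))
    print("after revoking 0PS_EXPORT:", check_revocation("005A", "0PS_EXPORT"))
    print("after revoking 0PS_ADMIN for 005B:", check_revocation("005B", "0PS_ADMIN"))
```

For 005A the direct revocation of the export permission set changes nothing observable: PermissionsExportReport is still granted through 0PG_OPS, which is exactly how a review can record a removal that never took effect. For 005B the same check returns empty, so that revocation can be closed with confidence.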
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Salesforce reviews often miss OAuth apps and service identities. |
| NIST CSF 2.0 | PR.AA-01 | Permission reviews are identity assertion and access governance work. |
| NIST AI RMF | | Access drift and opaque automation fit AI risk governance principles. |
Verify each Salesforce entitlement still matches current business need and owner accountability.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org