Governance, Ownership & Risk

Who is accountable when a user access review fails to catch improper access?

By NHI Mgmt Group Editorial Team | Updated June 24, 2026 | Domain: Governance, Ownership & Risk

Accountability usually sits with the system owner, the identity governance function, and the business approver, because each has a role in entitlement visibility, certification, and remediation. In regulated industries, auditors and insurers may also examine whether the organisation could prove timely review and revocation. Shared responsibility does not remove ownership.

Why This Matters for Security Teams

When a user access review misses improper access, the failure is rarely just a paperwork problem. It usually means the organisation could not reliably see who had what, why they had it, and whether that access still matched the business need. That breaks certification, remediation, and auditability at the same time. Guidance from the OWASP Non-Human Identity Top 10 reinforces a broader point that identity review is only effective when identities, entitlements, and ownership are visible enough to challenge.

For NHI Management Group, the core issue is accountability, not blame. The system owner is responsible for the access model, the identity governance function is responsible for the control process, and the business approver is responsible for attesting to need. If any one of those steps is weak, a review can still “pass” while toxic access remains in place. NHIMG’s NHI Lifecycle Management Guide makes the same operational point for machine identities: lifecycle ownership must be explicit or review becomes theatre.

In practice, many security teams discover missed entitlements only after an auditor, incident responder, or fraud analyst exposes them, rather than through a well-run certification cycle.

How It Works in Practice

Accountability should be mapped to the control chain that makes a review succeed or fail. The business owner defines whether the access is still justified. The identity governance team runs the review, supplies evidence, and tracks completion. The system owner or application owner fixes the technical entitlement and confirms revocation. In mature programs, this is reinforced with documented remediation SLAs and exception handling, because “reviewed” is not the same as “removed.”

That operating model is especially important where privileged access or NHIs are involved. NHIMG’s Ultimate Guide to NHIs and the related 52 NHI Breaches Analysis show how identity oversight breaks down when ownership is diffuse and revocation is delayed. For user reviews, the same pattern appears when approvers rubber-stamp entitlements they do not understand or when inventories are incomplete.

  • Define one accountable owner per application, system, or data domain.
  • Require evidence of entitlement usage, not just business titles.
  • Track review outcomes to closure, including revocation timestamps.
  • Escalate stale or unowned access to the system owner and governance lead.
  • Preserve an audit trail showing who approved, who remediated, and when.
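The control chain and the five practices above can be checked mechanically once each review item records an owner, an approver decision, usage evidence and a revocation timestamp. The following Python is an added example written for this page, not NHIMG tooling or code from any IGA product; the finding codes, the 7-day remediation SLA, the 90-day staleness window and all names and timestamps are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumptions for this example, not NHIMG guidance.
REMEDIATION_SLA = timedelta(days=7)   # revocation must land within 7 days of a "revoke" decision
STALE_AFTER = timedelta(days=90)      # no usage evidence in 90 days counts as stale

@dataclass
class ReviewItem:
    subject: str                     # user or service account under review
    system: str                      # application or system holding the entitlement
    entitlement: str
    system_owner: Optional[str]      # accountable owner for the system; None means unowned
    approver: Optional[str]          # business approver who attested to need
    last_used: Optional[datetime]    # usage evidence from logs; None means no evidence
    decision: Optional[str] = None   # "keep", "revoke", or None if not yet reviewed
    decided_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    revoked_by: Optional[str] = None

def evaluate_item(item: ReviewItem, now: datetime) -> list[str]:
    """Return finding codes for one review item, in a fixed order."""
    findings = []
    if item.system_owner is None:
        findings.append("UNOWNED")
    if item.decision is None:
        findings.append("NOT_REVIEWED")
        return findings
    stale = item.last_used is None or now - item.last_used > STALE_AFTER
    if stale:
        findings.append("STALE")
    if item.decision == "keep" and stale:
        findings.append("KEEP_WITHOUT_EVIDENCE")   # approved on title, not on usage
    if item.decision == "revoke":
        if item.revoked_at is None:
            findings.append("REVIEWED_NOT_REMOVED")  # "reviewed" is not "removed"
            if now - item.decided_at > REMEDIATION_SLA:
                findings.append("SLA_BREACH")
        elif item.revoked_by is None:
            findings.append("NO_REMEDIATOR_RECORDED")
    return findings

ESCALATE_ON = {"UNOWNED", "SLA_BREACH", "NOT_REVIEWED"}

def run_review(items, now):
    """Evaluate every item; return findings, escalations and an audit trail."""
    findings, escalations, trail = {}, [], []
    for it in items:
        key = (it.subject, it.system, it.entitlement)
        f = evaluate_item(it, now)
        findings[key] = f
        if ESCALATE_ON & set(f):
            # Unowned access goes to the governance lead; everything else to the system owner.
            escalations.append((key, it.system_owner or "governance-lead"))
        # One audit line per item: who approved, who remediated, and when.
        trail.append(
            f"{it.subject}|{it.system}|{it.entitlement}|decision={it.decision}"
            f"|approver={it.approver}|decided_at={it.decided_at}"
            f"|revoked_by={it.revoked_by}|revoked_at={it.revoked_at}"
        )
    return {"findings": findings, "escalations": escalations, "audit_trail": trail}

NOW = datetime(2026, 6, 24, tzinfo=timezone.utc)

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed sample cycle; all names and times are illustrative.
SAMPLE_ITEMS = [
    ReviewItem("alice", "payroll", "approver", "bob", "carol", days_ago(3), "keep", days_ago(10)),
    ReviewItem("dave", "payroll", "admin", "bob", "carol", days_ago(1), "revoke", days_ago(10)),
    ReviewItem("svc-deploy", "ci", "secrets-read", None, "carol", None, "keep", days_ago(10)),
    ReviewItem("erin", "crm", "export", "gina", None, days_ago(5)),
    ReviewItem("frank", "crm", "read", "gina", "hank", days_ago(40), "revoke", days_ago(2), days_ago(1), "ops"),
]

if __name__ == "__main__":
    report = run_review(SAMPLE_ITEMS, NOW)
    for key, f in report["findings"].items():
        print(key, f or "OK")
    print("escalations:", report["escalations"])
```

The service account `svc-deploy` is the instructive case: the approver kept it, so the review "passes", yet it has no owner and no usage evidence, which is exactly the combination the text says lets toxic access survive certification.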

Framework guidance supports this split responsibility. The OWASP Non-Human Identity Top 10 emphasises lifecycle and credential control, while the NIST SP 800-53 Rev. 5 access control family expects organisations to define, review, and enforce entitlement decisions consistently across systems. These controls tend to break down when access is inherited through nested groups or synchronized from multiple directories because no single reviewer can reliably reconstruct effective access from the UI alone.
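The nested-group and multi-directory problem is concrete enough to show. The Python below is an added example for this page, not NHIMG code and not any directory product's API; the two directory snapshots, group names, the nesting cycle and the entitlement names are constructed. It reconstructs effective access by walking group nesting transitively and merging grants from both directories, and shows why a reviewer looking at one directory on its own sees an incomplete picture.

```python
from collections import deque

# Constructed directory snapshots: an on-prem directory and a cloud IdP that is
# partly synchronized from it. Group and entitlement names are illustrative.
DIRECTORIES = {
    "corp-ad": {
        "members": {   # group -> direct members (users or other groups)
            "finance-all": {"finance-analysts", "finance-managers"},
            "finance-analysts": {"alice", "bob"},
            "finance-managers": {"carol", "finance-leads"},
            "finance-leads": {"carol", "finance-managers"},   # nesting cycle
        },
        "grants": {    # principal (user or group) -> entitlements granted directly
            "finance-all": {"erp:report-view"},
            "finance-managers": {"erp:journal-approve"},
        },
    },
    "cloud-idp": {
        "members": {
            "erp-admins": {"bob"},
            "finance-all": {"dave"},   # same group, but this member exists only in the cloud copy
        },
        "grants": {
            "erp-admins": {"erp:admin"},
            "alice": {"erp:export"},   # direct user grant, invisible in any group view
        },
    },
}

def build_parent_map(directories):
    """principal -> set of groups that directly contain it, merged across directories.
    Groups with the same name are treated as one group (the synchronized case)."""
    parents = {}
    for d in directories.values():
        for group, members in d["members"].items():
            for m in members:
                parents.setdefault(m, set()).add(group)
    return parents

def transitive_groups(principal, parents):
    """All groups reachable through nesting; the visited set makes cycles harmless."""
    seen, queue = set(), deque([principal])
    while queue:
        p = queue.popleft()
        for g in parents.get(p, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen

def effective_access(user, directories):
    """entitlement -> set of 'directory:principal' sources explaining why the user has it."""
    groups = transitive_groups(user, build_parent_map(directories))
    result = {}
    for dname, d in directories.items():
        for principal, ents in d["grants"].items():
            if principal == user or principal in groups:
                for e in ents:
                    result.setdefault(e, set()).add(f"{dname}:{principal}")
    return result

def single_directory_view(user, directories, dname):
    """What a reviewer sees when looking at one directory on its own."""
    return effective_access(user, {dname: directories[dname]})

if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(u, effective_access(u, DIRECTORIES))
    print("dave via corp-ad only:", single_directory_view("dave", DIRECTORIES, "corp-ad"))
```

The `dave` case is the one to notice: his membership lives only in the cloud copy of `finance-all`, while the grant attached to that group lives only in the on-prem directory, so neither directory's view shows him holding `erp:report-view` even though he effectively does. Recording the source alongside each entitlement gives the reviewer the path they need to challenge it.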

Common Variations and Edge Cases

Tighter access review governance often increases administrative overhead, requiring organisations to balance stronger assurance against review fatigue and slower approvals. That tradeoff becomes visible in large enterprises, shared services, and high-churn environments where entitlements change faster than quarterly certifications can keep up.

Best practice is evolving for cases where reviews fail due to poor inventory quality rather than a bad approval decision. In those environments, accountability is shared but not diluted: the business approver still owns the decision, yet the platform or application owner may be the only party able to prove what access actually existed. Where access is generated dynamically, current guidance suggests pairing periodic reviews with event-driven entitlement checks, because static certification alone cannot keep pace with short-lived access paths.
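To make the periodic-versus-event-driven contrast tangible, here is an added Python example written for this page (not NHIMG code, not any IAM product's API). The certified baseline, the time-boxed exception and the grant/revoke event stream are all constructed; grants are modelled as direct (subject, entitlement) pairs so the comparison is not confused by group nesting. It classifies each grant the moment it happens against the certified baseline, then shows what a point-in-time certification at the next cycle would and would not see.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed baseline from the last certification: (subject, entitlement) pairs the
# business approver attested to, plus time-boxed exceptions with an expiry date.
CERTIFIED = {("alice", "erp:report-view"), ("bob", "erp:report-view")}
EXCEPTIONS = {("bob", "erp:admin"): datetime(2026, 5, 1, tzinfo=UTC)}

# Constructed grant/revoke events, as an IAM audit stream might emit them, in time order.
EVENTS = [
    # (timestamp, action, subject, entitlement, actor)
    (datetime(2026, 4, 3, tzinfo=UTC), "grant", "alice", "erp:report-view", "iga-sync"),
    (datetime(2026, 4, 10, tzinfo=UTC), "grant", "bob", "erp:admin", "helpdesk"),            # inside exception window
    (datetime(2026, 5, 12, tzinfo=UTC), "grant", "carol", "erp:journal-approve", "helpdesk"),  # never certified
    (datetime(2026, 6, 2, tzinfo=UTC), "grant", "dave", "erp:export", "admin-script"),      # short-lived access path
    (datetime(2026, 6, 5, tzinfo=UTC), "revoke", "dave", "erp:export", "admin-script"),
    (datetime(2026, 6, 20, tzinfo=UTC), "grant", "bob", "erp:admin", "helpdesk"),           # exception already expired
]

def check_grant(ts, subject, entitlement, certified, exceptions):
    """Classify one grant at the moment it happens; None means it is covered."""
    pair = (subject, entitlement)
    if pair in certified:
        return None
    if pair in exceptions:
        return None if ts <= exceptions[pair] else "EXPIRED_EXCEPTION"
    return "UNCERTIFIED_GRANT"

def event_driven_findings(events, certified, exceptions):
    """Findings raised as each grant event arrives."""
    out = []
    for ts, action, subject, ent, _actor in events:
        if action == "grant":
            f = check_grant(ts, subject, ent, certified, exceptions)
            if f:
                out.append((ts, subject, ent, f))
    return out

def periodic_findings(events, certified, exceptions, review_at):
    """What a point-in-time certification at review_at can see: only access that is
    still active then. Anything granted and revoked between cycles leaves no trace."""
    active = {}
    for ts, action, subject, ent, _actor in events:
        if ts > review_at:
            break
        if action == "grant":
            active[(subject, ent)] = ts
        elif action == "revoke":
            active.pop((subject, ent), None)
    out = []
    for pair in sorted(active):
        if pair in certified:
            continue
        if pair in exceptions and review_at <= exceptions[pair]:
            continue
        out.append(pair)
    return out

def compare(events, certified, exceptions, review_at):
    """Side-by-side: what event-driven checks catch, what the periodic review catches,
    what the periodic review misses entirely, and how long the rest went unnoticed."""
    ev = event_driven_findings(events, certified, exceptions)
    per = periodic_findings(events, certified, exceptions, review_at)
    missed = sorted({(s, e) for _, s, e, _ in ev} - set(per))
    latency = {(s, e): (review_at - ts).days for ts, s, e, _ in ev if (s, e) in per}
    return {"event_driven": ev, "periodic": per, "missed_by_periodic": missed, "latency_days": latency}

if __name__ == "__main__":
    result = compare(EVENTS, CERTIFIED, EXCEPTIONS, datetime(2026, 7, 1, tzinfo=UTC))
    for k, v in result.items():
        print(k, v)
```

With a next certification on 1 July, the quarterly review still catches the uncertified grant to `carol` and the re-grant to `bob` after his exception lapsed, but only weeks after the fact, and it never sees `dave`'s three-day `erp:export` grant at all. The event-driven check raises all three at grant time, which is the gap the passage above describes.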

This is also where NHIMG’s research on The State of Secrets in AppSec is relevant in a wider sense: organisations often believe control is strong until remediation data shows otherwise. A failed review is not just a compliance miss; it is evidence that ownership, inventory, or enforcement was incomplete. In environments with federated administration, outsourced operations, or multiple IAM platforms, accountability breaks down when no one is assigned to verify the final revocation step.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access rights must be reviewed and enforced, not merely approved.
OWASP Non-Human Identity Top 10 | NHI-03 | Identity lifecycle failures often begin with poor entitlement visibility and ownership.
NIST AI RMF | | Accountability and traceability are core governance requirements for automated decision workflows.

Document responsibility, evidence, and escalation paths so review failures can be traced end to end.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org