They fail when reviewers check account lists instead of control combinations. A user can look properly provisioned while still holding the power to create, approve, and conceal improper activity. Access reviews must be tied to workflow authority, exception paths, and evidence of conflicting permissions in the systems where fraud can happen.
Why This Matters for Security Teams
User access reviews are meant to confirm that people still have the right privileges for their role, but insider fraud usually happens through combinations of access, not a single over-permissioned account. A reviewer can see a legitimate title and a clean list of entitlements while missing the ability to create transactions, approve them, and erase evidence in separate systems. That is why account-centric recertification often gives false comfort.
This gap is well aligned with the risks described in the OWASP Non-Human Identity Top 10, where identity governance fails when teams focus on possession instead of effective control. NHIMG’s 52 NHI Breaches Analysis shows the same pattern in other identity abuse cases: attackers and insiders succeed when access is fragmented across tools and oversight is fragmented across teams.
In practice, many security teams encounter fraud only after a suspicious journal entry, refund, or vendor payment has already been executed, rather than through intentional access review design.
How It Works in Practice
Effective reviews start with business processes, not user rosters. The goal is to identify toxic combinations such as create plus approve, initiate plus reconcile, or request plus override. Reviews should map each entitlement to the specific workflow step it enables, then test whether a single person can move value, alter records, and suppress exceptions without an independent check. That is a stronger control than asking whether the account "looks appropriate."
Current guidance suggests three operational steps. First, define control families for fraud-sensitive workflows and inventory the systems where those controls live. Second, review combinations across applications, not just within one application, because fraud often depends on cross-system chaining. Third, use evidence from logs, approvals, and exception queues to confirm whether a permission is merely assigned or actually usable in a way that creates risk.
- Recertify authority over transactions, approvals, refunds, journals, and overrides together.
- Include emergency access, exception paths, and dormant but still-active delegations.
- Verify separation of duties with actual workflow traces, not only entitlement exports.
- Escalate unresolved conflicts to process owners, not only line managers.
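The three steps above, and the list items that follow them, can be expressed as a small cross-system review script. The following is an added example written for this page, not code from the article or from NHIMG; every system name, entitlement, user, delegation and log event in it is constructed sample data, and the mapping of entitlements to workflow steps is an assumption made to illustrate the method. It maps entitlements from several systems onto workflow steps, flags toxic combinations per person (including authority inherited through a delegation that was never closed out), and then checks a workflow trace for conflicts that were actually exercised rather than merely assigned.

```python
"""Toxic-combination access review across systems.

Added example, not code from the original article or NHIMG. System names,
entitlement names, users, delegations and log events are constructed sample
data, and the entitlement-to-step mapping is an assumption made to
illustrate the method. Dates are ISO strings so they compare as text.
"""
from collections import defaultdict

# Step 1: control family for one fraud-sensitive workflow (vendor payments).
# Each entitlement is mapped to the workflow step it enables; the entitlements
# live in different systems, so the review must chain across them.
ENTITLEMENT_TO_STEP = {
    ("erp", "AP_INVOICE_ENTRY"): "create",
    ("erp", "AP_PAYMENT_RELEASE"): "approve",
    ("workflow", "APPROVER_TIER1"): "approve",
    ("vendor_portal", "VENDOR_MASTER_EDIT"): "create",
    ("erp", "GL_PERIOD_CLOSE"): "reconcile",
    ("reporting", "AUDIT_LOG_PURGE"): "conceal",
    ("workflow", "EXCEPTION_OVERRIDE"): "override",
}

# Step 2: combinations of workflow authority that must not rest with one person.
TOXIC_PAIRS = {
    frozenset({"create", "approve"}),
    frozenset({"create", "reconcile"}),
    frozenset({"approve", "conceal"}),
    frozenset({"create", "override"}),
}


def _delegation_active(d, as_of):
    """A delegation with no end date is treated as still active (stale coverage)."""
    return d["start"] <= as_of and (d["end"] is None or as_of <= d["end"])


def effective_steps(user, assignments, delegations, as_of):
    """Return {step: [source, ...]} for a user across every system, including
    steps inherited through delegations that are still active on `as_of`."""
    steps = defaultdict(list)
    holders = [(user, "")] + [(d["from"], f"delegated-from-{d['from']}:")
                              for d in delegations
                              if d["to"] == user and _delegation_active(d, as_of)]
    for holder, prefix in holders:
        for system, ent in assignments.get(holder, []):
            step = ENTITLEMENT_TO_STEP.get((system, ent))
            if step:
                steps[step].append(f"{prefix}{system}:{ent}")
    return dict(steps)


def find_conflicts(user, assignments, delegations, as_of):
    """Return sorted [(label, sources)] for each toxic pair the user can exercise."""
    steps = effective_steps(user, assignments, delegations, as_of)
    conflicts = []
    for pair in TOXIC_PAIRS:
        if pair.issubset(steps):
            a, b = sorted(pair)
            conflicts.append((f"{a}+{b}", steps[a] + steps[b]))
    return sorted(conflicts)


def exercised_conflicts(log_events):
    """Step 3 evidence check: transactions on which one user actually performed
    two conflicting steps, proving the combination is usable, not just assigned."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for ev in log_events:
        by_txn[ev["txn"]][ev["step"]].add(ev["user"])
    hits = []
    for txn, steps in by_txn.items():
        for pair in TOXIC_PAIRS:
            a, b = sorted(pair)
            for user in steps[a] & steps[b]:
                hits.append((txn, user, f"{a}+{b}"))
    return sorted(hits)


# Constructed sample data: entitlement exports from three systems.
ASSIGNMENTS = {
    "alice": [("erp", "AP_INVOICE_ENTRY"), ("vendor_portal", "VENDOR_MASTER_EDIT")],
    "bob": [("workflow", "APPROVER_TIER1"), ("reporting", "AUDIT_LOG_PURGE")],
    "carol": [("erp", "GL_PERIOD_CLOSE")],
}
# Bob delegated his approvals to Alice for leave cover; the end date was never set.
DELEGATIONS = [{"from": "bob", "to": "alice", "start": "2026-01-05", "end": None}]
# Constructed workflow trace: Alice both created and approved INV-1001.
LOG_EVENTS = [
    {"txn": "INV-1001", "user": "alice", "step": "create"},
    {"txn": "INV-1001", "user": "alice", "step": "approve"},
    {"txn": "INV-1002", "user": "alice", "step": "create"},
    {"txn": "INV-1002", "user": "bob", "step": "approve"},
]

if __name__ == "__main__":
    review_date = "2026-06-24"
    for user in ASSIGNMENTS:
        for label, sources in find_conflicts(user, ASSIGNMENTS, DELEGATIONS, review_date):
            print(f"{user}: {label} via {', '.join(sources)}")
    for txn, user, label in exercised_conflicts(LOG_EVENTS):
        print(f"EXERCISED {txn}: {user} performed {label}")
```

Run as a script it reports that Alice holds create plus approve only because of Bob's open-ended delegation, that Bob holds approve plus conceal outright, and that the create/approve conflict on INV-1001 was actually exercised. The point of the split between `find_conflicts` and `exercised_conflicts` is the one the guidance makes: the first is what an entitlement export can tell you, the second is the evidence from logs that turns an assigned combination into a confirmed finding for the process owner.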
For identity governance programs, the Ultimate Guide to NHIs is useful because it reinforces a core principle: identity is only as safe as the systems and actions it can reach. The same logic applies to people when fraud is the threat model. NIST’s identity guidance for access assurance, reflected in NIST SP 800-63, also supports stronger evidence-based verification rather than checkbox recertification.
These controls tend to break down when access spans ERP, payroll, case management, and reporting platforms because no single reviewer can see the full control chain.
Common Variations and Edge Cases
Tighter access reviews often increase operational overhead, requiring organisations to balance fraud prevention against reviewer fatigue and process disruption. That tradeoff matters because overbroad review campaigns create rubber-stamping, while overly narrow reviews miss the combinations that enable misconduct.
There is no universal standard for this yet, but current guidance suggests treating privileged business roles, not just IT roles, as high-risk review candidates. Finance, procurement, claims, customer support, and data governance teams often have the most dangerous combinations because they can create, approve, and conceal outcomes across different tools. Another common edge case is delegated authority. Temporary coverage, manager substitutes, and shared-mailbox-style access can survive long after the original business need has ended.
NHIMG’s NHI Lifecycle Management Guide is relevant here because stale access is a lifecycle problem, not just an annual review problem. For teams that need a broader governance lens, The State of Secrets in AppSec is a reminder that confidence in controls often exceeds actual control quality when inventory and remediation are fragmented. Access reviews work best when they are paired with continuous monitoring, because an annual certification alone cannot catch fast-moving privilege abuse or short-lived exception abuse before damage is done.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access rights must be reviewed against actual business privilege combinations. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Stale or excessive privileges create the same misuse risk as unmanaged NHIs. |
| NIST AI RMF | Governance needs evidence-based oversight, not checkbox assurance, to manage fraud risk. | Use documented accountability, monitoring, and human oversight for high-risk access decisions. |
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org