A periodic check of directory permissions to confirm that users still need the access they hold. In practice, the quality of the review depends on whether the process reflects current entitlements, includes inherited permissions, and produces evidence that can be acted on immediately.
Expanded Definition
An Active Directory access review is not just a permission audit; it is a governance check on whether directory entitlements still match business need, job function, and delegated administration realities. In NHI environments, that scope must include service accounts, application groups, nested group membership, inherited permissions, and any access granted through privileged role assignments. The review is strongest when it compares effective access, not merely assigned access, because AD inheritance can hide privilege that is operationally active even when it is not obvious in a simple report.
Definitions vary across vendors on what a “complete” review includes, but the practical standard in identity governance is evidence that can drive removal, not just documentation. That is why this term sits close to access recertification, entitlement attestations, and privileged access governance. It is also aligned with the risks called out in the OWASP Non-Human Identity Top 10, where stale or excessive permissions are treated as a structural exposure rather than a clerical issue. The most common misapplication is reviewing only direct user assignments while ignoring nested groups and inherited permissions, which occurs when reports are generated from directory records instead of effective access paths.
Examples and Use Cases
Implementing Active Directory access reviews rigorously often introduces timing and evidence-collection overhead, requiring organisations to weigh stronger least-privilege assurance against slower certification cycles.
- Quarterly manager attestations for employee groups, where reviewers confirm that terminations, transfers, role changes, and temporary exceptions have been removed from AD security groups.
- Privileged group review for domain admins and delegated administration teams, using the Ultimate Guide to NHIs as a reference point for why excessive privilege is a recurring NHI control failure.
- Service account recertification after application upgrades, where access owners validate whether a legacy account still needs local admin rights, LDAP read access, or cross-domain trust permissions.
- Audit preparation for evidence-backed revocation, using the review record to show who approved, what was removed, and when the change was enforced.
- High-risk remediation after breach analysis, informed by the 52 NHI Breaches Analysis, when investigators trace lateral movement through over-permissioned directory objects.
Because AD permissions can be inherited through group nesting, effective review workflows often depend on tooling that resolves transitive access before the certifier signs off.
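As an added illustration (not code from the page or from NHI Mgmt Group), the Python below resolves effective access through nested groups for a constructed directory snapshot, including a membership cycle, and lists the principals that a direct-assignment report would miss. Group, account and OU names are hypothetical.

```python
"""Resolve effective access through nested AD groups (added example; snapshot data is constructed)."""
from collections import deque

# Constructed snapshot: group -> direct members (users, service accounts, groups).
# Tier0-Ops nests back into Domain Admins so the walk must tolerate cycles.
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["svc-backup", "Domain Admins"],
    "App-Finance-Admins": ["Finance-Leads"],
    "Finance-Leads": ["bob", "svc-finance-etl"],
    "Finance-Leads-Old": ["carol"],
}

# Constructed ACL snapshot: resource -> [(trustee, rights)].
ACL = {
    "OU=Servers": [("Domain Admins", "GenericAll")],
    "OU=Finance": [("App-Finance-Admins", "GenericAll"), ("Finance-Leads-Old", "GenericAll")],
}

def expand_group(group, members=GROUP_MEMBERS):
    """Every non-group principal that is transitively a member of group."""
    seen, queue, principals = {group}, deque([group]), set()
    while queue:
        for m in members.get(queue.popleft(), []):
            if m in members:  # nested group: walk it once, so cycles terminate
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
            else:  # user or service account
                principals.add(m)
    return principals

def effective_access(acl=ACL, members=GROUP_MEMBERS):
    """Map each principal to the (resource, rights, granting group) tuples it holds."""
    result = {}
    for resource, entries in acl.items():
        for trustee, rights in entries:
            holders = expand_group(trustee, members) if trustee in members else {trustee}
            for p in holders:
                result.setdefault(p, set()).add((resource, rights, trustee))
    return result

def hidden_from_direct_report(acl=ACL, members=GROUP_MEMBERS):
    """Principals whose access exists only through nesting; a direct-assignment report misses them."""
    hidden = set()
    for entries in acl.values():
        for trustee, _ in entries:
            direct = {m for m in members.get(trustee, []) if m not in members}
            hidden |= expand_group(trustee, members) - direct
    return hidden
```

Feeding the output of `hidden_from_direct_report()` to the certifier is the point: those are the entitlements a report built from direct assignments never shows.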
Why It Matters in NHI Security
Active Directory access review matters because AD often becomes the control plane for both human and non-human identities, which means stale entitlements can silently persist long after the original business need has ended. For NHI security, the review is one of the few practical ways to catch service accounts that still hold broad privileges, application groups that were never cleaned up, and delegated admin paths that no longer match current ownership. This is especially important when secrets are tied to accounts, because the account review and secret lifecycle must be treated as connected controls rather than separate tasks.
NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. That statistic makes access review a governance necessity, not a paperwork exercise. It also aligns with the NHI Lifecycle Management Guide, where review is part of continuous entitlement hygiene rather than an annual event. Organisations that miss inherited permissions, orphaned groups, or stale service accounts usually discover the problem only after a credential is abused, at which point access review becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Access review exposes excessive or stale NHI permissions in directory paths. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and access governance require recurring entitlement validation. |
| NIST Zero Trust (SP 800-207) | AC-5 | Zero Trust limits standing access and supports continuous authorization checks. |
Review effective AD entitlements and remove any service or user access no longer justified.
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org