There is a moment (or every quarter) in almost every organization where access reviews are sent out, inboxes fill up, and managers everywhere collectively sigh. We’ve all seen the email: “Please review and certify user access for your team.” I’ve run the program…and I still sighed when I got it.
On paper it sounds simple: the responsible thing to do, even necessary. And on paper, it checks a very important box. Access reviews are a foundational control in identity and access management. They are supposed to ensure that the right people have the right access at the right time. Clean…logical…auditable.
In reality, they often turn into something closer to a streaming service recommendation algorithm. You open it, scroll for a few seconds, don’t recognize half the options, and eventually just click whatever gets you out of the screen fastest.
Approve all.
If you are diligent…you maybe skim a few names and remove one obvious outlier to feel productive, and then move on. Just like that, another access review cycle is complete and off your plate. Ask around and everyone feels like they did their part. The system records completion. Audit evidence is generated. Compliance achieved.
Compliance completed…but what about security? That’s a different conversation. The uncomfortable truth is that traditional access reviews fail not because organizations don’t care, but because the process itself is fundamentally misaligned with how humans think, how systems evolve, and how modern environments actually operate.
We built a control that assumes clarity in a world that is anything but clear.
Let’s start with the basic premise that access reviews rely on the idea that managers or system owners understand what access their people have and whether it is appropriate. That assumption might hold up in simpler environments with smaller teams, a few systems and clearly defined roles. In most organizations that world does not exist anymore.
Today, users accumulate access like characters collecting power-ups in a video game. They start in one role, move to another, pick up temporary permissions for a project, help out on a cross-functional team, gain access during an incident, and never quite give any of it back. Over time, their access profile becomes less of a clean job description and more of a highlight reel of everything they have ever touched (I’ve been guilty of this…well, my accounts have).
When the access review email arrives, the manager is not reviewing a clean, understandable set of permissions. They are staring at a list of system names, role identifiers, and entitlements that often require translation just to understand.
“Finance_App_RW_Level_3”
“Legacy_DB_Admin_Temp”
“Shared_Service_API_User”
None of these mean much without context, and sometimes, even with context, they require historical knowledge to understand. So what does the manager do? They make a decision based on what they do know: the person, not the access.
“They’ve been here for years.”
“They’re a high performer.”
“They probably need it.”
Click Approve.
This is not negligence, it is human nature. When faced with complexity and ambiguity, people default to trust and familiarity. Now layer in scale: hundreds of users, thousands of entitlements, and multiple systems that may each have their own naming conventions. Combine that with limited time to review and competing priorities, and the access review becomes less of a thoughtful security exercise and more of a task to complete.
We have effectively turned a critical control into a cognitive overload event, and cognitive overload leads to one predictable outcome…Approve all.
If this sounds familiar, it should. If it doesn’t, I envy you: either you have an awesome organization or you are blissfully unaware of the problem. It is the same behavior we see in other areas of life. Think about terms and conditions in applications…no one reads them. Not because people are irresponsible, but because the cost of understanding them outweighs the perceived benefit. So we click accept and move on, and access reviews have fallen into the same trap.
The second issue is fear of breaking things, a situation I’ve been in many times. Removing access feels risky, whereas approving access feels safe. If a manager removes a permission and something breaks, they are immediately visible…there are questions, there is disruption, and there might be a late night call.
If they approve access that is not needed, nothing happens (at least not immediately). So the safest decision, politically and operationally, is to approve (not saying it’s an excuse). Security loses to convenience every time when incentives are misaligned. This is where leadership matters more than tooling, because this is not just a process problem. It is a cultural one.
Organizations often say they want least privilege. In practice, they tolerate over-privilege because it avoids friction. Access becomes sticky. It accumulates. It rarely (if ever) gets challenged. Over time, this creates what, for lack of a better term, I’ll call access debt. Mostly because we’re used to talking about technical debt, and like technical debt, access debt builds quietly. Each unnecessary permission is small. Individually insignificant. Collectively dangerous.
Attackers understand this better than we do; they think about it more than we do. They are not always trying to break into a known high-level account. Often, they are looking for what is already there: existing accounts with excessive permissions. The more over-privileged your environment, the less work they have to do.
This is why breaches so often involve “legitimate credentials.” The access was real. It just should not have existed in that form. Traditional access reviews are supposed to catch this… yet they rarely do.
Another challenge is ownership. In many environments, it is not clear who truly owns access decisions. Is it the manager? The application owner? The IAM team? The business? When ownership is diffuse, accountability is weak. We’re all participants in the system, but no one owns it…and when no one owns it, the process becomes performative.
Traditional access reviews are the cybersecurity version of a movie set where everything looks real from the outside. The buildings have facades, the streets are laid out, the actors are in costume…but if you walk behind the scenes, you realize half of it is just painted plywood.
It looks like a city, but it is not a city.
Access reviews look like control, but they are often just evidence.
Now, to be clear, the answer is not to eliminate access reviews (I assume everyone just groaned). They are required, they are valuable when done correctly, and they align directly to core security principles around identity management, governance, and operational security.
The answer is to evolve them. Mature organizations treat access reviews differently. First, they focus on context: instead of presenting raw entitlements, translate access into meaningful descriptions. What system is this? What does this role allow someone to do? Why does it exist? Without context, you are asking people to make decisions blind.
Second, shift from broad reviews to targeted ones…not every access decision carries the same risk. Focus attention on high-risk systems, privileged access, and sensitive data. Reduce noise so that the signal stands out.
Third, introduce time-bound access wherever possible. Temporary access should expire automatically, not rely on someone remembering to remove it during a quarterly review.
Fourth, clarify ownership. Every access point should have a clear owner responsible for its lifecycle. If no one owns it, it should not exist.
Fifth, and most importantly, align incentives. Leaders must create an environment where removing unnecessary access is seen as responsible, not risky. Where breaking something temporarily in the name of security is acceptable, and where restoring access is easier than cleaning up a breach. Here is the reality. It is far easier to re-grant access than to explain to a board why an attacker had it in the first place.
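As an added illustration (not code from the original post, and not any particular IGA product), the script below applies the first four points above to a constructed set of grants before a human is asked anything: it translates raw entitlement identifiers into descriptions a reviewer can act on, auto-revokes time-bound grants that have passed their expiry, flags grants with no owner (or no catalog entry at all) instead of letting them be rubber-stamped, and sends only the high-risk remainder to a reviewer. The catalog, entitlement names, users, owners and dates are all constructed sample data.

```python
"""Build a targeted, context-rich access review queue.

Added example; the catalog, grants and dates below are constructed
sample data, not from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed catalog: maps the raw identifiers a reviewer normally sees to
# the context they actually need (system, what it allows, owner, risk tier).
CATALOG = {
    "Finance_App_RW_Level_3": dict(system="Finance App",
                                   allows="create and post journal entries",
                                   owner="finance-app-owner", risk="high"),
    "Legacy_DB_Admin_Temp": dict(system="Legacy DB",
                                 allows="full database administration",
                                 owner=None, risk="high"),      # nobody owns it
    "Shared_Service_API_User": dict(system="Shared Service API",
                                    allows="read-only service-to-service calls",
                                    owner="platform-team", risk="low"),
}


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted: date
    expires: Optional[date] = None   # None = standing access with no end date


def describe(entitlement: str) -> str:
    """Translate a raw identifier into a sentence a manager can act on."""
    meta = CATALOG.get(entitlement)
    if meta is None:
        return f"{entitlement}: UNKNOWN system (not in catalog; treat as high risk)"
    owner = meta["owner"] or "NO OWNER"
    return (f"{entitlement}: {meta['system']} - allows '{meta['allows']}' "
            f"(owner: {owner}, risk: {meta['risk']})")


def triage(grant: Grant, today: date) -> str:
    """Decide what happens to one grant before a human is involved."""
    meta = CATALOG.get(grant.entitlement)
    # Time-bound access that has lapsed is removed automatically; no review.
    if grant.expires is not None and grant.expires <= today:
        return "auto_revoke"
    # Unknown or unowned entitlements cannot be certified by anyone, so they
    # are flagged for the IAM team rather than offered to a manager to approve.
    if meta is None or meta["owner"] is None:
        return "unowned"
    # Only high-risk, owned, standing access reaches a human reviewer.
    if meta["risk"] == "high":
        return "review"
    return "skip"          # low-risk noise is kept out of the reviewer's inbox


def build_review_queue(grants, today: date) -> dict:
    """Bucket every grant by its triage outcome, with a readable description."""
    queue = {"auto_revoke": [], "unowned": [], "review": [], "skip": []}
    for g in grants:
        queue[triage(g, today)].append((g.user, describe(g.entitlement)))
    return queue


# Constructed sample grants and review date.
SAMPLE_GRANTS = [
    Grant("alice", "Finance_App_RW_Level_3", date(2023, 1, 10)),
    Grant("bob", "Legacy_DB_Admin_Temp", date(2024, 3, 1), expires=date(2024, 3, 15)),
    Grant("carol", "Shared_Service_API_User", date(2022, 6, 1)),
    Grant("dave", "Legacy_DB_Admin_Temp", date(2024, 9, 1)),   # "temp" with no expiry
    Grant("erin", "Old_HR_Export_Tool", date(2020, 2, 2)),     # not in the catalog
]
TODAY = date(2025, 1, 15)


def sample_queue() -> dict:
    return build_review_queue(SAMPLE_GRANTS, TODAY)


if __name__ == "__main__":
    for bucket, items in sample_queue().items():
        print(f"== {bucket} ({len(items)})")
        for user, text in items:
            print(f"  {user}: {text}")
```

On the sample data only one item (alice's finance write access) reaches a human, two are flagged as unowned for the IAM team, one expired grant is revoked without anyone being asked, and the low-risk API account never clutters the inbox. The design choice worth noting is that a missing owner or a missing catalog entry is a finding in its own right, not something the reviewer is invited to approve.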
Modern identity strategies, including zero trust models, are pushing organizations toward continuous validation rather than periodic certification. Access is no longer something you grant and forget. It is something you evaluate constantly, and that shift matters because it moves us away from theater and toward actual control.
At its core, this is about understanding that identity is part of the new perimeter, and if your perimeter is built on assumptions, it is not a perimeter. It is a suggestion. Leaders need to ask better questions.
Not just “Did we complete the access review?” but “What access did we remove?”
Not just “Who approved this?” but “Who owns this?”
Not just “Is this compliant?” but “Is this necessary?”
Because compliance without intent is just documentation, and documentation does not stop attackers (I wish it did).
The next time an access review hits your inbox, pause for a moment. Look beyond the checkbox. Look beyond the completion status. Ask yourself whether this process is actually reducing risk or just recording that you looked at it. Because in many organizations, the biggest risk is not the access you do not know about. It is the access you reviewed, approved, and never questioned.
Let’s be honest, because we can’t grow if we’re not. When was the last time an access review in your organization resulted in meaningful access being removed? Not one or two obvious cleanups. Real reduction? Or are we all just getting really efficient at clicking “approve all”?
I’d love to hear how others are tackling this. What’s working, what isn’t, and where you’ve seen access reviews actually make a difference.