You checked the box. The access was reviewed. Everyone signed off.
So why did a user still have access to systems they shouldn’t… months later?
The Access Review Illusion
If you’ve ever sat through an access review campaign, you know the drill. Each quarter (or year), managers are asked to review the entitlements of their direct reports. They log into the system, check a few boxes, maybe remove a handful of users, and move on with their day.
It’s compliance theater.
It looks like security. It sounds like governance. But it rarely changes anything meaningful. That’s because access reviews aren’t inherently about security — they’re about satisfying auditors. And while that has value, the way they’re implemented in most organizations actually creates a false sense of safety. You think you’ve reduced risk. In reality, you’ve just checked the same boxes you did last time… without asking if the access itself still makes sense.
There are a few core problems with the traditional access certification model.
First, the wrong people are reviewing the access.
Managers are often expected to approve entitlements for systems they don’t understand. How is a sales director supposed to know whether a user’s entitlements in a cloud infrastructure platform are necessary or excessive? They don’t. So they approve everything to avoid accidentally breaking something.
Second, context is almost always missing.
Even if a manager has some knowledge of the system, they’re not given data about actual usage. Did the user access this system in the last 90 days? Has their role changed since they last got these entitlements? Has there been any anomalous behavior tied to the account? Without this context, reviews are just guesswork.
And third, certifications often don’t lead to removal of access — or if they do, it happens inconsistently.
Some systems require manual deprovisioning after a certification. Others are automated, but not monitored for success. In some cases, access is removed — only to be automatically re-provisioned the next time an HR feed updates the user’s profile.
This is how access becomes permanent by default. Even when a review flags something, there’s no guarantee the change sticks.
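The three failure modes above (revocation never carried out, automated removal that silently failed, and access re-provisioned by a later feed) can be told apart by reconciling revoke decisions against the provisioning log and current state. The sketch below is an added example, not part of the original post; the record fields, sample data and status names are constructed and hypothetical.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not a real IGA export format.
REVOKE_DECISIONS = [
    {"user": "jdoe", "entitlement": "prod-db:admin", "decided": "2024-04-02"},
    {"user": "asmith", "entitlement": "crm:export", "decided": "2024-04-02"},
    {"user": "bwong", "entitlement": "cloud:poweruser", "decided": "2024-04-03"},
    {"user": "svc-old", "entitlement": "app:admin", "decided": "2024-04-03"},
]
PROVISIONING_EVENTS = [
    {"user": "jdoe", "entitlement": "prod-db:admin", "action": "remove", "at": "2024-04-05", "source": "iga"},
    {"user": "jdoe", "entitlement": "prod-db:admin", "action": "grant", "at": "2024-04-20", "source": "hr-feed"},
    {"user": "bwong", "entitlement": "cloud:poweruser", "action": "remove", "at": "2024-04-04", "source": "iga"},
    {"user": "svc-old", "entitlement": "app:admin", "action": "remove", "at": "2024-04-04", "source": "iga"},
]
# What the target systems report today (constructed).
CURRENT_ACCESS = {("jdoe", "prod-db:admin"), ("asmith", "crm:export"), ("svc-old", "app:admin")}

def verify_revocations(decisions, events, current):
    """Map each revoke decision to (status, source of the last relevant event)."""
    results = {}
    for dec in decisions:
        key = (dec["user"], dec["entitlement"])
        decided = date.fromisoformat(dec["decided"])
        # Only events on or after the decision matter, in chronological order.
        history = sorted(
            (e for e in events
             if (e["user"], e["entitlement"]) == key
             and date.fromisoformat(e["at"]) >= decided),
            key=lambda e: date.fromisoformat(e["at"]),
        )
        removed = any(e["action"] == "remove" for e in history)
        if key not in current:
            results[key] = ("revoked", None)            # the change stuck
        elif not removed:
            results[key] = ("never_removed", None)      # nobody deprovisioned
        elif history[-1]["action"] == "grant":
            results[key] = ("reprovisioned", history[-1]["source"])
        else:
            results[key] = ("removal_failed", history[-1]["source"])
    return results

if __name__ == "__main__":
    for key, outcome in verify_revocations(REVOKE_DECISIONS, PROVISIONING_EVENTS, CURRENT_ACCESS).items():
        print(key, outcome)
```

Run on a schedule after each campaign, anything other than `revoked` is a finding to chase, and the `source` field points at the feed or connector that undid the decision.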
Rubber Stamping and Review Fatigue
Ask around in any large organization, and you’ll find the same story: access reviews feel like a chore. They show up in the inbox as a task to complete, not a moment to evaluate risk.
Managers are overwhelmed. They approve everything just to hit the deadline.
Security teams are frustrated. They know the process isn’t working, but they need to prove to auditors that it exists.
Auditors are content. The paperwork checks out.
And so the cycle continues.
This is the mirage of access certification — a process that gives the appearance of control without the substance. When access reviews become routine and toothless, they stop catching the edge cases that matter. That contractor whose role ended last month? Still has access. That administrator who changed teams six months ago? Still owns elevated entitlements. That service account tied to a decommissioned application? Still active — and still privileged.
In security, false negatives are deadly. If your review process tells you everything’s fine when it’s not, you’re more exposed than if you had no process at all. Because at least then, you’d know to look.
Worse still, these lapses create audit exposure. If regulators find that certified access was later involved in a breach, the certifications themselves become evidence of negligence — not protection.
How to Fix the Certification Problem
Get rid of them. Find the deepest, darkest hole you can and toss them in there. Follow with 50 pounds of gasoline and light a match.
I know, I know, the auditors… OK, here’s a more realistic, albeit less fun, answer.
If you want access reviews to actually improve your security posture, you have to rewire the process from compliance-first to context-first. That means delivering access context in plain language. Who owns the system? What does this entitlement allow the user to do? When was it last used? Is it sensitive? Is it out-of-policy based on the user’s current role?
(It’s not too late to go the light-it-on-fire route…)
You also need better targeting. Not all access is created equal — don’t waste time reviewing read-only access to a public reporting tool if you haven’t reviewed privileged access to production systems.
And then there’s automation. Instead of waiting for quarterly reviews, implement continuous access evaluation that flags high-risk or out-of-policy access the moment it happens — not months later. Finally, embed review outputs into identity lifecycle processes. Removing access shouldn’t be a manual afterthought. It should be a natural result of job changes, project completions, or inactivity.
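A context-first, targeted review queue along these lines might look like the following added example (not from the original post). It asks the questions listed above of each entitlement, skips clean low-privilege access, and ranks privileged findings first; the field names, weights and sample records are constructed and hypothetical.

```python
from datetime import date

STALE_DAYS = 90  # usage window, matching the "last 90 days" question in the article

# Constructed sample entitlements; the schema is hypothetical, not a real IGA product's.
# subject_active: the person's engagement or the service account's application is still live.
ENTITLEMENTS = [
    {"id": "contractor1:vpn", "privileged": False, "last_used": "2024-05-20",
     "granted": "2023-11-01", "role_changed": None, "policy_ok": True, "subject_active": False},
    {"id": "admin7:prod-root", "privileged": True, "last_used": "2024-06-10",
     "granted": "2023-01-15", "role_changed": "2023-12-01", "policy_ok": False, "subject_active": True},
    {"id": "svc-legacy:db-admin", "privileged": True, "last_used": None,
     "granted": "2021-03-01", "role_changed": None, "policy_ok": True, "subject_active": False},
    {"id": "analyst3:reports-read", "privileged": False, "last_used": "2024-06-28",
     "granted": "2024-01-10", "role_changed": None, "policy_ok": True, "subject_active": True},
]

def findings(ent, today):
    """Return the plain-language reasons this entitlement deserves a reviewer's attention."""
    reasons = []
    last = ent["last_used"]
    if last is None or (today - date.fromisoformat(last)).days > STALE_DAYS:
        reasons.append("unused_90d")
    # ISO dates compare correctly as strings.
    if ent["role_changed"] and ent["granted"] < ent["role_changed"]:
        reasons.append("predates_role_change")
    if not ent["policy_ok"]:
        reasons.append("out_of_policy")
    if not ent["subject_active"]:
        reasons.append("subject_inactive")
    return reasons

def review_queue(entitlements, today):
    """Rank what reviewers see: privileged access always, low-privilege only with findings."""
    queue = []
    for ent in entitlements:
        reasons = findings(ent, today)
        if not reasons and not ent["privileged"]:
            continue  # clean, low-privilege access is not worth a reviewer's time
        score = (1 + len(reasons)) * 3 if ent["privileged"] else len(reasons)
        queue.append((score, ent["id"], reasons))
    return sorted(queue, key=lambda q: (-q[0], q[1]))

if __name__ == "__main__":
    for score, ent_id, reasons in review_queue(ENTITLEMENTS, date(2024, 7, 1)):
        print(score, ent_id, reasons)
```

Running the same evaluation on every grant, role change or inactivity threshold, rather than once a quarter, turns it into the continuous check described above.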
Final Thought: Security Is a Conversation, Not a Checkbox
You can’t certify your way to least privilege. The goal of access reviews was never to generate dashboards or pass audits. It was to reduce unnecessary access — and by extension, reduce risk. But somewhere along the way, we lost the plot.
IAM debt accumulates when we treat governance as a static process. When we assume that what was granted before is still valid today. When we stop asking why access exists and focus only on who has it. Access certification, when done right, is a powerful tool. But when done poorly, it’s just paperwork. The next time you hit “approve,” ask yourself this:
Do I know why this person needs this access?
Do I know if they’re using it?
Do I know what it could expose us to?
If the answer is no, then it’s not a certification. It’s a missed opportunity. And in IAM, missed opportunities almost always turn into risk.