Identity Governance Fails Because Nobody Owns the Dirty Work

Your last access review came back 90% approved. That’s not a clean environment. That’s a broken process with a completion date stamped on it.

I’ve spent thirty years watching identity governance programs fail — at big companies, small companies, and everything in between. And almost without exception, the failure isn’t technical. The tools work. The problem is organizational. Nobody actually owns the dirty work, and everybody in the room knows it.

HOW IT BREAKS DOWN

Here’s the setup. IT builds the review workflow. Security signs off on the process. Managers get a portal, a list of names, and a deadline. Those managers have no real idea what half the access does, why it was originally granted, or what removing it would break downstream. So they approve everything and get back to their actual job. That’s not laziness — that’s rational behavior given what they were handed.

The auditors come in, check the box, and the program is declared “operational.” Nobody lied. Nobody deliberately cut a corner. But nobody governed anything either.

I’ve been watching this exact pattern since before most of the current platforms existed. New tools. Same human behavior.

THE REAL ORGANIZATIONAL FAILURES

When I work through this with security teams, the same structural problems come up every time:

  1. Access reviews are delegated to people without context. The manager certifying entitlements often has no visibility into what those entitlements actually do. They’re certifying names, not risk. You cannot make a real decision without understanding what you’re deciding.
  2. Approving feels safe. Removing feels dangerous. This is backwards, but it’s how most people experience it. If you approve access and something bad happens later, you were following process. If you remove access and someone can’t do their job on Monday morning, your phone rings immediately. The incentives push toward approval every single time.
  3. No one is accountable for the outcome. The team running the review owns the process — did we collect certifications, did we hit the deadline, did we produce the report. They don’t own what happens six months later when a rubber-stamped dormant account shows up in an incident investigation. That accountability gap is where governance programs go to die.
  4. Security and IT don’t share the same definition of “done.” IT considers the review complete when certifications are collected. Security considers it complete when risk is actually reduced. Those two things are not the same, and most programs never reconcile them.

WHAT A REAL PROGRAM LOOKS LIKE

Fixing this requires getting uncomfortable in a few specific ways. Let me tell you what actually moves the needle.

Someone has to own the outcome, not just the process. That means if your access reviews consistently come back with 90%+ approval rates and your organization later experiences an access-related incident, there’s a person — a named person with a title — who has to answer for it. Right now most programs are structured so that literally nobody is accountable for bad outcomes. Fix that first.

Managers need real context before they certify anything. Not a list of usernames and entitlement codes. Actual plain-language descriptions: what this access allows, when it was granted, when it was last used, and what the business justification was. I’ve watched organizations reduce rubber-stamping significantly just by making the review process feel like a real decision instead of a data entry task.

You have to be willing to flag reviews done in bad faith. If a manager certified 150 accounts in 11 minutes, that review didn’t happen. Most programs accept it anyway because the alternative — having a hard conversation with a business unit leader — is uncomfortable. That discomfort is exactly where the work is.
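As an added illustration, not part of the original post, here is a Python sketch of the two checks the last two paragraphs describe: flagging reviewers whose certification velocity and approval rate indicate no real decision was made, and flagging approvals of access that has not been used recently. The review export, the review date and the thresholds (95% approval, under 10 seconds per decision, 90 days dormant) are constructed assumptions, not values from the post or any product.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample export of one review campaign (not real data).
# Fields: reviewer, account, decision, decided_at (ISO), last_used (ISO date or None = never)
DECISIONS = [
    ("mgr_a", "jdoe",   "approve", "2024-03-01T09:00:00", "2024-02-20"),
    ("mgr_a", "asmith", "approve", "2024-03-01T09:00:03", None),
    ("mgr_a", "bjones", "approve", "2024-03-01T09:00:05", "2023-10-01"),
    ("mgr_a", "clee",   "approve", "2024-03-01T09:00:08", "2024-02-28"),
    ("mgr_b", "dkim",   "approve", "2024-03-02T14:00:00", "2024-02-25"),
    ("mgr_b", "epark",  "revoke",  "2024-03-02T14:06:00", "2023-09-15"),
    ("mgr_b", "fwong",  "approve", "2024-03-02T14:11:00", "2024-03-01"),
]
REVIEW_DATE = date(2024, 3, 5)  # assumed date the campaign closed


def reviewer_stats(decisions):
    """Per reviewer: decision count, approval rate, upper-median seconds between decisions."""
    by_reviewer = defaultdict(list)
    for reviewer, _account, decision, decided_at, _last_used in decisions:
        by_reviewer[reviewer].append((datetime.fromisoformat(decided_at), decision))
    stats = {}
    for reviewer, rows in by_reviewer.items():
        rows.sort()  # chronological order so gaps are meaningful
        approvals = sum(1 for _, d in rows if d == "approve")
        gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:]))
        median_gap = gaps[len(gaps) // 2] if gaps else None
        stats[reviewer] = {"n": len(rows), "approval_rate": approvals / len(rows),
                           "median_gap_s": median_gap}
    return stats


def flag_rubber_stamps(stats, min_decisions=3, max_rate=0.95, min_gap_s=10):
    """Reviewers who approved nearly everything at a pace too fast to have read it."""
    return sorted(r for r, s in stats.items()
                  if s["n"] >= min_decisions and s["approval_rate"] >= max_rate
                  and s["median_gap_s"] is not None and s["median_gap_s"] < min_gap_s)


def flag_dormant_approvals(decisions, review_date, dormant_days=90):
    """Approvals of access that was never used or not used within dormant_days."""
    flagged = []
    for reviewer, account, decision, _decided_at, last_used in decisions:
        if decision != "approve":
            continue
        if last_used is None or (review_date - date.fromisoformat(last_used)).days > dormant_days:
            flagged.append((reviewer, account))
    return flagged


if __name__ == "__main__":
    stats = reviewer_stats(DECISIONS)
    print("rubber-stamp reviewers:", flag_rubber_stamps(stats))
    print("dormant access approved:", flag_dormant_approvals(DECISIONS, REVIEW_DATE))
```

Either list is the starting point for the hard conversation the post describes: a reviewer who appears on the first is asked to redo the review, and each entry on the second needs a written justification before the certification counts.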

And here’s the thing most governance programs avoid entirely: recertification needs teeth. If access is approved without adequate justification and later contributes to an incident, that needs to trace back to the approval decision. Not to punish people, but because without consequences, the incentive to rubber-stamp never goes away.

STOP CALLING IT GOVERNANCE IF IT ISN’T

A completed access review isn’t evidence of a functioning program. It’s evidence that someone clicked through a list. Those are different things, and treating them as equivalent is how organizations end up with documented risk that nobody actually managed.

The word “governance” implies accountability. It implies that decisions are being made, not just recorded. If your program can’t tell you who made what decision, based on what information, and what changed as a result — you’re not governing access. You’re generating audit artifacts.

The hard part isn’t finding the right tool. It’s being honest about what your current process is actually producing — and being willing to restructure the ownership and accountability to make it real.

If you want to go deeper on building identity governance programs that hold up under scrutiny, check out the resources I’ve put together at jrobertsonsecurity.gumroad.com. Practical guidance, not theory.
