For years, user access reviews (UARs) have been treated as the centerpiece of identity governance.
If you want to prove control, you run reviews. If you want to pass an audit, you document reviews. If something goes wrong, you point to the last completed review.
This was fine in a world where all identities were human users. But today, with the increasing number of service accounts, AI agents, and bots, UARs alone cannot manage identity risk.
The problem isn’t how access reviews are executed; it’s how identity functions today. Identity risk today is continuous, contextual, and action-based. A review-centric program cannot keep up with how modern systems actually operate.
Access reviews were designed for a slower world
Access reviews made sense when identity was relatively static: Users were humans. Roles changed infrequently. Access was granted once and lingered. Infrastructure was long-lived.
In that world, periodically asking a manager to confirm access was a reasonable proxy for control. You could pause, review the current state, and correct drift.
That world no longer exists. Today’s environments include:
- Ephemeral cloud infrastructure
- SaaS sprawl with overlapping permissions
- Contractors, vendors, and partners rotating constantly
- Non-human identities that outnumber humans
- AI agents taking action without logging in like a person
Access doesn’t sit still long enough to be reviewed meaningfully. By the time a review cycle starts, the environment has already changed.
Periodic reviews fail in dynamic, agent-driven environments
The core assumption behind access reviews is that risk accumulates slowly and predictably. That assumption breaks down in modern identity systems.
Access today is:
- Granted just in time
- Used briefly
- Changed frequently
- Executed by automation and agents
- Dependent on context, not just role
A quarterly or even monthly review cannot capture:
- Access that existed for minutes
- Actions taken by agents using delegated permissions
- Temporary privilege escalation
- Machine-to-machine access paths
- Contextual risk that changes by workload or data sensitivity
There is a deeper mismatch at play.
Reviews ask:
- Who has access?
- Should they still have it?
Modern identity risk depends on:
- Why access was needed
- What action was taken
- Under what conditions
- For how long
- With what downstream impact
A static list of entitlements doesn’t answer those questions.
In an agentic environment, the question is no longer “Does this identity have access?” It is “Is this action allowed right now, under this context, with these guardrails?” Access reviews, as they stand today, were never designed to answer that.
Identity risk is action-based, not entitlement-based
This is the shift most programs have not fully made yet. Identity risk is not primarily about standing access. It is about what identities can do. Two identities with identical permissions may represent radically different risks depending on whether access is just-in-time or always-on, whether their actions require approval, whether an activity is logged and reversible, and whether scope is tightly constrained.
A review-centric program focuses on entitlement inventory. A modern program focuses on action control.
That means governing when access is granted, how long it lasts, what actions are permitted, what approvals or verifications are required, and what happens automatically versus manually.
When risk is framed this way, reviews stop being the center of governance. They become a validation layer, not the control plane.
What should replace a review-centric identity program
The alternative isn’t “no reviews ever.” Modern identity programs are built around continuous enforcement, not periodic validation.
That looks like:
- Policy enforced at the moment access is requested or action is taken
- Just-in-time access replacing standing permissions
- Context-aware decisions based on role, system, data, and risk
- Automated controls that prevent risky states from existing at all
- Reviews used to confirm policy effectiveness, not to compensate for missing controls
In this model, access reviews still exist, but they play a very different role. Instead of functioning as a mechanism to keep systems safe, they answer questions like:
- Are our policies working?
- Are there patterns of exception we should address?
- Where should controls be tightened or automated next?
Evolving without breaking audit expectations
One reason teams cling to access reviews is fear of audits. Audit expectations can be high, but auditors typically just need to see specific assurances. Instead of point-in-time UARs, those assurances can be demonstrated through policy-as-code, automated enforcement, event-level logging, time-bound access records, and evidence that risky access cannot persist unchecked.
In fact, this can actually make the audit process easier. Instead of asking teams to attest to thousands of entitlements, teams can show:
- Access was granted only when needed
- Access expired automatically
- High-risk actions required approval
- Controls were applied consistently across identities
That is stronger assurance than any spreadsheet-driven review cycle can provide.
Access reviews today aren’t useless, but they are insufficient—reflecting how identity used to behave in static environments, not how it behaves now. As identity becomes the control plane for cloud infrastructure, SaaS, and AI agents, governance has to move from retrospective confirmation to real-time control.
The teams that succeed will stop asking, “Did we review access?” and start asking, “Did our policies prevent unnecessary risk from existing at all?”
That’s how you shift from reviewing access to governing it.
If you want help building strong, automated identity governance, ConductorOne can show you where to start. Book a demo.