For years, access reviews have been one of the most recognizable controls in identity governance. Every quarter, managers receive a list of users and their access. They are asked a simple question: Should this person still have this access? The idea is straightforward. If we periodically verify who has access, we reduce the risk of excessive privileges and meet audit requirements.
This model made sense when access was mostly static. In many systems, access was granted through roles, groups, or direct assignments. A user joined a role such as Finance Analyst or Database Admin, and that role determined what they could do. Reviewing access meant reviewing those assignments.
But modern systems are changing how access actually works.
Increasingly, access is not something a user permanently has. It is something the system decides in real time.
In policy-driven authorization models such as PBAC, attribute-based access control, and zero trust architectures, access decisions depend on many factors beyond a simple assignment. Policies may consider user attributes, device posture, location, time of day, risk signals, or temporary elevation. The system evaluates these inputs at runtime before allowing an action.
In these environments, access becomes dynamic. A user may be allowed to perform an action in one situation but denied in another, even if their role has not changed.
This raises an interesting question.
What exactly are we reviewing during a traditional access review?
Most reviews focus on artifacts like roles, group memberships, or entitlements. For example, a manager might see something like this:
User: Alice
Group: Engineering
Application Role: Build System Developer
The manager approves or revokes the assignment. The review is complete. But the assignment alone does not actually explain what Alice can do.
Consider a simple policy-driven system. A developer may be allowed to access a production build environment only if several conditions are true:
- The user belongs to the engineering group
- The device is a managed corporate device
- The request occurs during business hours
- The risk score is low
The access decision might look like this:
Access allowed if:
User in Engineering AND Device trusted AND Time within work hours AND Risk score below threshold
In this model, the engineering group membership is only one input into the decision. The final access outcome depends on multiple conditions evaluated at runtime.
Now imagine a manager reviewing Alice’s access. They see that she belongs to the Engineering group and approve the assignment. But that review does not answer several important questions.
Can Alice access the system from a personal device?
Can she access it after hours?
What happens if her device posture changes? What if the risk engine flags unusual activity?
The review confirms the presence of one artifact, but it does not fully explain how access decisions are actually made.
This is where many organizations are starting to feel a gap between traditional governance practices and modern authorization architectures.
In practice, many organizations have adapted access reviews to serve a different but related purpose: validating software entitlements in seat-licensed products. This is a real and legitimate use case. But it is worth separating from the question of governing access decisions, which is a distinct problem.
Access reviews were designed to govern static assignments. But many modern systems rely on dynamic decisions. And those decisions are largely invisible to the people who understand the business context behind them. A manager may have a legitimate reason to want Alice to access a system from a personal device, or outside business hours. But if the policy engine is making that determination silently, the manager has no surface to exercise that judgment. The review confirms an assignment. It says nothing about whether the decision logic itself reflects business intent.
This does not mean access reviews are useless. They remain valuable in environments where access is directly tied to roles, groups, or application assignments. Many enterprise applications still operate this way, and reviewing those assignments is still a meaningful control.
However, as organizations adopt policy-driven authorization and zero trust principles, reviewing assignments alone becomes incomplete.
Instead of focusing only on who holds certain artifacts, governance may need to shift toward understanding how access decisions are made.
One way to think about this shift is through a concept we might call decision governance.
Decision governance focuses on governing the mechanisms that produce access decisions rather than only reviewing the artifacts associated with users.
In a decision governance model, organizations would ask questions such as:
Are authorization policies defined and reviewed regularly?
Are the attributes used in policies accurate and trustworthy?
Are policy changes tracked and approved?
Are access decisions logged and observable? Are exceptions or overrides monitored?
Instead of only reviewing who has access, governance begins to examine how access decisions are produced.
This approach aligns more closely with modern authorization systems where policies, attributes, and contextual signals determine outcomes dynamically.
The natural home for decision governance is the authorization platform where policies are stored, evaluated, and logged. These platforms can make access decisions provable and auditable in ways traditional tools cannot. The identity inputs feeding those decisions, whether managed through an IGA platform or directly through an identity provider, still need to be accurate and trustworthy. But the accountability for how decisions are made sits with the system making them.
For security teams, this shift also reflects a broader change in how systems are designed. Many organizations are externalizing authorization logic into centralized policy engines. DevOps teams are adopting policy-as-code. Machine identities and automated workflows are multiplying across cloud environments. Access is no longer just about users and applications. It is about systems making continuous decisions.
As this shift continues, governance models may need to evolve alongside it.
But they may no longer be sufficient on their own in environments where access is dynamic and contextual.
If access is calculated at runtime, governance may need to focus less on reviewing assignments and more on understanding and governing the decision systems that ultimately determine who can do what.
In other words, the future of identity governance may not be about reviewing access.
It may be about governing access decisions.
Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.
About the Author
Vatsal Gupta is a Senior Security Engineer at Apple, where he focuses on authorization architecture and enterprise access governance. His work sits at the intersection of identity systems, security policy, and agentic AI, with a particular interest in how AI systems can be governed within defined authorization boundaries at scale. Outside of Apple, he contributes to open standards through the OpenID Foundation’s AuthZEN and SSF working groups, serves on the ISSA Journal Editorial Advisory Board, and has published across academic and industry venues on topics ranging from access governance frameworks to AI-driven policy generation. He is an IEEE Senior Member and an active contributor to the Cloud Security Alliance’s IAM working group.
