
Summary: 73% of organizations still rely primarily on manual access review processes — resulting in rubber-stamped approvals and recurring audit findings. Oleria Trustfusion, an AI-native identity security platform, replaces gut-feel certification with AI-powered access certification that surfaces three evidence signals — dormancy, peer-group analysis, and HR changes — on every review line, so reviewers make decisions on context, not memory.
73% of organizations rely primarily on manual processes for user access reviews (2025 State of IGA Report, Zilla Security). The result is well-documented: reviewers don't know what their reports actually use, so they approve everything to avoid disrupting work. Reviews complete on time but produce no real narrowing of access. Audit increasingly treats this as a finding because the review isn't doing the control's job.
This isn't a process problem. It's an evidence problem. Most IGA tools surface entitlements but not usage; they ask reviewers to certify access without the data to certify it on. As Mark Carter, CIO & CISO at Vimeo, puts it — "the traditional compliance process might make you compliant, but it doesn't make you secure."
Oleria's AI evaluates three signals — Dormant Days, Peer Group Analysis, HR Changes — and proposes Approve, Needs review, or Reject for every line. Reviewers spend their attention on the outliers, not the bulk. Continuous least privilege, powered by deep access intelligence.
Cycle time: Weeks → days
Per-reviewer effort: Hours → 30–60 minutes
Access actually narrowed by review: From near zero to materially significant
Audit findings on review quality: Eliminated

If 73% of organizations run reviews on manual processes, the question isn't whether your program could be better — it's how much risk that gap is creating now. Oleria's Identity Security Maturity Assessment benchmarks your access governance program and shows where evidence-driven reviews can close the gap.
Start with privileged or regulated-data scope; expand from there. By the fourth cycle, the review just runs.
SOX, HIPAA, ISO 27001, PCI DSS 4.0, GDPR, FedRAMP, NIST — evidence becomes the audit pack directly.
Threshold periods are customizable per organization, feature, and application.
Yes — by department, manager, or start date for risk-tiered cadences.
Three signals per line: Dormant Days, Peer Group match, HR Changes — with Approve, Needs review, or Reject recommended.
73% run on manual processes. Reviewers certify without evidence and rubber-stamp to avoid disruption.