Permissions Don’t Tell Reviewers Enough — Authority Does

Access reviews are built on a simple premise: If you show someone what access exists, they can decide whether it should remain.

It sounds reasonable. It’s also where the problem begins. Because permissions don’t tell reviewers what they need to know.

The Assumption Behind Access Reviews

Most access reviews present a familiar view:

  • A list of users

  • A set of roles or entitlements

  • A request to approve or revoke

The expectation is that reviewers—typically business owners or managers—can assess whether that access is appropriate. But this assumes that permissions accurately reflect what an identity can actually do. In reality, they don’t.

Permissions Describe Intent—Not Reality

Permissions are how organizations express intent. They define what access should exist. They reflect policy, role design and provisioning decisions. But they are only one layer of a much larger structure.

Inside real environments, authority is shaped by far more than direct permissions:

  • Inheritance through groups and nested roles

  • Delegated access that extends control beyond original assignments

  • Service identities and automation acting on behalf of users

  • Cross-system relationships where access in one platform enables action in another

Each of these mechanisms is valid. Together, they create something that permissions alone cannot capture: effective authority. This is what an identity can actually do once all relationships are considered.

The Visibility Gap

This is where access reviews begin to break down. Reviewers are asked to make decisions based on permissions, while risk is determined by authority. Reviewers see fragments of the system. But system expects a judgement on the whole. So reviewer decisions become approximations. A role looks familiar, so it’s approved. An entitlement appears standard, so it’s left in place. A user seems appropriate, so access remains unchanged.

But the reviewer cannot see:

  • How that access combines with other permissions

  • Whether it creates an escalation pathway

  • If it contributes to a concentration of authority

  • Or whether it enables control across systems

The result is not negligence. It’s a structural blind spot.

Why Risk Gets Approved

When identity-related incidents are analysed, a pattern emerges. The issue is rarely that access was granted incorrectly in isolation. It’s that authority existed somewhere it shouldn’t have:

  • A combination of roles enabled end-to-end control

  • A delegated permission extended beyond its intended scope

  • A service account retained privileges long after its purpose ended

These are not permission-level failures. They are failures of authority visibility. And they are largely invisible in traditional access reviews.

The Limits of Better Data

The instinctive response is to improve the review process:

  • More frequent campaigns
  • Better entitlement descriptions
  • Cleaner data

These steps help, but only at the margins. This is because the core issue remains: permissions are not the right unit of analysis for understanding risk. No matter how clean or well-labelled they are, they do not show how authority behaves once it propagates across systems.

From Permissions to Authority

To make access reviews meaningful, the perspective has to shift.

Instead of asking: “Is this permission appropriate?”

Reviewers need to be able to ask: “What authority does this identity actually have?”

That means understanding:

  • How access combines across systems

  • Where authority concentrates

  • Which identities can execute critical actions end-to-end

  • How authority has evolved over time

This requires viewing identity not as a list of permissions, but as a structure of relationships—a connected model of how authority exists across the enterprise.

What Changes for Reviewers

When reviewers are given visibility into effective authority, the nature of the decision changes. They are no longer approving abstract access. They are evaluating real capability. A reviewer can see not just that a user has access, but that they can initiate, approve and reconcile a transaction across systems.

They can identify where authority is excessive, even if individual permissions appear valid. They can make decisions with context, not assumption. This transforms access reviews from a procedural task into a meaningful control.

A More Defensible Model

For regulated organizations, this shift is especially important. Audit and compliance processes increasingly expect not just evidence that reviews were completed, but that they were effective. That requires demonstrating:

  • What authority existed at a point in time

  • How it was evaluated

  • Why decisions were made

Permissions alone cannot support that level of assurance. Authority can because it reflects the actual conditions under which risk exists.

The Shift That Matters

Identity systems will always be essential for defining and managing access, but access does not determine risk. Authority does.

Until access reviews are grounded in that reality, organizations will continue to approve risk they cannot see.

Permissions are easy to list. They are straightforward to review. They create the appearance of control. But they are not enough. To understand risk, reviewers need to see how authority actually exists—how it accumulates, propagates and concentrates across the enterprise.

Only then can they answer the question access reviews were always meant to address:

Not “Does this access look right?”

But “Does this identity hold more power than it should?”

The Power of
Gathered Identities

Book your free 30 minute demo now.