Are AI Agents About to Break Access Reviews?

Phil Kinsley

Field CTO, Security

AI agents are forcing organizations to rethink access reviews, identity lifecycle management, and non-human identity governance. The real issue is not the review campaign itself, but whether reviewers have enough context to make meaningful access decisions.


Start with the access review most organizations already recognize.

A manager gets an email saying a review campaign is ready. They click into the portal and get a list of users, groups, apps, roles, guests, and permissions, with a button that asks them to approve or remove access. The workflow ran, the notification worked, the campaign has an owner, and the auditor can see that the process exists.

On paper, that looks like governance.

Then you sit with the people actually doing the review and the conversation changes pretty quickly. The manager is not usually asking for a better button. They are asking whether they know enough to make the decision in front of them.

Why does this person have access? Was it requested properly or added manually because someone needed something quickly? Is it tied to their job, a department, a project, or some group they inherited two roles ago? Did the project end? Is there a risk signal on the account that should change the answer? And if they remove the access, does anything break that the business still depends on?

That is the access review problem. It is not usually the campaign itself. It is the missing context around the decision.

Do AI Agents Break Access Reviews?
Not by themselves. AI agents expose the weaknesses already present in access reviews: unclear ownership, weak lifecycle controls, excessive permissions, and missing context around why access exists.


The Review Became the Control

This is the part I keep coming back to in customer conversations. A lot of organizations have treated the access review as the control, when it is really supposed to be one checkpoint inside a larger identity lifecycle.

If access is requested poorly, granted manually, inherited through messy groups, left in place after someone changes jobs, and then reviewed once a quarter by someone who does not know the story behind it, the review is not fixing the problem. It is giving the organization a cleaner way to document the problem.

That sounds harsher than I mean it. Most reviewers are trying to do the right thing with the information they have. The issue is that the system asks them, โ€œShould this person still have access?โ€ when what they really need to know is, โ€œWhat is this access for, how was it approved, who owns the resource, what business process depends on it, and what risk comes with leaving it there?โ€

A completed campaign can make everyone feel like governance happened, but completion is not the same as control. The access may still be too broad, ownership may still be unclear, and the removal process may still depend on someone being brave enough to click a button when they are not sure what will happen next.

That is not an access review failure by itself. It is an identity lifecycle failure showing up in the access review.

Completion Is Not Control
A finished access review does not prove access is appropriate. It only proves the review happened. Governance depends on whether the decision had enough context to reduce risk.

Cybersecurity Team using Computer in Blue Light

Now Take That Same Problem and Add AI Agents

Not AI in the abstract, and not the version where everyone sits around talking about transformation. The operational version is already starting to happen.

When AI Pilots Become Production Identities

Someone creates an agent to summarize tickets, pull information from a customer system, update a workflow, draft a response, search across internal content, or take action inside a business process. It starts as a pilot, then a team depends on it, then it gets connected to another system because the demo is better when the data is real.

At some point, that agent has an identity. Maybe it is tied to an app registration. Maybe it uses delegated permissions. Maybe it runs under a service account. Maybe it has access because the person who created it had access. Maybe the team knows exactly what it can reach, or maybe everyone assumes someone else checked.

The Access Review Questions Get Harder

Put that into an access review and the questions get harder. Who owns the agent? What identity does it use? What data can it read? What can it change? Can it act on behalf of a user? Did it get access directly, through a group, through delegated permissions, through app consent, or through a workflow nobody has looked at since the pilot? Does the access expire when the project ends, or does it stay there because nobody wants to break something that seems to be working?

These are not future-state architecture questions. They are operating questions, and they start showing up the moment agents move from interesting demos to actual work.

Before Approving AI Agent Access, Ask:
Who owns the agent? What identity does it use? What data can it read? What can it change? Can it act on behalf of a user? When should access expire?


We Already Had This Problem

Security teams have been dealing with non-human identities for years. Service accounts, app registrations, automation accounts, certificates, secrets, scripts, connectors, break glass accounts, and the rest of the plumbing have always carried some version of this risk.

Non-Human Identities Were Already Risky

Nobody wants to touch the account that has been around for six years because it might break reporting, payroll, backups, provisioning, or some process everyone forgot existed until it fails. AI agents do not create that weakness from nothing. They make it more visible, more common, and potentially more consequential.

Why This Matters
AI agents are part of a broader non-human identity problem. The risk is not just that they can sign in. The risk is what they can do once they are connected to tools, workflows, and business data.

What Makes AI Agents Different

The difference is that an agent is not always just authenticating in the background. It may be reasoning over data, calling tools, creating content, triggering workflows, and taking actions that look a lot like work. So the identity question becomes bigger than โ€œCan it sign in?โ€ The more useful question is, โ€œWhat can it do once it is in, who decided that was appropriate, and do our Conditional Access policies still make sense when the thing accessing the resource is not always a person?โ€

The old review model assumes a fairly understandable relationship between a person, a role, and a resource. AI identities do not always fit that shape. An agent may support a team rather than a single person, operate across departments, use delegated access in one system and application permissions in another, and be built by one group while being used by another. If nobody knows whether the reviewer should be the builder, business owner, application owner, data owner, or security team, the review is already behind.


What Good Starts To Look Like

The better version starts before the review. For people, joiner, mover, and leaver processes have to work. Access should be tied to role, department, location, project, and business need where possible.

For agents, the same thinking has to be adapted. The agent needs an owner, a purpose, an identity, a permission boundary, and a lifecycle. It should be clear whether it can read, write, act on behalf of a user, access sensitive data, or keep access after the business need changes.

None of that is anti-AI. It is basic operating discipline.

Good AI Agent Governance Requires:
A named owner, a clear purpose, a defined identity, permission boundaries, lifecycle rules, access expiration, and risk-based monitoring.


Where Microsoft Entra Suite Fits

This is where Microsoft Entra Suite becomes useful, but not in the lazy way where we pretend a suite fixes governance by itself.

The useful part is that it brings more of the identity control points together. Microsoft Entra ID Governance helps with entitlement management, lifecycle workflows, and access reviews. Microsoft Entra ID Protection adds risk context, because identity changes based on behavior, sign-in risk, and other signals that should influence the access decision. Microsoft Entra Verified ID gives organizations another way to think about trust before access is issued, especially where stronger proof of identity matters.

Better Context Makes Reviews Meaningful

The value is not that the access review screen looks cleaner. The value is that the review has a better chance of being connected to the rest of the lifecycle. Who is this person? What role are they in? Who approved the access? What has changed since then? Is there risk on the account? Should the access expire? Should the manager review it, or should the resource owner review it because they understand the process better than anyone else?

Those are the questions that make an access review meaningful.

Where Microsoft Entra Helps
Microsoft Entra Suite can make access reviews more meaningful when reviews are connected to identity lifecycle workflows, entitlement management, risk signals, verified identity, and agent identity governance.


Agent 365 and Entra Agent ID

With agentic AI, Microsoft Entra Agent ID and Agent 365 become important because agents need their own identity and governance model.

Agents Need Their Own Governance Model

Treating every agent like a human user is wrong, but treating every agent like a traditional application is also too simple. Agents sit in a more complicated place because they can act, reason, delegate, and interact with tools and data in ways that are more dynamic than a normal app permission.

An agent should not be a mystery object in the tenant. It should have an owner, a purpose, a defined permission boundary, and a review process. It should not keep access forever because the original project team forgot about it. It should not inherit broad permissions because that made the pilot easier. It should not reach sensitive data just because a connector made it convenient.

Why Microsoft 365 E7 Is Worth Watching

This is also why Microsoft 365 E7 is worth watching as AI moves from pilots into operations. The packaging will matter for cost and licensing, but the more interesting point is that Microsoft is building toward a world where employees and agents are governed together across productivity, identity, security, endpoint, data, compliance, and operations.


The Security Team Cannot Govern Agents From A Spreadsheet

There is a tempting version of the early AI governance program where someone says, โ€œFor now, we will just track the agents manually.โ€ That may work for the first few pilots, but it will not survive real adoption once business units start building agents, copilots become part of normal workflows, SaaS platforms add their own assistants, and automations start acting across systems.

Discovery has to be continuous. Ownership has to be assigned. Risk has to be visible. Controls have to be enforced where the work is happening. Otherwise, the access review becomes a cleanup exercise after the environment has already moved on.


Where eGroup Helps

This is where the conversation becomes practical for clients, because most organizations do not need another abstract AI governance discussion. They need help connecting the pieces they already own and turning that into an operating model that can survive past the first workshop.

Start With the Current Identity Lifecycle

That starts with the identity lifecycle today, including onboarding, movers and leavers, privileged access, app registrations, application ownership, data ownership, and exceptions. Then the AI identity layer has to be added to that model, including which agents exist, what access they have, what data they can reach, what identities they use, and how risky behaviors are detected.

Turn Microsoft Tools Into a Control Model

That is where eGroup can help your organization make Microsoft Entra Suite, Microsoft 365 E7, Agent 365, Defender, Purview, Intune, Sentinel, and Security Copilot work as a control model rather than a collection of products.

Operate Identity and AI Risk Around the Clock

There is also a managed operations reality here. A risky sign-in, unusual app consent, abnormal data access pattern, suspicious agent action, or endpoint behavior tied to an automation should not sit in a queue until someone has time to investigate.

That is where eGroupโ€™s ThreatDefender Managed Extended Detection and Response service earns its place, helping operate the Microsoft security stack around the clock so identity and AI activity are not treated as separate problems. The tools surface the signal. The operating model decides whether that signal becomes action.


The Part No Campaign Fixes

The executive truth is fairly simple. Access reviews are not usually broken because people refuse to review access. They are broken because the review is disconnected from the lifecycle that created the access in the first place.

AI makes that problem harder because the identities are no longer only people. They are agents, apps, automations, service principals, copilots, and workflows acting inside the business. Some will be sanctioned. Some will be discovered later. Some will have more access than anyone intended, not because anyone was reckless, but because the business moved faster than the governance model.

The answer is not to slow everything down or treat AI as something to block by default. The answer is to put identity governance where it belongs, at the center of how work is done.

Know who the person is. Know what the agent is. Know what each can access. Know who approved it. Know when it should expire. Know when risk changes the answer.

Then make the review mean something.

The Executive Takeaway
Access reviews only work when organizations know who or what has access, why that access exists, who approved it, when it should expire, and how risk changes the decision.


Make Access Reviews Mean Something

Connect access reviews, identity lifecycle controls, and AI agent governance with an operating model built for people, apps, automations, and agents.

Get in Touch with Us

Connect with an expert to learn what we can do for your business.

Request Access to Win Wires

Enter your work email to request access to the eGroup Win Wires repository.

By requesting access, you confirm you are using an approved business email domain. Youโ€™ll receive a secure, one-time login link after returning to the Win Wires page.