Executive summary
Most enterprises have access request and approval workflows. Many have spent significant budget implementing them. Yet approvals routinely fail to reduce risk — they become rubber stamps that create audit trails without creating actual governance.
The result is the worst of both worlds: operational friction that slows legitimate work, combined with security theatre that lets inappropriate access sail through. When auditors dig deeper, they find approvals without context, approvers without authority, and exceptions without expiry.
What typically goes wrong
Approvers who can't actually approve
What happens: Managers receive approval requests for access they don't understand. They see a system name, a role name, and a requestor — but have no context about what the access actually grants or whether it's appropriate.
Why it fails: Approvers are chosen by org chart, not by knowledge. Line managers aren't technical experts. They approve to unblock their team, trusting the request is legitimate.
Result: Approval becomes a formality. The box is ticked, but no risk decision was actually made.
Approval fatigue and volume blindness
What happens: Senior approvers — often team leads or system owners — receive dozens or hundreds of requests. They approve in bulk to clear queues. Individual requests get seconds of attention, if any.
Why it fails: Workflow design assumes careful human review. Reality delivers overwhelming volume. There's no escalation path for high-risk requests buried in noise.
Result: High-risk access gets approved at the same rate as routine requests. The workflow can't distinguish between them.
Exceptions that never expire
What happens: Access is granted with a note: "temporary," "for project X," or "pending role definition." But there's no expiry date, no review trigger, and no accountability to remove it later.
Why it fails: Exception governance requires active management. Without automated expiry or mandatory review, exceptions become permanent. Nobody wants to revoke access and risk breaking something.
Result: Exception-based access accumulates indefinitely. What was temporary becomes the new baseline.
Bypass paths and shadow processes
What happens: When workflows are slow or cumbersome, teams find workarounds. Direct database grants, shared credentials, or "just this once" access outside the official process.
Why it fails: Workflow friction encourages circumvention. If the official path takes days and the workaround takes minutes, people choose speed — especially under delivery pressure.
Result: The approval workflow captures only a portion of actual access grants. Governance is incomplete by design.
The real root causes
Workflow failure isn't about bad tooling — it's about misaligned design:
Org chart routing
Approvals go to managers, not subject matter experts. The person approving doesn't understand what they're approving.
No risk tiering
All requests follow the same path. Routine access and privileged access get the same treatment and scrutiny level.
Missing context
Approval requests show what's requested, not why it matters. Approvers can't assess risk without understanding impact.
No outcome measurement
Approval rates aren't tracked. Nobody knows if workflows are working because nobody measures rejection rates or post-approval incidents.
Friction without value
Workflows slow things down but don't add security. Users experience pain without corresponding risk reduction.
Exception normalisation
Exceptions are so common they're no longer exceptional. The governance model assumes exceptions are rare; reality proves otherwise.
How auditors see this
From an audit perspective, workflow theatre creates specific evidence problems:
Approvals without justification: Requests were approved, but there's no documented rationale. Auditors can't determine if the decision was appropriate.
Approvers without authority: The person who approved didn't have the knowledge or role to make that decision. The control design is flawed.
Exceptions without boundaries: Temporary access was granted years ago and never reviewed. Exception management doesn't exist in practice.
Inconsistent enforcement: Some access goes through workflow; some doesn't. The control isn't comprehensive, so it can't be relied upon.
What effective approval governance looks like
Organisations with working approval workflows share common characteristics:
Risk-based routing
High-risk requests get more scrutiny. Routine access can be auto-approved or streamlined. Effort matches risk.
Informed approvers
Requests include context: what the access grants, why it's needed, what the risk is. Approvers can make real decisions.
Technical ownership
System owners or data stewards approve access to their domains, not just line managers. Authority matches accountability.
Time-bound exceptions
All non-standard access has an expiry date. Automated removal or mandatory review is built in.
Bypass detection
Access granted outside workflow is detected and flagged. Shadow processes are visible, not invisible.
Measured effectiveness
Rejection rates, approval times, and exception volumes are tracked. Workflows are tuned based on data.
How Solluna Caelum approaches this
We don't start by fixing workflows — we start by understanding what decisions actually need to be made and who can make them:
1. Decision mapping: Identify what access decisions matter, who has the knowledge to make them, and what information they need.
2. Risk tiering: Classify access by risk level. Design different paths for different risk tiers — streamlined for low risk, rigorous for high risk.
3. Context enrichment: Ensure approval requests include meaningful information — not just "User X wants Role Y" but "Role Y grants admin access to production database containing customer PII."
4. Exception governance: Implement time-bound exceptions with automated expiry and mandatory review cycles. Make exceptions visible and manageable.
5. Effectiveness measurement: Track approval metrics and correlate with security outcomes. Use data to continuously improve workflow design.
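An added example (not Solluna Caelum's code or any product's API) that turns the characteristics above and the five steps into checks an identity governance team could run over exported approval records and a snapshot of live entitlements: a risk-tiered role catalogue decides who may approve a role, each approval is checked for authority, justification and a bounded expiry, and live grants are reconciled against approval records to surface bypass grants and expired exceptions. Role names, tiers, maximum exception lengths and the sample records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Constructed role catalogue (hypothetical names): role -> (risk tier, approver role that owns it).
ROLE_CATALOGUE = {
    "reporting-reader": ("low", "line-manager"),
    "deploy-operator": ("medium", "system-owner"),
    "prod-db-admin": ("high", "data-steward"),  # admin on the production DB holding customer PII
}
MAX_EXCEPTION_DAYS = {"low": 365, "medium": 90, "high": 30}  # assumed policy values, not from the page

@dataclass
class Approval:
    user: str
    role: str
    justification: str
    approver_role: str
    approved_on: date
    expires_on: date | None = None  # None = open-ended grant

def approval_findings(a: Approval) -> list[str]:
    """Evidence checks on one approval record: authority, justification, bounded expiry."""
    tier, owner = ROLE_CATALOGUE[a.role]  # risk-based routing decides who may approve this role
    key, out = f"{a.user}/{a.role}", []
    if tier != "low" and a.approver_role != owner:
        out.append(f"{key}: approved by {a.approver_role}, {tier} risk requires {owner}")
    if not a.justification.strip():
        out.append(f"{key}: no justification recorded")
    if a.expires_on is None or (a.expires_on - a.approved_on).days > MAX_EXCEPTION_DAYS[tier]:
        out.append(f"{key}: not time-bound within {MAX_EXCEPTION_DAYS[tier]} days for {tier} risk")
    return out

def reconcile(live_grants: set[tuple[str, str]], approvals: list[Approval], today: date) -> dict:
    """Compare live entitlements with approval records: bypassed grants and expired exceptions."""
    by_key = {(a.user, a.role): a for a in approvals}
    bypass = sorted(g for g in live_grants if g not in by_key)  # granted outside the workflow
    expired = sorted(k for k, a in by_key.items()
                     if k in live_grants and a.expires_on and a.expires_on < today)
    return {"bypass": bypass, "expired": expired,
            "findings": [f for a in approvals for f in approval_findings(a)]}

APPROVALS = [  # constructed sample: one clean grant, one rubber stamp, one stale exception
    Approval("alice", "reporting-reader", "Monthly finance reports", "line-manager",
             date(2024, 1, 10), date(2024, 12, 31)),
    Approval("bob", "prod-db-admin", "", "line-manager", date(2024, 2, 1)),
    Approval("carol", "deploy-operator", "Project X cutover", "system-owner",
             date(2024, 3, 1), date(2024, 4, 1)),
]
LIVE_GRANTS = {("alice", "reporting-reader"), ("bob", "prod-db-admin"),
               ("carol", "deploy-operator"), ("dave", "prod-db-admin")}  # dave: no approval
REPORT = reconcile(LIVE_GRANTS, APPROVALS, today=date(2024, 6, 1))
```

Each entry in the report is the kind of evidence an auditor asks for: who approved outside their authority, which exception outlived its date, and which grant never went through the workflow at all.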
Suspect your approvals are rubber stamps?
If your approval workflows create friction without security value — or if auditors keep questioning your evidence — let's talk about designing governance that actually governs.