The Access Review Problem: Why We’re Still Stuck in 1999
Access reviews are a waste of time. There, I said it.
Every quarter, companies scramble to pull access reports, send out approval requests to managers who barely understand what they’re signing off on, and then store that data in a folder—never to be looked at again. Meanwhile, attackers don’t wait for quarterly reviews to exploit over-permissioned accounts.
So why are we still doing access reviews like it’s 1999?
The answer is simple: Compliance says we have to. But just because something is required doesn’t mean we have to do it the dumb way. It’s time to move beyond periodic, manual access reviews and into continuous, automated access validation. Here’s how.
The Future of Access Reviews: Real-Time, Automated, and Risk-Based
1. Know What a User Has Access to—At Any Given Time
The first problem with traditional access reviews? They rely on static reports. By the time an access review is completed, it’s already outdated.
Instead, IAM systems should be able to:
✅ Continuously track access assignments in real-time.
✅ Map those assignments to actual applications and resources the user can reach.
✅ Surface risks dynamically—not wait for a quarterly report to expose a problem.
With a real-time access model, organizations wouldn’t need to dig through old spreadsheets. They’d have an on-demand view of every user’s effective access, enriched with context on how that access is actually being used.
2. Automate Policy Checks & Access Simulations
Once you have real-time visibility into access, the next step is automating validation.
Instead of running quarterly attestation campaigns, imagine this:
🚀 IAM runs continuous policy checks to verify that a user’s access aligns with pre-defined security policies.
🚀 Access simulations predict the impact of changes before they happen, preventing excessive permissions before they even hit production.
🚀 Automated alerts notify security teams when a user’s access deviates from expected norms—triggering action before it becomes a security risk.
No more “check-the-box” access reviews. Just continuous, automated validation that actually enhances security.
3. Adjust Access Based on Actual Usage
We all know the truth—most users have more access than they actually use. But traditional access reviews don’t account for that.
A modern system should:
🔹 Track how often a user accesses an application or resource.
🔹 Automatically remove access if it’s not being used.
🔹 Re-grant access dynamically, based on real-time need.
This eliminates the concept of stale access, reducing the attack surface without manual intervention. Zero Standing Privilege (ZSP) should be the goal—users don’t have static access; they get it when they need it and lose it when they don’t.
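The checks from sections 2 and 3, as an added example that is not from the original post or from any specific IAM product: it evaluates each user's grants against a role policy, a separation-of-duties rule and a usage threshold, and simulates a proposed grant before it is applied. The role names, entitlements, the 45-day threshold and the sample users are all constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2025, 3, 1)            # fixed clock so the run is repeatable
STALE_AFTER = timedelta(days=45)      # assumed unused-access threshold

# Assumed policy model: entitlements allowed per role, plus
# separation-of-duties pairs no single user may hold together.
ROLE_POLICY = {
    "engineer": {"git:write", "ci:run", "wiki:read"},
    "finance": {"erp:approve", "erp:create_vendor", "wiki:read"},
}
SOD_PAIRS = [("erp:approve", "erp:create_vendor")]

def ago(days):
    return NOW - timedelta(days=days)

# Constructed sample state: entitlement -> last time it was used (None = never).
USERS = {
    "alice": {"role": "engineer",
              "grants": {"git:write": ago(2), "ci:run": ago(90), "erp:approve": ago(1)}},
    "bob": {"role": "finance",
            "grants": {"erp:approve": ago(3), "wiki:read": None}},
}

def evaluate(role, grants, now=NOW):
    """Return sorted (finding, entitlement) tuples for one user's effective access."""
    findings = set()
    for ent, last_used in grants.items():
        if ent not in ROLE_POLICY.get(role, set()):
            findings.add(("out_of_policy", ent))      # grant the role should not hold
        if last_used is None or now - last_used > STALE_AFTER:
            findings.add(("stale", ent))              # candidate for automatic removal
    for a, b in SOD_PAIRS:
        if a in grants and b in grants:
            findings.add(("sod_conflict", f"{a}+{b}"))
    return sorted(findings)

def simulate_grant(user, entitlement):
    """Findings a proposed grant would introduce, computed before it is applied."""
    rec = USERS[user]
    before = set(evaluate(rec["role"], rec["grants"]))
    proposed = {**rec["grants"], entitlement: NOW}    # treat the new grant as freshly used
    return sorted(set(evaluate(rec["role"], proposed)) - before)

if __name__ == "__main__":
    for name, rec in USERS.items():
        print(name, evaluate(rec["role"], rec["grants"]))
    print("simulate bob + erp:create_vendor:", simulate_grant("bob", "erp:create_vendor"))
```

Run on every assignment change rather than on a schedule, the same evaluation doubles as the evidence an auditor can re-run on demand.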
4. Build an Interface for Auditors to Validate Policies in Real Time
One of the biggest reasons access reviews exist is auditability—proving that organizations are enforcing policies correctly.
Instead of storing PDFs and spreadsheets, or looking at screenshots, imagine if auditors could:
🔹 Log into a dedicated interface to view real-time access data.
🔹 Run policy simulations to verify that controls are working as intended.
🔹 Pull compliance reports on demand, without waiting for the next review cycle.
This would flip audits from reactive to proactive—giving organizations a way to prove compliance in real-time, not just during scheduled review cycles.
In conclusion, my dear friends,
Quarterly access reviews are security theater. They don’t improve security, they don’t prevent breaches, and they don’t reflect how identity works in modern organizations.
The future of access management isn’t periodic manual reviews—it’s real-time, automated access validation.
✅ See what a user has access to at any moment.
✅ Run automated policy checks & access simulations.
✅ Adjust access dynamically based on actual usage.
✅ Give auditors a way to validate security controls in real-time.
Because attackers aren’t waiting three months to exploit excessive access. So why are we waiting three months to review it?
What do you think? Are quarterly access reviews dead, or are we still stuck in 1999? Tell me where I’m wrong. What did I miss? Let’s talk about it!!!