🌿 Budding planted April 4, 2026 · tended April 26, 2026

Access Review Patterns That Catch Drift

Access reviews catch more risk when they focus on entitlement drift and business context.

Identity governance field notes Paper · Unknown · consumed April 3, 2026

Key takeaways

  • Access reviews should compare current permissions against role intent, recent activity, and ownership changes.
  • Dormant access is a signal that the permission may be unnecessary even when it was once approved.
  • Exceptions need expiration dates so temporary access does not become permanent infrastructure.

Access reviews are often too shallow because they ask managers to approve a list of names and roles without enough context. The better question is whether the access still matches the work. That means showing role intent, recent use, application owner, and any exception that granted the permission.

The review should pay special attention to drift. A user who changed teams, a service account with no recent owner, or a permission that has not been used in months may be more interesting than a newly requested grant. Dormancy is not proof of risk, but it is a reason to ask why the access remains.

The strongest pattern is expiration. Temporary access should have a date when it disappears unless someone renews it with a reason.
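The three patterns above (compare grants against role intent and recent use, flag drift such as team changes and orphaned service accounts, and require expiry on exceptions) can be turned into a small review pass that surfaces only the grants worth a reviewer's time. The following is an added illustration, not code from the source notes; the principals, teams, permissions and role baselines are constructed sample data, and the 90-day dormancy window is an assumed threshold.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample model. Real data would come from the IdP / IGA export.
@dataclass
class Principal:
    id: str
    team: str
    team_since: date                 # start of the current team assignment
    active: bool = True              # False once departed or decommissioned
    kind: str = "human"              # "human" or "service"
    owner: Optional[str] = None      # accountable human for a service account

@dataclass
class Grant:
    principal: str
    permission: str
    granted: date
    last_used: Optional[date]
    granted_by: str                          # approver's principal id
    is_exception: bool = False               # granted outside role intent
    exception_expires: Optional[date] = None # required when is_exception

# Role intent: what each team is expected to hold (assumed baseline).
ROLE_INTENT = {
    "payments-eng": {"prod-db-read", "deploy-payments"},
    "support": {"crm-read", "ticket-admin"},
    "platform": {"k8s-admin", "prod-db-read"},
}
DORMANCY = timedelta(days=90)   # assumed threshold, tune per environment

def review(principals, grants, today):
    """Return {'<principal>:<permission>': [reason, ...]} for grants that show
    drift. Grants with no findings are omitted, so the reviewer sees the
    exceptions rather than a flat list of names and roles."""
    by_id = {p.id: p for p in principals}
    findings = {}
    for g in grants:
        p = by_id.get(g.principal)
        reasons = []
        if p is None or not p.active:
            reasons.append("principal inactive or unknown")
        else:
            intent = ROLE_INTENT.get(p.team, set())
            if g.permission not in intent:
                if not g.is_exception:
                    reasons.append("outside role intent and not an approved exception")
                if g.granted < p.team_since:
                    reasons.append("granted before team change; re-justify for new role")
            if p.kind == "service":
                owner = by_id.get(p.owner) if p.owner else None
                if owner is None or not owner.active:
                    reasons.append("service account has no active owner")
        # Dormancy is a prompt to ask why the access remains, not proof of risk.
        if g.last_used is None or today - g.last_used > DORMANCY:
            reasons.append(f"dormant: no use in the last {DORMANCY.days} days")
        if g.is_exception:
            if g.exception_expires is None:
                reasons.append("exception has no expiry date")
            elif g.exception_expires < today:
                reasons.append("exception expired on " + g.exception_expires.isoformat())
        approver = by_id.get(g.granted_by)
        if approver is None or not approver.active:
            reasons.append("approver no longer active; ownership of the grant is unclear")
        if reasons:
            findings[f"{g.principal}:{g.permission}"] = reasons
    return findings

TODAY = date(2026, 4, 26)
PRINCIPALS = [
    Principal("alice", "payments-eng", date(2025, 1, 10)),
    Principal("bob", "support", date(2026, 3, 1)),          # moved from payments-eng
    Principal("carol", "platform", date(2024, 6, 1)),
    Principal("dave", "platform", date(2023, 2, 1), active=False),
    Principal("svc-etl", "platform", date(2024, 1, 1), kind="service", owner="dave"),
    Principal("svc-build", "platform", date(2025, 8, 1), kind="service", owner="carol"),
]
GRANTS = [
    Grant("alice", "prod-db-read", date(2025, 2, 1), date(2026, 4, 20), "carol"),
    Grant("bob", "deploy-payments", date(2025, 5, 1), date(2026, 2, 15), "carol"),
    Grant("svc-etl", "k8s-admin", date(2024, 3, 1), date(2026, 4, 25), "dave"),
    Grant("carol", "ticket-admin", date(2026, 1, 15), None, "alice",
          is_exception=True, exception_expires=date(2026, 3, 31)),
    Grant("svc-build", "prod-db-read", date(2025, 9, 1), date(2026, 4, 24), "carol"),
    Grant("alice", "k8s-admin", date(2026, 4, 1), date(2026, 4, 26), "carol",
          is_exception=True),
]

def sample_findings():
    return review(PRINCIPALS, GRANTS, TODAY)

if __name__ == "__main__":
    for key, reasons in sample_findings().items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Running it lists four of the six grants: bob's deployment right carried over from his old team, the ETL service account whose owner and approver have both left, carol's expired and never-used exception, and alice's open-ended exception. The two grants that match role intent, are in use and have an active owner never reach the reviewer.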