A user access review is the recurring check that asks, for every account and entitlement, whether the person still needs it. Someone with authority looks at the access, decides per item to keep it or pull it, and the decision is recorded. It is one of the load-bearing controls in every major compliance framework, and it is also one of the most commonly faked.
Why the control exists
Access accumulates. People join, change roles, join projects, and pick up permissions along the way. The mover stage of the lifecycle rarely removes the old access, so grants pile up over time. Left alone, a long-tenured employee ends up with access reaching back through every role they have held.
The access review is the periodic correction. It is the moment someone is supposed to look at the accumulated access and cut what is no longer justified. Done well, it is the main thing standing between a stack and quiet privilege creep. It is also how orphaned and over-scoped accounts get caught between offboarding events.
The process
The mechanics are consistent across frameworks.
Pull the current access: every account and entitlement across the systems in scope. Route each to a reviewer who can judge it, usually the person's manager or the owner of the resource. The reviewer decides, per item, keep or remove. Removals are executed. The whole thing is recorded: who reviewed, when, what they decided, and proof the removals happened.
That last step is the one that separates a real review from a documented one.
Why most reviews are theater
The common failure is the rubber stamp. A reviewer is sent a spreadsheet with hundreds of rows, each a cryptic entitlement string, with no indication of what the access does, whether it is used, or why it was granted. Investigating each row would take hours. Approving the whole sheet takes one click. So the sheet gets approved, the audit is satisfied, and not a single grant changes.
This passes compliance and accomplishes nothing. The access that should have been removed stays. The review exists as evidence, not as a control. That gap between the paperwork and the reality is what practitioners mean by governance theater.
The second failure is quieter: the decision is made but not enforced. A reviewer marks access for removal, the note is saved, and the revocation never actually runs. Now the evidence says the access was removed while the system says it is still there. An auditor who checks both finds the discrepancy.
What makes a review real
Two things fix it.
Context at the point of decision. The reviewer sees what the entitlement grants, when the account was last used, and how the person got it. With that, the decision is informed and takes seconds honestly rather than seconds dishonestly.
Enforcement wired to the decision. A rejection triggers the actual revocation automatically, across the app where the access lives. The review changes the state of the system, and the evidence is a record of real actions rather than a spreadsheet of intentions.
The test: after a review closes, can you show that everything marked for removal is actually gone, without checking by hand? If not, the review documented a decision it did not enforce.
Related terms
- Access certification. The formal term for the same control.
- Attestation. The reviewer's signed statement that the access is correct.
- Privilege creep. The accumulation of access that reviews exist to correct.
- Orphaned account. One of the things a review is meant to catch.