User access review

What a user access review is, how the process works, why most reviews are rubber-stamped, and what auditors actually expect as evidence.

3 min read · Last updated July 2026

A user access review is a periodic check of who has access to what, where a reviewer decides per entitlement whether each grant is still appropriate and revokes what is not. It is a core control for SOC 2, ISO 27001, and similar frameworks, and the primary defense against privilege creep and orphaned access.

Also known as: User access review, UAR, Access review, Access recertification

A user access review is the recurring check that asks, for every account and entitlement, whether the person still needs it. Someone with authority looks at the access, decides per item to keep it or pull it, and the decision is recorded. It is one of the load-bearing controls in every major compliance framework, and it is also one of the most commonly faked.

Why the control exists

Access accumulates. People join, change roles, join projects, and pick up permissions along the way. The mover stage of the lifecycle rarely removes the old access, so grants pile up over time. Left alone, a long-tenured employee ends up with access reaching back through every role they have held.

The access review is the periodic correction. It is the moment someone is supposed to look at the accumulated access and cut what is no longer justified. Done well, it is the main thing standing between a stack and quiet privilege creep. It is also how orphaned and over-scoped accounts get caught between offboarding events.

The process

The mechanics are consistent across frameworks.

Pull the current access: every account and entitlement across the systems in scope. Route each to a reviewer who can judge it, usually the person's manager or the owner of the resource. The reviewer decides, per item, keep or remove. Removals are executed. The whole thing is recorded: who reviewed, when, what they decided, and proof the removals happened.

That last step is the one that separates a real review from a documented one.

Why most reviews are theater

The common failure is the rubber stamp. A reviewer is sent a spreadsheet with hundreds of rows, each a cryptic entitlement string, with no indication of what the access does, whether it is used, or why it was granted. Investigating each row would take hours. Approving the whole sheet takes one click. So the sheet gets approved, the audit is satisfied, and not a single grant changes.

This passes compliance and accomplishes nothing. The access that should have been removed stays. The review exists as evidence, not as a control. That gap between the paperwork and the reality is what practitioners mean by governance theater.

The second failure is quieter: the decision is made but not enforced. A reviewer marks access for removal, the note is saved, and the revocation never actually runs. Now the evidence says the access was removed while the system says it is still there. An auditor who checks both finds the discrepancy.

What makes a review real

Two things fix it.

Context at the point of decision. The reviewer sees what the entitlement grants, when the account was last used, and how the person got it. With that, the decision is informed and takes seconds honestly rather than seconds dishonestly.

Enforcement wired to the decision. A rejection triggers the actual revocation automatically, across the app where the access lives. The review changes the state of the system, and the evidence is a record of real actions rather than a spreadsheet of intentions.

The test: after a review closes, can you show that everything marked for removal is actually gone, without checking by hand? If not, the review documented a decision it did not enforce.

Related terms

  • Access certification. The formal term for the same control.
  • Attestation. The reviewer's signed statement that the access is correct.
  • Privilege creep. The accumulation of access that reviews exist to correct.
  • Orphaned account. One of the things a review is meant to catch.

Frequently asked questions

Is a user access review the same as an access certification?

In practice they are used for the same thing. Access certification is the more formal term, common in compliance and legacy IGA. User access review is the more common working term. Both mean: review who has access, decide per item whether it stays, and record the decision. This page uses them interchangeably.

Why do access reviews get rubber-stamped?

Because the reviewer is handed a spreadsheet of hundreds of entitlements they do not recognize, with no context on why each was granted or whether it is used. Approving everything is faster than investigating, so that is what happens. The review passes the audit and changes nothing, which is why it is called governance theater.

How often should access reviews happen?

Quarterly is the common cadence for SOC 2 and ISO 27001, with higher-sensitivity systems reviewed more often. The trend is toward continuous review, where changes are evaluated as they happen rather than batched into a quarterly scramble.

What evidence does an access review need to produce?

Who reviewed what, when, what they decided per entitlement, and proof that rejected access was actually removed. The last part is where manual reviews fail: the decision gets recorded but the revocation never happens, so the evidence and the reality diverge.

What makes a review actually effective instead of theater?

Context and enforcement. Reviewers need to see what the access is, whether it is used, and why it was granted, so the decision is informed. And a rejection has to trigger an actual revocation automatically, so the review changes the state of the system rather than just documenting it.