Making user access reviews actually mean something
Access recertification is one of the most widely performed and least effective controls in enterprise IT. The problem isn't the idea; it's how reviews are presented to the people doing them.
Periodic user access review (recertification) is a staple of every controls framework. Managers confirm their people still need the access they hold; inappropriate access gets removed; the organisation can show an auditor it checks. In principle it's one of the cleanest controls there is.
In practice, it's often theatre. A manager receives a list of cryptic role names against dozens of staff, a deadline, and a reminder that approval is required. They click "approve all." The campaign closes with a 99% certification rate and near-zero removals. Everyone has done their job, and nothing has actually been controlled.
A review where almost everything is approved and almost nothing changes isn't evidence the access is right. It's evidence no one really looked.
Why reviews get rubber-stamped
Reviewers aren't lazy. They rubber-stamp because the review, as presented, is impossible to do well.
- The information is unreadable. A reviewer sees technical role names, not what the access lets someone do. Asked to judge "Z_FI_GL_DISP_02," they have no basis to say no, so they say yes.
- There's no signal of risk. Every line looks the same. Nothing flags which assignments are sensitive, conflicting, or unused, so attention is spread evenly across everything and lands on nothing.
- Removing access feels risky. If a reviewer revokes something and it breaks someone's job, that's on them. Approving is safe. The incentives push entirely one way.
- It's too big and too rare. A giant annual campaign covering everyone at once guarantees fatigue. Volume defeats scrutiny.
What makes a review real
Effective recertification fixes the reviewer's experience, not just the process around it.
Translate access into plain language
Reviewers should see what access means, "can post and release payments," not a role code. When the description matches how a manager thinks about their team's work, they can make a real judgment instead of a default one.
Lead with risk and usage
Surface the things that deserve scrutiny: access that's sensitive, creates a segregation-of-duties conflict, or hasn't been used in months. Unused access is the easiest win in any review; it's low-risk to remove and almost always shouldn't be there. Putting it at the top turns a flat list into a prioritised one.
Make "remove" as safe as "keep"
If revoking access is reversible and low-drama, reviewers will do it. Clear consequences, an easy path to restore access that was genuinely needed, and assurance that thoughtful removal is the goal: these shift behaviour more than any reminder email.
Review more often, in smaller pieces
Continuous or event-driven review (triggered when someone changes role), or review focused on a manageable slice at a time, beats one annual marathon. Smaller, more frequent reviews keep access current and keep reviewers engaged.
The measure that matters
The honest health check for a recertification programme isn't the completion rate. It's the change rate: what proportion of reviews resulted in an actual removal or adjustment. A campaign that removes nothing, year after year, is either reviewing a perfect estate (unlikely) or not really reviewing at all. A modest, steady stream of removals is the sign of a control that's doing something.
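The prioritised view described under "Lead with risk and usage" and the change-rate metric above are simple enough to put in code. The following Python script is an added example, not part of the article and not Regillence's product code: it turns raw role assignments into a reviewer list that shows the plain-language description, flags unused, SoD-conflicting and sensitive access, sorts the unused access to the top, and computes the change rate from the decisions that come back. The role codes, descriptions, dates, the single SoD rule and the 90-day "unused" threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sample data: role codes, descriptions and dates are invented for this example.
TODAY = date(2024, 6, 1)
UNUSED_AFTER_DAYS = 90  # assumption: "unused" means no observed use of the role in 90 days


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str                  # technical role code, the thing reviewers usually see
    description: str           # what the role lets the holder do, in plain language
    sensitive: bool            # flagged by the access owner as high-impact
    last_used: Optional[date]  # last observed use of the role, None if never seen


# Pairs of roles that should not be held together (constructed SoD rule set).
SOD_RULES: List[Set[str]] = [
    {"Z_AP_VENDOR_MAINT", "Z_AP_PAY_RELEASE"},  # change vendor bank details AND release payments
]

SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "Z_FI_GL_DISP_02", "View general ledger balances", False, date(2024, 5, 22)),
    Assignment("alice", "Z_AP_PAY_RELEASE", "Post and release supplier payments", True, date(2024, 5, 27)),
    Assignment("alice", "Z_AP_VENDOR_MAINT", "Create and change vendor bank details", True, date(2023, 11, 14)),
    Assignment("bob", "Z_AP_VENDOR_MAINT", "Create and change vendor bank details", True, date(2024, 5, 29)),
    Assignment("bob", "Z_HR_DIR_DISP", "View the staff directory", False, None),
]


def risk_flags(a: Assignment, roles_held: Set[str], today: date) -> List[str]:
    """Return the risk flags for one assignment, given every role the same user holds."""
    flags = []
    if a.last_used is None or (today - a.last_used).days > UNUSED_AFTER_DAYS:
        flags.append("unused")
    # Both sides of a conflicting pair are flagged, so the reviewer sees the whole conflict.
    if any(a.role in rule and rule <= roles_held for rule in SOD_RULES):
        flags.append("sod-conflict")
    if a.sensitive:
        flags.append("sensitive")
    return flags


def build_review(assignments: List[Assignment], today: date = TODAY) -> List[dict]:
    """Turn raw assignments into a prioritised reviewer view.

    Ordering follows the article: unused access first (the easiest win), then
    SoD conflicts, then other sensitive access, then everything else.
    """
    roles_by_user: Dict[str, Set[str]] = {}
    for a in assignments:
        roles_by_user.setdefault(a.user, set()).add(a.role)

    rows = []
    for a in assignments:
        flags = risk_flags(a, roles_by_user[a.user], today)
        rows.append({"user": a.user, "role": a.role,
                     "description": a.description, "flags": flags})

    def priority(row: dict):
        f = row["flags"]
        # False sorts before True, so rows carrying the flag come first.
        return ("unused" not in f, "sod-conflict" not in f, "sensitive" not in f,
                row["user"], row["role"])

    rows.sort(key=priority)
    return rows


def change_rate(decisions: List[str]) -> float:
    """Share of decisions that changed something ('remove' or 'adjust') rather than 'keep'."""
    if not decisions:
        return 0.0
    changed = sum(1 for d in decisions if d in ("remove", "adjust"))
    return changed / len(decisions)


if __name__ == "__main__":
    for row in build_review(SAMPLE_ASSIGNMENTS):
        tag = ",".join(row["flags"]) or "-"
        print(f"{row['user']:6} {row['description']:40} [{tag}]")
    # Constructed outcome of the review above: two removals out of five decisions.
    print("change rate:", change_rate(["remove", "remove", "keep", "keep", "keep"]))
```

Run as-is, the script lists alice's long-unused vendor maintenance role first (it is unused, half of an SoD conflict, and sensitive), bob's never-used directory access second, and the plain ledger view last. In a real programme the `last_used` dates would come from sign-in or transaction logs and the SoD rules from the access owners; the point of the code is the ordering and the flags, which are what turn a flat list into something a manager can act on.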
User access reviews can be one of the most valuable controls an organisation runs, but only if the people performing them are given a fair chance to do them well. Show reviewers what access actually means, point them at the risky and the unused first, make removal safe, and review in digestible pieces. Do that, and recertification stops being a box-ticking ritual and starts being what it was always meant to be: a regular, deliberate check that the right people hold the right access, and no more.
Want continuously audit-ready access?
Regillence monitors roles, SoD and sensitive access against your live configuration, so reviews start from a clean, current picture.
Get in touch