Key points
- Compliance-driven: SOX, SOC 2, ISO 27001, HIPAA, PCI
- Typically run quarterly or semi-annually for in-scope systems, less often for low-risk ones
- Increasingly informed by usage data, not just entitlement lists
- Automated by IGA tools (SailPoint, Saviynt, Lumos, ConductorOne, Zilla)
- Entitlements a reviewer does not certify trigger deprovisioning workflows
What it is
An access review (also called access certification or UAR — user access review) is a recurring control in which the right person — a manager, app owner, or data owner — reviews who has access to a system and explicitly approves or revokes each user's entitlements, leaving a record of the decision.
How it works
An IGA tool pulls entitlements from in-scope apps (Salesforce, NetSuite, AWS, GitHub, etc.), groups them by reviewer, and presents a worklist of items such as: "Alice Chen has access to Salesforce — Sales Cloud + Admin. Keep / Remove?" Decisions feed back into the provisioning systems, which revoke the access marked Remove without a separate ticket.
Modern reviews include usage data — Alice hasn't used Admin in 90 days — so reviewers can make informed decisions instead of rubber-stamping.
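The data flow above, as an added Python example (illustration only, not code from any IGA product): an entitlement export is grouped into per-reviewer worklists, each item is annotated with how long it has gone unused, and the reviewers' keep/remove decisions are turned into revocation actions plus an evidence log. The entitlement records, user names, the 90-day staleness threshold, the "security-team" fallback reviewer, and the policy of revoking items nobody decided on by campaign close are all constructed or assumed for this example.

```python
"""Toy access-review (UAR) campaign engine.

Added illustration, not code from any IGA vendor. Nothing is pulled from a
real app: SAMPLE is a constructed entitlement export. The staleness threshold,
fallback reviewer and default-revoke policy are assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90                      # assumed threshold for "unused" access
FALLBACK_REVIEWER = "security-team"  # assumed owner for items nobody else may certify
TODAY = date(2024, 6, 1)             # fixed so the example is reproducible


@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    name: str
    reviewer: str              # manager, app owner or data owner
    last_used: Optional[date]  # None: never observed in usage logs


# Constructed export, standing in for what an IGA connector would pull.
SAMPLE = [
    Entitlement("alice.chen", "Salesforce", "Sales Cloud", "bob.lee", date(2024, 5, 30)),
    Entitlement("alice.chen", "Salesforce", "Admin", "bob.lee", date(2024, 2, 1)),
    Entitlement("alice.chen", "AWS", "prod-admin", "carol.ng", None),
    Entitlement("dave.kim", "GitHub", "org-owner", "carol.ng", date(2024, 5, 28)),
    Entitlement("carol.ng", "AWS", "billing-read", "carol.ng", date(2024, 5, 1)),
]


def days_unused(e: Entitlement, today: date = TODAY) -> Optional[int]:
    return None if e.last_used is None else (today - e.last_used).days


def build_worklists(entitlements, today=TODAY, stale_days=STALE_DAYS):
    """Group entitlements by reviewer and attach the usage signal.

    Two rules a practitioner expects: access with no observed usage counts as
    stale (not as "fine"), and nobody certifies their own access, so
    self-review items are rerouted to FALLBACK_REVIEWER and flagged.
    """
    worklists = defaultdict(list)
    for e in entitlements:
        unused = days_unused(e, today)
        self_review = e.reviewer == e.user
        reviewer = FALLBACK_REVIEWER if self_review else e.reviewer
        worklists[reviewer].append({
            "item": e,
            "days_unused": unused,
            "stale": unused is None or unused >= stale_days,
            "self_review": self_review,
        })
    return dict(worklists)


def stale_keys(worklists):
    """(user, app, entitlement) keys the reviewer should look at hardest."""
    return sorted((w["item"].user, w["item"].app, w["item"].name)
                  for items in worklists.values() for w in items if w["stale"])


def close_campaign(worklists, decisions, closed_on=TODAY, on_undecided="revoke"):
    """Turn reviewer decisions into provisioning actions plus an evidence log.

    decisions: {(user, app, name): "keep" | "remove"}. Items with no valid
    decision at close follow on_undecided: "revoke" (assumed default here) is
    the least-privilege choice, "keep" the availability-first one. Either way
    the log records that no human decided.
    """
    actions, evidence = [], []
    for reviewer, items in worklists.items():
        for w in items:
            e = w["item"]
            key = (e.user, e.app, e.name)
            decision = decisions.get(key)
            if decision not in ("keep", "remove"):
                decision = None
            outcome = decision or f"undecided->{on_undecided}"
            if decision == "remove" or (decision is None and on_undecided == "revoke"):
                actions.append({"action": "revoke", "user": e.user,
                                "app": e.app, "entitlement": e.name})
            evidence.append({"reviewer": reviewer, "item": key,
                             "days_unused": w["days_unused"],
                             "decision": outcome, "closed_on": closed_on.isoformat()})
    return actions, evidence


if __name__ == "__main__":
    wl = build_worklists(SAMPLE)
    for reviewer, items in wl.items():
        for w in items:
            e = w["item"]
            print(f"{reviewer}: {e.user} has {e.app} / {e.name} "
                  f"(unused {w['days_unused']} days, stale={w['stale']}). Keep / Remove?")
    decided = {("alice.chen", "Salesforce", "Sales Cloud"): "keep",
               ("alice.chen", "Salesforce", "Admin"): "remove",
               ("dave.kim", "GitHub", "org-owner"): "keep"}
    acts, log = close_campaign(wl, decided)
    print(acts)
```

Running it shows the worklist Bob and Carol would see, with Alice's unused Admin role and never-used prod-admin flagged as stale, and Carol's own billing-read entitlement rerouted because she is listed as her own reviewer. The evidence log is what an auditor asks for: reviewer, item, usage signal, decision (including "undecided") and date, alongside the revocation actions that prove the decisions were enforced.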
When buyers care
- Preparing for SOX, SOC 2 Type II, ISO 27001, HITRUST, or FedRAMP audits
- After acquisitions, layoffs, or major reorgs
- Whenever an audit calls out 'access review fatigue' or rubber-stamp findings
Common misconceptions
- Access reviews are not the same as offboarding. Offboarding removes everything; reviews refine what's still needed.
- Spreadsheet reviews are increasingly hard to defend in an audit. Auditors expect tooling with an evidence trail: who reviewed which entitlement, when, what they decided, and proof that the revocations actually happened.
FAQ
How often should reviews run?
Quarterly for high-risk apps (financial, PHI, production); annually for low-risk apps. SOX-relevant systems typically require quarterly.
How is this different from IGA?
Access reviews are one capability of IGA (identity governance and administration). IGA also covers provisioning and deprovisioning, role mining, SoD (segregation of duties) checks, and policy enforcement.
