Glossary · Compliance concepts

What is Access Review?

Also known as: User Access Review, Access Recertification, Entitlement Review, UAR

An access review is a periodic check that each user's permissions still match what their role actually requires. By confirming and revoking access on a recurring basis, organizations enforce least privilege and catch the over-permissioned or orphaned accounts that accumulate over time. Access reviews are a standard control across SOC 2, ISO 27001, and other frameworks.

Key takeaways

  • An access review confirms permissions still fit each user's current role.
  • It enforces least privilege and supports segregation of duties.
  • Reviews catch orphaned accounts from departed staff and role changes.
  • Reviewers should be managers or data owners, not just IT.
  • Auditors expect dated evidence of the review and any revocations made.

Why access drifts and why reviews catch it

Permissions accumulate. People change teams, take on temporary projects, or leave, and their access often lingers. Over time this produces over-permissioned users and orphaned accounts that expand risk without anyone deciding to grant it.

A recurring access review is the control that resets this drift, reaffirming least privilege and supporting segregation of duties by ensuring no one quietly accumulates a dangerous combination of rights.

How an access review is performed

A sound review pulls a current list of who has access to each system, routes it to the people who actually know whether that access is appropriate, and records their decisions along with any resulting changes.

  • Generate an accurate inventory of users and their entitlements per system.
  • Send the list to managers or data owners to confirm or revoke each access.
  • Pay special attention to privileged, admin, and service accounts.
  • Revoke or adjust access promptly based on the decisions.
  • Retain dated evidence of the review and the actions taken.

Reviews should be owned by people with business context, not solely by IT, since a manager is best placed to know whether a report still needs access to a given system.

Common findings and the move toward continuous review

Auditors frequently find access reviews that were never completed, completed late, or completed without evidence of any action taken. Another classic gap is leftover access for terminated employees, a clear signal that joiner-mover-leaver processes are weak.

Because access changes constantly, many teams supplement scheduled reviews with continuous control monitoring that flags risky access, such as a new admin or an orphaned account, the moment it appears rather than at the next quarterly cycle.

Tightly scoped access also limits blast radius: the fewer rights an account holds, the less an attacker gains by compromising it.

Frequently asked questions

How often should access reviews happen?
Frequency is risk-based, but quarterly reviews are common for sensitive systems and privileged accounts, with at least annual reviews for lower-risk access. Critical systems often warrant more frequent checks.
Who should perform the review?
Managers and data or system owners with business context are best, because they know whether a user still needs a given access. IT typically facilitates and executes revocations rather than deciding appropriateness alone.
What is an orphaned account?
An orphaned account is one that still exists and has access but no longer has a valid owner, often left behind when an employee departs. These accounts are a frequent audit finding and a real attack vector.
What evidence do auditors want for an access review?
Auditors look for a dated record showing what was reviewed, who reviewed it, the decisions made, and proof that any revocations were actually carried out.

Authoritative sources

← Back to the glossary