Introduction
The quarterly access review is one of the most expensive rituals in enterprise security. Your team spends two weeks pulling reports, chasing down managers who ignore the first three emails, and documenting approvals that nobody reads until an auditor asks for them. At the end of it, you have a spreadsheet that proves you did the work. You do not have evidence that your access posture actually improved.
Most organizations run this process because their compliance framework requires it. SOC 2, ISO 27001, and HIPAA all want to see periodic access reviews. So security teams build a process that satisfies the auditor, not one that reduces risk. The result is ceremonial security: a quarterly event that creates the appearance of control without the substance. Your team dreads it. Your managers resent it. And the accounts that actually matter, the privileged service accounts, the dormant contractor credentials, the over-provisioned admin roles, often slip through anyway.
There is a better model. It does not require replacing your compliance process overnight. It requires rethinking what access governance is actually for, and building controls that work continuously instead of quarterly. This article is about making that shift without blowing your budget, burning out your team, or losing your auditors in the process.
Why the Quarterly Cadence Was Never About Risk
The quarterly review cycle was designed around audit convenience, not threat reality. Attackers do not wait 90 days. A contractor account that goes dormant on day 2 of a new quarter sits live for 88 more days before anyone looks at it. That is not a control. That is a scheduled gap.
The original logic made sense in a world where access changes were slow, systems were on-premises, and your identity estate was a single Active Directory domain. None of that is true anymore. The average mid-size enterprise now has 40 to 60 SaaS applications, multiple cloud environments, and an identity sprawl problem that a quarterly spreadsheet cannot address.
When you frame this for your board, the question is not whether you completed the review. The question is: what is the average age of an unreviewed access grant in your environment right now? Most teams cannot answer that. That gap is where the risk lives.
The Real Cost Nobody Puts in the Budget Deck
A typical quarterly access review for a 1,000-person organization consumes 200 to 400 hours of combined effort across your security team, IT, and business managers. At fully-loaded labor costs, that is $30,000 to $60,000 per cycle, or $120,000 to $240,000 per year. That number does not appear in any vendor's TCO calculator, because it is your cost, not theirs.
Add the opportunity cost. Those are hours your team is not spending on threat detection, vulnerability management, or the security architecture work that actually moves your risk posture. Every quarter, you are trading proactive security work for a compliance artifact.
The hidden cost is accuracy. Studies on access review completion rates consistently show that managers approve 70 to 90 percent of access requests without meaningful review. They click approve because the list is long, the deadline is real, and they have no context for what the access actually does. You are paying full price for a control that delivers partial value.
What Continuous Access Governance Actually Looks Like
Continuous access governance is not a product. It is a design principle. The goal is to move from scheduled reviews to event-driven controls: access that is automatically flagged when it goes unused, automatically reduced when a role changes, and automatically expired when a project ends.
The practical starting point is joiner-mover-leaver automation. Most organizations have this partially built but poorly maintained. Leaver processes are usually the strongest because HR drives them. Joiner and mover processes are where the drift happens. A promotion triggers a new access grant but rarely removes the old one. Over time, every long-tenured employee becomes over-provisioned by default.
Layer on top of that: usage-based access reviews. Instead of reviewing all access quarterly, review access that has not been used in 30, 60, or 90 days. That list is far shorter, far more actionable, and far more likely to contain actual risk. Your team spends less time and finds more problems.
The Three Controls That Replace Most of What a Quarterly Review Does
First: automated deprovisioning triggers tied to HR events. When someone changes roles or leaves, access removal should be automatic and logged, not dependent on a manager remembering to submit a ticket. This single control eliminates the largest category of access risk in most organizations.
Second: time-bound access for privileged and sensitive roles. Privileged access should expire by default. If a developer needs production database access for a deployment, grant it for four hours, not permanently. Just-in-time access models, supported by tools like CyberArk, BeyondTrust, or cloud-native PAM solutions, make this operationally feasible without creating friction for legitimate work.
Third: anomaly-based access alerting. If an account that has not logged in for 60 days suddenly authenticates at 2 AM from an unusual location, that is a detection event, not a quarterly review item. Your SIEM or identity threat detection tooling should surface this in real time. The quarterly review would have caught the dormant account eventually. The anomaly alert catches the compromise.
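The usage-based review list and the dormant-account alert described above, as an added illustration that is not part of the original article or any vendor's product: it buckets access grants by how long they have gone unused (30, 60, 90 days), puts privileged grants at the top of each bucket, and separately raises an alert only when a dormant account authenticates off-hours or from a country it has never been seen in. The grant inventory, the authentication events and the per-account "usual country" map are constructed sample data; in practice they would come from your IGA export and your SIEM.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data (invented for this example, not from any real estate).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


@dataclass
class Grant:
    account: str
    system: str
    role: str
    privileged: bool
    last_used: Optional[datetime]  # None: never used since it was granted
    granted: datetime


@dataclass
class AuthEvent:
    account: str
    timestamp: datetime
    country: str


GRANTS = [
    Grant("alice", "prod-db", "admin", True, days_ago(3), days_ago(400)),
    Grant("bob", "crm", "reader", False, days_ago(45), days_ago(200)),
    Grant("contractor-7", "vpn", "user", False, days_ago(75), days_ago(300)),
    Grant("svc-backup", "prod-db", "admin", True, None, days_ago(120)),
    Grant("carol", "wiki", "editor", False, days_ago(10), days_ago(50)),
]

# Countries each account has authenticated from before (constructed baseline).
USUAL_COUNTRIES = {
    "alice": {"US"}, "bob": {"US"}, "contractor-7": {"GB"},
    "svc-backup": {"US"}, "carol": {"US"},
}

EVENTS = [
    AuthEvent("alice", NOW + timedelta(hours=9), "US"),          # active user, business hours
    AuthEvent("contractor-7", NOW + timedelta(hours=2), "RU"),   # dormant 75d, 02:00 UTC, new country
    AuthEvent("bob", NOW + timedelta(hours=14), "US"),           # idle 45d but otherwise normal
]


def _last_activity(g: Grant) -> datetime:
    # A grant that has never been used is as old as the grant itself.
    return g.last_used or g.granted


def dormant_grants(grants, now, threshold_days):
    """Grants unused for at least threshold_days: the usage-based review list."""
    cutoff = now - timedelta(days=threshold_days)
    return [g for g in grants if _last_activity(g) <= cutoff]


def review_buckets(grants, now, thresholds=(30, 60, 90)):
    """Bucket dormant grants by the largest threshold exceeded, privileged first."""
    buckets = {t: [] for t in thresholds}
    for g in grants:
        idle_days = (now - _last_activity(g)).days
        exceeded = [t for t in thresholds if idle_days >= t]
        if exceeded:
            buckets[max(exceeded)].append(g)
    for bucket in buckets.values():
        bucket.sort(key=lambda g: (not g.privileged, g.account))
    return buckets


def dormant_login_alerts(events, grants, usual_countries,
                         dormant_days=60, quiet_hours=range(0, 6)):
    """Alert when a dormant account authenticates off-hours or from an unusual country."""
    last_seen = {}
    for g in grants:  # latest activity per account across all of its grants
        t = _last_activity(g)
        if g.account not in last_seen or t > last_seen[g.account]:
            last_seen[g.account] = t
    alerts = []
    for e in events:
        last = last_seen.get(e.account)
        if last is None:
            continue
        idle_days = (e.timestamp - last).days
        if idle_days < dormant_days:
            continue  # not dormant: ordinary login, no alert
        reasons = [f"dormant {idle_days}d"]
        if e.timestamp.hour in quiet_hours:
            reasons.append(f"off-hours {e.timestamp:%H:%M}Z")
        if e.country not in usual_countries.get(e.account, set()):
            reasons.append(f"unusual country {e.country}")
        if len(reasons) > 1:  # dormancy alone is a review item, not a detection
            alerts.append((e.account, e.timestamp, reasons))
    return alerts


if __name__ == "__main__":
    for days, grants in review_buckets(GRANTS, NOW).items():
        print(f"unused >= {days}d:", [f"{g.account}@{g.system}" for g in grants])
    for account, ts, reasons in dormant_login_alerts(EVENTS, GRANTS, USUAL_COUNTRIES):
        print("ALERT", account, ts.isoformat(), "; ".join(reasons))
```

The split between the two functions is the point of the passage: `review_buckets` feeds a short, prioritised reviewer queue, while `dormant_login_alerts` fires only on the combination of dormancy plus an abnormal signal, so a dormant contractor account that simply logs in during office hours from its usual country lands on the review list rather than paging the SOC.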
How to Keep Your Auditors Happy While You Make This Transition
Auditors want evidence of control. They do not care whether that evidence comes from a quarterly spreadsheet or a continuous monitoring dashboard, as long as you can show them what you reviewed, when, and what action you took. The key is documentation parity: your new process needs to produce artifacts that map to the same control objectives your old process satisfied.
Start by mapping your current compliance requirements to control objectives, not control procedures. SOC 2 CC6.2 requires that access is provisioned based on authorization. It does not require a quarterly spreadsheet. If you can show continuous provisioning controls with audit logs, most auditors will accept that as stronger evidence, not weaker.
Have the conversation with your auditors before you change the process, not after. Most audit firms have seen this transition before. They will tell you what evidence they need. Build your reporting to produce that evidence automatically. The goal is to make compliance a byproduct of your operational controls, not a separate exercise.
Building the Business Case: What to Bring to Your CFO
Your CFO does not care about access reviews. They care about cost, risk, and efficiency. Frame the conversation in those terms. You are proposing to replace a $200,000 annual labor cost with a tooling investment that also reduces your breach risk from over-provisioned accounts. That is a business case, not a security request.
The risk reduction angle is quantifiable. Verizon's Data Breach Investigations Report consistently shows that credential abuse and privilege misuse account for a significant share of confirmed breaches. Over-provisioned accounts are a direct contributor. If you can show your CFO that reducing your average access grant age from 90 days to near-zero cuts your exposure in a measurable way, you have a number to work with.
Tooling costs for a mid-size organization typically run $150,000 to $400,000 annually for a full identity governance and administration platform. That sounds like a lot until you put it next to the labor cost you are replacing and the breach cost you are reducing. Build the three-column comparison: current state cost, proposed state cost, risk delta. That is the conversation your CFO can engage with.
Phasing the Transition Without Breaking Compliance or Your Team
Do not try to eliminate the quarterly review in one cycle. You will create compliance gaps and team chaos. Instead, run a parallel track for two to three quarters: maintain the existing review process while you build and validate the continuous controls. Once you can demonstrate that the continuous controls are catching what the quarterly review catches, and catching it faster, you have the evidence to retire the old process.
Phase one is data quality. You cannot automate what you cannot see. Spend the first quarter getting a clean, authoritative source of identity data: who has what access, in which systems, tied to which HR record. This is unglamorous work. It is also the foundation everything else depends on.
Phase two is automation for the highest-risk categories first: privileged accounts, admin roles, and contractor credentials. These are the accounts that appear in breach investigations. Get those under continuous control before you worry about read-only SaaS access. Prioritize by risk, not by volume.
What Good Looks Like: Metrics Your Board Can Actually Understand
Stop reporting on review completion rates. That metric tells your board you did the work. It does not tell them whether the work reduced risk. Replace it with metrics that reflect actual access posture: average age of unreviewed access grants, percentage of privileged accounts with time-bound access, mean time to deprovision after a role change.
A mature program should be able to show: 100 percent of leavers deprovisioned within 24 hours, zero standing privileged access for production systems, and an average access grant age under 30 days across all systems. Those are outcomes. They are also defensible in a board conversation after a breach, which is the real test of whether your metrics mean anything.
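The posture metrics named above, computed over a small constructed dataset, as an added example that is not from the original article: average age of unreviewed access grants, the share of privileged accounts with time-bound (expiring) access, the list of standing privileged grants, mean time from HR event to deprovisioning, and the share of leavers deprovisioned within 24 hours. The `Grant` and `Offboarding` records and their dates are invented; an open offboarding with no deprovisioning timestamp is deliberately counted as still running, so a stale ticket drags the mean up instead of disappearing from the number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data (invented for this example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


def hours_ago(n: int) -> datetime:
    return NOW - timedelta(hours=n)


@dataclass
class Grant:
    account: str
    privileged: bool
    granted: datetime
    last_reviewed: Optional[datetime]  # None: never reviewed since granted
    expires_at: Optional[datetime]     # None: standing (permanent) access


@dataclass
class Offboarding:
    account: str
    hr_event: datetime                 # leaver or mover record from HR
    deprovisioned: Optional[datetime]  # None: access still in place


GRANTS = [
    Grant("alice", True, days_ago(400), days_ago(10), NOW + timedelta(hours=4)),  # JIT admin
    Grant("bob", False, days_ago(200), days_ago(100), None),
    Grant("carol", False, days_ago(20), None, None),
    Grant("svc-backup", True, days_ago(120), None, None),                         # standing admin
    Grant("dave", True, days_ago(5), None, NOW + timedelta(hours=2)),             # JIT admin
]

OFFBOARDINGS = [
    Offboarding("erin", hours_ago(48), hours_ago(40)),   # closed in 8h
    Offboarding("frank", hours_ago(72), hours_ago(30)),  # closed in 42h
    Offboarding("gina", hours_ago(6), None),             # still open, 6h and counting
]


def avg_unreviewed_grant_age_days(grants, now) -> float:
    """Mean days since each grant was last reviewed (or granted, if never reviewed)."""
    ages = [(now - (g.last_reviewed or g.granted)).days for g in grants]
    return sum(ages) / len(ages) if ages else 0.0


def pct_privileged_time_bound(grants) -> float:
    """Share of privileged grants that carry an expiry instead of standing access."""
    priv = [g for g in grants if g.privileged]
    if not priv:
        return 100.0
    return 100.0 * sum(1 for g in priv if g.expires_at is not None) / len(priv)


def standing_privileged(grants):
    """Accounts holding privileged access with no expiry; target is an empty list."""
    return [g.account for g in grants if g.privileged and g.expires_at is None]


def mean_hours_to_deprovision(offboardings, now) -> float:
    """Mean HR-event-to-removal time; open items are clocked up to now."""
    hours = [((o.deprovisioned or now) - o.hr_event).total_seconds() / 3600
             for o in offboardings]
    return sum(hours) / len(hours) if hours else 0.0


def pct_deprovisioned_within(offboardings, hours: int) -> float:
    """Share of offboardings closed within the SLA; open items count as missed."""
    if not offboardings:
        return 100.0
    sla = timedelta(hours=hours)
    met = sum(1 for o in offboardings
              if o.deprovisioned is not None and o.deprovisioned - o.hr_event <= sla)
    return 100.0 * met / len(offboardings)


def board_summary(grants, offboardings, now) -> dict:
    return {
        "avg_unreviewed_grant_age_days": round(avg_unreviewed_grant_age_days(grants, now), 1),
        "pct_privileged_time_bound": round(pct_privileged_time_bound(grants), 1),
        "standing_privileged_accounts": standing_privileged(grants),
        "mean_hours_to_deprovision": round(mean_hours_to_deprovision(offboardings, now), 1),
        "pct_leavers_deprovisioned_24h": round(pct_deprovisioned_within(offboardings, 24), 1),
    }


if __name__ == "__main__":
    for k, v in board_summary(GRANTS, OFFBOARDINGS, NOW).items():
        print(f"{k}: {v}")
```

Run the same function weekly over the real inventory and the trend line the next section asks for falls out of the stored summaries; note that none of these numbers depends on how many reviews were completed, which is exactly why they replace the completion-rate metric.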
Your board wants to know two things: are we getting better, and how do we compare to peers? Build a simple trend line on your key metrics and benchmark against your industry where data is available. The Verizon DBIR and the Identity Defined Security Alliance publish enough data to give you reasonable peer comparisons without paying for a benchmarking study.
Frequently Asked Questions
Yes, but timing and documentation matter. Talk to your auditor before you change anything. Map your new controls to the same SOC 2 criteria your current process satisfies, specifically CC6.2 and CC6.3, and make sure your new process produces audit-ready evidence. Most auditors will accept continuous controls with strong logging as equivalent or superior to periodic reviews, as long as you can demonstrate the control was operating throughout the audit period.
Conclusion
The quarterly access review is not going away overnight. Compliance frameworks require periodic evidence, auditors expect familiar artifacts, and your organization has built workflows around the existing process. But the goal is to make the quarterly review a formality that confirms what your continuous controls already know, not a high-effort exercise that produces your only evidence of access governance. Start with the highest-risk accounts, build the automation that eliminates the manual work, and measure outcomes instead of completion rates. That is the shift from ceremonial security to actual security. It takes two to three quarters to get there. The organizations that make it stop dreading the audit cycle and start using it as a chance to show how far their program has come.