Introduction
The quarterly access review exists because auditors asked for it. Not because it works. Every 90 days, your team pulls a spreadsheet, sends it to 200 managers, waits three weeks for responses, chases the 40% who never reply, and then certifies that access is appropriate. The auditor checks the box. The risk stays exactly where it was.
This is ceremonial security. It feels like governance. It produces documentation. But it does not reduce the probability that a terminated contractor still has VPN access, or that a developer promoted six months ago still holds production database write permissions they no longer need. The quarterly cadence is too slow for how fast your organization actually changes.
The fix is not a better spreadsheet or a faster review cycle. The fix is rethinking what access governance actually needs to accomplish, and building controls that work continuously instead of quarterly. That shift requires a different tooling strategy, a different conversation with your auditors, and a different way of measuring success for your board.
Why the Quarterly Cadence Fails on Its Own Terms
The average enterprise adds or changes thousands of access entitlements per month. A 90-day review window means you are certifying a snapshot that was already stale before the review started. By the time managers click approve, the underlying role may have changed twice.
Manager-driven certification compounds the problem. Most managers do not know what specific system permissions mean. They see a name, a system, and a checkbox. They approve because denying access creates a support ticket they do not want to deal with. Studies consistently show rubber-stamp approval rates above 85% in manual certification campaigns.
The result is a control that satisfies your compliance requirement while providing almost no actual risk reduction. Your auditors love it. Your adversaries are indifferent to it.
The Real Risk You Are Trying to Manage
Before you redesign the process, be clear about what you are actually trying to prevent. Access governance exists to address three distinct risk categories:
- Orphaned accounts: Former employees or contractors who retain active credentials after offboarding
- Privilege creep: Current employees who accumulate permissions over time without ever losing old ones
- Toxic combinations: Entitlement pairs that create segregation of duties violations, such as the ability to both create and approve a payment
Each of these has a different detection mechanism and a different remediation path. Treating them all as one problem that a quarterly spreadsheet solves is why the control fails. A terminated employee's account should be disabled within hours, not caught in the next quarterly cycle.
Continuous Controls Beat Periodic Reviews for Orphaned Accounts
Orphaned account risk is the easiest to solve with automation. Your HR system knows when someone is terminated. Your identity provider knows which accounts are active. The gap between those two systems is where the risk lives, and that gap should be closed in real time, not quarterly.
The architecture is straightforward: HR termination triggers an automated workflow that disables the identity provider account, revokes SSO sessions, and queues a review of any service accounts or shared credentials that person may have known. This is not a new idea. Most mature IGA platforms support it. The barrier is usually integration work and organizational will, not technology.
When you have this working, you can tell your auditors that orphaned account risk is managed continuously, with automated evidence. That is a stronger control than a quarterly review, and it is easier to defend in an audit because the evidence is systematic rather than dependent on manager responsiveness.
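The reconciliation described above, as an added example in Python that is not code from the article or from any IGA vendor. It assumes an HR feed and an identity-provider export with the constructed schemas shown (`HrRecord`, `IdpAccount`), and the three workflow actions are written as an evidence log rather than real IdP API calls. The mean-time-to-deprovision calculation at the end is the board metric discussed later in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample schemas: an HR feed and an IdP account export. Both are assumptions.
@dataclass(frozen=True)
class HrRecord:
    person_id: str
    status: str                              # "active" or "terminated"
    terminated_at: Optional[datetime] = None
    involuntary: bool = False

@dataclass
class IdpAccount:
    username: str
    person_id: Optional[str]                 # None: no HR linkage (service or shared account)
    enabled: bool = True
    disabled_at: Optional[datetime] = None

@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    sla: timedelta
    overdue: bool

SLA_STANDARD = timedelta(hours=4)            # target for standard offboarding
SLA_INVOLUNTARY = timedelta(hours=1)         # target for involuntary terminations

def find_orphans(hr, accounts, now):
    """Reconcile the IdP against HR: every enabled account must map to an active person."""
    by_id = {r.person_id: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.person_id is None:
            findings.append(Finding(acct.username, "no HR linkage; review as service/shared account",
                                    SLA_STANDARD, overdue=False))
            continue
        rec = by_id.get(acct.person_id)
        if rec is None:
            findings.append(Finding(acct.username, "person_id absent from HR feed", SLA_STANDARD, overdue=True))
        elif rec.status == "terminated":
            sla = SLA_INVOLUNTARY if rec.involuntary else SLA_STANDARD
            overdue = rec.terminated_at is not None and (now - rec.terminated_at) > sla
            findings.append(Finding(acct.username, "owner terminated in HR", sla, overdue))
    return findings

def deprovision(acct, now):
    """Disable the account and return the evidence trail an auditor can be shown.
    The three actions mirror the article's workflow; a real implementation calls the IdP API."""
    acct.enabled = False
    acct.disabled_at = now
    return [
        f"{now.isoformat()} disable_account {acct.username}",
        f"{now.isoformat()} revoke_sso_sessions {acct.username}",
        f"{now.isoformat()} queue_shared_credential_review {acct.username}",
    ]

def mean_time_to_deprovision(hr, accounts):
    """Board metric: average gap between HR termination and IdP disable over completed offboardings."""
    by_id = {r.person_id: r for r in hr}
    gaps = []
    for acct in accounts:
        rec = by_id.get(acct.person_id)
        if rec and rec.status == "terminated" and rec.terminated_at and acct.disabled_at:
            gaps.append(acct.disabled_at - rec.terminated_at)
    return sum(gaps, timedelta()) / len(gaps) if gaps else None

# Constructed data (assumption): one clean, one overdue, one still inside SLA, one already handled.
NOW = datetime(2024, 6, 3, 12, 0)
HR = [
    HrRecord("p1", "active"),
    HrRecord("p2", "terminated", terminated_at=NOW - timedelta(hours=6)),
    HrRecord("p3", "terminated", terminated_at=NOW - timedelta(minutes=30), involuntary=True),
    HrRecord("p4", "terminated", terminated_at=NOW - timedelta(days=2)),
]
ACCOUNTS = [
    IdpAccount("alice", "p1"),
    IdpAccount("bob", "p2"),                  # 6h after termination: past the 4h SLA
    IdpAccount("carol", "p3"),                # 30 min, involuntary: inside the 1h SLA
    IdpAccount("dave", "p4", enabled=False, disabled_at=NOW - timedelta(days=2) + timedelta(hours=2)),
    IdpAccount("svc-backup", None),           # no HR owner at all
    IdpAccount("ghost", "p9"),                # person_id the HR feed has never seen
]

if __name__ == "__main__":
    for f in find_orphans(HR, ACCOUNTS, NOW):
        print(f"{f.username:12} {f.reason:48} overdue={f.overdue}")
    for line in deprovision(ACCOUNTS[1], NOW):
        print(line)
    print("mean time to deprovision:", mean_time_to_deprovision(HR, ACCOUNTS))
```

Accounts with no HR linkage are surfaced as findings rather than silently skipped: service and shared accounts are exactly the credentials a departing person may still know, which is why the workflow queues them for review instead of treating them as out of scope.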
Privilege Creep Requires a Different Approach: Role Engineering
Privilege creep is harder because it requires understanding what access people should have, not just what they do have. That requires role engineering, which is unglamorous, time-consuming work that most teams deprioritize because it does not show up on a dashboard.
The practical starting point is not a full role model. Start with your highest-risk systems: production databases, financial applications, identity infrastructure, and cloud management consoles. For each system, define a small number of roles with clearly bounded permissions. Then enforce those roles as the only path to access.
Once you have defined roles, you can run continuous drift detection. Any entitlement that falls outside a defined role is flagged automatically. That is a much smaller, higher-signal review queue than a full quarterly certification. Instead of 2,000 entitlements to certify, you are reviewing 40 anomalies per week.
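Drift detection against a small role model, as an added example in Python that is not part of the article or of any IGA product. The roles, systems, risk weights and the `system:permission` naming are all assumptions constructed for the example; it also computes the privilege creep index the article proposes as a board metric.

```python
from dataclasses import dataclass

# Constructed role model (assumption). Entitlements are written "system:permission"
# so one model can span several systems, as the article recommends for high-risk systems.
ROLES = {
    "finance-analyst": frozenset({"erp:report.read", "erp:ledger.read"}),
    "ap-clerk":        frozenset({"erp:invoice.create", "erp:vendor.read"}),
    "backend-dev":     frozenset({"prod-db:read", "ci:deploy.staging"}),
    "dba":             frozenset({"prod-db:read", "prod-db:write", "prod-db:admin"}),
}

# Blast-radius weight per system (assumption) so the review queue is ordered by consequence.
RISK_WEIGHT = {"prod-db": 3, "erp": 2, "ci": 1}

@dataclass(frozen=True)
class Drift:
    user: str
    entitlement: str
    weight: int

def expected_entitlements(assigned_roles):
    """Union of everything the user's roles grant. An unknown role raises KeyError on purpose:
    a role that is assigned but not modelled is itself a defect the identity team must fix."""
    allowed = set()
    for role in assigned_roles:
        allowed |= ROLES[role]
    return allowed

def detect_drift(assignments, actual):
    """Every entitlement a user holds that no assigned role grants, riskiest first.
    assignments: user -> list of role names; actual: user -> set of entitlements from the systems."""
    queue = []
    for user, held in actual.items():
        allowed = expected_entitlements(assignments.get(user, ()))
        for ent in sorted(held - allowed):
            system = ent.split(":", 1)[0]
            queue.append(Drift(user, ent, RISK_WEIGHT.get(system, 1)))
    queue.sort(key=lambda d: (-d.weight, d.user, d.entitlement))
    return queue

def privilege_creep_index(assignments, actual):
    """Share of all held entitlements that fall outside defined roles (lower is better)."""
    total = sum(len(held) for held in actual.values())
    return len(detect_drift(assignments, actual)) / total if total else 0.0

# Constructed snapshot (assumption): bob is the promoted developer who kept production write.
ASSIGNMENTS = {"alice": ["finance-analyst"], "bob": ["backend-dev"], "carol": ["dba"]}
ACTUAL = {
    "alice": {"erp:report.read", "erp:ledger.read", "erp:invoice.create"},
    "bob":   {"prod-db:read", "ci:deploy.staging", "prod-db:write"},
    "carol": {"prod-db:read", "prod-db:write"},      # fewer than the role grants: not drift
    "dan":   {"ci:deploy.staging"},                  # no role assigned at all
}

if __name__ == "__main__":
    for d in detect_drift(ASSIGNMENTS, ACTUAL):
        print(f"weight={d.weight} {d.user:6} {d.entitlement}")
    print(f"privilege creep index: {privilege_creep_index(ASSIGNMENTS, ACTUAL):.2%}")
```

Holding less than a role grants is deliberately not flagged: the queue is meant to be small and high-signal, and under-provisioning is a support question, not an access risk.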
Segregation of Duties Violations Need Automated Detection, Not Human Memory
SoD violations are the access risk that causes the most expensive failures. A single employee who can both initiate and approve a wire transfer is a fraud risk that no quarterly review reliably catches, because the violation is not visible in a simple entitlement list. You have to analyze entitlement combinations across systems.
This is where purpose-built IGA tooling earns its cost. Modern platforms can maintain a ruleset of prohibited entitlement combinations and flag violations in real time as access is provisioned. The control fires at the point of provisioning, not 90 days later.
Your SoD ruleset does not need to be exhaustive on day one. Start with the combinations that your external auditors or your finance team have already identified as high-risk. Get those automated. Expand the ruleset over time as you build confidence in the detection logic.
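A provisioning-time SoD check with a small starter ruleset, as an added example in Python that is not from the article or from any IGA platform. The rule ids, entitlement names and rationales are constructed assumptions; the ruleset is intentionally short, matching the advice to start with a few known high-risk combinations. The `violation_rate` helper produces the SoD metric the article suggests reporting to the board.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    conflict: frozenset        # holding ALL of these entitlements together is prohibited
    rationale: str

# Constructed starter ruleset (assumption). Entitlements span systems, so a conflict
# between a payments system and the ERP is checked the same way as one inside a single system.
RULES = [
    SodRule("SOD-001", frozenset({"payments:create", "payments:approve"}),
            "initiator must not approve their own payment"),
    SodRule("SOD-002", frozenset({"erp:vendor.create", "payments:create"}),
            "creating a vendor and paying it enables fictitious-vendor fraud"),
    SodRule("SOD-003", frozenset({"hr:employee.create", "payroll:run"}),
            "ghost-employee payroll fraud"),
]

@dataclass
class Decision:
    granted: bool
    violations: list
    override_justification: Optional[str] = None

def check_request(current, requested, rules=RULES):
    """Rules whose full conflict set would be held once `requested` is added to `current`."""
    after = set(current) | {requested}
    return [r for r in rules if r.conflict <= after]

def provision(user, current, requested, ledger, justification=None, rules=RULES):
    """Evaluate at the point of provisioning. Grant only if no rule fires or the requester
    supplied a business justification; append every decision to the ledger as evidence."""
    hits = check_request(current, requested, rules)
    ids = [r.rule_id for r in hits]
    if hits and justification is None:
        decision = Decision(False, ids)
    else:
        current.add(requested)
        decision = Decision(True, ids, justification if hits else None)
    ledger.append((user, requested, decision))
    return decision

def violation_rate(ledger):
    """Board metric: share of requests that tripped a rule, and how many were overridden."""
    if not ledger:
        return 0.0, 0
    tripped = [d for _, _, d in ledger if d.violations]
    overridden = sum(1 for d in tripped if d.granted)
    return len(tripped) / len(ledger), overridden

if __name__ == "__main__":
    ledger = []
    # Constructed requests: one denied, one overridden with justification, one clean.
    provision("alice", {"payments:create"}, "payments:approve", ledger)
    provision("bob", {"erp:vendor.create"}, "payments:create", ledger,
              justification="single-controller site; compensating CFO review (constructed)")
    provision("carol", set(), "erp:report.read", ledger)
    for user, ent, d in ledger:
        print(f"{user:6} {ent:20} granted={d.granted} violations={d.violations} "
              f"override={d.override_justification}")
    rate, overridden = violation_rate(ledger)
    print(f"SoD violation rate {rate:.0%}, overridden {overridden}")
```

The override path is recorded rather than refused outright, because the article's metric is not only how often a conflict fires but how many conflicts were waved through with a business justification; those overrides are the cases an audit committee should ask about.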
What to Actually Keep From the Quarterly Review
Not everything in the quarterly review is worthless. The cadence creates a forcing function for conversations that otherwise never happen. The problem is that the conversation is happening with the wrong people, about the wrong things, at the wrong frequency.
Keep a periodic review, but redesign it. Instead of asking managers to certify individual entitlements, ask application owners to certify that their role definitions are still accurate. That is a smaller, more meaningful question. An application owner who knows their system can tell you whether the 'Finance Analyst' role still makes sense. A manager cannot tell you whether a specific database permission is appropriate.
Run this role certification annually, not quarterly. Pair it with a quarterly anomaly review where your identity team looks at the drift detection output and closes out flagged items. That combination gives you continuous coverage on the high-frequency risks and periodic governance on the structural questions.
The Tooling Decision: IGA Platform vs. Point Solutions
If you are running access reviews in spreadsheets or in a basic ticketing system, you are doing manual work that should be automated. The question is whether you need a full IGA platform or whether you can assemble the capability from point solutions.
Full IGA platforms from vendors like SailPoint, Saviynt, or Omada give you provisioning, certification, role management, and SoD detection in one place. The integration cost is real, typically 12 to 18 months for a mid-size enterprise, and the licensing is not cheap. But the operational efficiency gain is significant. Teams that move from manual reviews to automated IGA typically reduce access review labor by 60 to 70 percent.
Point solutions can work if your environment is less complex. A strong identity provider with good lifecycle management, combined with a SIEM that can detect anomalous access patterns, can cover a significant portion of the risk surface. The gap is usually SoD detection and formal role management. Know what you are trading off before you decide the point solution approach is sufficient.
You can explore and compare IGA platforms, identity lifecycle tools, and access governance solutions across thousands of products in the CybersecTools database to build your evaluation shortlist before you start vendor conversations.
How to Report This to Your Board Without Losing Them
Your board does not care about entitlement counts or certification completion rates. They care about whether the company is exposed to fraud, regulatory penalty, or breach from an insider or a compromised credential.
Frame your access governance metrics in those terms. The metrics that land with boards and audit committees are:
- Mean time to deprovision: How quickly are terminated employee accounts disabled? Target under 4 hours for standard offboarding, under 1 hour for involuntary terminations
- Orphaned account count: How many active accounts belong to people no longer in the HR system? Target zero, with a defined remediation SLA for any exceptions
- SoD violation rate: What percentage of access provisioning requests triggered a SoD conflict, and how many were overridden with business justification?
- Privilege creep index: What percentage of user entitlements fall outside defined roles? Trending down is the story you want to tell
These metrics tell a risk story. They connect access governance to business outcomes your board already understands: fraud prevention, regulatory compliance, and insider threat reduction.
Frequently Asked Questions
Most compliance frameworks, including SOC 2, ISO 27001, and PCI DSS, require periodic access reviews but do not mandate quarterly spreadsheet campaigns. The requirement is for a control that demonstrates access is appropriate and reviewed. Continuous automated controls with documented evidence often satisfy auditors more effectively than manual quarterly certifications. Have the conversation with your auditor before you assume the process is fixed.
Conclusion
The quarterly access review is not going away entirely. Auditors will keep asking for it, and some version of periodic governance will always make sense. But treating it as your primary access control is a mistake that leaves real risk unmanaged while consuming significant team capacity. The shift to continuous controls, automated deprovisioning, role-based drift detection, and real-time SoD enforcement is not a future state. It is achievable with current tooling, and the organizations that have made the shift are spending less time on access reviews and carrying less actual risk. Start with the highest-consequence gap, build the evidence base, and use it to fund the next phase. That is how you move from ceremonial security to security that actually works.
