Start with Identity

Access Review Checklist

A practical checklist for running an access certification campaign that auditors accept and managers actually complete.

Use this to run a periodic access certification (review) that holds up to audit. Adapt scope and cadence to your risk and regulatory needs.

Before the campaign

  • Define scope: which systems, roles, and identities (include service and non-human accounts).
  • Set cadence and trigger (quarterly, on role change, regulatory deadline).
  • Confirm the source of truth for entitlements (the export the review is built from) is current.
  • Identify reviewers (managers, application owners) and a fallback for absentees.
  • Decide what "evidence" you must retain for auditors.

During the campaign

  • Show each reviewer only the access they are accountable for, with clear context (who, what, why it was granted, when it was last used).
  • Flag high-risk items: privileged access, dormant accounts, separation-of-duties conflicts.
  • Require an explicit decision (keep, reduce, revoke) with a reason, not a blanket approve.
  • Track completion and chase non-responders before the deadline.

After the campaign

  • Revoke or reduce access where decided, and confirm the change actually took effect.
  • Retain immutable evidence: who reviewed what, when, and the decision.
  • Feed findings back into roles and birthright access to reduce next cycle's noise.
  • Report metrics: completion rate, items revoked, exceptions, time to remediate.
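The mechanics behind the "during" and "after" steps above, as an added example that is not part of this checklist: it builds a campaign per reviewer from a constructed entitlement export, flags privileged, dormant and separation-of-duties items, rejects blanket approvals and decisions without a reason, keeps a hash-chained decision ledger as evidence, and checks a later export to catch revocations that were never enforced. Field names, the 90-day dormancy threshold, the SoD pairs and all data are assumptions, not any product's format.

```python
"""Constructed, assumed model of an access certification campaign (example only)."""
from collections import defaultdict
from datetime import date
import hashlib
import json

DORMANT_DAYS = 90  # assumed threshold for "dormant"
# Assumed separation-of-duties conflict pairs (constructed).
SOD_CONFLICTS = {frozenset({"erp:create_vendor", "erp:approve_payment"})}
TODAY = date(2024, 5, 15)  # fixed so the example is deterministic

# Constructed entitlement export: one row per (identity, entitlement).
EXPORT = [
    {"id": "e1", "user": "alice", "kind": "human", "owner": "mgr.bob", "ent": "erp:create_vendor",
     "why": "AP clerk role", "last_used": "2024-05-01", "priv": False},
    {"id": "e2", "user": "alice", "kind": "human", "owner": "mgr.bob", "ent": "erp:approve_payment",
     "why": "covering for lead", "last_used": "2024-04-20", "priv": False},
    {"id": "e3", "user": "svc-backup", "kind": "service", "owner": "app.carol", "ent": "db:admin",
     "why": "backup job", "last_used": None, "priv": True},
    {"id": "e4", "user": "dave", "kind": "human", "owner": "mgr.bob", "ent": "wiki:read",
     "why": "birthright", "last_used": "2024-05-10", "priv": False},
]

def risk_flags(row, rows_for_user):
    """Flags a reviewer must see: privileged, dormant, SoD conflict with other held access."""
    flags = []
    if row["priv"]:
        flags.append("privileged")
    last = row["last_used"]
    if last is None or (TODAY - date.fromisoformat(last)).days > DORMANT_DAYS:
        flags.append("dormant")
    held = {r["ent"] for r in rows_for_user}
    if any(row["ent"] in pair and pair <= held for pair in SOD_CONFLICTS):
        flags.append("sod_conflict")
    return flags

def build_campaign(export):
    """Group items by the reviewer who owns them, attaching context and risk flags."""
    by_user = defaultdict(list)
    for r in export:
        by_user[r["user"]].append(r)
    campaign = defaultdict(list)
    for r in export:
        campaign[r["owner"]].append(dict(r, flags=risk_flags(r, by_user[r["user"]])))
    return dict(campaign)

VALID_DECISIONS = {"keep", "reduce", "revoke"}

def record_decision(ledger, item_id, reviewer, decision, reason, when):
    """Append-only ledger entry; each entry commits to the previous digest (tamper-evident)."""
    if decision not in VALID_DECISIONS:
        raise ValueError(f"decision must be one of {sorted(VALID_DECISIONS)}, got {decision!r}")
    if not reason.strip():
        raise ValueError("a reason is required; blanket approvals are rejected")
    entry = {"item": item_id, "reviewer": reviewer, "decision": decision,
             "reason": reason, "when": when, "prev": ledger[-1]["digest"] if ledger else ""}
    entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    ledger.append(entry)
    return entry

def verify_ledger(ledger):
    """Recompute the chain; any edited or reordered entry breaks it."""
    prev = ""
    for e in ledger:
        body = {k: v for k, v in e.items() if k != "digest"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or e["digest"] != expected:
            return False
        prev = e["digest"]
    return True

def unenforced_revocations(ledger, fresh_export):
    """Items decided 'revoke' that still appear in a later export (decision never enforced)."""
    still_present = {r["id"] for r in fresh_export}
    return sorted(e["item"] for e in ledger
                  if e["decision"] == "revoke" and e["item"] in still_present)

def metrics(campaign, ledger):
    total = sum(len(items) for items in campaign.values())
    decided = {e["item"] for e in ledger}
    return {"total": total, "completion": len(decided) / total,
            "revoked": sum(e["decision"] == "revoke" for e in ledger)}

def run_demo():
    campaign = build_campaign(EXPORT)
    ledger = []
    record_decision(ledger, "e1", "mgr.bob", "keep", "core AP duty", "2024-05-16")
    record_decision(ledger, "e2", "mgr.bob", "revoke", "SoD conflict; coverage ended", "2024-05-16")
    record_decision(ledger, "e4", "mgr.bob", "keep", "birthright access", "2024-05-16")
    record_decision(ledger, "e3", "app.carol", "reduce", "scope to backup role only", "2024-05-17")
    # Constructed post-remediation export: e2 is still present, so its revocation was not enforced.
    fresh_export = list(EXPORT)
    return campaign, ledger, unenforced_revocations(ledger, fresh_export), metrics(campaign, ledger)

if __name__ == "__main__":
    campaign, ledger, stale, stats = run_demo()
    for owner, items in campaign.items():
        print(owner, [(i["id"], i["flags"]) for i in items])
    print("ledger intact:", verify_ledger(ledger), "unenforced:", stale, stats)
```

The two checks that matter most in practice are the last two: `verify_ledger` is what you hand an auditor as evidence that decisions were not altered after the fact, and `unenforced_revocations` run against a fresh export is the only way to know a "revoke" decision actually reached the target system.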

Common failure modes

  • Reviewers rubber-stamp because there is too much to review or no context.
  • Decisions are recorded but never enforced in the target system.
  • Service and non-human accounts are excluded and quietly accumulate access.