Identity Governance

Access Review & Recertification

Access review and recertification are critical processes for ensuring users maintain only the permissions they need, when they need them.

What is Access Review?

Access review (also called access certification or recertification) is the process of periodically verifying that users have appropriate access rights. It answers the question: "Should this user still have these permissions?"

Access reviews are essential for:

  • Compliance – Meeting regulatory requirements (SOX, GDPR, HIPAA, SOC 2)
  • Security – Preventing privilege creep and orphaned accounts
  • Least privilege – Ensuring users have minimal necessary access
  • Audit readiness – Demonstrating access governance to auditors

Access Recertification Process

A typical recertification campaign involves:

1. Scope Definition – Define which users, applications, and permissions to review
2. Reviewer Assignment – Assign managers or resource owners to review access
3. Review & Decision – Reviewers approve, revoke, or flag permissions for investigation
4. Remediation – Remove or modify access based on review decisions
5. Documentation – Generate audit trails and compliance reports

Challenges with Traditional Access Reviews

Periodic access reviews face several challenges:

  • Rubber-stamping – Reviewers approve everything without careful evaluation
  • Point-in-time snapshot – Reviews only catch issues at review time, not between cycles
  • Manual effort – Time-consuming process that frustrates reviewers
  • Lack of context – Reviewers don't understand what permissions actually allow
  • Disconnected from policies – Reviews happen separately from authorization rules

From Periodic Reviews to Continuous Access Governance

Modern access governance moves beyond periodic recertification campaigns to continuous compliance:

Traditional Approach

  • Quarterly/annual review campaigns
  • Manual reviewer decisions
  • Spreadsheet-based tracking
  • Reactive remediation

Continuous Governance

  • Policy-based access validation
  • Automated anomaly detection
  • Real-time policy enforcement
  • Proactive risk mitigation

How Big ACL Enables Continuous Access Governance

Big ACL transforms access reviews by connecting governance to your actual authorization policies:

  • Policy-based validation – Access is automatically validated against explicit rules
  • Change detection – Get alerted when access patterns deviate from policies
  • Audit trails – Every policy change is versioned and traceable
  • Clear semantics – Reviewers see policies in natural language, not cryptic permissions
  • Integration with IGA – Connect with identity governance platforms for unified access management

By using Big ACL as your Policy Administration Point, access reviews become a validation of policies rather than a review of individual permissions.
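As an added example (not Big ACL's code or policy format), the policy-based validation and change detection described above, in Python: observed grants are compared with a hypothetical role policy, and privilege creep, under-provisioning, orphaned accounts and newly appeared grants are reported as review items. All role names, accounts and snapshots are constructed.

```python
# Added example, not Big ACL's data model: validate observed entitlements
# against an explicit role policy instead of reviewing grants one by one.
from dataclasses import dataclass, field

# Hypothetical policy: which permissions each role may confer.
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:post"},
    "auditor": {"ledger:read", "repo:read"},
}

# Constructed identity source of truth (HR system / IdP): user -> roles.
USER_ROLES = {"alice": {"engineer"}, "bob": {"finance"}, "carol": {"auditor"}}

# Constructed snapshot of what target systems actually grant: user -> permissions.
OBSERVED_GRANTS = {
    "alice": {"repo:read", "repo:write", "ci:run", "ledger:post"},  # privilege creep
    "bob": {"ledger:read", "ledger:post"},                           # matches policy
    "carol": {"repo:read"},                                          # under-provisioned
    "dave": {"repo:write"},                                          # no identity: orphaned
}

@dataclass
class Findings:
    excess: dict = field(default_factory=dict)    # user -> grants beyond policy
    missing: dict = field(default_factory=dict)   # user -> policy grants not present
    orphaned: set = field(default_factory=set)    # accounts with grants but no identity

def expected_permissions(roles, policy=ROLE_PERMISSIONS):
    """Union of the permissions every assigned role may confer."""
    return set().union(*(policy.get(role, set()) for role in roles))

def validate_access(user_roles, observed, policy=ROLE_PERMISSIONS):
    """Compare observed grants with policy; each deviation is a review item."""
    findings = Findings()
    for account, grants in observed.items():
        if account not in user_roles:
            findings.orphaned.add(account)
            continue
        expected = expected_permissions(user_roles[account], policy)
        if grants - expected:
            findings.excess[account] = sorted(grants - expected)
        if expected - grants:
            findings.missing[account] = sorted(expected - grants)
    return findings

def new_grants(previous, current):
    """Change detection between two snapshots: grants that appeared since the last run."""
    return {u: sorted(p - previous.get(u, set()))
            for u, p in current.items() if p - previous.get(u, set())}

if __name__ == "__main__":
    f = validate_access(USER_ROLES, OBSERVED_GRANTS)
    print("excess:", f.excess, "missing:", f.missing, "orphaned:", sorted(f.orphaned))
```

Running `validate_access` on every collected snapshot, rather than once per campaign, turns each excess or orphaned grant into an alert between review cycles.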
