How to Run a Quarterly Privileged Account Access Review That Is Not Rubber-Stamp Theater

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The quarterly privileged access review that generates 400 email approvals and closes in 3 days is not functioning as a risk control. It is functioning as a documentation generator. The approving managers did not have the context to make real decisions -- they did not know when the account last authenticated, what permissions it actually carried, or whether the original business justification still applied. They clicked approve because the alternative (escalating uncertainty) takes more time and creates friction with the team member whose access is under review.
The fix is not in the review process itself -- it is in the context provided to reviewers before the review begins. A manager who receives an account record showing "last authenticated 8 months ago, carries domain admin permissions, original justification from 2022 for a project that completed in Q1 2023" has enough information to make a real decision without investigation. A manager who receives a list of names and a button labeled "Approve / Revoke" is going to approve everything.
This guide covers the pre-built context format that enables real decisions, the three justification criteria that produce consistent reviewer decisions, the escalation path for accounts that cannot be justified, and the metrics that distinguish a substantive review from a rubber-stamp one.
What Privileged Accounts to Include: Scope Definition
Access reviews that try to cover all accounts in the organization produce the rubber-stamp outcome because the volume overwhelms reviewer attention. Access reviews scoped to privileged accounts only -- with a consistent definition of "privileged" -- produce manageable volume and meaningful decisions.
Define privileged account categories for your environment:
Tier 0: Highest-privilege accounts. Domain administrators, global administrators (Microsoft 365, AWS root, Google Workspace Super Admin), and emergency access accounts. These warrant review at every cycle and individual justification for every account.
Tier 1: Elevated administrative accounts. Local administrators on servers, service accounts with write access to production systems, accounts with access to encryption keys or certificate stores, accounts with access to identity provider administrative functions (Okta admin, Entra ID privileged roles below Global Admin). These warrant review quarterly.
Tier 2: Sensitive but non-administrative accounts. Service accounts with read access to production databases containing regulated data, third-party vendor accounts with access beyond public-facing systems, privileged access workstation accounts. These warrant review semi-annually.
Define this categorization explicitly in your access management policy. Without explicit scoping, the review either covers too much (every account, which produces rubber-stamping) or too little (only the accounts the IAM team already knows about, which misses discovered accounts).
Identify all accounts in each tier by querying your identity provider for role membership: in Entra ID, query members of Global Administrator, Privileged Role Administrator, Exchange Administrator, and custom high-privilege roles. In AWS, query for accounts with AdministratorAccess or accounts whose attached policies include "Action": "*", "Resource": "*". In Okta, query for Super Admin and Org Admin role assignments. In Active Directory, query Domain Admins, Schema Admins, Enterprise Admins, and custom tier-0 groups.
Pre-Building Context: The Four Data Points That Enable Real Decisions
Each account record sent to a reviewer for the access review should include four pre-built data points, collected from your IAM systems and authentication logs before the review package is assembled:
1. Last authentication date. When did this account last successfully authenticate? Pull from your identity provider's authentication logs: Entra ID sign-in logs, Okta system log, AWS CloudTrail (for IAM users and assumed roles), or Active Directory domain controller authentication events. Express as "last authenticated N days ago" rather than a raw timestamp -- reviewers process "last authenticated 287 days ago" faster than "last authenticated 2024-09-14."
2. Permission scope summary. What elevated permissions does this account carry? Not a raw dump of every policy attachment -- a human-readable summary. For an Entra ID account: "Global Administrator, Exchange Administrator." For an AWS IAM user: "AdministratorAccess policy (all services, all resources)." For an Active Directory account: "Member of Domain Admins, WSUS Administrators." This allows a reviewer to assess whether the permission scope is appropriate without reviewing raw policy JSON.
3. Original provisioning justification. Why was this account created with these privileges? Pull from your IAM ticketing system, the original provisioning request, or the access management policy record. "Provisioned for Active Directory migration project, Q2 2022. Project status: completed Q4 2022." A reviewer seeing this does not need to investigate why the account exists -- they can make an immediate decision based on the current state versus the original justification.
4. Account owner. Who is the named owner of this account today? For human accounts: the account holder's current manager. For service accounts: the team responsible for the application or service the account serves. An account with no identifiable current owner should automatically be flagged for escalation regardless of authentication activity.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Three Justification Criteria for Consistent Decisions
Reviewers given subjective judgment ("is this access appropriate?") produce highly variable outcomes across different reviewers and different periods. Reviewers given objective criteria produce consistent decisions.
A privileged account passes the review if and only if it meets all three criteria:
Criterion 1: Active use. The account has authenticated within the last 90 days. A privileged account with no authentication in 90 days has no demonstrated current business need. Exceptions: accounts that are legitimately used less frequently than quarterly (annual review accounts, break-glass emergency access accounts) should be explicitly tagged as low-frequency accounts with a documented rationale, and reviewed against their expected use pattern rather than the 90-day threshold.
Criterion 2: Justified current scope. The permission scope is documented in a current business requirement that the reviewer can confirm is still active. "This account is the Domain Admin for the Active Directory infrastructure" is a justified current scope for an IT infrastructure team member. "This account has Domain Admin because they needed it for the 2022 migration project" is a historical justification that does not support current elevated access.
Criterion 3: Named current owner. A specific person (or team, for service accounts) who can be contacted, who acknowledges responsibility for the account, and who has the authority to authorize or revoke the access. An account whose owner has left the company, transferred to a different team, or cannot be identified fails this criterion.
The review decision tree: if all three criteria are met, approve. If any criterion is not met, the reviewer should initiate the escalation path rather than approving with reservations.
The Escalation Path for Accounts That Cannot Be Justified
The escalation path is what transforms the access review from a documentation exercise into a risk reduction exercise. An account that fails one or more justification criteria should not be approved with a note -- it should be escalated for resolution within a defined timeframe.
Escalation tier 1: The reviewer escalates to the IAM team (within 5 business days of the review start). The reviewer marks the account as "cannot justify" in the review platform and provides the specific criterion that was not met. The IAM team contacts the account owner (or attempts to identify the owner) and requests a justification document or schedules account removal. For accounts that fail Criterion 1 (no recent authentication): the IAM team disables the account (not deletes -- disabling preserves audit logs) and sets a 30-day monitoring window. If no one complains about loss of access in 30 days, the account is deleted.
Escalation tier 2: The CISO escalates to the account holder's department leadership (within 15 business days of the review start). If the IAM team cannot reach the account owner, or if the account owner disagrees with the revocation and escalates, the CISO presents the account's current state (no authentication in N days, original justification no longer applicable) to the relevant business leader with a clear binary choice: provide a current business justification or authorize revocation. This removes ambiguity and documents the decision at an appropriate authority level.
Emergency revocation (immediate, no waiting period). Any account where the owner's employment has ended, where the account appears in an external threat intelligence report, or where the account is associated with an active security investigation should be disabled immediately rather than waiting for the standard escalation process.
Tooling That Reduces Administrative Burden Without Reducing Decision Quality
Manual access review process management (spreadsheets, email campaigns, manual log queries) makes thorough reviews operationally difficult for the IAM team and time-consuming for reviewers. Identity Governance and Administration (IGA) tools automate the administrative work while preserving decision quality.
What IGA platforms automate: reviewer notification and follow-up, pre-building the four data points per account (last authentication, permission scope, justification, owner), capturing reviewer decisions with timestamps, generating audit reports of review completion, and routing non-approved accounts to the escalation queue.
IGA tools commonly used for privileged access reviews: SailPoint IdentityNow and SailPoint IIQ (enterprise, large environments), Saviynt (enterprise, strong cloud integration), Microsoft Entra ID Governance (native for Microsoft environments, includes access reviews with last sign-in data), Okta Identity Governance (native for Okta environments), Ping Identity, and smaller tools like Lumos, ISIM, or Bravura Security for mid-market environments.
Minimum viable without an IGA platform: If you are running access reviews without IGA tooling, the minimum viable process uses: a structured spreadsheet template with pre-populated columns for last authentication (pulled from identity provider export), permission scope (pulled from role membership export), justification (from provisioning ticket system), and owner. The spreadsheet is distributed to reviewers with a documented decision threshold (the three criteria) and a firm deadline. Follow-up is manual but structured -- daily reminders to incomplete reviewers with manager escalation on day 5.
The key constraint without IGA: the IAM team bears the administrative burden of pre-building the data and chasing reviewers. For an environment with 200+ privileged accounts, this becomes a full-time task each quarter. That operational burden is the business case for IGA tooling investment.
Metrics That Distinguish a Substantive Review From a Rubber Stamp
Report the following metrics after each access review cycle. These metrics distinguish a review that produced real decisions from one that produced documentation of non-decisions.
Accounts reviewed versus accounts changed. What percentage of accounts reviewed resulted in removal or scope reduction? A review where 100% of accounts are approved unchanged is either a perfectly clean environment (unlikely) or a rubber-stamp review (likely). Target: at least 5 to 15% of accounts should result in modification (removal or scope reduction) in a healthy access review cycle. First-cycle reviews often produce 20 to 30% modification rates as historical accumulation is surfaced.
Review completion rate. What percentage of assigned reviewers completed the review by the deadline? Low completion rates indicate either too many accounts per reviewer (volume overwhelm) or insufficient reviewer engagement (reviewers do not understand why the review matters). Track and trend over time.
Time-to-resolution for escalated accounts. How long did accounts that failed the justification criteria take to reach resolution (approval with new justification or revocation)? Escalated accounts that remain unresolved after 30 days indicate the escalation process is not functioning. Track the number of escalated accounts and their average resolution time.
Privileged account count trend. Total privileged accounts at the end of each review cycle. If privileged account count is growing quarter over quarter despite access reviews, the provisioning process is adding accounts faster than the review process is removing them -- a sign that least-privilege provisioning practices need attention, not just the review process.
The bottom line
A privileged account access review that produces real risk reduction requires three things that rubber-stamp reviews lack: pre-built context that enables managers to make decisions without investigation (last authentication date, permission scope summary, original justification, named current owner), objective three-criteria justification standards that produce consistent decisions across reviewers, and an escalation path that routes unjustified accounts to revocation rather than approval with reservations. The metrics that confirm whether the review is substantive are the accounts changed rate (target 5 to 15%), the review completion rate, the time-to-resolution for escalated accounts, and the trend in total privileged account count. A review that ends with fewer privileged accounts than it started with is functioning as a risk control. A review that ends with the same accounts is functioning as a compliance checkbox.
Frequently asked questions
What is a privileged account access review?
A privileged account access review is a periodic (typically quarterly) examination of accounts with elevated permissions -- domain administrators, global administrators, service accounts with write access to production systems, emergency access accounts, and third-party vendor accounts with elevated access. The purpose is to confirm that each account is still required, that the permission scope matches a current business need, and that access has not accumulated beyond what was originally provisioned. An effective review produces account removals and permission reductions, not just approval documentation.
What should be included in an access review package sent to managers?
Four pre-built data points per account: last authentication date (expressed as 'last authenticated N days ago' rather than a raw timestamp), permission scope summary (human-readable summary like 'Global Administrator, Exchange Administrator' rather than raw policy JSON), original provisioning justification (why the account was created with these privileges, and whether the project or role that justified it is still active), and named current owner (who is responsible for this account today). Without this context, managers cannot make real decisions -- they approve everything because investigating each account individually takes too long.
What are the criteria for keeping or revoking a privileged account?
Three criteria, all of which must be met for an account to pass review: active use (authenticated within the last 90 days -- accounts with no recent authentication have no demonstrated current business need), justified current scope (permission scope is documented in a current business requirement the reviewer can confirm is still active, not a historical justification from a completed project), and named current owner (a specific person or team who can be contacted, acknowledges responsibility, and has authority to authorize or revoke the access). An account failing any one criterion should be escalated for resolution rather than approved.
How do I handle accounts that reviewers cannot justify during an access review?
Use a two-tier escalation: Tier 1 -- the reviewer marks the account 'cannot justify' and the IAM team contacts the account owner within 5 business days to request a current justification or initiate account removal. For accounts failing the active-use criterion: disable immediately (not delete -- preserves audit logs) and monitor for 30 days; if no complaint about loss of access, delete. Tier 2 -- if the IAM team cannot resolve within 15 business days, the CISO presents the account to the relevant business leader with a binary choice: provide a current justification or authorize revocation. Emergency revocation (immediate, no waiting) applies to accounts with terminated owners, threat intelligence hits, or active security investigations.
What metrics indicate a privileged access review is substantive rather than a rubber stamp?
Four metrics: accounts changed rate (percentage of reviewed accounts resulting in removal or scope reduction -- target 5 to 15% for a mature environment, 20 to 30% for a first-cycle review surfacing historical accumulation), review completion rate (percentage of assigned reviewers completing by deadline -- low rates indicate volume overwhelm or reviewer engagement problems), time-to-resolution for escalated accounts (accounts failing justification criteria that remain unresolved after 30 days indicate a broken escalation process), and privileged account count trend (if total privileged accounts grow quarter over quarter despite reviews, provisioning is outpacing revocation).
What IGA tools support privileged account access reviews?
Enterprise IGA platforms: SailPoint IdentityNow and IdentityIQ, Saviynt (strong cloud integration), Ping Identity. Native platform tools: Microsoft Entra ID Governance (includes access reviews with last sign-in data pre-populated for Microsoft environments), Okta Identity Governance (native for Okta environments). Mid-market: Lumos, Bravura Security, ISIM. Without IGA tooling, the minimum viable process uses a structured spreadsheet with pre-populated columns for last authentication, permission scope, justification, and owner -- but the IAM team bears the full administrative burden of data collection and reviewer follow-up, which becomes a full-time task each quarter for environments with 200+ privileged accounts.
How often should privileged account access reviews run?
Tier 0 accounts (domain administrators, global administrators, emergency access accounts) should be reviewed every quarter at minimum, with some organizations reviewing monthly. Tier 1 accounts (elevated administrative accounts, production service accounts with write access) should be reviewed quarterly. Tier 2 accounts (sensitive non-administrative accounts, third-party vendor accounts with elevated access) can be reviewed semi-annually. Compliance frameworks often specify minimum frequencies: SOC 2 typically expects quarterly for privileged accounts, PCI DSS requires periodic review with quarterly being standard practice, ISO 27001 requires regular review without specifying frequency.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
