User access review

A user access review is the periodic process of examining who has access to what systems, applications, and data within your organization, verifying that each person's access level is appropriate for their current role, and revoking access that is no longer needed. User access reviews are required by SOC 2, ISO 27001, HIPAA, and other compliance frameworks as a core identity and access management control.

What is a user access review?

A user access review (sometimes called a user access certification or entitlement review) is the process of verifying that every user account in your systems has the right level of access for their current role, and only that level of access. It answers three questions:

  1. Who has access? Every user account across every system, including employees, contractors, service accounts, and API integrations.
  2. What can they access? The specific permissions, roles, and data each account can reach.
  3. Should they still have it? Whether the access is appropriate given the person's current job function, or whether it should be modified or revoked.

The goal is to enforce the principle of least privilege over time. People change roles, leave the company, or accumulate permissions they no longer need. Without regular reviews, access drifts, and that drift creates security risk.

Why user access reviews matter for startups

  1. Compliance frameworks require them. SOC 2 Trust Services Criteria require organizations to demonstrate that access controls are reviewed and maintained over the audit period. ISO 27001:2022 Annex A control 5.18 requires that access rights be "provisioned, reviewed, modified and removed" on a defined schedule. HIPAA requires periodic review of information system activity records, including access logs. If you're pursuing any of these certifications, access reviews aren't optional.
  2. Credential compromise is a top breach vector. The Verizon 2024 DBIR found that stolen credentials remain one of the most common initial access methods in confirmed breaches. Stale accounts with active credentials are particularly dangerous because no one is monitoring them. An attacker who compromises a former employee's account that was never deprovisioned has access with zero detection risk.
  3. Access accumulates faster than you think. Startups move fast. People wear multiple hats, get added to systems for one-off projects, and retain access long after the project ends. A developer who temporarily needed production database access six months ago may still have it. A contractor who finished their engagement may still have active accounts across your SaaS tools. Without reviews, these accumulations compound.
  4. Non-human identities are easy to forget. Service accounts, API keys, CI/CD tokens, and bot integrations all have access to your systems. They don't show up in your HR system, they don't leave the company, and they rarely get reviewed. Your access review needs to cover these machine identities alongside human users.

What a user access review covers

A thorough access review examines:

  • SaaS applications. Every tool your team uses: cloud providers, code repositories, project management, communication tools, CRM, billing, analytics. Each one has its own user directory and permission model.
  • Infrastructure access. SSH keys, cloud console access, database credentials, VPN accounts, and admin panels.
  • Permission levels. Not just who has access, but what kind: admin vs. member vs. read-only. Overprivileged accounts (a marketing manager with admin access to your cloud console) are a common finding.
  • Non-human identities. Service accounts, API tokens, OAuth integrations, and bot users. These often have elevated permissions and no expiration date.
  • Inactive accounts. Accounts that haven't been used in 90+ days, accounts belonging to former employees or contractors, and test accounts that were never cleaned up.

How often should you review access?

NIST SP 800-53 (AC-2) requires organizations to review accounts for compliance at an organization-defined frequency. In practice, the standard cadences are:

  • Quarterly for privileged and administrative access (SOC 2 auditors typically expect this)
  • Semi-annually for standard user access
  • Immediately when someone changes roles or leaves the organization

Most startups default to quarterly reviews across the board because it satisfies SOC 2 requirements and is manageable with the right tooling. The critical thing is consistency: auditors want to see that reviews happened on schedule throughout the audit period, not just right before the audit.

Running access reviews efficiently

  • Centralize your identity data. The hardest part of access reviews is getting a complete picture. If you're logging into 15 different SaaS dashboards to export user lists, the process is already broken. Use a tool that discovers accounts across your connected services automatically.
  • Flag issues, don't just list accounts. A useful access review doesn't just show you a spreadsheet of users. It highlights accounts missing MFA, users with admin access who shouldn't have it, inactive accounts, and permission anomalies.
  • Generate exportable evidence. Your auditor needs documentation: who was reviewed, what was found, and what was remediated. The output of your access review should be audit-ready without additional formatting.
  • Include offboarding verification. Every access review should confirm that former employees and contractors have been fully deprovisioned. Check for accounts that survived the offboarding process and revoke them.
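The checks listed above (what the review covers: permission levels, non-human identities, inactive accounts; and how to run it: centralize the inventory, flag issues rather than list accounts, export evidence, verify offboarding) can be expressed as a small review engine. The following is an added example written for this page, not Fencer's code or any product's API. It assumes an account inventory already collected from each system (the `ACCOUNTS` list), an HR roster (`HR`), and a per-system policy of which job functions may hold admin rights (`ADMIN_ALLOWED`); all of that data is constructed for illustration.

```python
"""Minimal access-review engine (added example, constructed data).

Applies the page's checks to an account inventory and produces
audit evidence as CSV:
  - offboarding gap: account whose owner is no longer active in HR
  - orphan account: human account with no HR owner (e.g. a test account)
  - overprivileged: admin role held by a job function not allowed it
  - no-mfa: human account without MFA
  - inactive: no login in the last 90 days
  - non-human identity: always surfaced so a reviewer confirms its owner
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_DAYS = 90
REVIEW_DATE = date(2024, 7, 1)  # constructed review date


@dataclass
class Account:
    system: str
    user: str
    owner: str                  # HR id for humans, "" for non-human identities
    role: str                   # "admin", "member" or "read-only"
    mfa: bool
    last_login: Optional[date]  # None means the account has never been used
    human: bool = True


# Constructed HR roster: employee id -> (status, job function)
HR = {
    "e001": ("active", "engineering"),
    "e002": ("active", "marketing"),
    "e003": ("terminated", "engineering"),
}

# Constructed policy: job functions allowed to hold admin in each system
ADMIN_ALLOWED = {
    "cloud-console": {"engineering"},
    "crm": {"marketing", "sales"},
}

# Constructed inventory, as if exported from each system's user directory
ACCOUNTS = [
    Account("cloud-console", "alice", "e001", "admin", True, date(2024, 6, 28)),
    Account("cloud-console", "bob", "e002", "admin", True, date(2024, 6, 20)),
    Account("cloud-console", "carol", "e003", "member", True, date(2024, 2, 1)),
    Account("crm", "bob", "e002", "admin", False, date(2024, 6, 30)),
    Account("crm", "test-user", "", "member", False, date(2024, 1, 5)),
    Account("cloud-console", "ci-deploy", "", "admin", False, date(2024, 6, 30), human=False),
]


def review(accounts, hr, review_date=REVIEW_DATE):
    """Return (system, account, finding, recommended action) tuples."""
    findings = []
    for a in accounts:
        if a.human:
            rec = hr.get(a.owner)
            if rec is None:
                findings.append((a.system, a.user, "orphan-account", "identify owner or revoke"))
            else:
                status, job = rec
                if status != "active":
                    findings.append((a.system, a.user, "offboarding-gap", "revoke"))
                elif a.role == "admin" and job not in ADMIN_ALLOWED.get(a.system, set()):
                    findings.append((a.system, a.user, "overprivileged", "downgrade to member"))
            if not a.mfa:
                findings.append((a.system, a.user, "no-mfa", "enforce MFA"))
        else:
            # Machine identities never leave via HR, so every review surfaces them
            findings.append((a.system, a.user, "non-human-identity", "confirm owner and rotate credential"))
        if a.last_login is None or (review_date - a.last_login).days > INACTIVE_DAYS:
            findings.append((a.system, a.user, "inactive", "disable"))
    return findings


def evidence_csv(findings, reviewer, review_date=REVIEW_DATE):
    """Render findings as the kind of CSV record an auditor samples."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["review_date", "reviewer", "system", "account", "finding", "action"])
    for system, user, finding, action in findings:
        w.writerow([review_date.isoformat(), reviewer, system, user, finding, action])
    return buf.getvalue()


if __name__ == "__main__":
    print(evidence_csv(review(ACCOUNTS, HR), reviewer="security@example.test"))
```

The output lists eight findings for the constructed data: one overprivileged admin, one terminated employee whose account survived offboarding (also inactive), one admin without MFA, an orphaned test account that is also inactive and lacks MFA, and the CI token flagged for owner confirmation. The CSV carries the review date and reviewer on every row, which is what demonstrates to an auditor that the review happened on schedule; the decision column is what the reviewer then acts on and records as remediated.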

How Fencer helps with user access reviews

Fencer auto-discovers accounts across your connected services, including both human and non-human identities (service accounts, bots, API keys). It flags accounts missing MFA, users with excessive permissions, and inactive accounts that should be deprovisioned. When it's time for a quarterly review, Fencer generates exportable CSV reports that satisfy SOC 2, ISO 27001, and other audit requirements, reducing review time from days to minutes.

Frequently asked questions

How long does a user access review take?

For a startup with 20 to 50 employees and 15 to 30 SaaS tools, a manual access review (logging into each tool, exporting user lists, cross-referencing against HR records, documenting findings) typically takes 2 to 5 days per quarter. With automated tooling that discovers accounts and flags issues, the same review can be completed in under an hour. The bottleneck shifts from data gathering to decision-making: reviewing flagged accounts and confirming whether access should be maintained or revoked.

What's the difference between a user access review and an access audit?

The terms are often used interchangeably, but there's a practical distinction. A user access review is the periodic internal process of verifying that access is appropriate. An access audit is typically the external validation (by your SOC 2 auditor, for example) that your review process exists, is followed consistently, and produces documented evidence. The review is what you do; the audit is someone else checking that you did it. Your auditor will sample your access review records to verify they happened on schedule and that issues were remediated.

Do I need to review access to every single tool?

Prioritize based on data sensitivity and risk. Systems that store customer data, financial records, source code, or infrastructure credentials should be reviewed every quarter without exception. Lower-risk tools can follow a lighter cadence. Your SOC 2 auditor will focus on systems that are in scope for the audit, which typically includes anything that touches customer data, production infrastructure, or security controls. When in doubt, include it.
