Regularly reviewing who has access to your organization’s critical systems and data is an essential cybersecurity practice. User access reviews (UARs) help you validate that only the right people are authorized to access sensitive resources—both to reduce the risk of data breaches and to ensure compliance with common regulatory and certification frameworks.
But depending on the size and complexity of your business, preparing and running UARs can be… daunting. Defining which resources and permissions are in scope, determining what information auditors need to see, chasing down account owners and managers to complete reviews—things get complicated quickly.
So it’s hard to blame IT and security teams for dreading UARs—at least in their traditional form—and running them only when absolutely required. However, with companies managing more permissions than ever and access-related cyberattacks on the rise, recommendations for how frequently to audit access are going up, not down.
The good news is that modern orchestration and automation capabilities can help you streamline UAR processes, making them both more effective and much less painful. Let’s look at some of the factors to consider when deciding how often to conduct UARs—and ways to make the whole process easier and more efficient.
Determining your UAR needs and requirements
The general best-practice recommendation is to run UARs quarterly—and many companies are upholding or exceeding this standard. Just over half (52%) of the security leaders surveyed for ConductorOne’s 2024 Identity Security Outlook Report said their organization audits user permissions at least once a quarter; only 22% of respondents said their company reviews access biannually, annually, or rarely.
Companies’ identity security risks and needs vary widely, however. While quarterly reviews may be more than adequate for some, others should audit sensitive access much more frequently and/or review it whenever specific events occur. This is reflected in the review guidelines of voluntary frameworks and certifications like SOC 2, ISO 27001, and the NIST frameworks, all of which acknowledge that one UAR schedule does not fit all. Rather than laying out hard-and-fast rules about UAR frequency, they require reviews at a regular, organization-defined interval (auditors commonly expect at least semiannual or annual reviews) and recommend running them more often where risk warrants.
Most mandatory compliance frameworks like SOX and the NYDFS Part 500 are similarly nonprescriptive, but more is generally considered better in the eyes of compliance auditors. The NYDFS recently updated its requirements to mandate at least annual reviews, and quarterly reviews, though not strictly required, are preferred for most publicly traded companies complying with SOX regulations.
UAR needs are shaped by internal factors as well. Higher-risk access rights (administrative roles, production credentials, access to regulated data) usually warrant more frequent reviews than others; reviews that enforce policies like separation of duties (SoD) may need to happen more often; and trigger events like infrastructure changes, mergers and acquisitions, suspicious activity, and even routine employee promotions, transfers, or departures can justify one-off reviews.
So the official answer to how often you should run UARs is—it depends. We recommend following the gold standard of running reviews at minimum once a quarter. But variables including the sensitivity of the data your organization manages, how many and what type of entities (including employees, contractors, service providers, and non-human identities) interact with your systems and data, and the regulatory and certification frameworks you adhere to—and of course recommendations from your auditors—should all be taken into consideration when determining an appropriate UAR cadence.
Go deeper → User Access Reviews: Process and Best Practices Checklist
Running UARs more often—more easily
Once you’ve defined how often you should be running UARs to maintain good security and compliance, do what you can to set yourself up for UAR success.
A crucial first step is to pull all identity and access data from your environment together into one view that enables you to see fine-grained permissions, roles, groups, and their relationships. Once this information is centralized, it can be orchestrated to surface real-time access risks and support powerful automation of access controls and review tasks—ultimately removing a lot of the effort traditionally associated with UARs.
Proactively identify risky access
With a comprehensive view of your access environment, you can uncover identity-related risks like overprivileged access and unused or orphaned accounts, including service accounts whose human owner has left. Identifying and remediating these risks on an ongoing basis greatly reduces the number of issues you’ll find when you run scheduled UARs.
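As an added example (not ConductorOne's code and not part of the original post), the script below shows what this looks like once identity data is in one place: a constructed HR export and two application account exports are joined, and accounts are flagged as orphaned (bound to a departed or unknown identity, which also catches service accounts whose owner has left), stale (no login within 90 days), or role outliers among departmental peers, then grouped by the person who should review them. The example.com identities, app names, the 90-day threshold, and the peer-outlier heuristic are all assumptions made for illustration.

```python
"""Added example: pre-review risk scan over centralized identity data (constructed sample data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Employee:
    email: str
    department: str
    manager: str
    active: bool


@dataclass(frozen=True)
class Account:
    app: str
    name: str
    identity: str            # human the account belongs to (user) or the owning human (service)
    roles: frozenset
    last_login: date | None  # None means the account has never logged in
    kind: str                # "user" or "service"


TODAY = date(2024, 6, 30)          # fixed "now" so the example is reproducible
STALE_AFTER = timedelta(days=90)   # assumed policy: flag accounts idle longer than this

# Constructed HR export (assumed data). grace has left but still has an account below.
EMPLOYEES = [
    Employee("alice@example.com", "engineering", "carol@example.com", True),
    Employee("bob@example.com", "engineering", "carol@example.com", True),
    Employee("dave@example.com", "engineering", "carol@example.com", True),
    Employee("erin@example.com", "finance", "frank@example.com", True),
    Employee("grace@example.com", "engineering", "carol@example.com", False),
]

# Constructed application exports (assumed data).
ACCOUNTS = [
    Account("github", "alice", "alice@example.com", frozenset({"developer"}), TODAY - timedelta(days=5), "user"),
    Account("github", "bob", "bob@example.com", frozenset({"developer", "org-admin"}), TODAY - timedelta(days=200), "user"),
    Account("github", "dave", "dave@example.com", frozenset({"developer"}), TODAY - timedelta(days=10), "user"),
    Account("github", "grace", "grace@example.com", frozenset({"developer"}), TODAY - timedelta(days=120), "user"),
    Account("github", "deploy-bot", "alice@example.com", frozenset({"developer"}), None, "service"),
    Account("aws", "erin", "erin@example.com", frozenset({"billing-admin"}), TODAY - timedelta(days=3), "user"),
]


def find_orphaned(accounts, employees):
    """Accounts whose identity (user) or owner (service) is not an active employee."""
    active = {e.email for e in employees if e.active}
    return [a for a in accounts if a.identity not in active]


def find_stale(accounts, today=TODAY, threshold=STALE_AFTER):
    """Accounts that never logged in or have not logged in within the threshold."""
    return [a for a in accounts if a.last_login is None or today - a.last_login > threshold]


def find_overprivileged(accounts, employees, min_peers=3, max_share=0.5):
    """Heuristic (assumed): within one app and department, a role held by fewer than
    max_share of the active peers is an outlier worth a reviewer's attention."""
    dept = {e.email: e.department for e in employees if e.active}
    peers = defaultdict(list)  # (app, department) -> user accounts of active employees
    for a in accounts:
        if a.kind == "user" and a.identity in dept:
            peers[(a.app, dept[a.identity])].append(a)
    flagged = []
    for group in peers.values():
        if len(group) < min_peers:  # too few peers for the share to mean anything
            continue
        for a in group:
            for role in a.roles:
                share = sum(role in p.roles for p in group) / len(group)
                if share < max_share:
                    flagged.append((a, role))
    return flagged


def build_review_items(accounts, employees, today=TODAY):
    """Group findings by reviewer: the manager for user accounts, the owner for service
    accounts. Accounts with no HR record at all go to a default security queue."""
    by_email = {e.email: e for e in employees}
    findings = defaultdict(set)
    for a in find_orphaned(accounts, employees):
        findings[a].add("orphaned")
    for a in find_stale(accounts, today):
        findings[a].add("stale")
    for a, role in find_overprivileged(accounts, employees):
        findings[a].add(f"outlier-role:{role}")
    items = defaultdict(list)
    for a, reasons in findings.items():
        if a.kind == "service":
            reviewer = a.identity
        else:
            emp = by_email.get(a.identity)
            reviewer = emp.manager if emp else "it-security@example.com"
        items[reviewer].append((a.app, a.name, sorted(reasons)))
    return dict(items)


if __name__ == "__main__":
    for reviewer, todo in build_review_items(ACCOUNTS, EMPLOYEES).items():
        print(reviewer, todo)
```

The peer-outlier heuristic is deliberately simple; in practice you would also seed the scan with an explicit list of privileged roles and treat any holder outside an approved group as a finding regardless of what their peers hold.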
Implement strong access controls
You can further reduce access issues by using automation to both strengthen and simplify access control. For example, automation allows you to efficiently shift sensitive privileges to just-in-time (JIT) access—which entails removing standing privileges and enabling users to request privileged access only for the time required to perform their job. Automating JIT access requests and provisioning will not only improve your security posture but will decrease the number of active privileges in need of review when it’s time to audit access.
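An added illustration of the JIT model described above (example code, not ConductorOne's implementation): a small in-memory grant ledger in which a standing role assignment is revoked and replaced by time-boxed grants that require a justification, are capped at a policy maximum TTL, and are revoked by an expiry sweep. The identities, role name, and TTLs are constructed for the example. The point it shows is in `standing_review_scope`: after the conversion, only the remaining standing grant is left for the scheduled review.

```python
"""Added example: standing vs. just-in-time grants in a minimal access ledger (constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    identity: str
    role: str
    granted_at: datetime
    expires_at: datetime | None  # None means a standing (never-expiring) privilege
    justification: str = ""
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and (self.expires_at is None or now < self.expires_at)


class AccessLedger:
    """Minimal grant store: standing grants, JIT grants with a TTL, and an expiry sweep."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=8)):
        self.max_ttl = max_ttl  # assumed policy cap on any single JIT grant
        self.grants: list[Grant] = []

    def grant_standing(self, identity: str, role: str, now: datetime) -> Grant:
        g = Grant(identity, role, now, expires_at=None)
        self.grants.append(g)
        return g

    def revoke_standing(self, identity: str, role: str, now: datetime) -> int:
        """Revoke active standing grants for identity/role; returns how many were revoked."""
        n = 0
        for g in self.grants:
            if g.identity == identity and g.role == role and g.expires_at is None and g.active(now):
                g.revoked = True
                n += 1
        return n

    def request_jit(self, identity: str, role: str, ttl: timedelta, justification: str, now: datetime) -> Grant:
        if not justification.strip():
            raise ValueError("JIT requests must carry a justification for the audit trail")
        ttl = min(ttl, self.max_ttl)  # never let a request exceed the policy cap
        g = Grant(identity, role, now, expires_at=now + ttl, justification=justification)
        self.grants.append(g)
        return g

    def sweep_expired(self, now: datetime) -> list[Grant]:
        """Revoke grants whose TTL has elapsed (what a scheduled deprovisioning job does)."""
        swept = []
        for g in self.grants:
            if not g.revoked and g.expires_at is not None and now >= g.expires_at:
                g.revoked = True
                swept.append(g)
        return swept

    def has_access(self, identity: str, role: str, now: datetime) -> bool:
        return any(g.identity == identity and g.role == role and g.active(now) for g in self.grants)

    def standing_review_scope(self, now: datetime) -> list[Grant]:
        """Only standing privileges need to enter a scheduled UAR; JIT grants were
        reviewed when requested and expire on their own."""
        return [g for g in self.grants if g.expires_at is None and g.active(now)]


T0 = datetime(2024, 6, 30, 9, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def demo() -> tuple:
    """Convert one of two standing prod-db-admin grants to JIT and observe the review scope shrink."""
    ledger = AccessLedger()
    ledger.grant_standing("alice@example.com", "prod-db-admin", T0)
    ledger.grant_standing("bob@example.com", "prod-db-admin", T0)
    before = len(ledger.standing_review_scope(T0))
    ledger.revoke_standing("alice@example.com", "prod-db-admin", T0)
    ledger.request_jit("alice@example.com", "prod-db-admin", timedelta(hours=2), "INC-4242: manual failover", T0)
    during = ledger.has_access("alice@example.com", "prod-db-admin", T0 + timedelta(hours=1))
    swept = len(ledger.sweep_expired(T0 + timedelta(hours=3)))
    after_access = ledger.has_access("alice@example.com", "prod-db-admin", T0 + timedelta(hours=3))
    after = len(ledger.standing_review_scope(T0 + timedelta(hours=3)))
    return before, during, swept, after_access, after


if __name__ == "__main__":
    print(demo())  # (2, True, 1, False, 1)
```

Two design points carried over from real deployments: the justification is mandatory because it is what the reviewer and the auditor see later, and the TTL cap lives in the ledger rather than in the request so a generous requester cannot recreate a standing privilege by asking for a very long window.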
Automate UAR workflows
Automation is also key to streamlining notoriously time-consuming UAR tasks, like tracking down reviewers and documenting access decisions. When an access review campaign is kicked off in ConductorOne, for example, access reviewers are automatically notified and periodically reminded of their review tasks by email or in Slack, campaign administrators can see in real time which tasks have been completed, and a comprehensive campaign audit report can be automatically generated and downloaded in a click.
Set up recurring UARs
In the ConductorOne platform, we also recently added the ability to schedule recurring UAR campaigns, which adds a further layer of time savings to regular UAR processes. Now admins can create campaign templates scoped to specific review parameters and set them to automatically run at regular intervals. Campaign owners are notified a few days before the campaign is set to begin so they can confirm everything looks good; otherwise, campaign prep work and scheduling are effectively put on autopilot.
Scope UARs for specific review needs
We also just updated our campaign scoping features to enable more tailored and dynamic reviews. When setting up a UAR campaign, admins can now scope the campaign by specific users or user criteria like attributes, status, or direct reports, as well as by account parameters like ownership or type. These robust scoping capabilities give admins the ability to quickly run tightly scoped reviews in response to trigger events or specific needs, as well as to schedule repeating campaigns that will be automatically prepared using the most up-to-date system data.
Learn more → How Ramp Implemented Just-in-Time Access
Conclusion
UARs are not the only tool in your toolbox, nor should they be, but used in coordination with proactive risk management and strong access controls, they ensure you’re catching access threats from all angles and meeting important compliance requirements.
How often to run UARs depends on your business, access environment, and compliance needs. However, whether you’re conducting reviews once a quarter or once a week, if you can leverage modern tools that help orchestrate access data and automate workflows, the process won’t get in the way of the payoffs.
ConductorOne helps organizations streamline user access reviews and automate access control and governance. Contact us today to learn how we can help you implement these strategies and more.