IT Infrastructure

Access Review Automation: Build vs. Buy vs. Manual

Access Review Automation Build vs. Buy vs. Manual

Every CTO reaches the same fork eventually: the quarterly access review has stopped being a formality and started eating a full week of someone’s time, and the question is no longer “should we automate this” but “how.” That’s the real decision behind access review automation — not whether to keep using a spreadsheet forever, but whether to build the automation in-house with scripts against your identity provider’s API, buy one of the dozens of commercial platforms now competing for this budget line, or stay manual a little longer because your entitlement graph genuinely doesn’t justify either yet. Gart’s compliance audit team gets asked to referee this exact decision more often than almost any other access-governance question, usually right after a failed or painfully expensive SOC 2 or ISO 27001 cycle.

This guide is that referee call in writing: what each path — manual, build, and buy — actually costs in time, headcount, and risk; the commercial tool categories worth knowing before a vendor call; and a decision framework you can apply to your own organization without sitting through six demos first. The conversation usually starts after a failed or painfully expensive audit exposed how much of the IAM configuration nobody had actually reviewed in years.

What Access Review Automation Actually Means

Access review automation is the use of software — whether custom-built or purchased — to collect entitlement data, route certify-or-revoke decisions to the right owner, and log the resulting evidence, without a human manually exporting, emailing, and re-importing a spreadsheet each cycle. It’s the mechanism; the underlying goal is unchanged from every identity framework’s core idea, NIST’s principle of least privilege — that every account should hold only the access it currently needs, no more.

The “automation” part isn’t all-or-nothing. Most mature programs automate data collection and evidence capture fully, automate routing and reminders almost completely, and keep the actual certify-or-revoke judgment call with a human reviewer — the tooling narrows what a person has to look at, rather than replacing the decision itself. We covered that workflow distinction in detail in how to run a user access review without spreadsheets; this article picks up from there to answer the question that guide doesn’t: which delivery model gets you to that workflow fastest for your specific situation.

The Three Paths: Manual, Build, or Buy

Every organization automating access reviews chooses, deliberately or by default, between three approaches. None of them is universally correct, and the right one depends far more on entitlement complexity and available engineering capacity than on company size alone:

  • Manual — spreadsheets, shared docs, or email threads, run by a person who owns the process end to end. Cheapest to start, most expensive to sustain past a certain scale.
  • Build — scripts and internal tooling written against your identity provider’s API (Okta, Entra ID, Google Workspace, AWS IAM) that automate collection, routing, and evidence capture without buying a dedicated product.
  • Buy — a commercial platform, ranging from a lightweight access-certification tool to a full enterprise identity governance and administration (IGA) suite, that provides the workflow, evidence trail, and integrations out of the box.

The rest of this guide breaks down what each path actually requires and where it tends to fail, so the decision isn’t made on a vendor’s pitch deck alone.

Staying Manual: When It Still Works (and When It Doesn’t)

Manual reviews aren’t automatically wrong. For a genuinely small entitlement footprint — a handful of systems, a headcount under roughly 150, and a first-time compliance audit — a well-structured spreadsheet process, run with discipline, can pass a SOC 2 or ISO 27001 review without a platform purchase. The mistake isn’t staying manual early; it’s staying manual past the point where the process can no longer keep up, which research from Secureframe’s access review benchmarking puts at a full review cycle averaging 149 days manually versus 55 days once automated — nearly a hundred extra days per cycle spent chasing sign-offs instead of running the business.

⚠️ The break point is roughly 500 employees or 100 applications

Past that rough threshold, the number of entitlements to cross-reference exceeds what any one person can track reliably inside a review window, and the same failure modes show up in nearly every organization we audit: stale snapshots, no single source of truth once the file is emailed around, and reviewers defaulting to “approve all” because a raw permission list carries no usage context to judge by.

If that describes your organization today, the deeper mechanics of what breaks and the exact process fix are in our companion guide on running a user access review without spreadsheets. What this article adds is the next decision: once you’ve decided manual is no longer sustainable, do you build the automation yourselves or buy it?

Building Your Own Access Review Automation

Building in-house is genuinely the right call for some organizations — typically ones with a narrow, stable set of systems, an identity provider with a solid API, and spare platform engineering capacity that isn’t fighting fires elsewhere. A first version is often just a scheduled script that pulls group memberships from your SSO provider, drops them into a lightweight workflow tool for manager sign-off, and logs the decision to a database instead of a spreadsheet tab. That can realistically ship in a few weeks.

What rarely gets budgeted honestly is what happens after v1 ships. A sustained in-house access review system needs ongoing coverage across roughly five distinct functions: the software engineering to build and extend it, operations to keep the integrations running as each connected system changes its API, security expertise to get the risk logic right, user support for the managers stuck on the workflow, and someone who actually understands the entitlement domain well enough to keep the automation meaningful rather than mechanical. None of that shows up as a single line item — it’s absorbed into the engineering backlog, which is exactly why “build” often looks free in the planning meeting and expensive eighteen months later.

  • API coverage for every connected system — not just your primary IdP. Shadow SaaS and systems outside SSO are usually where the build scope quietly triples.
  • A workflow and notification layer — routing, reminders, and escalations that someone has to design, not just the data pull.
  • An evidence store an auditor will accept — timestamped, queryable records of reviewer, decision, and action, not a log file nobody’s tested against a real audit request.
  • A maintenance owner named today — the person who updates the integration when Okta or Entra ID changes an API, not “whoever’s free.”
  • A plan for scope creep — new compliance frameworks, new subsidiaries, new systems all expand what the in-house tool needs to cover, indefinitely.

None of this rules out building — plenty of engineering-heavy organizations run this well. It rules out building without naming, up front, who owns it in twelve months.

Buying a Commercial Platform: The Three Tool Categories

“Buy” isn’t one category of product — it’s at least three, and conflating them is the single most common mistake we see in vendor selection. Compliance evidence platforms, lightweight access-certification tools, and full enterprise IGA suites solve overlapping but distinct problems, and picking the wrong one for your actual entitlement complexity means either overpaying for capability you don’t need or under-buying and hitting the same wall in eighteen months.

CategoryWhat it actually doesTypical time to valueWatch out for
Compliance evidence platforms (e.g., Vanta, Drata, Secureframe)Document that reviews happened and collect audit evidence; often layered on top of another system that does the actual review workflowWeeksProves reviews occurred — doesn’t necessarily automate the certify/revoke decision itself
Lightweight access-certification tools (e.g., Zluri, AccessOwl, Cakewalk, SecurEnds, Clarity Security)Run the actual review workflow — collect entitlements from connected SaaS apps, route certifications, execute revocations1-2 weeksDiscovery usually runs through your IdP, so apps outside SSO can stay invisible — ask vendors directly how they cover non-SSO and non-employee identities
Enterprise IGA suites (e.g., SailPoint, Okta Identity Governance, Saviynt)Full lifecycle governance — birthright provisioning, role modeling, separation-of-duties enforcement, deep on-prem and cloud coverage6-12 months, often longer with legacy platformsProfessional services costs can match or exceed the license fee; confirm before signing whether implementation is vendor-led or self-serve
Buying a Commercial Platform: The Three Tool Categories

A useful shortcut when evaluating any of the three: ask what percentage of your actual entitlement landscape the tool discovers on day one without custom integration work. Platforms that lean entirely on IdP-based discovery routinely cover only 30-40% of a real SaaS footprint, leaving contractors, vendors, and service accounts as an unreviewed blind spot that shows up as an audit finding later.

One “buy” scenario deserves a special note: if you’re already a Microsoft 365 E5 customer, the build-vs-buy math often changes entirely, because a meaningful share of enterprises already own Entra ID Governance access reviews as part of their existing license and simply haven’t turned them on. Our Entra ID Governance vs. manual access reviews cost breakdown walks through the exact licensing math before you evaluate a third-party purchase.

Which Approach Fits Your Organization

There’s no formula that replaces a proper assessment of your own entitlement graph, but the pattern below reflects what actually tends to work across the engagements we run, and it lines up with ISACA’s guidance on structuring access review verification around risk-based triggers rather than a one-size cadence:

Your situationRecommended path
Under ~150 employees, a handful of systems, first SOC 2 or ISO 27001 cycleStay manual, but structured — or layer a compliance evidence platform on top to shorten audit prep without a full workflow buy yet
150-1,000 employees, cloud/SaaS-heavy stack, entitlement volume still trackableBuy a lightweight access-certification tool — fastest path to real automation without enterprise IGA cost or timeline
Deep in-house platform engineering capacity, narrow and stable system listBuild — with a named long-term owner and budget for the five functions above, reviewed annually against whether buying now makes more sense
1,000+ employees, hybrid on-prem/cloud, multiple overlapping frameworks (SOX, SOC 2, ISO 27001), M&A-driven entitlement sprawlBuy an enterprise IGA suite — the role modeling and separation-of-duties enforcement earn their cost at this complexity
Need audit-ready evidence now while still deciding on a long-term platformLayer a compliance evidence platform in immediately; run the build-vs-buy evaluation for the workflow layer in parallel, not sequentially
Which Approach Fits Your Organization

Hidden Costs Nobody Puts in the Pitch Deck

Whichever path you’re leaning toward, a handful of costs consistently get left out of the initial comparison, and they’re usually what turns a confident decision into a regretted one a year later:

💸 SOC 2’s own criteria don’t specify a tool — only evidence
The AICPA’s Trust Services Criteria (CC6.1-CC6.3) require documented, periodic review of logical access with evidence of the decision and any resulting removal — they don’t mandate a specific product. That means a manual process, a build, or any of the three buy categories above can all satisfy the letter of the requirement; the real differentiator is whether the evidence is trustworthy and reproducible under audit pressure, not which logo is on the invoice. The same logic holds for more prescriptive frameworks like PCI DSS, whose own access-review requirements care about the control, not the vendor enforcing it.

Beyond that, watch for: integration costs that don’t show up in the license quote (custom connectors for internal or legacy systems usually cost extra, on either the build or buy path); the “shelf-ware” risk of buying enterprise IGA capability you don’t yet have the process maturity to use, which is common when the tool purchase happens before the workflow is actually defined; and the reverse risk on the build side engineering time that was supposed to be temporary becoming a permanent, unbudgeted maintenance line as soon as the first integration breaks during a platform migration elsewhere in the company.

Access Governance & Compliance Audit

Not sure whether to build, buy, or wait?

Gart Solutions runs a vendor-neutral assessment of your entitlement landscape — every system, every identity type, every framework you’re accountable to — and gives you a straight recommendation on whether to automate in-house, adopt a lightweight access-review tool, or invest in enterprise IGA, before you sit through a single vendor demo.

IT Audit Services Compliance Audit Security Audit Infrastructure Audit DevSecOps Consulting IT Infrastructure Consulting

You might also like

Roman Burdiuzha

Roman Burdiuzha

Co-founder & CTO, Gart Solutions · Cloud Architecture Expert

Roman has 15+ years of experience in DevOps and cloud architecture, with prior leadership roles at SoftServe and lifecell Ukraine. He co-founded Gart Solutions, where he leads cloud transformation and infrastructure modernization engagements across Europe and North America. In one recent client engagement, Gart reduced infrastructure waste by 38% through consolidating idle resources and introducing usage-aware automation. Read more on Startup Weekly.

FAQ

What is access review automation?

Access review automation is the use of software — either custom-built or purchased — to collect entitlement data from connected systems, route certify-or-revoke decisions to the right reviewer, and capture the resulting evidence automatically, replacing a manual export-email-chase cycle run through spreadsheets.

Should we build or buy access review automation?

Build tends to make sense for organizations with a narrow, stable system list, a capable identity provider API, and spare platform engineering capacity to maintain it long-term. Buy tends to make sense for most other organizations, especially past roughly 150-500 employees or 100 applications, where the ongoing engineering cost of building and maintaining the integration exceeds the license cost of a commercial tool.

How much does access review automation cost to build in-house?

The initial build is often just weeks of engineering time, but the sustained cost is rarely budgeted honestly: ongoing coverage typically spans five functions — software engineering, integration operations, security logic, reviewer support, and entitlement domain expertise — usually absorbed into the engineering backlog rather than tracked as a discrete cost, which is why in-house builds tend to look cheaper up front and more expensive over an eighteen-month horizon.

Why do enterprise IGA platforms take so long to implement?

Legacy enterprise IGA suites are built around deep role modeling, birthright provisioning, and separation-of-duties enforcement across both on-premises and cloud systems, which typically requires vendor-led or partner-led professional services and a 6-12 month rollout — sometimes longer where implementation costs can match or exceed the software license itself. Lightweight access-certification tools, by contrast, are usually built for self-serve setup and can go live in one to two weeks.

Who should own access review automation inside an organization?

IT or security typically owns the platform and the data pipeline, whether built or bought, but a named individual should own the tool's long-term maintenance specifically — updating integrations as connected systems change their APIs and expanding coverage as new systems are added. Without a named owner, both in-house builds and purchased platforms tend to drift out of date at the same rate a spreadsheet process does.

When is it still fine to run access reviews manually?

Manual reviews can still satisfy SOC 2, ISO 27001, and similar frameworks for smaller organizations — roughly under 150 employees with a handful of connected systems and a first compliance cycle — provided the process is structured, documented, and consistently run. The point to move off manual is when review cycles start stretching well past a few weeks or reviewers begin defaulting to blanket approvals rather than genuine per-entitlement decisions.

How does Gart Solutions help companies choose between building and buying access review automation?

Gart's compliance and infrastructure audit teams map your full entitlement landscape — every system, identity type, and compliance framework in scope — and deliver a vendor-neutral recommendation on whether to stay manual a while longer, build in-house tooling, or buy a specific category of commercial platform, based on your actual complexity rather than a vendor's sales narrative.
arrow arrow

Thank you
for contacting us!

Please, check your email

arrow arrow

Thank you

You've been subscribed

We use cookies to enhance your browsing experience. By clicking "Accept," you consent to the use of cookies. To learn more, read our Privacy Policy