IT Infrastructure

Why Quarterly Access Reviews Fail (and How to Fix It)

Why Quarterly Access Reviews Fail

Ask most CISOs how confident they are in their access controls and the answer is usually “very.” Ask when someone last actually looked at what a specific engineer or contractor can touch, and the confidence drops fast. That gap is the real story behind the quarterly access review: a control almost every compliance framework requires, that almost every audited company runs, and that — in its most common form — catches remarkably little of the access risk sitting inside the organization. If your last review cycle ended with a manager clicking “approve all” on a spreadsheet of 200 entitlements, you already know the process is broken; a compliance audit is usually where that gets confirmed in writing.

This isn’t an argument against reviewing access. It’s an argument against treating a fixed, once-a-quarter checklist as if it were the control itself, rather than one input into a much better system. Below is what actually breaks a quarterly access review, what it costs when it breaks quietly, and a concrete framework for rebuilding the process around real risk instead of a calendar reminder.

What a Quarterly Access Review Actually Is

A quarterly access review — sometimes called a user access certification or access attestation — is the process of periodically confirming that every user, service account, and contractor still needs the permissions they currently hold. A manager or system owner is handed a list of entitlements tied to their team or application and asked to certify each one as still appropriate, or to flag it for revocation.

The cadence itself comes from compliance, not from any principled view of how fast access risk actually accumulates. Frameworks like SOC 2, PCI DSS, and ISO 27001’s Annex A.5.18 all require organizations to periodically review who has access to what — PCI DSS specifically caps the interval at six months for human accounts, and most compliance teams round that down to a quarter for a safety margin. Once a control has to exist somewhere on an audit calendar, “quarterly” becomes the default answer almost regardless of the actual risk profile of the systems in scope.

🗓️ Quarterly is a compliance artifact, not a risk model

Nothing about how fast roles change, contractors rotate, or privileged access spreads actually happens on a 90-day clock. The cadence exists because auditors need a demonstrable, repeatable control — not because it matches how access risk actually accumulates.

Why Quarterly Access Reviews Fail in Practice

Each certification briefly resets known risk to a baseline, but role changes, new grants, and forgotten service accounts accumulate continuously between checkpoints — and the peak keeps climbing if drift isn't addressed between cycles.

The quarterly access review isn’t failing because teams are lazy about compliance. It’s failing structurally, in ways that show up the same way at almost every company that relies on it as the primary control:

  • Access drifts between cycles, not during them. The highest-risk moment for any account is right after a role change, transfer, or offboarding — not at the review checkpoint. An engineer who moves teams the week after a review can carry stale, overprivileged access for close to three months before anyone looks again.
  • Reviewer volume outpaces reviewer context. A manager handed 150-300 line items with generic entitlement names (“prod-db-readwrite,” “billing-admin”) has neither the time nor the technical context to evaluate each one individually, so certification fatigue sets in fast.
  • Incomplete inventories can only certify what’s already known. If shadow IT, forgotten service accounts, or unmanaged SaaS integrations aren’t in the source system feeding the review, the review can look complete while missing exactly the access nobody’s tracking.
  • The process assumes access is stable — machine identities aren’t. Service accounts, CI/CD tokens, and automation credentials get created, cloned, and over-scoped between review cycles far faster than the quarterly model was designed to catch, and they typically outnumber human accounts several times over.
  • Legacy IAM tooling makes frequent review painful, so teams under-review. Where certification means exporting a spreadsheet and chasing managers by email, the operational cost of reviewing more often than required pushes every team toward the legal minimum, not the practical optimum.

None of this means the control is worthless — it means a fixed calendar cadence, run manually, was never built to catch the failure modes that actually cause breaches.

The Hidden Cost of a Rubber-Stamped Review

Rubber-stamping — bulk-approving an entire list without evaluating individual entries — is the predictable outcome of handing an overloaded reviewer a long, low-context list on a deadline. It’s also close to universal: well over 75% of organizations acknowledge it’s a meaningful problem in their own certification process, and in some documented cases the overwhelming majority of line items in a review cycle were approved without any real scrutiny at all.

The cost isn’t abstract. Credential abuse — using access that was never revoked, never scoped down, or never should have existed — shows up somewhere in the attack chain of 39% of breaches, according to Verizon’s 2026 Data Breach Investigations Report, making it the single most pervasive technique in the entire dataset. A separate 2026 industry study found 71% of organizations suffered an identity-related breach in the prior twelve months — despite most of those same organizations running a quarterly (or more frequent) certification process the whole time.

Gart has seen this pattern firsthand. During an infrastructure audit for an AI art marketplace, the assessment turned up outdated credentials with no rotation policy and security groups that hadn’t been scoped to least privilege in months — the exact kind of drift a functioning access review is supposed to catch, sitting undetected through multiple review cycles because the certifications that did happen weren’t evaluating the entitlements closely enough to notice.

The Access Drift Problem, Visualized

The diagram below is the core issue in one picture: a quarterly review only takes a snapshot every 90 days, while actual access risk — role changes, new grants, forgotten service accounts — accumulates continuously in between. By the time the next certification happens, weeks or months of undetected drift have already passed.Access risk between quarterly review checkpointsUnreviewed access riskTime (one review cycle = one quarter)Q1 reviewQ2 reviewQ3 reviewRisk keeps climbing higher each cycleEach certification briefly resets known risk to a baseline, but role changes, new grants, and forgotten service accounts accumulate continuously between checkpoints — and the peak keeps climbing if drift isn’t addressed between cycles.

Quarterly Certification vs. Continuous Access Governance

The fix isn’t necessarily to review more often on the same manual model — it’s to change what the review is actually doing. The table below lays out the practical difference between the two approaches:

DimensionQuarterly certification (manual)Continuous access governance
Detection speedUp to 90 days after access becomes inappropriateNear real-time, triggered by role change, inactivity, or anomaly
Reviewer workloadLarge batch, low context, once per quarterSmall, targeted decisions surfaced as they matter
Coverage of machine identitiesOften excluded or reviewed as an afterthoughtSame lifecycle controls applied to service accounts and tokens
Audit evidenceA signed spreadsheet, difficult to prove was substantiveContinuous logs of grants, revocations, and owner attestations
Most common failure modeRubber-stamping under deadline pressureAlert fatigue if thresholds aren’t tuned to actual risk
Quarterly Certification vs. Continuous Access Governance

In practice, most mature programs don’t abandon periodic certification entirely — they keep it as a point-in-time accountability checkpoint, but stop relying on it as the only control, layering continuous enforcement underneath it instead.

How to Fix the Process: A 7-Step Framework

None of this requires ripping out your existing compliance calendar. It requires changing what happens on it and what runs between the dates on it:

  1. Build a complete, owned inventory first. A review is only as good as the list it’s certifying — reconcile identity, application, and cloud-provider sources so shadow accounts and orphaned service accounts actually show up.
  2. Assign a real owner to every entitlement, not just every account. Reviewers approve faster and more accurately when the item in front of them has business context attached — “why does this exist” — not just a permission name.
  3. Cap what any single reviewer sees in one sitting. Long lists are what produce rubber-stamping; segmenting reviews by risk tier or team size keeps each decision genuinely evaluable.
  4. Automate revocation of access tied to role changes and offboarding. This is the single highest-leverage fix, since it closes the exact drift window that quarterly cycles miss between checkpoints.
  5. Extend the same lifecycle rules to service accounts and API tokens. Expiry dates, ownership, and rotation policies for machine identities close a gap that purely human-focused reviews leave wide open.
  6. Instrument usage, not just entitlement. Flagging access that hasn’t actually been used in 60-90 days turns the review into a data-driven exercise instead of a memory test for the reviewer.
  7. Keep quarterly certification as evidence, not enforcement. Once continuous controls are in place, the periodic review becomes a lighter-weight sign-off confirming the automated controls are working — which is exactly what auditors want to see documented.

🔧 Policy-as-code closes the gap between reviews
Encoding access rules so they’re enforced automatically — rather than relying on a human to catch a violation once a quarter — is the same shift Gart’s guide to policy as code for security and compliance walks through in more technical depth, including how it maps controls directly to SOC 2, HIPAA, and PCI DSS requirements.

Building a Review Cadence Around Risk, Not the Calendar

Uniform quarterly review frequency treats a marketing intern’s read-only dashboard access the same way it treats a database admin’s production credentials. Mature access governance programs stop doing that and tier the cadence instead:

  • Tier 1 — privileged and regulated-data access: production admin rights, financial systems, PHI/PII stores. Reviewed monthly or continuously, with owner attestation required for every grant.
  • Tier 2 — standard business application access: CRM, ticketing, internal tools tied to a specific role. Reviewed quarterly, largely automated against HR role data.
  • Tier 3 — low-risk, ephemeral, or read-only access: shared dashboards, sandbox environments, time-boxed contractor access. Governed by expiry and automated policy rather than manual certification at all.

This tiering is also what makes the workload sustainable. Concentrating manual review effort on the smallest, highest-risk slice of entitlements — rather than spreading it evenly across every account in the company — is what lets reviewers actually evaluate what’s in front of them instead of defaulting to “approve all.”

Where This Fits Your Compliance Program

Every major framework treats access review as a named, testable control, which is exactly why it tends to calcify into a checkbox exercise rather than a living process. NIST SP 800-53’s account management control family calls for periodic review of accounts against least-privilege principles; ISO 27001’s Annex A.5.18 requires access rights to be provisioned, reviewed, and removed in line with a documented policy; and PCI DSS sets an explicit maximum interval for human accounts. None of these frameworks mandate the manual, spreadsheet-driven version of the control — they mandate evidence that access stays appropriate, which continuous governance actually produces more convincingly than a signed quarterly form.

This is also where access review connects to the broader audit conversation most engineering leaders are already having. Gart’s infrastructure audit process treats IAM policy evaluation as a core checkpoint alongside network and backup controls, and the infrastructure audit checklist is a useful gut-check before your next certification cycle if you’re not confident your source-of-truth inventory is actually complete. For regulated workloads specifically, the same lifecycle discipline shows up in Gart’s breakdown of HIPAA-grade access controls for PostgreSQL, and for teams enforcing access at the pipeline level, RBAC in CI/CD pipelines is the companion piece on gating deploys and secrets by role rather than raw repository access.

If access review keeps surfacing as a recurring audit finding rather than a resolved control, that’s usually a sign the underlying inventory and ownership data need work before another review cycle will help — which is exactly what a broader infrastructure assessment is built to diagnose.

Access Governance & Compliance Audits

Not sure your access reviews would survive a real audit?

Gart Solutions runs infrastructure and compliance audits that go past the spreadsheet — reconciling your actual identity and access inventory, testing least-privilege enforcement, and closing the drift that happens between certification cycles. We help engineering and security teams turn quarterly access review from a checkbox into evidence that holds up.

Compliance Audit Infrastructure Audit IAM & Access Policy Review Policy as Code DevSecOps Consulting IT Infrastructure Assessment
Talk to an audit specialist
Roman Burdiuzha

Roman Burdiuzha

Co-founder & CTO, Gart Solutions · Cloud Architecture Expert

Roman has 15+ years of experience in DevOps and cloud architecture, with prior leadership roles at SoftServe and lifecell Ukraine. He co-founded Gart Solutions, where he leads cloud transformation and infrastructure modernization engagements across Europe and North America. In one recent client engagement, Gart reduced infrastructure waste by 38% through consolidating idle resources and introducing usage-aware automation. Read more on Startup Weekly.

FAQ

What is a quarterly access review?

A quarterly access review is a periodic process, usually run every 90 days, where managers or system owners certify that each user, contractor, or service account under their responsibility still needs the access it currently holds. It's a common way organizations satisfy access-review requirements in frameworks like SOC 2, PCI DSS, and ISO 27001.

Why do quarterly access reviews fail to catch real access risk?

Quarterly access reviews fail because most access risk accumulates between review cycles, not during them — role changes, offboarding, and new grants create stale permissions that can sit undetected for weeks or months. Reviewers also face large, low-context lists on a deadline, which leads to rubber-stamping, and manual reviews frequently exclude fast-changing service accounts and machine identities entirely.

How often should access reviews actually be performed?

The best-performing programs tier review frequency by risk instead of applying one interval to everything: privileged and regulated-data access reviewed monthly or continuously, standard business application access reviewed quarterly, and low-risk or time-boxed access governed by automated expiry rather than manual review at all. PCI DSS sets six months as a maximum interval for human accounts; most compliance teams treat that as a ceiling, not a target.

Who should be responsible for approving access reviews?

Entitlement owners — the manager, application owner, or system owner with direct context on why a specific person or service needs access — should approve reviews, not a centralized compliance team working from a generic list. Giving reviewers business context on each entitlement, and limiting how many items any one person certifies at once, is what reduces rubber-stamping.

What is rubber-stamping in access reviews, and how common is it?

Rubber-stamping is bulk-approving a list of entitlements without individually evaluating each one, typically because a reviewer is overwhelmed by volume and lacks context to make a real decision. It's widespread: well over 75% of organizations acknowledge it's a meaningful problem in their own access review process, and it directly undermines the value of the control for audit purposes.

How do you automate a user access review?

Automating access review starts with a reconciled, owned inventory of every account and entitlement, then layers continuous controls on top: automatic revocation tied to HR role changes and offboarding, expiry and rotation policies for service accounts and tokens, and usage-based flags for access that hasn't been touched in 60-90 days. The periodic certification then becomes a lightweight sign-off confirming those automated controls are working, rather than the sole line of defense.

Why do compliance frameworks like PCI DSS and SOC 2 require periodic access reviews?

Frameworks require periodic access review because unrevoked or excessive access is a leading factor in breaches — credential abuse shows up somewhere in the attack chain of 39% of breaches globally. PCI DSS caps the review interval for human accounts at six months, SOC 2 requires documented evidence that access stays appropriate to job function, and ISO 27001's Annex A.5.18 requires access rights to be provisioned, reviewed, and removed against a documented policy.
arrow arrow

Thank you
for contacting us!

Please, check your email

arrow arrow

Thank you

You've been subscribed

We use cookies to enhance your browsing experience. By clicking "Accept," you consent to the use of cookies. To learn more, read our Privacy Policy