Episode 21 — Review Identity Access Regularly Before Privilege Drift Becomes Dangerous

In this episode, we start by looking at a problem that often grows so slowly people barely notice it until it has already become risky. A new employee gets the access they need on day one, then they join a project, help another team, take on a temporary task, and slowly collect more permissions than anyone intended. Months later, nothing about their job looks suspicious on the surface, but the amount of data, systems, and administrative power tied to that one identity is far larger than it should be. That quiet expansion is what makes privilege drift dangerous. It does not usually arrive as a dramatic mistake. It builds through normal work, routine approvals, and small changes that feel harmless by themselves. Regular access review matters because security is not just about deciding who gets access once. It is also about checking whether that access still makes sense after real life starts changing around people, teams, and systems.

Before we continue, a quick note. This audio course is part of our companion study series. The first book is a detailed study guide that explains the exam and helps you prepare for it with confidence. The second is a Kindle-only eBook with one thousand flashcards you can use on your mobile device or Kindle for quick review. You can find both at Cyber Author dot me in the Bare Metal Study Guides series.

At a basic level, identity and access management is the discipline of deciding who or what can enter a system, what they can reach once inside, and what actions they are allowed to perform. A review is simply a deliberate check to confirm those decisions are still correct. Privilege drift happens when access slowly expands or stays in place after the original business need has changed. Sometimes the access was approved for a good reason at the time, which is part of what makes this issue so easy to miss. The danger is not only that someone could abuse excess privileges on purpose. The bigger concern in many environments is that too much access increases the damage that can happen through error, compromise, or misunderstanding. When a single account can view, change, delete, approve, or move more than it should, one bad click or one stolen password can reach much farther than the organization expected.

One reason this topic matters so much is that most organizations change faster than their access records do. People move between departments, cover for coworkers, join temporary projects, inherit tasks during emergencies, and keep old permissions because removing them takes time and coordination. Managers also change, team names change, systems merge, and new cloud services appear while old ones remain connected in the background. Every change adds an opportunity for access to become slightly misaligned with real job needs. On any single day, the difference may look small enough to ignore. Over time, though, those small mismatches stack up until a normal user account might have broad file access, elevated approval rights, old shared drive permissions, and entry into applications that no longer match the person’s current role. Regular review is what turns access from a one-time setup task into an ongoing control. Without that habit, organizations are basically trusting that yesterday’s approvals still match today’s reality.

It helps to understand that privilege drift usually does not come from one obvious bad decision. More often, it grows through perfectly ordinary requests that each made sense in isolation. A person may be granted temporary access to help close a quarter-end deadline, and then nobody circles back to remove it. Later that same person joins a cross-functional project and receives another set of permissions to a different application. Then a teammate leaves suddenly, so extra approvals are delegated for coverage. None of these moments feels reckless when viewed alone. The problem appears when nobody pauses to ask whether all the old access should remain after the temporary need ends. Security failures often take advantage of that accumulation. An attacker does not care whether extra permissions were granted for a kind and reasonable business reason. If those permissions are still active, they become part of the attack surface. That is why regular review is less about second-guessing the past and more about validating the present.

Another important point is that access is tied to changing identities, not fixed job titles on a chart. Two people with similar titles may need different levels of access because one handles customer records, another works on reporting, and a third is acting as backup for a manager on leave. At the same time, one person may keep multiple identities in different systems, such as a normal user account, a higher-privilege administrative account, a remote access account, or credentials for a specialized business application. If those identities are reviewed loosely, it becomes easy to focus only on the person and forget the full set of ways that person can interact with the environment. Good review thinking asks a wider question. It asks not only whether Jason or Maria still needs access, but also which accounts, groups, applications, approval paths, and inherited permissions are still justified for that person today. That broader view is what helps uncover hidden privilege that would otherwise stay invisible.

Regular review also matters because granting access and proving continued need are not the same thing. Initial approvals often happen when there is urgency, a new hire date, a deadline, or pressure to get someone productive quickly. In those moments, speed usually wins over reflection, and that is understandable because work has to begin. The trouble starts when organizations treat that first approval as permanent evidence that the access should remain forever. Access should be seen as something connected to a current business purpose, not as a permanent reward that follows a person indefinitely. A role change, a completed project, a closed contract, or a retired system should all trigger fresh thinking about what remains necessary. When no one asks the follow-up question, extra privileges become sticky. They survive because removing them requires effort, while leaving them in place feels easier. Security work often means resisting the easy default. The safe answer is not to preserve every past approval. The safe answer is to verify whether the need still exists right now.

The principle behind these reviews is often called least privilege, which means giving identities only the minimum access needed to perform legitimate duties. That idea sounds simple, but in real life it is not a one-time destination that an organization reaches and then forgets. Least privilege is a moving target because duties change, projects end, tools evolve, and business processes shift. A person who needed broad access during a migration may need much less once the migration is complete. Someone promoted into leadership may need additional reporting visibility but no longer need direct editing rights in several operational tools. Regular review is how least privilege stays alive instead of becoming a slogan. It helps an organization shrink access back to the level that fits current responsibilities. Without review, least privilege quietly erodes into something closer to accumulated privilege, where users keep everything they ever needed plus several things they only needed for a short period. That gap between principle and reality is exactly where risk grows.

A useful way to think about privilege drift is to picture a house where every contractor who ever needed a key was allowed to keep one. The plumber needed access last spring, the painter needed access in summer, the dog walker covered for a weekend, and a neighbor helped during a vacation. Each key was issued for a reason, but over time the owner loses track of who still has entry. The problem is not that every person with a key is untrustworthy. The problem is that the owner no longer has clear control. Digital environments work the same way. An organization may have users in old access groups, dormant shared accounts, forgotten vendor accounts, broad folder permissions, and approval rights that remain active long after the work ended. Reviews restore visibility and control. They force the organization to answer simple but powerful questions about who has access, why they have it, whether it is still needed, and what would happen if that account were misused tomorrow.

When people perform these reviews well, they do more than scan a name and click approve. They look for context. They ask whether the person still works in that role, whether the system still contains the same kind of sensitive information, whether the access level matches the person’s current duties, and whether any elevated rights were supposed to be temporary. They also consider combinations of access, because risk often appears when separate permissions overlap in harmful ways. Someone who can create a vendor, approve a payment, and hide the transaction from normal oversight presents more concern than someone who only has one of those abilities. Even read-only access can matter if it reaches salary records, health information, legal files, or security configurations. That is why good review practice is not just administrative cleanup. It is risk analysis in a very practical form. The reviewer is translating business reality into access decisions and reducing the chance that convenience silently outruns control.

Consider a simple example involving a help desk worker who originally needed access to reset passwords and unlock accounts. During a busy period, that worker is temporarily granted broader permissions to create accounts for a hiring surge. Months later, the hiring project ends, but the added rights remain. Then the worker transfers to a training role and no longer needs direct access to live production accounts at all. If nobody reviews the accumulated permissions, the person may still hold powerful capabilities that exceed the current job by a wide margin. That becomes dangerous whether the account is used properly or not. A mistake could affect many users at once, and a compromised account could be leveraged to move deeper into the environment. The same pattern happens in finance systems, human resource platforms, cloud consoles, and collaboration tools. Access tends to expand quickly because adding rights solves an immediate problem. It tends to shrink slowly because removal feels less urgent. Review is what corrects that natural imbalance.

The need for regular review becomes even clearer when you think beyond individual employees. Contractors, interns, vendors, service providers, and automated processes can all accumulate privileges over time. A contractor account created for a six-month project may still exist two years later because the system owner assumes someone else removed it. A vendor may keep remote diagnostic access after support work is complete. An automated task may continue running with elevated permissions that were only needed during deployment or troubleshooting. These identities can be especially dangerous because they often receive less day-to-day attention than employee accounts. People may remember coworkers, but they forget background accounts and third-party access more easily. That makes reviews essential for keeping the full environment visible. Security is weakened whenever an organization only reviews the identities it sees every day while ignoring the quieter ones in the corners. Attackers do not limit themselves to the obvious accounts, and defenders should not either.

A common misconception is that regular review means distrusting employees or creating unnecessary friction. In reality, the goal is not to assume bad intent. The goal is to recognize that organizations are complicated and that outdated access is a normal byproduct of change. Review protects good employees as much as it protects systems because it reduces the chance they are blamed for actions tied to privileges they never should have kept. Another misconception is that access is safe as long as it was approved by a manager once. Managers are important, but they may not know every application, inherited group membership, or technical effect attached to an approval. A third misconception is that only highly privileged administrator accounts need attention. Broad business access can be just as sensitive if it reaches financial records, customer information, legal material, or core operational workflows. Regular review works best when people stop thinking only in terms of technical power and start thinking in terms of business impact, data exposure, and the range of damage an account could enable.

Good organizations usually connect reviews to both time and events. Time-based review means access is checked on a recurring basis so drift does not stay hidden for years. Event-based review means access is reexamined when something meaningful changes, such as a transfer, promotion, termination, extended leave, completed project, contract end, merger, or major system change. That combination matters because waiting only for a scheduled review can leave risky access in place for too long, while relying only on event triggers can fail when the organization misses a change. Neither approach is perfect by itself. Together they create a more realistic safety net. What matters most is not choosing a magic interval. What matters is building the expectation that access should be revisited whenever reality changes enough to call the old decision into question. When that expectation becomes part of culture, ownership improves as well. Someone actively cares who has access, why it exists, and when it should end, which makes privilege drift much harder to ignore.
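The context checks a reviewer applies by hand in the passages above (accumulated rights versus the current role, expired temporary grants, the vendor/payment/concealment combination, and time- or event-based triggers) can be turned into a repeatable check. The following is an added example, not material from the course or its authors; the role baselines, the 90-day interval, the permission names and the sample identity are all constructed for illustration.

```python
from datetime import date

# Constructed, hypothetical role baselines: the least-privilege set each role is expected to hold.
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "unlock_account"},
    "training": {"read_training_content"},
}
# The toxic combination named in the episode: create a vendor, approve a payment, hide the record.
TOXIC_COMBINATIONS = [frozenset({"create_vendor", "approve_payment", "suppress_transaction_report"})]
REVIEW_INTERVAL_DAYS = 90          # time-based trigger (the interval is a constructed assumption)
REVIEW_EVENTS = {"transfer", "promotion", "termination", "extended_leave", "project_end", "contract_end"}

def review_identity(identity, today):
    """Return (severity, finding) tuples for one identity's accumulated access as of `today`."""
    findings = []
    held = {g["permission"] for g in identity["grants"]}
    # 1. Temporary grants whose expiry has passed but which were never removed.
    for g in identity["grants"]:
        if g["expires"] is not None and g["expires"] < today:
            findings.append(("high", f"expired temporary grant still active: {g['permission']}"))
    # 2. Privilege drift: anything held beyond the baseline for the person's current role.
    drift = held - ROLE_BASELINE.get(identity["role"], set())
    if drift:
        findings.append(("high", f"outside role '{identity['role']}': {sorted(drift)}"))
    # 3. Separation of duties: permissions that are harmful when held together.
    for combo in TOXIC_COMBINATIONS:
        if combo <= held:
            findings.append(("critical", f"toxic combination held: {sorted(combo)}"))
    # 4. Time-based and event-based review triggers.
    overdue = (today - identity["last_review"]).days - REVIEW_INTERVAL_DAYS
    if overdue > 0:
        findings.append(("medium", f"scheduled review overdue by {overdue} days"))
    for event in identity["events_since_review"]:
        if event in REVIEW_EVENTS:
            findings.append(("medium", f"event-based review triggered by: {event}"))
    return findings

# Constructed sample: the episode's help desk worker, now transferred into a training role.
HELPDESK_WORKER = {
    "name": "example.user", "role": "training",
    "grants": [
        {"permission": "reset_password", "expires": None},
        {"permission": "unlock_account", "expires": None},
        {"permission": "create_account", "expires": date(2023, 12, 31)},  # hiring surge, never revoked
        {"permission": "read_training_content", "expires": None},
    ],
    "last_review": date(2023, 9, 1), "events_since_review": ["transfer"],
}
```

Running `review_identity(HELPDESK_WORKER, date(2024, 6, 1))` reports the expired hiring-surge grant, the three help desk rights that fall outside the training role, an overdue scheduled review, and the transfer that should have triggered an event-based review.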

By the time you step back and look at the full picture, the main lesson is straightforward even if the day-to-day details are messy. Access decisions cannot be treated as permanent just because they were reasonable when first approved. People change roles, systems change purpose, temporary needs expire, and permissions that once helped the business can later expose it to unnecessary risk. Regular review is the practical discipline that keeps those changes from turning into silent overexposure. It supports least privilege, strengthens accountability, improves visibility, and limits the blast radius of mistakes or compromise. Most of all, it reminds us that good security is not only about building barriers at the front door. It is also about checking the keys, passes, approvals, and inherited permissions that accumulate after the door has been opened many times. When organizations review identity access consistently, privilege drift stays manageable. When they do not, danger often grows quietly until it becomes impossible to ignore.
