Most organisations know who should have access to what — in theory. The practice is usually messier.

Access rights accumulate over time. An employee joins a project, gets the permissions they need, and moves on. The permissions stay. Another employee changes roles; the old access is rarely removed with the same care it was granted. Systems are connected, integrations are built, and service accounts are created — often with broader rights than necessary, because it is easier than scoping them precisely at the time.

The result is a gap between the access map on paper and the access map in reality. This gap is not a sign of negligence. It is a natural consequence of how work changes faster than administration follows.

Why This Matters

The risk is not purely theoretical. Excess access increases the blast radius of a compromised account. It creates audit findings that are difficult to explain. And it produces liability: if an employee can access data they have no reason to access, the organisation is responsible for that exposure — regardless of whether anything goes wrong.

For organisations in regulated sectors, this is a compliance issue with a clear paper trail. For those preparing for ISO 27001 or a client security audit, access rights are among the first things reviewers look for.

A Practical Starting Point

The most useful first step is rarely a full access review. Full reviews are slow, expensive, and produce a snapshot that is already outdated by the time it is complete.

More effective is a targeted review of the highest-risk areas: administrative accounts, access to financial or personal data, and accounts belonging to employees who have left or changed roles. These are the places where accumulated rights cause the most exposure.

From there, a sustainable process for granting, reviewing, and revoking access tends to produce more lasting improvement than a one-time audit.
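As an added example (not part of the original article), the targeted review above can be started with a simple reconciliation of an HR export against an access export, flagging the three categories named: accounts of leavers, rights that predate an employee's current role on systems holding financial or personal data, and administrative accounts. The records, field names and system names below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data standing in for an HR export and an access export.
# In a real review these come from the HR system and from each target system.

@dataclass
class Employee:
    user: str
    status: str        # "active" or "left"
    role: str
    role_since: date   # start of the current role

@dataclass
class Grant:
    user: str
    system: str
    perm: str          # the system role/permission granted
    granted_on: date
    admin: bool        # administrative privilege on that system
    sensitive: bool    # system holds financial or personal data

HR = [
    Employee("alice", "active", "finance-analyst", date(2023, 1, 9)),
    Employee("bob",   "left",   "developer",       date(2021, 6, 1)),
    Employee("carol", "active", "sales",           date(2024, 3, 4)),  # moved out of finance
]

GRANTS = [
    Grant("alice",      "ledger",     "viewer", date(2023, 2, 1),  admin=False, sensitive=True),
    Grant("bob",        "gitlab",     "owner",  date(2021, 7, 1),  admin=True,  sensitive=False),
    Grant("carol",      "ledger",     "editor", date(2022, 5, 10), admin=False, sensitive=True),
    Grant("carol",      "crm",        "user",   date(2024, 3, 5),  admin=False, sensitive=True),
    Grant("svc-backup", "fileserver", "admin",  date(2020, 1, 1),  admin=True,  sensitive=True),
]

def review(hr, grants):
    """Return (finding, grant) pairs for the high-risk categories of a targeted review."""
    people = {e.user: e for e in hr}
    findings = []
    for g in grants:
        emp = people.get(g.user)
        if emp is None:
            findings.append(("no-hr-owner", g))            # service or orphan account: needs a named owner
        elif emp.status == "left":
            findings.append(("leaver-still-granted", g))   # should have been revoked at departure
        elif g.sensitive and g.granted_on < emp.role_since:
            findings.append(("pre-role-change-sensitive", g))  # rights carried over from a previous role
        if g.admin:
            findings.append(("admin", g))                  # always in scope for a targeted review
    return findings

if __name__ == "__main__":
    for kind, g in review(HR, GRANTS):
        print(f"{kind:28} {g.user:12} {g.system:12} {g.perm}")
```

Alice's grant is not flagged: she is active, the grant is on a sensitive system but was made after her current role began, and it is not administrative.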

The Governance Question

Behind access rights is a governance question: who is responsible for approving access, and how is that responsibility exercised in practice?

In many organisations, access is requested informally and approved informally. There is no record of who authorised what, or when. When something goes wrong — or when an auditor asks — the answer is a shrug and a manual trawl through email history.

Establishing a clear, lightweight process for access governance does not require new tooling. It requires a decision about who is responsible and a habit of recording that responsibility.

The technical implementation is usually the easy part.