Privilege Review

Privilege review (or access certification) is the periodic process of validating the access rights of users to systems, data, and applications. It ensures that users have only the permissions necessary for their current role and that access is revoked when no longer needed (e.g., after a role change or termination).

Impact

Failure to conduct regular privilege reviews leads to "privilege creep," where users accumulate access rights over time. This increases the attack surface; if a user's account is compromised, the attacker inherits all accumulated permissions, maximizing the potential damage.

Weinto take

Identity is the new perimeter. We treat privilege review not as a quarterly compliance box-ticking exercise, but as a continuous hygiene practice. We advocate for automated, event-driven reviews (Joiner-Mover-Leaver, or JML, processes) over manual spreadsheet audits.
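As an added illustration (not code from this page or its author), the sketch below shows an event-driven review: each joiner, mover or leaver event is checked against a per-role baseline, so access left over from a previous role is revoked when the role changes rather than at the next audit. The role names, entitlement strings, `HREvent`, `review` and `process` are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role baselines: the least-privilege entitlement set per role.
ROLE_BASELINE = {
    "support": {"crm:read", "tickets:write"},
    "finance": {"crm:read", "ledger:read", "ledger:write"},
}

@dataclass
class HREvent:
    kind: str                      # "joiner", "mover" or "leaver"
    user: str
    new_role: Optional[str] = None

def review(event, held):
    """Return (revoke, grant) for one JML event, given the entitlements held."""
    if event.kind == "leaver":
        return set(held), set()            # termination: revoke everything
    if event.kind not in ("joiner", "mover"):
        raise ValueError(f"unknown event kind: {event.kind}")
    if event.new_role not in ROLE_BASELINE:
        # Fail closed: an unmapped role must not silently keep old access.
        raise ValueError(f"no baseline for role: {event.new_role}")
    baseline = ROLE_BASELINE[event.new_role]
    return held - baseline, baseline - held    # creep to remove, access to add

def process(events, store):
    """Apply each event to the entitlement store; return an audit trail."""
    audit = []
    for ev in events:
        held = store.get(ev.user, set())
        revoke, grant = review(ev, held)
        store[ev.user] = (held - revoke) | grant
        audit.append((ev.user, ev.kind, sorted(revoke), sorted(grant)))
    return audit

# Constructed sample: alice joins support, moves to finance, then leaves.
SAMPLE_EVENTS = [
    HREvent("joiner", "alice", "support"),
    HREvent("mover", "alice", "finance"),
    HREvent("leaver", "alice"),
]

if __name__ == "__main__":
    for row in process(SAMPLE_EVENTS, {}):
        print(row)
```

The audit trail returned by `process` records what was revoked and granted for each event, which is the evidence a periodic access certification would otherwise have to reconstruct by hand.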