Access review
A periodic audit confirming that every user retains only the access their current role requires, with documented attestations from the appropriate manager.
In more detail
Access review is the standard control to catch access creep. Users accumulate grants through role changes, project work, and one-off requests. Without a periodic review, the access set diverges from the user's current role, and the variance becomes a security finding when an auditor notices.
The control is universal in SOC 2 environments and required in many SOX implementations. The cadence is typically quarterly, sometimes monthly for higher-risk grants like admin permissions.
Where this shows up at Ceven
Ceven runs the access review continuously rather than quarterly. Monthly scans surface orphan accounts, stale admins, and over-provisioned licenses. The recovery ticket files itself in ServiceNow or Jira Service Management with the manager attestation request attached. The audit pack assembles continuously rather than waiting for the quarterly fire drill.
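The following is an added example, not Ceven's code or part of the original page. It sketches the core comparison an access review performs: each grant is checked against the HR roster and a per-role baseline, and exceptions are queued for the responsible manager to attest. The role names, grant names, 90-day staleness threshold and the "security-team" fallback reviewer are all assumptions, and the data is constructed.

```python
from datetime import date

# Constructed sample data; names, grants and thresholds are assumptions.
ROLE_BASELINE = {
    "engineer": {"repo:write", "ci:run"},
    "finance-analyst": {"erp:read", "reports:read"},
}
ADMIN_GRANTS = {"cloud:admin", "erp:admin"}
STALE_AFTER_DAYS = 90  # assumed idle threshold for admin grants

ROSTER = {  # active employees from HR: user -> (current role, manager)
    "alice": ("engineer", "dana"),
    "bob": ("finance-analyst", "erin"),
}
GRANTS = [  # (user, grant, date last used)
    ("alice", "repo:write", date(2024, 5, 30)),
    ("alice", "cloud:admin", date(2024, 1, 10)),  # admin right, long unused
    ("bob", "erp:read", date(2024, 5, 28)),
    ("bob", "repo:write", date(2024, 2, 1)),      # left over from an old role
    ("carol", "erp:admin", date(2023, 11, 2)),    # user no longer on roster
]


def review(roster, grants, today):
    """Return {reviewer: [(user, grant, finding), ...]} needing attestation."""
    queue = {}
    for user, grant, last_used in grants:
        if user not in roster:
            # No owner in HR data: route to a fallback reviewer.
            reviewer, finding = "security-team", "orphan account"
        else:
            role, reviewer = roster[user]
            idle_days = (today - last_used).days
            if grant in ADMIN_GRANTS and idle_days > STALE_AFTER_DAYS:
                finding = "stale admin"
            elif grant not in ROLE_BASELINE.get(role, set()):
                finding = "outside role baseline"
            else:
                continue  # grant matches the current role; nothing to attest
        queue.setdefault(reviewer, []).append((user, grant, finding))
    return queue


if __name__ == "__main__":
    for reviewer, items in review(ROSTER, GRANTS, date(2024, 6, 1)).items():
        print(reviewer, items)
```

Grants that match the baseline are skipped, so the manager's attestation queue contains only the exceptions: the leftover grant from a role change, the unused admin right, and the account with no owner.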