Most companies implement a user access review (UAR) solution because they have to. Frameworks like SOX and PCI require quarterly UARs. Internal audit and GRC teams own the process. And the goal is usually the same: get through the audit, check the box, move on.
The bar to “pass” is often pretty low. But that doesn’t mean your UARs should be.
If all you’re doing is running access reviews for compliance, you’re leaving a ton of security value on the table. UARs can and should be a lever for reducing risk, limiting standing privileges, and strengthening your identity security posture. At ConductorOne, we see the best security teams use UARs not just to stay compliant, but to stay secure.
In this post, we’re sharing a few simple but high-impact ways to use UARs beyond compliance requirements based on real conversations we’ve had with security teams and customers.
Target unused access with monthly reviews
One of the most effective ways to improve security posture is also one of the simplest: look for users who aren’t using their access. Access that isn’t being used is access that shouldn’t exist. It creates risk, especially if it’s to sensitive systems like AWS or production environments.
Security teams can run monthly UAR campaigns targeting unused access. For example, you might look at all AWS users who haven’t logged in during the past 30 days and revoke any access that’s no longer needed. It’s a fast, repeatable check that cuts down standing privileges and keeps your environment clean between compliance-driven reviews.
With ConductorOne, it takes minutes to set up. Select the app, filter on last login, assign reviewers, and you’re ready to launch.
Review orphaned accounts with no known owner
Another key UAR security use case: finding and cleaning up orphaned accounts.
Orphaned accounts are application accounts that don’t map to an identity in your directory (IdP). They often belong to former employees or contractors (or worse, no one knows where they came from). The longer they linger, the more vulnerable they become.
Running a campaign that specifically targets accounts with no owner gives your team a chance to validate or remove access before it turns into an incident. These types of accounts are rarely caught during standard quarterly reviews but are easy to spot with the right filters in place.
And since they’re not bound to compliance requirements, these campaigns can run as frequently as you want.
Build regular reviews for service accounts
Service accounts often slip through the cracks. They’re persistent, usually over-permissioned, and frequently lack clear ownership. But they don’t have to be a black box.
With UARs, you can isolate service accounts and build recurring campaigns to validate their access. A good practice is to assign service account ownership, then let those owners self-certify the accounts monthly: Do we still need this? Is it configured correctly? That decision gets logged into a report, providing a record for future audits while tightening controls in the present.
The goal is simple: know what your service accounts are doing, who owns them, and whether they still belong in your environment.
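The two campaigns above (orphaned accounts with no matching identity, and service accounts with no assigned owner) share one join: application accounts matched against the directory. The following Python is an added example, not ConductorOne's code, that performs that join over constructed IdP and application exports. It labels each account as orphaned (no identity matches its email), owner-deprovisioned (the identity exists but is no longer active, the former-employee case), or service-no-owner (a service account absent from the ownership map). Field names and the ownership map are assumptions.

```python
# Constructed sample data, not real directory or application exports.
IDP_USERS = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "deprovisioned"},
    {"email": "carol@example.com", "status": "active"},
]

APP_ACCOUNTS = [
    {"username": "alice", "email": "Alice@Example.com", "type": "user"},
    {"username": "bob", "email": "bob@example.com", "type": "user"},
    {"username": "dave", "email": "dave@contractor-example.com", "type": "user"},
    {"username": "backup-bot", "email": "", "type": "user"},      # looks human, has no email
    {"username": "svc-deploy", "email": "", "type": "service"},
]


def normalize(email):
    """Case- and whitespace-insensitive email key; '' when the account has none."""
    return email.strip().lower() if email else ""


def classify_accounts(app_accounts, idp_users, service_owners=None):
    """Map account username -> finding label for every account that needs review.

    service_owners: assumed ownership register {service_account_name: owner}.
    Accounts that match an active identity are not returned.
    """
    directory = {normalize(u["email"]): u["status"] for u in idp_users}
    service_owners = service_owners or {}
    findings = {}
    for acct in app_accounts:
        name = acct["username"]
        if acct["type"] == "service":
            # Service accounts are reviewed by their owner, so a missing owner
            # is itself the finding (nobody can self-certify it).
            if name not in service_owners:
                findings[name] = "service-no-owner"
            continue
        status = directory.get(normalize(acct["email"]))
        if status is None:
            findings[name] = "orphaned"
        elif status != "active":
            findings[name] = "owner-deprovisioned"
    return findings


if __name__ == "__main__":
    for name, label in classify_accounts(APP_ACCOUNTS, IDP_USERS).items():
        print(f"{name}: {label}")
```

The email key is normalized because application exports frequently differ from the IdP in case, and a naive exact match would report an active employee as orphaned. An account with no email at all falls into the orphaned bucket on purpose: it is exactly the "no one knows where it came from" case, and the reviewer, not the script, decides whether it is a forgotten bot or a leftover from a departed contractor.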
Review access to production environments—especially for contractors
Contractors often have elevated access to critical systems. But they’re also more likely to have variable schedules, leave the company unexpectedly, or have access needs that change frequently.
Setting up automated UARs that specifically target contractors with access to production data ensures that those entitlements are reviewed more often than the default quarterly cycle. It also reduces the window of risk for accounts that are more prone to slipping through offboarding workflows.
Some companies we work with take this further by time-boxing access entirely, limiting production access to 12-hour windows. What they’ve found is that most people don’t actually need daily access. Frequent reviews give you the insight and control needed to implement those kinds of changes confidently.
Enforce access policies with filters like “direct vs. inherited”
UARs aren’t just about cleaning up what’s unused. They can also help enforce your access control policies more proactively.
Take GitHub, for example. If your policy is that no one should be directly assigned to a repo—that access should only come through teams or groups—you can run a campaign filtered to show only direct grants. From there, it’s easy to revoke anything that violates policy.
These kinds of campaigns are lightweight and narrowly scoped, but they help enforce governance without manual detective work.
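An added example of the "direct vs. inherited" filter for the GitHub policy above (not ConductorOne's code; it does not call GitHub). It goes a step beyond the filter: for each direct grant it also looks up what the same user already receives through teams, so the reviewer can see which revocations are no-ops (team access is equal or higher), which would lower the user's effective role, and which would remove access entirely and therefore need a team assignment first. The repository and team data are constructed, and the role ordering follows GitHub's read/triage/write/maintain/admin repository roles.

```python
# GitHub repository roles, lowest to highest.
ROLE_RANK = {"read": 0, "triage": 1, "write": 2, "maintain": 3, "admin": 4}

# Constructed sample: per repo, the direct collaborator grants and the teams
# (role, members) that also have access. Not real organization data.
SAMPLE_REPOS = {
    "payments-api": {
        "direct": {"alice": "admin", "bob": "write", "eve": "read"},
        "teams": {
            "backend": ("write", ["alice", "bob"]),
            "sre": ("admin", ["alice"]),
        },
    },
    "docs": {
        "direct": {},
        "teams": {"writers": ("write", ["carol"])},
    },
}


def team_role(repo, user):
    """Highest role the user inherits through any team on the repo, or None."""
    best = None
    for role, members in repo["teams"].values():
        if user in members and (best is None or ROLE_RANK[role] > ROLE_RANK[best]):
            best = role
    return best


def audit_direct_grants(repos, exceptions=()):
    """List every direct grant that violates the teams-only policy.

    Returns tuples (repo, user, direct_role, inherited_role, action) where action is
      revoke-safe          team access already covers the direct role
      revoke-lowers-access team access exists but at a lower role
      revoke-after-review  no team access at all; revoking removes the user entirely
    exceptions: assumed set of (repo, user) pairs approved outside the policy.
    """
    findings = []
    for repo_name, repo in repos.items():
        for user, role in sorted(repo["direct"].items()):
            if (repo_name, user) in exceptions:
                continue
            inherited = team_role(repo, user)
            if inherited is None:
                action = "revoke-after-review"
            elif ROLE_RANK[inherited] >= ROLE_RANK[role]:
                action = "revoke-safe"
            else:
                action = "revoke-lowers-access"
            findings.append((repo_name, user, role, inherited, action))
    return findings


if __name__ == "__main__":
    for repo_name, user, role, inherited, action in audit_direct_grants(SAMPLE_REPOS):
        print(f"{repo_name}: {user} direct={role} via-team={inherited} -> {action}")
```

Separating the three outcomes matters for a lightweight campaign: the revoke-safe rows can be bulk-approved without anyone losing access, while the revoke-after-review rows are the ones where a reviewer has to decide whether the person belongs on a team or should lose access altogether.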
Use CEL to drive policy-based automation
One of the most powerful features in ConductorOne is Common Expression Language (CEL). CEL lets you define custom approval and revocation logic using “if-this-then-that” expressions.
That means you can automate decisions based on request metadata like:
- Request source (e.g., “if from Slack, assign to manager”)
- IP address (e.g., “if from office IP, auto-approve”)
- Request duration (e.g., “if <12h, auto-approve; if >12h, assign to app owner”)
- User location (e.g., “if not US-based, auto-decline”)
These expressions let you scale access decisions without writing code. CEL can be used to configure ConductorOne groups and policies, which power access reviews and enforcement. That makes it especially valuable for building flexible, nuanced UAR logic like automating assignments, defining auto-approvals, or applying policy-based revocation.
Even simple CEL rules can eliminate hours of manual work while enforcing better policy alignment.
Security-led UARs don’t have to be complicated
Compliance-driven UARs can be more complex than they need to be because they’re tied to frameworks, review cycles, and formal auditor requirements.
But if your goal is better security, not just better audit outcomes, you don’t have to wait for those cycles. You can run campaigns anytime, scope them to whatever you want, and build them in five minutes with ConductorOne.
None of these take a major lift to stand up. But they give you ongoing visibility, tighter control over access, and fewer surprises.
Ready to move beyond checkbox compliance? Book a demo to see how easy security-driven access reviews can be with ConductorOne.