User access reviews (UARs) are foundational to identity governance and compliance—but let’s be honest, they can be painful. If you’ve ever managed a UAR cycle with spreadsheets and endless email chains, you know the drill. But it doesn’t have to be that way.
At ConductorOne, we’ve helped companies of all sizes transform their approach to UARs—from time-consuming checkbox exercises to seamless, intelligent processes.
We call it the UAR Maturity Model—a four-phase journey that takes you from mayhem to minimal reviews.
Phase 1: Manual processes
What it looks like:
- Identity and access data pulled manually from multiple systems
- Spreadsheets, email chains, and ticketing systems used to assign and track reviews
- Reviewers overwhelmed with irrelevant access items
- Screenshots used to “prove” data accuracy
Effort: Very High
Volume: For illustration, a company with 2,000 employees reviewing access to 5 apps might generate 10,000+ individual access reviews per cycle.
This is where most companies start. It’s labor-intensive, slow, and demoralizing. Reviews are often rubber-stamped because no one has the time or clarity to make informed decisions. Sound familiar? If your current process feels like a compliance fire drill every quarter, you’re not alone.
What’s broken:
- Data is outdated before reviews even begin
- Admins lack visibility into review progress
- Endless screenshots to prove access validity
- You’re wrapping one UAR just in time to start the next—stuck in a never-ending cycle
Phase 2: Basic automation
What it looks like:
- Access data centralized in a governance platform like ConductorOne
- Review campaigns scheduled and triggered automatically
- Some filtering applied (e.g., by role, department, or risk level)
Effort: High
Volume: Our example company is still generating 10,000 reviews, just with slightly less overhead.
This is the first big unlock—replacing fragmented, manual processes with centralized visibility and automation. Even with basic filtering, the time savings are real.
Moving into maturity with ConductorOne
ConductorOne can help your organization automate the basics of Phase 2—but it goes far beyond that. Our platform is designed to take you into the more advanced stages of the UAR Maturity Curve by turning access reviews into intelligent, efficient processes.
It starts with real-time data. ConductorOne connects directly to your identity systems and continuously syncs access information, so reviews are always based on the most current data—not outdated exports. If anything gets stale, the platform alerts you and shows exactly when it was last updated, giving you confidence that your reviews reflect reality.
Instead of managing reviews in spreadsheets and chasing people down over email, ConductorOne coordinates everything for you. You can build single- or multi-step review policies, automatically assign reviewers, and monitor progress—all from a centralized dashboard. Admins get full visibility into where reviews are stuck, and reviewers are kept on track by timely notifications that link directly to their tasks in ConductorOne’s intuitive web app.
With ConductorOne Copilot, reviews get even smarter. Copilot automatically provides AI-powered recommendations that help reviewers make faster, more informed access decisions—accelerating reviews while reducing rubber-stamping. Reviewers don’t just see who has access; Copilot flags unexpected patterns, helping reviewers quickly spot issues and validate them with the right stakeholders. All the context they need is delivered directly within the interface, eliminating the need to chase down external data.
The platform also handles the logistics. Tag any application or entitlement based on risk level or compliance framework and then automatically pull tagged items into future UARs—saving time and ensuring consistency. And when reviews are done, ConductorOne closes the loop by automatically revoking access, notifying users, or triggering downstream tickets. Everything is orchestrated and reported in real time, so you’re always in control and audit-ready.
With ConductorOne, you’re not just speeding up reviews—you’re actually closing the loop on access decisions with less overhead.
Phase 3: Intelligently scoped reviews
What it looks like:
- Using contextual recommendations to streamline certifications
- Auto-approvals and denials based on behavioral baselines and policies
- Irrelevant or low-risk access removed from the review queue
Effort: Low
Volume: At this point, our example company has only 2,000 reviews—instead of 10,000.
How it works with ConductorOne:
Smart reviewers use ConductorOne’s Copilot to elevate their entire review process. Instead of combing through every review line item, they sort review tasks to focus only on what Copilot has flagged. With bulk certification options, they can quickly approve low-risk, routine access and zero in on the exceptions that actually require attention. This is where the real transformation happens: how you use Copilot is what levels you up.
You can also configure review policies to auto-certify or auto-deny routine access decisions, streamlining the entire review process and reducing manual effort. This is where the power of policies really kicks in: you start using ConductorOne not just to review access, but to enforce access review decisions intelligently.
For example, if an engineer has access to a sensitive repo due to a role, attribute, or birthright grant, that entitlement can be auto-certified, no manual review required. These policy-based decisions remove a significant percentage of the review workload while helping teams continuously refine and improve their governance model. As UARs get faster and smarter, teams finally have time to ask: What decisions were easy, and how can we codify them?
What it looks like in practice: Ramp’s approach
ConductorOne customer Ramp offers a clear example of what it looks like to mature user access reviews in practice—moving from manual, high-volume reviews to a policy-driven, automated approach that prioritizes risk and efficiency.
Rather than relying on blanket reviews or conditional case-by-case logic, Ramp invested in building clear policies to automate as much of the access review process as possible, starting with identifying low-risk access that doesn’t require human intervention.
For instance, some roles are considered low risk, such as a “Hiring Team Manager” with access to basic HR applications. These roles are covered by policies that allow for safe auto-certification. A few core rules include: if a user is disabled, their access is always marked for removal; if a user has both a specific app and a matching entitlement that aligns with their team or role, the system certifies that access automatically. Even for high-privilege access, such as AWS infrastructure roles, Ramp applies logic-based policies to determine what should be auto-approved based on team membership and entitlement scope.
This approach has enabled Ramp to significantly reduce their UAR volume. Instead of manually reviewing every line item, their reviewers focus only on what matters: discrepancies or unexpected access. The policies highlight where things don’t look right and route only those items for manual review.
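The rules described above, written as a small ordered policy function. This is an added example, not Ramp’s or ConductorOne’s code; the policy table, the app, team and entitlement names, and the sample grants are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    team: str
    enabled: bool
    app: str
    entitlement: str

# Hypothetical policy table: (app, entitlement) -> teams expected to hold it.
EXPECTED = {
    ("hr-portal", "hiring-manager"): {"recruiting", "people-ops"},
    ("aws", "infra-readonly"): {"platform", "sre"},
    ("aws", "infra-admin"): {"platform"},
}

def decide(grant):
    """Return (decision, reason) for one user-entitlement pair."""
    # Rule order matters: a disabled account is marked for removal even
    # when its entitlement would otherwise match policy.
    if not grant.enabled:
        return "revoke", "account disabled"
    teams = EXPECTED.get((grant.app, grant.entitlement))
    # Fail closed: anything no policy covers goes to a human reviewer.
    if teams is None:
        return "manual_review", "no policy covers this entitlement"
    if grant.team in teams:
        return "certify", "entitlement matches team policy"
    return "manual_review", "entitlement outside team baseline"

def triage(grants):
    """Split grants into auto-decided queues and the manual review queue."""
    queues = {"revoke": [], "certify": [], "manual_review": []}
    for g in grants:
        decision, reason = decide(g)
        queues[decision].append((g.user, g.app, g.entitlement, reason))
    return queues

# Constructed sample data.
GRANTS = [
    Grant("ana", "recruiting", True, "hr-portal", "hiring-manager"),
    Grant("bo", "platform", True, "aws", "infra-admin"),
    Grant("cy", "sre", True, "aws", "infra-admin"),
    Grant("dee", "platform", False, "aws", "infra-admin"),
    Grant("eli", "finance", True, "ledger", "approver"),
]

if __name__ == "__main__":
    for name, items in triage(GRANTS).items():
        print(name, len(items), items)
```

Only the items in the `manual_review` queue reach a reviewer, and each carries the reason it was not auto-decided.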
This initial setup effort, including defining policies and mapping entitlements to app and user data, is a one-time lift that pays off significantly over time. Reviewers aren’t forced to examine every user-app pair again and again; instead, they’re validating edge cases and trusting the system to handle the routine.
Ramp’s approach is a blueprint for maturing access reviews: simplify where you can, automate where it’s safe, and focus your team’s time on resolving the exceptions. Read their full story.
Phase 4: Exception-driven UARs
What it looks like:
- High-risk or privileged access governed by just-in-time (JIT) access, allowing for de-scoping a majority of entitlements from UARs
- Zero standing privileges becomes the default
- Reviews are reserved for exceptions or policy violations; because users must periodically re-request the access they need, that access can be de-scoped from periodic access reviews
Effort: Minimal
Volume: Our example company is now only generating a handful of reviews per cycle.
This is the holy grail. Access is granted only when needed, and automatically expires when it’s not. JIT significantly reduces review scope and strengthens your security posture.
How it works with ConductorOne:
- Sensitive access is short-lived, reducing the risk of users lingering in critical roles
- Access is granted quickly through policy-based approvals, eliminating friction
- Approval paths are automatically routed, removing the guesswork and outdated wikis
ConductorOne automates not just JIT provisioning and deprovisioning, but smart approval routing based on a user’s attributes, like department or role.
If users are only in sensitive systems briefly, they won’t appear in every UAR, further reducing volume. And without standing access, your team has an opportunity to verify requests in real-time—like when someone on leave suddenly asks for admin access.
You end up with fewer reviews, better access controls, and a stronger security posture without blocking productivity.
Want to see how it works in action? With the help of ConductorOne, Instacart moved 100% of privileged access to automated, policy-based JIT access. Read their story.
From checkbox to continuous control
Quarterly UARs are fine—but risks don’t operate on a calendar. With ConductorOne’s granular scoping and continuous data sync, you can run focused reviews anytime. That means:
- Spot-checking high-risk areas after an incident
- Verifying accounts with no owner
- Maintaining IAM hygiene by keeping data current and removing outdated access
- Running a quick, targeted review when needed—not just once per quarter
You’re no longer bound to point-in-time compliance. You’re building a system of continuous monitoring, where access is always accurate, always intentional, and always up to date.
The journey from Phase 1 to Phase 4 doesn’t happen overnight—but the impact is undeniable. With ConductorOne, our customers have seen:
- Over 85% reduction in manual effort
- Improved security and audit readiness
- Happier teams who actually enjoy using the platform
And best of all? UARs stop being a burden—and start becoming a strategic part of your identity governance program.
Ready to move up the curve? Book a demo to see how ConductorOne can transform your user access reviews.