User Access Review

Certify access continuously

Who has access to what. Should they still. And can you prove you checked. A unified, automated platform that runs the full lifecycle of access certification across every identity provider, cloud, SaaS app, and on-prem system.

23+ Source Connectors
15 Risk Signal Types
8/8 Frameworks Mapped
The Problem

Access reviews are broken

Most organizations still certify access with spreadsheets and point-in-time campaigns. The result is stale evidence, blind spots, and revocations that are recommended but never actually carried out. The UAR module closes the loop.

The Module

Full certification lifecycle

The UAR module replaces spreadsheet-driven reviews with continuous, intelligence-assisted certification. It answers a single question end to end: who has access, should they keep it, and can you prove you checked.

01 Continuous & Risk-Aware

Periodic, event-driven, and continuous campaigns. Risk signals auto-open micro-reviews as access changes, so certification never goes stale between cycles.

02 Effective-Access Resolution

Goes beyond what is assigned to compute what a user can truly do across AWS, Azure, and GCP. The full grant chain is shown to reviewers alongside the resolved outcome.

03 Closed-Loop Remediation

Revocations are written back to source systems, then re-read and verified. Campaigns cannot close until every action is proven complete or exception-marked.

04 Audit-Ready Evidence

Every campaign produces an 11-section report mapped to eight compliance frameworks, plus cross-campaign executive dashboards and a watermarked auditor portal.

Lifecycle

Discovery to audit-ready evidence

Seven stages turn raw identity data into certified, remediated, provable access. Each stage feeds the next, continuously.

01 Discovery (Ingest): Ingest identities, accounts, and entitlements from 23 source connectors across identity providers, cloud platforms, HRIS, SaaS, engineering tools, and data platforms.
02 Correlation (Identity): Link accounts across every system to a single identity using confidence-scored matching: email exact match, external IDs, fuzzy name + manager, and more.
03 Effective Access (Resolve): Resolve what users can actually do across AWS IAM, Azure RBAC, and GCP IAM. Store results as (principal, action, resource, effect) tuples with the full policy grant chain.
04 Risk Analysis (Signals): Continuously evaluate 15 risk signal types (orphan accounts, terminated-but-active, SoD violations, privilege creep, dormant admins, and more), configurable per tenant.
05 Review Campaigns (Certify): Reviewers approve, revoke, or escalate with inline risk signals, AI recommendations, peer comparisons, business-friendly names, and mandatory rationale for critical decisions.
06 Remediation (Enforce): Write revocations back to source systems and verify removal. Configurable rollback windows, exception registers, and a verification gate that blocks campaign close until proven.
07 Reporting (Evidence): Produce framework-mapped evidence with 11-section campaign reports, executive dashboards, identity risk rankings, trend analysis, and time-bounded auditor portal access.
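
The verification gate described in stage 06, sketched as an added example (not the product's own code): a revocation counts only after the source is re-read and the grant is gone, and a campaign closes only when every action is verified or exception-marked. `FakeSource`, `Revocation`, `remediate` and `can_close` are hypothetical names, and the grants are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PENDING = "pending"
    VERIFIED = "verified"    # revoke sent and the grant is gone on re-read
    FAILED = "failed"        # revoke sent but the grant is still present
    EXCEPTION = "exception"  # access knowingly retained, recorded in a register

@dataclass
class Revocation:
    principal: str
    entitlement: str
    status: Status = Status.PENDING

class FakeSource:
    """Constructed stand-in for a source-system connector (hypothetical API)."""
    def __init__(self, grants, sticky=()):
        self.grants = set(grants)
        self.sticky = set(sticky)  # grants this source silently fails to remove

    def revoke(self, principal, entitlement):
        if (principal, entitlement) not in self.sticky:
            self.grants.discard((principal, entitlement))

    def has_grant(self, principal, entitlement):
        return (principal, entitlement) in self.grants

def remediate(source, actions):
    """Write each revocation back, then re-read the source to verify it."""
    for a in actions:
        if a.status is Status.EXCEPTION:
            continue  # exception-marked: nothing is written back
        source.revoke(a.principal, a.entitlement)
        # Trust the re-read state, not the fact that the revoke call returned.
        still_there = source.has_grant(a.principal, a.entitlement)
        a.status = Status.FAILED if still_there else Status.VERIFIED
    return actions

def can_close(actions):
    """Gate: close only when every action is verified or exception-marked."""
    blockers = [a for a in actions
                if a.status not in (Status.VERIFIED, Status.EXCEPTION)]
    return (len(blockers) == 0, blockers)

def demo():
    # Constructed sample data: three decisions from one campaign.
    grants = {("alice", "aws:admin"), ("bob", "erp:billing"), ("svc-ci", "gh:deploy")}
    source = FakeSource(grants, sticky={("bob", "erp:billing")})
    actions = [Revocation("alice", "aws:admin"), Revocation("bob", "erp:billing"),
               Revocation("svc-ci", "gh:deploy", Status.EXCEPTION)]
    return source, remediate(source, actions)
```

In the sample, the source silently keeps bob's grant, so the re-read marks that action failed and `can_close` reports it as the single blocker until it is fixed or moved to the exception register.
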
Discovery

Connect everything, one warehouse

Twenty-three connectors pull users, groups, roles, and assignments into a single canonical model. Identity providers push webhook events for near-real-time updates.

Identity Providers: Okta, Microsoft Entra ID, Google Workspace
Cloud Platforms: AWS IAM, Azure RBAC, GCP IAM
HRIS: Workday, BambooHR, ADP, Rippling, HiBob, PeopleSoft
SaaS & Business: Salesforce, ServiceNow, Slack, Microsoft 365
Engineering: GitHub, GitLab, Jira, Confluence
Data Platforms: Snowflake
JIT / Ephemeral: Opal, ConductorOne, Apono
Standards & Custom: SCIM 2.0 (any compliant provider), CSV upload

Risk Analysis

Fifteen signals, continuously evaluated

The engine continuously scores the identity warehouse and surfaces risk inline to reviewers. Every signal is configurable per tenant by threshold, severity, and enable/disable.

Critical: Orphan account; Terminated but active; ITDR-correlated risk
High: Dormant (privileged); Excessive admin; External + sensitive access; SoD violation; Shared / ambiguous account; Sensitive data exposure
Medium: Privilege creep; Out-of-band grant; Peer-group outlier; Anomalous grant; Stale service account
Low: License waste

Intelligence

Policy-coded rules, per-tenant AI

Governance logic is explicit and versioned, machine learning adapts to each customer's own decisions, and a catalog turns cryptic entitlement names into business context.

Engine: Policy Engine

SoD rules and access policies in OPA/Rego with version control, dry-run mode, impact analysis, and 8+ pre-built SOX SoD starter rules.

ML: AI Recommendations

Per-tenant gradient boosting from real decisions, peer-group outlier detection, confidence-scored approve/revoke advice, and rule-based cold-start fallback.

Catalog: Entitlement Catalog

Curated seed data for top entitlements, Claude-powered enrichment for unknowns, risk classification with reasoning, and tenant overrides with auto-matching.

100% Access Visibility: Every account correlated to a single identity across all connected sources.
Closed-loop Remediation: Revocations written back, re-read, and verified before campaign close.
8/8 Frameworks Ready: Evidence mapped from SOC 2 and ISO 27001 to CMMC and HIPAA.
0 sheets (Spreadsheets): Continuous, risk-aware reviews replace manual certification campaigns.

Evidence & Assurance

Mapped to every standard

Each campaign produces an eleven-section compliance report. Cross-campaign dashboards give executives and auditors a program-level view, with watermarked, time-bounded auditor access.

Security & IT Controls: SOC 2 (CC6.1-6.3, CC1.4); ISO 27001:2022 (A.5.15/16/18, A.8.2/8.3); NIST 800-53 (AC-2, AC-5, AC-6)
Industry Regulations: PCI DSS v4.0 (7.2.4, 8.2); SOX ITGC (Logical access, SoD); HIPAA (164.308(a)(3)/(4))
Specialized Frameworks: HITRUST CSF (01.b, 01.c, 01.e, 01.q); CMMC 2.0 (AC.L1-3.1.1, AC.L2-3.1.5)

The Closed-Loop Advantage
Certify continuously. Remediate automatically. Prove instantly. From discovery to verified remediation, every decision is tracked, every revocation is confirmed, and every campaign produces audit-ready evidence.
SOC 2 Type II Attested; ISO 27001:2022; Go live in days; No lock-in