Why Access Reviews Have Become Corporate Theater (And What To Do About It)

By Hydden | December 10, 2025 (updated December 11, 2025) | Blog

If you have ever run a quarterly access campaign, you already know the script. The emails go out. The data pull turns into a scramble. Connectors break. Spreadsheets land on managers’ desks with thousands of entitlements no one really understands. A few weeks later, the campaign hits “100% complete,” the report goes to audit, and everyone moves on hoping nothing important slipped through.

igatheater.com, a playbill for how access reviews really run inside most enterprises, captures this theatrical reality. It details the rehearsals to assemble review data, the one-time performance for auditors, and the finale where risk looks almost exactly the same as it did at the opening curtain.

What often gets missed is the backdrop behind that stage. Most organizations are only reviewing a curated slice of their environment, just the handful of “big” applications they had the time and budget to onboard to their IGA solution. Most campaigns never touch the long tail of on-prem, custom, database, and legacy systems or the non-human identities that connect AI agents and other services. The result is theatrical certainty over a narrow set of systems, while real risk lives in everything that never appears in the campaign.

So yes, the reviews get done. Yes, the evidence goes to the auditor. But the combination of partial visibility and manual, periodic reviews is why access governance feels like corporate theater.

The Real Problem: Partial and Periodic Governance

The core problem is not the concept of access reviews. It is what gets reviewed, and how rarely it happens.

Most IGA programs focus on the “top tier” systems. That is all the budget and services can handle when onboarding a complex application to traditional IGA takes 6–8 weeks and roughly $180,000 in services.

The result is a large “ungoverned universe” that rarely makes it into scope: on-prem and legacy systems, AI and agent integrations, network and edge devices, databases and file shares, custom apps and niche SaaS tools.

It is tempting to blame the auditors, but they are not the problem. Regulators and auditors are there to enforce control discipline. They are supposed to ask for evidence, and they will continue to expand requirements because they see the same trends you do:

  • Identity is the primary attack vector.
  • Breaches increasingly hinge on compromised credentials and mismanaged access.
  • Non-human identities (service accounts, bots, workloads, machine identities) are exploding.

The failure is how we respond. Most organizations still treat identity and access as a periodic project, not an operational function:

  • Access reviews run quarterly or annually.
  • Joiner/Mover/Leaver events depend on brittle connectors and stale data.
  • Approvers make decisions on snapshots that are weeks or months out of date.

If identity is the primary attack surface, you cannot treat it as a once-a-quarter compliance ritual. You need something closer to how network or endpoint operations teams work every day.

In other words, identity must be continuous, operational, and data-driven. The objective is not to get rid of access reviews. It is to stop meeting every new requirement with more manual work. You need an operating model where audit gets what it needs, the business measurably reduces risk, and you are not burning thousands of hours a year on the same broken process.

From Corporate Theater to Continuous Control

So what does continuous control look like? First, it starts with data. You cannot automate what you cannot see, so you need a mechanism to integrate with every system and discover every identity. Once you have that foundation, you can begin to move from theatrical campaigns to continuous control:

  1. Automate the obvious decisions
    • Known low-risk, repetitive decisions should be automated based on policy and behavior.
    • Managers should only be asked to review high-risk or anomalous access, not a thousand line items that never change.
  2. Event-driven lifecycle, not periodic cleanup
    • Joiner, mover, and leaver events should be processed in near real time using reliable data, triggered by an HR event, not cleaned up months after the fact.
    • Access should be granted, adjusted, and removed based on actual events and posture changes, not waiting for the next campaign.
  3. Make identity an operational function
    • Treat identity like a first-class operational domain, similar to a SOC or NOC.
    • Track metrics like “time to detect risky change,” “orphaned accounts eliminated,” and “high-risk access removed,” not just “campaign completion.”
  4. Use audits as validation, not the only control
    • When auditors arrive, you should be able to demonstrate continuous evidence: what changed, why it changed, and how it was approved or automatically enforced.
    • The quarterly or annual review becomes a confirmation step, not the one moment when attention is paid.

I get it: this shift is simple to describe and hard to execute manually, which is exactly why automation and platforms purpose-built for continuous identity governance exist.

What To Do Next

If your access reviews already feel like theater, you do not need more drama. You need a plan. Here is a practical starting framework:

  1. Quantify the problem
    • How many hours per year do access campaigns consume?
    • What percentage of your total applications are actually in scope?
    • How much of the environment is effectively “never reviewed”?
  2. Expand visibility before you expand reviews
    • Build a unified identity data layer that can see across directories, SaaS, legacy, and nonstandard systems.
    • Categorize and map every account to a human owner for attribution, tracking and prioritization.
  3. Automate low-risk and repetitive decisions
    • Use policies, peer groups, and behavior to auto-approve the obvious.
    • Reserve human attention for the top-risk 10% of access.
  4. Move from periodic to continuous
    • Understand your identity posture before your review starts.
    • Trigger reviews on specific risk events, not just the calendar.
  5. Make “risk reduced” a core KPI
    • Track how many risky entitlements were removed, not just how many lines were reviewed.
    • Give executives and auditors metrics that prove you are shrinking the attack surface, not just doing more work.
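The two lists above (automate the obvious, event-driven leaver handling, reserve human attention for risky or anomalous access, and report "risk reduced" rather than "lines reviewed") can be made concrete in a small triage engine. The code below is an added example written for this article, not Hydden's product code. The accounts, entitlements, HR event, peer-group threshold, staleness window and the 200-apps/40-in-scope coverage figures are all constructed for illustration.

```python
"""Access-review triage: automate the obvious, route only risky or anomalous
access to a human, revoke on leaver events, and report risk-reduction metrics.
Added example, not Hydden's code; every account, entitlement and threshold
below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed policy: entitlements that always get a human decision,
# how common an entitlement must be among peers to count as "obvious",
# and how long unused access may sit before it is questioned.
HIGH_RISK = {"prod-db-admin", "domain-admin", "payroll-approve"}
PEER_COMMON = 0.6
STALE_DAYS = 90
TODAY = date(2025, 12, 10)  # fixed so the example is deterministic


@dataclass
class Account:
    account_id: str
    owner: Optional[str]          # human owner; None means orphaned
    dept: str                     # peer group
    hr_status: str                # "active" or "terminated"
    entitlements: Dict[str, Optional[date]]  # entitlement -> last use (None = never used)


Decision = Tuple[str, str, str, str]  # (account, entitlement, decision, reason)


def sample_snapshot() -> List[Account]:
    """Constructed snapshot of one department plus an unowned service account."""
    recent, stale = date(2025, 12, 1), date(2025, 5, 1)
    return [
        Account("alice", "alice", "eng", "active", {"github": recent, "vpn": recent, "prod-db-admin": recent}),
        Account("bob", "bob", "eng", "active", {"github": recent, "vpn": recent}),
        Account("carol", "carol", "eng", "active", {"github": recent, "vpn": stale}),
        Account("dave", "dave", "eng", "active", {"github": recent}),
        Account("svc-build", None, "eng", "active", {"github": recent}),
    ]


def on_hr_event(accounts: List[Account], event: dict) -> List[Decision]:
    """Event-driven leaver handling: on an HR 'leaver' event, mark the person's
    accounts terminated and return immediate revocations instead of waiting
    for the next campaign."""
    revocations: List[Decision] = []
    if event.get("type") != "leaver":
        return revocations
    for a in accounts:
        if a.owner == event["employee"]:
            a.hr_status = "terminated"
            revocations += [(a.account_id, e, "auto-revoke", "leaver event") for e in a.entitlements]
    return revocations


def peer_prevalence(accounts: List[Account]) -> Dict[str, Dict[str, float]]:
    """Per department: fraction of active, human-owned accounts holding each entitlement."""
    groups: Dict[str, dict] = {}
    for a in accounts:
        if a.hr_status != "active" or a.owner is None:
            continue
        g = groups.setdefault(a.dept, {"n": 0, "counts": Counter()})
        g["n"] += 1
        g["counts"].update(a.entitlements.keys())
    return {d: {e: c / g["n"] for e, c in g["counts"].items()} for d, g in groups.items()}


def triage(accounts: List[Account], today: date = TODAY) -> List[Decision]:
    """Classify every entitlement as auto-revoke, auto-approve, or human review.
    Order matters: lifecycle and ownership problems are decided before peer analysis."""
    prevalence = peer_prevalence(accounts)
    out: List[Decision] = []
    for a in accounts:
        for ent, last_used in a.entitlements.items():
            if a.hr_status == "terminated":
                out.append((a.account_id, ent, "auto-revoke", "leaver event"))
            elif a.owner is None:
                out.append((a.account_id, ent, "review", "orphaned account"))
            elif ent in HIGH_RISK:
                out.append((a.account_id, ent, "review", "high-risk entitlement"))
            elif last_used is None or (today - last_used).days > STALE_DAYS:
                out.append((a.account_id, ent, "review", "unused for >%d days" % STALE_DAYS))
            elif prevalence.get(a.dept, {}).get(ent, 0.0) >= PEER_COMMON:
                out.append((a.account_id, ent, "auto-approve", "common in peer group"))
            else:
                out.append((a.account_id, ent, "review", "anomalous versus peers"))
    return out


def metrics(accounts: List[Account], decisions: List[Decision], apps_total: int, apps_in_scope: int) -> dict:
    """KPIs that measure risk reduced and coverage, not just 'lines reviewed'."""
    by = Counter(d for _, _, d, _ in decisions)
    return {
        "auto_approved": by["auto-approve"],
        "auto_revoked": by["auto-revoke"],
        "human_review": by["review"],
        "human_review_share": round(by["review"] / len(decisions), 2),
        "orphaned_accounts": sum(1 for a in accounts if a.owner is None),
        "high_risk_flagged": sum(1 for _, e, d, _ in decisions if e in HIGH_RISK and d == "review"),
        "app_coverage": round(apps_in_scope / apps_total, 2),  # share of the estate actually in scope
    }


if __name__ == "__main__":
    accts = sample_snapshot()
    on_hr_event(accts, {"type": "leaver", "employee": "dave"})  # constructed HR event
    decisions = triage(accts)
    for row in decisions:
        print("%-10s %-14s %-12s %s" % row)
    print(metrics(accts, decisions, apps_total=200, apps_in_scope=40))
```

On the constructed snapshot, five of nine entitlements are auto-approved because everyone in the peer group holds them and uses them, the leaver's access is revoked by the HR event rather than by a campaign, and only three items (a high-risk admin role, a stale VPN grant and an orphaned service account) reach a human. The metrics dictionary is the kind of output an auditor can be shown: what was removed, what was escalated, how much of the application estate the process actually covers.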

User access reviews will continue to be mandatory. Auditors will continue to ask for more. You can either keep investing in bigger productions, with more spreadsheets, more fire drills, and more people in the same inefficient process, or you can treat identity as an operational function, powered by real-time data and automation, where audit demands are still met but risk is measurably and continuously reduced.

If you are ready to see the numbers and the “theater” broken down in detail, take a look at the playbill at igatheater.com. It’s a starting point for the conversation every identity leader needs to have: How do we end the theater and make access governance real?

Make the next access review season the last one that feels like theater. Request a Hydden demo.


Author Hydden