TL;DR: Treasure Data says its user access review programme moved from sporadic spreadsheet checks and 160 annual hours to scoped, automated reviews with real-time conflict detection, broader entitlement coverage, and faster remediation through C1. The case shows that access review maturity now depends on risk-based depth, not just campaign frequency.
At a glance
What this is: Treasure Data’s access review programme evolved from manual spreadsheet checks to more targeted, automated reviews that expand coverage and improve remediation speed.
Why it matters: IAM teams can use this as a model for moving beyond box-checking reviews toward risk-based governance across human, NHI, and emerging agentic access patterns.
By the numbers:
- The team reduced user access review effort from 160 hours annually to just a fraction of that time.
- The review process covered 15 systems.
👉 Read ConductorOne’s case study on Treasure Data’s access review transformation
Context
User access reviews are meant to verify whether access still matches role, risk, and business need. In practice, many programmes stall at manual exports, narrow scope, and shallow decisions that satisfy audit formality without improving control quality. That is the governance gap Treasure Data was trying to close.
For identity teams, the lesson is not that reviews should happen more often. It is that review depth, entitlement scope, and remediation speed determine whether access certification reduces risk or simply documents it after the fact. That same logic increasingly applies across human access, service accounts, and broader lifecycle governance.
Key questions
Q: How should security teams make user access reviews more effective?
A: Security teams should reduce manual spreadsheet work, scope reviews by risk, and connect exceptions to remediation workflows. Effective reviews focus on privileged, external, inactive, and unused access rather than trying to certify every entitlement equally. The goal is not just completion, but faster decisions that change actual exposure.
Q: Why do user access reviews fail when they stay manual?
A: Manual reviews fail because they depend on exports, reconciliation, and subjective judgement that do not scale as systems grow. They are slow, inconsistent, and often too shallow to surface meaningful risk. The result is high administrative effort with limited security value.
Q: When does access certification become more than compliance theatre?
A: Access certification becomes meaningful when it is scoped to high-risk access, produces actionable exceptions, and drives enforced remediation. If a campaign only proves that a process ran, it is audit evidence. If it shortens the time between finding and fixing risky access, it becomes a control.
Q: What should organisations do after a user access review finds exceptions?
A: Organisations should route exceptions into a tracked workflow, assign ownership, and verify that the access change is actually completed. Without that follow-through, the review becomes a documentation exercise instead of a control. Closed-loop remediation is what turns review findings into reduced risk.
Technical breakdown
Why spreadsheet-based access reviews stall at phase 1
Spreadsheet-driven reviews usually depend on manual exports, ad hoc reconciliation, and subjective checks. That workflow can confirm whether someone appears to belong, but it does not scale across systems or surface higher-order risk such as privileged access, group membership, or inactive entitlements. The result is a review that is administratively expensive and analytically weak. Phase 1 programmes are often constrained by the mechanics of collection more than by the quality of the decision model, so every new application adds friction instead of insight.
Practical implication: replace manual export-heavy review cycles with a governed data pipeline before adding more systems to the programme.
How intelligently scoped reviews change the access review model
Intelligently scoped reviews shift the question from "review everything" to "review what matters." That means focusing on privileged access, external accounts, unused permissions, inactive users, and other entitlements with actual risk signal. Instead of treating access certification as a universal inventory exercise, the model uses context to reduce noise and increase reviewer relevance. This is where access review maturity starts to create security value, because reviewers spend time on exceptions and high-impact access rather than on low-value confirmations that never change outcomes.
Practical implication: define review tiers by risk and business relevance, then reserve deeper scrutiny for entitlements that can change exposure.
Why exception-driven remediation matters more than campaign completion
A review only changes security posture when exceptions are actually resolved. The operational bottleneck is usually not the reviewer decision but the handoff into ticketing, approval, and enforcement. Automated remediation shortens that loop by turning findings into structured workflow rather than spreadsheet follow-up. That matters because the longer an exception lives outside the workflow, the more likely it becomes accepted as normal. Mature programmes therefore measure not just completion rate, but the time from exception identification to enforced change.
Practical implication: connect review output to workflow systems so exceptions become tracked remediation items, not unresolved comments in a spreadsheet.
Breaches seen in the wild
- New York Times breach — New York Times source code and credentials exposed via GitHub.
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Access review maturity is a control design problem, not a tooling problem. Treasure Data’s journey shows that the real constraint was not whether a review existed, but whether the review model could scale beyond spreadsheet administration. Manual UARs create activity, but they do not create depth, and depth is what exposes high-risk access. The practitioner conclusion is clear: review governance must be designed as a decision system, not a quarterly clerical task.
Intelligently scoped reviews are the point where access certification stops being theatre. Once programmes move beyond terminated-employee checks and into privileged access, external accounts, inactive users, and unused permissions, they begin to surface the entitlements that matter most. That is the difference between proving process and reducing exposure. Practitioners should treat scope design as the core governance choice, because scope determines whether a review can actually change risk.
Exception-driven review is the next logical control state for identity governance. When exceptions generate tickets and real-time signals rather than delayed spreadsheet work, the programme moves from periodic compliance to continuous assurance. That does not remove the need for human judgement, but it changes where that judgement is spent. The practitioner conclusion is to design for exception handling, because that is where review programmes either deliver security value or fade into audit routine.
Identity review governance now has to stretch across human, machine, and eventually agentic access. A review model built only for people will miss the lifecycle pressure created by service accounts, shared credentials, and automated access paths that do not fit employee-centric assumptions. The broader implication is that recertification and exception handling are becoming cross-actor governance disciplines. Practitioners should plan for review scope to expand beyond humans, because identity risk is already doing so.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why review scope and identity inventory quality matter before automation.
- The NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding controls reduce the same persistence problem at source.
What this signals
Access review maturity is now a visibility problem as much as a governance problem. If an organisation cannot see all of its entitlements clearly, it cannot scope reviews intelligently, and the programme defaults to shallow verification. With only 5.7% of organisations reporting full visibility into service accounts according to Ultimate Guide to NHIs, the governance gap is structural rather than procedural.
Closed-loop remediation is the real benchmark for modern review programmes. The next maturity step is not another campaign, but faster movement from exception identification to enforced change. That same closed-loop logic now matters across NHI lifecycle management, because access that lingers after review is just another form of unmanaged privilege.
For practitioners
- Map review scope to risk tiers: Separate low-value certification items from privileged, external, inactive, and unused access so reviewers spend time on the entitlements most likely to create exposure.
- Automate exception-to-ticket workflows: Route review exceptions directly into Jira or an equivalent system so remediation is tracked, assigned, and measured instead of left in spreadsheets.
- Track review depth, not just completion: Measure how many privileged accounts, group memberships, and sensitive entitlements are actually examined in each cycle, not just whether the campaign closed on time.
- Use continuous signals for high-risk access: Add real-time monitoring for conflict conditions so unusual access changes are flagged as they happen rather than waiting for the next quarterly review.
- Extend governance beyond employee accounts: Include service accounts and other non-human access paths in the same governance model so access review maturity does not stop at human users.
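The risk-tiered scoping, exception-driven review and closed-loop timing metric described in the technical breakdown and in the practitioner steps above, as an added Python example (not Treasure Data's or ConductorOne's code). It assumes a constructed entitlement inventory, a 90-day idle threshold for "unused", and that a remediation item is only marked enforced after the target system has been re-checked and no longer shows the access.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
REVIEW_DATE = datetime(2025, 8, 26)  # campaign date (constructed)

@dataclass
class Entitlement:
    identity: str
    privileged: bool = False
    external: bool = False
    identity_active: bool = True
    last_used: Optional[datetime] = None  # None means the access has never been used

# Constructed sample inventory; identities are made up for this example.
SAMPLE = [
    Entitlement("alice", privileged=True, last_used=REVIEW_DATE - timedelta(days=2)),
    Entitlement("bob", last_used=REVIEW_DATE - timedelta(days=5)),
    Entitlement("carol", external=True, last_used=REVIEW_DATE - timedelta(days=20)),
    Entitlement("dave", identity_active=False, last_used=REVIEW_DATE - timedelta(days=200)),
    Entitlement("svc-report"),  # service account whose access was never used
]

def risk_tier(e: Entitlement, unused_after: timedelta = timedelta(days=90)) -> str:
    """Map an entitlement to a review tier; only non-'low' tiers reach a human reviewer."""
    if not e.identity_active:
        return "inactive"
    if e.privileged:
        return "privileged"
    if e.external:
        return "external"
    if e.last_used is None or REVIEW_DATE - e.last_used > unused_after:
        return "unused"
    return "low"

def scope_review(inventory: list) -> list:
    """Risk-scoped campaign: low-signal items are dropped, the rest become tracked exceptions."""
    return [{"entitlement": e, "tier": t, "opened": REVIEW_DATE, "enforced": None}
            for e in inventory if (t := risk_tier(e)) != "low"]

def close_item(item: dict, when: datetime, still_present: bool) -> bool:
    if still_present:  # the loop is not closed until the target system no longer shows the access
        return False
    item["enforced"] = when
    return True

def time_to_enforce(items: list) -> dict:
    """The metric mature programmes track: open backlog and hours from exception to verified change."""
    closed = [i for i in items if i["enforced"]]
    hours = [(i["enforced"] - i["opened"]).total_seconds() / 3600 for i in closed]
    return {"open": len(items) - len(closed), "max_hours": max(hours, default=0.0)}
```

Feeding the same inventory through `scope_review` drops the one routinely used, non-privileged entitlement and leaves four tracked exceptions; `time_to_enforce` then reports how many are still open and the slowest verified fix.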
Key takeaways
- Manual access reviews can satisfy process requirements while still leaving material risk untouched.
- Programme value increases when review scope targets privileged, inactive, external, and unused access rather than broad, low-signal inventories.
- The decisive control is closed-loop remediation, because finding exceptions without enforcing change does not reduce exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions management maps directly to risk-based review scope. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Reviewing privileged and stale access aligns with NHI lifecycle and entitlement governance. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust depends on continuous entitlement validation, not periodic box-checking. |
Map review coverage to PR.AC-4 and prioritise the entitlements that create the largest exposure.
Key terms
- User Access Review: A user access review is a formal check of whether an identity still needs the permissions it has. In mature programmes, it is a risk decision process, not a spreadsheet exercise, and it should end in removal or justification of access that no longer fits the role or business need.
- Review Scope: Review scope is the set of identities, entitlements, and systems included in an access certification cycle. Narrow scope makes the process easier but can hide the highest-risk access, while risk-based scope focuses reviewer attention on privileged, external, inactive, and unused entitlements.
- Exception-driven Review: An exception-driven review is a model where the system highlights only unusual or risky access for human judgement. This reduces noise, shortens review cycles, and makes remediation the centre of the control, rather than the production of a completed campaign report.
- Closed-loop Remediation: Closed-loop remediation means every review finding is routed into an accountable workflow and verified to completion. Without that loop, access reviews become evidence generation instead of control enforcement, and risky access can survive unchanged after the campaign ends.
Deepen your knowledge
Access review maturity and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a review programme that needs to cover more than spreadsheet checks, it is worth exploring.
This post draws on content published by ConductorOne: How Treasure Data Transformed User Access Reviews with C1. Read the original.
Published by the NHIMG editorial team on 2025-08-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org