TL;DR: Treasure Data says its user access review programme moved from sporadic spreadsheet checks and 160 annual hours to scoped, automated reviews with real-time conflict detection, broader entitlement coverage, and faster remediation through C1. The case shows that access review maturity now depends on risk-based depth, not just campaign frequency.
NHIMG editorial — based on content published by ConductorOne: How Treasure Data Transformed User Access Reviews with C1
By the numbers:
- The team reduced user access review effort from 160 hours annually to just a fraction of that time.
- Treasure Data now pulls data from about 15 systems during its review process.
Questions worth separating out
Q: How should security teams make user access reviews more effective?
A: Security teams should reduce manual spreadsheet work, scope reviews by risk, and connect exceptions to remediation workflows.
Q: Why do user access reviews fail when they stay manual?
A: Manual reviews fail because they depend on exports, reconciliation, and subjective judgement that do not scale as systems grow.
Q: When does access certification become more than compliance theatre?
A: Access certification becomes meaningful when it is scoped to high-risk access, produces actionable exceptions, and drives enforced remediation.
Practitioner guidance
- Map review scope to risk tiers. Separate low-value certification items from privileged, external, inactive, and unused access so reviewers spend time on the entitlements most likely to create exposure.
- Automate exception-to-ticket workflows. Route review exceptions directly into Jira or an equivalent system so remediation is tracked, assigned, and measured instead of left in spreadsheets.
- Track review depth, not just completion. Measure how many privileged accounts, group memberships, and sensitive entitlements are actually examined in each cycle, not just whether the campaign closed on time.
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- The step-by-step progression from phase 1 manual reviews to phase 3 intelligently scoped review design.
- Treasure Data's exact process changes for conflict detection, remediation routing, and review expansion.
- The practical role of RBAC matrices and exception-driven alerts in the phase 4 roadmap.
- Direct practitioner commentary on how the team moved from compliance theatre to continuous assurance.
User access reviews at phase 3: what changed for Treasure Data?
Explore further
Access review maturity is a control design problem, not a tooling problem. Treasure Data’s journey shows that the real constraint was not whether a review existed, but whether the review model could scale beyond spreadsheet administration. Manual UARs create activity, but they do not create depth, and depth is what exposes high-risk access. The practitioner conclusion is clear: review governance must be designed as a decision system, not a quarterly clerical task.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why review scope and identity inventory quality matter before automation.
A question worth separating out:
Q: What should organisations do after a user access review finds exceptions?
A: Organisations should route exceptions into a tracked workflow, assign ownership, and verify that the access change is actually completed. Without that follow-through, the review becomes a documentation exercise instead of a control. Closed-loop remediation is what turns review findings into reduced risk.