# Quarterly Access Review

> A recurring review that removes stale and over-broad access before it becomes the path an attacker or mistake takes.

**Category:** IT & Security

**When to use:** Quarterly, and after any wave of departures or role changes.

**Trigger:** Quarterly access-review cycle

## Steps

1. Pull the current access list per system, especially admin and production access.
2. Confirm every account maps to a current employee or service that still needs it.
3. Remove access for departed people and revoke anything beyond what the role needs.
4. Verify MFA is on everywhere it should be and flag exceptions.
5. Have system owners attest that the remaining access is correct.
6. Record the review, the removals, and the attestations.
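
An added example, not part of the original SOP: one way to automate steps 2 to 4 by reconciling an access export against the HR roster, a service registry, and a per-role baseline. The CSV columns, finding labels, and all sample data are constructed assumptions, not a real identity provider's export format.

```python
import csv, io
from collections import defaultdict

# Constructed sample data; column names are assumptions, not a real IdP export format.
ACCESS_CSV = """system,account,owner_id,kind,entitlement,mfa
prod-db,alice,E100,human,admin,true
prod-db,bob,E200,human,admin,true
prod-db,carol,E300,human,read,false
prod-db,svc-backup,SVC-1,service,backup,n/a
ci,svc-legacy,SVC-9,service,deploy,n/a
ci,dave,E400,human,deploy,true
"""
ACTIVE_EMPLOYEES = {"E100": "dba", "E300": "analyst", "E400": "analyst"}  # id -> role
ACTIVE_SERVICES = {"SVC-1"}  # services that still have a named owner
ROLE_BASELINE = {"dba": {"admin", "read"}, "analyst": {"read"}}  # what each role needs

def review_access(access_csv, employees, services, baseline):
    """Return {system: [(account, finding), ...]} covering steps 2-4 of the SOP."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(access_csv)):
        system, account, owner = row["system"], row["account"], row["owner_id"]
        if row["kind"] == "service":
            # Step 2: a service account must map to a service that still exists.
            if owner not in services:
                findings[system].append((account, "ORPHANED_SERVICE"))
            continue
        role = employees.get(owner)
        if role is None:
            # Steps 2-3: departed or unknown owner, remove regardless of entitlement.
            findings[system].append((account, "NO_CURRENT_EMPLOYEE"))
            continue
        if row["entitlement"] not in baseline.get(role, set()):
            # Step 3: access beyond what the role needs.
            findings[system].append((account, "EXCEEDS_ROLE:" + row["entitlement"]))
        if row["mfa"].strip().lower() != "true":
            # Step 4: MFA exception to flag.
            findings[system].append((account, "MFA_MISSING"))
    return dict(findings)

if __name__ == "__main__":
    result = review_access(ACCESS_CSV, ACTIVE_EMPLOYEES, ACTIVE_SERVICES, ROLE_BASELINE)
    for system, items in result.items():
        for account, finding in items:
            print(f"{system},{account},{finding}")
```

Grouping the findings by system gives each system owner a short list to act on before attesting in step 5, and the printed rows can be saved as the record for step 6.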

## Outputs

- A reviewed access list per system
- Stale and over-broad access removed
- Owner attestations on record

## Tools

- Identity / SSO
- Access log
- Spreadsheet

## Notes

The riskiest accounts are the ones nobody owns anymore. The review exists to find and close them before someone else does.

---

Free SOP from the OrgTP Process Library — https://orgtp.com/process-templates/quarterly-access-review
