An access review is a structured check of who has access to a system or resource and whether that access is still appropriate. In plain language, it is the process of looking at existing permissions and deciding whether each person or account should still have them.
Access review matters because permissions tend to accumulate over time. People change roles, projects end, contractors leave, and temporary access often becomes permanent unless someone checks it.
It also matters because access is one of the clearest places where security, operations, and compliance meet. Reviews help enforce Least Privilege, identify stale entitlements, and make it easier to explain who can reach sensitive systems and why.
Access review appears in Identity Lifecycle programs, privileged access oversight, SaaS administration, financial-system governance, and regulated environments that require periodic evidence of control.
Teams connect it to Role-Based Access Control, Privileged Access Management, Segregation of Duties, and Identity Governance and Administration because those terms all help answer the same core question: who should have access, under what conditions, and for how long.
A company runs a quarterly access review for its finance systems. Managers receive a list of users, roles, and approvals tied to their teams. They confirm which people still need access, remove people who changed jobs, and flag any combinations of permissions that create separation-of-duties problems.
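The quarterly review described above can be sketched as a script that builds each manager's review queue and pre-flags risky entries. This is an added example, not part of the original page; the data, field names, role names and the `unassigned` fallback queue are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; field names and role names are assumptions.
HR = {
    "alice": {"dept": "finance", "manager": "dana", "active": True},
    "bob":   {"dept": "sales",   "manager": "erin", "active": True},   # moved out of finance
    "carol": {"dept": "finance", "manager": "dana", "active": False},  # contractor who left
}
ENTITLEMENTS = [
    {"user": "alice", "role": "invoice_create",  "granted_dept": "finance", "expires": None},
    {"user": "alice", "role": "payment_approve", "granted_dept": "finance", "expires": None},
    {"user": "bob",   "role": "ledger_read",     "granted_dept": "finance", "expires": None},
    {"user": "carol", "role": "ledger_read",     "granted_dept": "finance", "expires": date(2024, 1, 31)},
]
# Role pairs one person should not hold together (separation of duties).
SOD_PAIRS = [frozenset({"invoice_create", "payment_approve"})]

def build_review(entitlements, hr, sod_pairs, today):
    """Group entitlements by reviewing manager and attach risk flags."""
    roles_by_user = defaultdict(set)
    for e in entitlements:
        roles_by_user[e["user"]].add(e["role"])

    queues = defaultdict(list)
    for e in entitlements:
        person = hr.get(e["user"])
        flags = []
        if person is None or not person["active"]:
            flags.append("no_active_owner")
        elif person["dept"] != e["granted_dept"]:
            flags.append("role_changed")
        if e["expires"] is not None and e["expires"] < today:
            flags.append("temporary_access_expired")
        for pair in sod_pairs:
            if e["role"] in pair and pair <= roles_by_user[e["user"]]:
                flags.append("sod_conflict")
        # Route to the current manager; orphaned access goes to a fallback queue.
        reviewer = person["manager"] if person and person["active"] else "unassigned"
        queues[reviewer].append({"user": e["user"], "role": e["role"], "flags": flags})
    return dict(queues)

if __name__ == "__main__":
    for reviewer, items in build_review(ENTITLEMENTS, HR, SOD_PAIRS, date(2024, 4, 1)).items():
        for item in items:
            print(reviewer, item["user"], item["role"], ",".join(item["flags"]) or "ok")
```

Entitlements with no active owner land in a separate queue instead of being dropped, so access held by departed users still gets a decision.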
Access review is not the same as authentication. Authentication checks whether someone can prove who they are during sign-in. Access review checks whether the access they already have should continue to exist at all.
It is also different from provisioning. Provisioning grants or changes access. Access review evaluates whether existing access should remain, be reduced, or be removed.