Many regulations, laws, directives, and frameworks include requirements for User Access Reviews (UARs)—comprehensive assessments of access privileges (e.g., to applications, resources, etc.) within an organization’s IT environment.
Compliance isn’t optional, and the consequences of non-compliance can be steep.
For a few reasons (which we touch on below), today’s UARs present significant challenges. Further complicating matters, many organizations still largely rely upon time-consuming and error-prone manual processes.
But there’s a better way.
The UAR stakes are higher than ever
UAR requirements are especially common in highly regulated environments, in which organizations must comply with industry-specific legislation and guidelines such as the Health Insurance Portability and Accountability Act (HIPAA) and Good Practice (GxP) guidelines.
However, UAR requirements are also captured in wider-reaching pieces of legislation. One prominent example is the Sarbanes-Oxley (SOX) Act, which applies to all U.S. public companies.
Failure to comply with UAR obligations can be extraordinarily costly for the offending organization.
The primary concern for many orgs is likely regulator-imposed financial penalties—a risk made all the more real as U.S. regulators have issued billions of dollars in fines against financial services firms, hundreds of millions of which relate to the use of applications like WhatsApp without appropriate controls and tracking in place.
Nevertheless, reputational damage and the disruption caused by cyber attacks (e.g., that exploit poor controls) are also common consequences, and shouldn’t be overlooked.
Cyber insurers are paying close attention
As IT environments have grown ever-more complex, identity controls and associated processes (including UARs) have become a foundational component within cybersecurity frameworks and related legislation.
Perhaps unsurprisingly, expectations for similar controls are now frequently captured within cyber insurance contracts. Failure to demonstrate effective identity and access management may constitute negligence on the part of the insured organization, providing sufficient grounds for the cyber insurer to refuse payouts or impose higher costs for coverage.
For example, in a recent attack against the city of Baltimore, a fraudster accessed the Workday account of a vendor that does business with the city and changed the payment details. As a result, the city unknowingly transferred $1.5 million to an account controlled by the fraudster.
Although the city was able to retrieve a portion of the funds, insurers have refused to pay the rest—taking a hard line regarding the insufficient security policies that enabled the fraud to occur.
Why today’s UARs are so challenging (and costly)
Broadly, user access reviews come down to two things:
- Having controls in place to ensure access to systems, data, resources, etc. is limited only to those entities that need it, as precisely/narrowly as possible
- Being able to prove that those controls are in place (some UARs even require attestation from a third party, such as a financial auditor)
As IT environments have expanded in scope and exploded in complexity, implementing and reviewing controls has become significantly more challenging.
While yesterday’s organizations could focus largely on perimeter controls to protect on-premises resources, and could implement access control lists involving a relatively small number of human users and applications, today’s organizations must grapple with a highly dynamic environment that includes:
- SaaS applications and hybrid clouds, in addition to legacy apps and on-premises resources
- Managed and unmanaged devices
- A staggering number of human and non-human identities (NHIs), including an extended workforce made up of employees, contractors, partners, and other third parties
Establishing effective controls across all of these user and resource combinations is an enormous undertaking. And things become all the more difficult when apps lack the standards and APIs upon which IAM and IGA systems rely.
Plus, in an environment in which the app library is ever changing and people are constantly changing roles (joining and exiting the organization, gaining or losing responsibilities), there must be processes and workflows in place to ensure user access keeps pace with change.
Crucially, doing all of that work isn’t enough—organizations have to be able to prove that they’ve done the work. Usually, proving it involves:
- Reports showing not just records of access, but evidence of timely access reviews and revocations—the kind of thing that requires being able to collect, make sense of, and succinctly present the meaning of huge numbers of logs
- Documentation explaining the lifecycle management (LCM), workflows, and processes that are in place to keep access controls up to date
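To make the "proof" requirement concrete, here is an added example (not Cerby code, and not from the original post) that checks a constructed entitlement export against a constructed review log and revocation log, flagging the gaps an auditor would ask about: access never reviewed, reviews outside the campaign window, and revoke decisions not executed within an assumed SLA. App names, users, dates and the five-day SLA are all assumptions.

```python
"""Toy UAR evidence check over constructed exports (example only, not Cerby code)."""
from datetime import date

# Constructed sample: entitlement snapshot taken at campaign start (the review population).
ENTITLEMENTS = [
    {"app": "payroll", "user": "alice", "role": "admin"},
    {"app": "payroll", "user": "bob", "role": "viewer"},
    {"app": "crm", "user": "alice", "role": "editor"},
    {"app": "crm", "user": "svc-report", "role": "viewer"},
]

# Constructed review log: one app-owner decision per (app, user, role).
REVIEWS = [
    {"app": "payroll", "user": "alice", "role": "admin", "decision": "keep",
     "reviewed": date(2025, 3, 3), "reviewer": "cfo"},
    {"app": "payroll", "user": "bob", "role": "viewer", "decision": "revoke",
     "reviewed": date(2025, 3, 4), "reviewer": "cfo"},
    {"app": "crm", "user": "alice", "role": "editor", "decision": "keep",
     "reviewed": date(2025, 3, 20), "reviewer": "sales-lead"},
]

# Constructed revocation log exported from the apps (what actually happened).
REVOCATIONS = [
    {"app": "payroll", "user": "bob", "role": "viewer", "revoked": date(2025, 3, 12)},
]

# Assumed campaign window; every entitlement must be reviewed inside it.
CAMPAIGN = (date(2025, 3, 1), date(2025, 3, 15))


def uar_evidence(entitlements, reviews, revocations, start, end, revoke_sla_days=5):
    """Return (finding, (app, user, role)) tuples for every gap in the evidence."""
    key = lambda r: (r["app"], r["user"], r["role"])
    review_by = {key(r): r for r in reviews}
    revoked_on = {key(r): r["revoked"] for r in revocations}
    findings = []
    for e in entitlements:
        k = key(e)
        r = review_by.get(k)
        if r is None:                      # access nobody attested to
            findings.append(("unreviewed", k))
            continue
        if not (start <= r["reviewed"] <= end):
            findings.append(("review_outside_window", k))
        if r["decision"] == "revoke":      # decision must be proven executed
            done = revoked_on.get(k)
            if done is None:
                findings.append(("revoke_not_executed", k))
            elif (done - r["reviewed"]).days > revoke_sla_days:
                findings.append(("revoke_late", k))
    return findings


def sample_findings():
    return uar_evidence(ENTITLEMENTS, REVIEWS, REVOCATIONS, *CAMPAIGN)
```

An empty findings list is the "clean" evidence an auditor wants; each non-empty entry is a specific item to remediate or explain.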
IGA solutions are typically only integrated with a small number of critical apps, limiting automation
User access reviews often involve:
- Exporting data from multiple systems (if exporting is even possible … when it’s not, get ready to copy and paste!)
- Creating spreadsheets of users and their access levels, for review by app owners and other stakeholders
- Countless exchanges over email, Slack, and other tools to chase down approvals, receive sign-off, and so on
- Constructing detailed audit trails and access timelines
And, for one reason (“Only a few of our apps are integrated into our IGA solution”) or another (“Many of our apps don’t expose APIs, limiting our ability to automate”), automation only covers a small set of critical apps.
As a result, whenever a UAR is needed, the process can disrupt normal activities and consume countless hours of team member time for weeks. And because UARs are central to meeting compliance obligations and involve sensitive resources, these aren’t tasks that can be outsourced to a low-cost provider or delegated down the organization’s hierarchy.
Perhaps most dangerously, this manual approach introduces considerable risk. As revealed in Cerby’s 2025 Identity Automation Gap Report, 46% of security and IT leaders say their organization has already experienced a security, compliance, or operational issue directly caused by manual identity workflows.
The Cerby advantage: Connecting apps to your existing IGA solutions
The 2025 Identity Automation Gap Report showed that 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.
However, many apps, including legacy financial systems and government portals, remain “disconnected” because they lack support for modern standards like SAML, SCIM, or OAuth. Without SCIM or usable APIs, IGA solutions cannot automate workflows across the entire application ecosystem.
Fortunately, there’s an alternative to building and maintaining custom integrations in an effort to connect your IAM and IGA infrastructure to your full app ecosystem.
The Cerby Application Network is a collection of pre-built and fully validated Cerby integrations for thousands of apps.
In addition to enabling enterprise Single Sign-On (SSO), Multi-factor Authentication (MFA), and automated LCM, the Cerby Application Network extends the reach of your existing IAM and IGA platforms, providing:
- Vastly expanded potential for automating workflows, including UARs
- Continuous monitoring of Cerby-connected apps
- Continuous updates (e.g., app data like entitlements) from Cerby to IGA solutions to power UARs
- Streamlined remediation from IAM and IGA solutions to Cerby-protected apps
In short, Cerby connects your existing IAM and IGA solutions to apps that would otherwise be beyond their reach.
Expanded coverage and increased automation provide many meaningful benefits
This greater reach across your apps—and the higher degree of automation that this reach enables—unlocks a number of meaningful benefits, including:
- Saving time: Integration and automation combine to slash the time spent on UARs from days or weeks to mere hours.
- Reduced risk: Automation eliminates the human error inherent to manual processes, lowering the likelihood of compliance failures and of incurring associated fines.
- Even more saved time: To ‘backstop’ the manual processes, many Governance, Risk, and Compliance (GRC) teams have implemented compensating controls—automation renders many of these verification (“double-checking”) activities unnecessary.
- A stronger audit posture: Simple, ongoing UARs help an organization to always be ready for an audit—no more reactive scrambling!
- A stronger security posture: Let’s not forget that the reason why UARs are included in so many regulations, laws, directives, and frameworks isn’t to drive everyone to madness—it’s to safeguard the organization and its customers, partners, etc. When identity controls are in place and continuously updated, and UARs are quick and painless, the organization—and everyone who depends on it—is better able to withstand attacks.
Conclusion
Meeting UAR compliance obligations shouldn’t require a protracted, ponderous, and painful process.
Whether you're preparing for a SOX audit or maintaining year-round compliance hygiene, Cerby automates and simplifies the UAR process—even for disconnected applications—eliminating weeks of manual effort and audit prep while ensuring verifiable compliance.
To learn more about how we can help simplify your tomorrow, contact Cerby today.