Every large organisation\’s access model is an archaeological site. Each layer made sense to someone, once. The project site shared with a supplier in 2019; the \”temporary\” all-staff link created the week before an audit; the guest account belonging to a consultant whose firm no longer exists. Nothing was malicious. Everything accumulated.
Why reviews fail
The standard remedy — the quarterly access review — fails for a predictable reason: it asks the wrong person a question they cannot answer. A site owner presented with four hundred names will approve all of them, because approving is one click and investigating is an afternoon. The review completes, the certificate files itself, and the exposure survives, now with a compliance stamp on it.
Inverting the question
Remediation at scale works when the question is inverted. Not \”who should have access to this site?\” but \”this item is regulated — who can currently reach it, and can anyone explain why?\” Sensitivity-first triage shrinks the problem from millions of permissions to hundreds of consequential ones, each of which can be withdrawn, confirmed or escalated with evidence attached. The long tail is then handled by policy — expiring links, sunset dates on guest access, containers that inherit sensible defaults — so the archaeology never re-accumulates.
Exposure, treated this way, stops being a periodic scandal and becomes a metric: a number that falls, is reported, and is noticed when it rises. Which is all a risk committee ever wanted.
The Exposure & Access Control practice produces your first exposure index in two weeks.
