Access Reviews as Cheap Talk

Access Reviews as Cheap Talk
When Approval Carries No Cost
The Scenerio

The certification campaign closed on schedule. Managers had completed their access reviews, approvals were recorded, and the system reflected near-total compliance. Reports showed high completion rates, minimal overdue items, and a clean audit trail. From a governance perspective, the process appeared effective. Access had been reviewed, decisions had been captured, and evidence was ready.

But the substance of those decisions was less clear. Review screens listed dozens or hundreds of entitlements without context, role descriptions were generic, and system names were unfamiliar to many reviewers. Faced with limited time and incomplete information, most approvals were issued quickly. In a few cases, obvious errors were corrected, but the majority of access remained unchanged. The process completed. Its impact on exposure was uncertain.

Frameworks aligned to NIST identity guidance and ISO access control standards expect periodic review of user access to ensure it remains appropriate. Identity governance programs translate this expectation into certification cycles where access is attested, revoked, or modified based on business need.

In practical terms, the control establishes the following expectations:

  • Access must be reviewed by an accountable owner on a defined cadence
  • Approvals must reflect current business need and least privilege
  • Excess or inappropriate access must be revoked or adjusted
  • Decisions must be documented and auditable
  • The process must demonstrate active governance of identity and access

These requirements operate within a system of interacting players.

The Players (Canonical Five)

Access reviews operate across five players, and the reliability of outcomes depends on how their incentives align within the process.

  • Governor — defines certification cadence, scope, and approval requirements
  • Operator — identity governance teams administering campaigns and tooling
  • User — managers or owners responsible for reviewing and approving access
  • Adversary — exploits excessive or stale access for lateral movement and privilege escalation
  • Arbiter — audit and compliance functions evaluating completion and evidence

The adversary does not need approval to gain access. It benefits when unnecessary access is retained and rarely challenged.

Strategy & Incentive Mapping

The Governor defines access reviews to reduce the risk of inappropriate or excessive access. The intended benefit is straightforward: regular validation ensures that access reflects current roles, limits privilege creep, and reduces the likelihood of misuse. However, the Governor experiences the process primarily through completion metrics and audit evidence, which can make the signal of completion appear equivalent to the reality of validation.

The Operator builds and runs the process. Their incentives center on campaign completion, system scalability, and operational efficiency. Simplifying review workflows, standardizing role bundles, and enabling bulk approvals reduce administrative burden. But these same optimizations can reduce the precision of individual decisions, especially when context is thin or access is aggregated.

The User is asked to review access that is often outside their immediate expertise. Each review requires time, attention, and a level of system understanding that may not be realistic at scale. Approving access is fast and low-risk in the short term. Rejecting or revoking access is slower and introduces uncertainty, including the possibility of disrupting legitimate work or triggering follow-up questions. The cost of careful review is immediate. The cost of incorrect approval is deferred and uncertain.

The Arbiter evaluates whether reviews were completed, documented, and attributable. Completion rates, timestamps, and approval logs provide a clear signal. Meanwhile, the Adversary benefits from any retained access that is unnecessary or excessive. Compromised accounts, stale entitlements, and over-broad roles create pathways for escalation that do not require defeating authentication or controls elsewhere.

At its core, this reduces to a strategic interaction between the User and the Arbiter.

The Game (Current State Matrix)

Framing

The User decides whether to review access carefully or approve quickly. The Arbiter evaluates whether the review process meets control expectations based on observable signals such as completion and documentation. This creates a signaling environment where approval behavior and evaluation criteria interact.

Matrix (Current State)

User:
Careful Review

User:
Fast Approval

Arbiter:
Evaluates Effectiveness
Higher effort,
better access quality
Flags issues,
requires follow-up
Arbiter:
Evaluates Completion (common)
Higher effort,
limited recognition
Low effort,
high completion signal (dominant)

Interpretation

Careful review improves access quality but carries real cost. It requires time, context gathering, and potential coordination to revoke or adjust access. When the Arbiter primarily evaluates completion, this additional effort is not strongly rewarded. The signal captured by the system does not differentiate meaningfully between careful and superficial approvals.

Fast approval minimizes immediate cost for the User. It allows campaigns to complete quickly and satisfies the observable criteria used by the Arbiter. From a signaling perspective, this outcome produces a strong appearance of compliance at low effort. It is therefore stable, even though it may preserve unnecessary access.

This is a cheap talk game. The User’s approval is a signal of validation, but when there is no cost to sending an inaccurate signal, the content of that signal becomes unreliable.

The Natural Equilibrium

Most organizations settle into a pattern where access reviews are completed with high approval rates and minimal change. Campaigns close on time, evidence is produced, and the system signals that governance is functioning. The process is repeatable, measurable, and visible.

This equilibrium persists because it aligns with short-term incentives. The User minimizes effort and avoids the risk of disrupting business processes. The Operator maintains efficient campaign execution. The Arbiter receives a consistent and auditable signal of completion. The Governor can point to the process as evidence of control.

The Adversary benefits from this stability. Excess access accumulates over time as roles change, projects end, and systems evolve. When compromised accounts are used, retained access expands the attacker’s reach. The expected payoff for exploitation increases as unused or unnecessary permissions remain in place.

The system tolerates this equilibrium because the immediate cost of careful review exceeds the perceived probability and impact of misuse for any single decision. Over time, however, the cumulative effect of retained access increases exposure.

Tension Points

The first tension exists between the Governor and the User. The Governor expects meaningful validation, but the User experiences the process as a time-bound task with limited context. This gap encourages approvals that satisfy the process without fully interrogating access.

The second tension exists between the User and the Operator. Efficient workflows favor speed and scalability, while effective reviews require context and granularity. Optimizing for one often degrades the other.

The third tension exists between the Arbiter and actual access quality. Evaluation focuses on completion and documentation, while the true objective is correctness of access. The system optimizes for what is measured.

Strategic Redesign

To change the outcome, the signaling structure must be altered so that approvals carry consequence and context. The objective is to make inaccurate approval more costly and accurate review more feasible.

First, reviews must be contextualized. Presenting access in terms of business roles, recent usage, and risk indicators reduces the cognitive burden on the User and improves decision quality. When reviewers understand what access enables, careful review becomes more tractable.

Second, cost must be introduced for incorrect approval. This can take the form of secondary checks for high-risk access, sampling that validates decisions, or accountability mechanisms that surface patterns of blanket approval. When inaccurate signals are detectable and have consequence, the incentive to review carefully increases.

Third, high-risk access should require stronger validation. Step-up certification for privileged roles, sensitive systems, or anomalous patterns introduces differentiation into the process. This shifts effort toward areas where incorrect approval has higher impact.

Finally, evaluation must evolve beyond completion. Measuring revocation rates, changes over time, and alignment with role definitions introduces a stronger link between process and outcome. This reduces the signaling advantage of superficial compliance.

The New Equilibrium (Conceptual)

With incentives realigned, access reviews begin to reflect actual validation rather than symbolic approval. Users focus effort where risk is highest, and low-risk access is streamlined. Approval becomes a more meaningful signal because it is supported by context and subject to verification.

The Adversary’s position weakens as excess access is reduced and high-risk entitlements are more closely scrutinized. Opportunities for lateral movement and privilege escalation become less predictable and more constrained.

The system shifts from high completion with low change to targeted review with measurable impact.

The Game (Post-Redesign Matrix)

Matrix (New State)

User:
Contextual Review

User:
Fast Approval

Arbiter:
Evaluates Outcomes
Higher effort,
high access quality (dominant)
Detectable errors,
increased scrutiny
Arbiter:
Evaluates Completion Only
Partial improvement Persistent weak signal,
adversary advantage

Interpretation

When the Arbiter evaluates outcomes rather than completion alone, the payoff structure changes. Contextual review becomes more valuable because it leads to correct decisions that are recognized and reinforced. Fast approval becomes less stable because errors are more likely to be detected and require remediation.

The dominant strategy shifts toward producing signals that are both accurate and verifiable. The cost of effort remains, but it is now aligned with the value of the outcome.

The Dominant Strategy

In this system, the dominant strategy is contextual, risk-based access review where approvals are informed by business context, differentiated by risk, and subject to validation mechanisms that detect inaccurate certification behavior.

This works because the system begins rewarding accurate validation and credible signaling rather than administrative completion and approval speed alone.

Closing Insight

Access reviews are often treated as procedural exercises that prove governance activity occurred. In practice, they function as signaling mechanisms between the organization and its oversight functions. Every approval communicates that access was evaluated and determined to be appropriate. But when reviewers lack context, face minimal accountability, or are rewarded primarily for completion speed, the informational quality of that signal begins to degrade.

A review process can remain operationally complete while becoming informationally weak. High completion rates, timestamps, and audit evidence may continue to suggest control maturity even as excessive access quietly accumulates underneath the process. The system optimizes for what it measures. If completion is enough, approval quality gradually becomes secondary to administrative efficiency.

The control does not fail because reviews stop happening. It fails when approval no longer means what it is supposed to mean.