Every IT leader knows the pain: new hires waiting days for access, former employees still in production systems, and a spreadsheet that everyone knows is wrong but nobody can replace. This Academy breaks down why traditional approaches fail—and how policy-based access management changes everything.
Problem Definition
The spreadsheet worked at 50 employees. At 500, it became a liability. At 5,000, it became an audit finding. These articles examine the structural failures baked into traditional access management—and the hidden costs organizations pay every day.
Why Quarterly Access Reviews Don't Work
95% approval rates signal rubber-stamping, not governance. Periodic reviews create security theater while actual risk goes undetected between cycles.
The HRIS Is Your Source of Truth
HR systems know when someone joins, changes roles, or leaves—but that data never flows to access systems. This gap is the root cause of access management failure.
Identity Sprawl
15-30 systems × 800 employees = 12,000 user records to keep synchronized. Without a single source of truth, chaos becomes inevitable.
The Permission Model Mismatch
AWS roles, GitHub teams, and Slack channels each speak different permission languages. Every system enforces its own model with no common abstraction layer.
The Three-Day Provisioning Problem
New hires wait 2-3 days for access while IT manually provisions accounts. That translates to $1,150 in lost productivity per hire—before they write a single line of code.
The Offboarding Gap
5-15% of terminations leave orphaned accounts active. The employee who left Friday still has production access Monday—and auditors notice.
Why Spreadsheets and Tickets Don't Scale
Access-Management-Master-v23-FINAL-USE-THIS-ONE.xlsx is 40% accurate but 100% critical to operations. A better way exists.
Solution Framework
Request-based access accumulates forever. Policy-based access derives from attributes and stays current automatically. These articles present the mental models and mechanisms that replace reactive ticketing with proactive automation.
Access Reviews Are Audit Theater
Review drift (5%), not all access (100%). Shift from quarterly reviews of everything to continuous monitoring of exceptions—and reduce review fatigue by 90%.
The Drift Problem
Expected access minus actual access equals drift. Detect when reality diverges from policy and remediate automatically—in minutes, not quarters.
Policy-Based Access: The Mental Model
Request-based access accumulates like sediment. Policy-based access flows from attributes and remains current. One model scales; the other collapses.
The Policy-First Approach
HRIS → Policy Engine → Calculated Access → Systems. Define Rulesets once; let the system maintain state automatically as organizations evolve.
Building an Access Policy Language
YAML policies that read like intent, test like code, and version-control like infrastructure. From conditions to baseline entitlements in a declarative format.
Exception Management
Rulesets cover 95% of access needs—exceptions handle the rest. Make them explicit, justified, time-bound, and auto-expiring.
Graceful Deprecation
Role changes break things when access disappears instantly. Grace periods, notifications, and extension workflows enable smooth transitions.
Continuous Compliance vs. Quarterly Reviews
Detect drift in minutes, not months. Reduce manager review time from 40 hours to 4 hours per quarter while improving audit outcomes.
Start the Journey
Begin with the Three-Day Provisioning Problem
The most relatable pain point for any IT team. Understanding this problem provides the foundation for everything that follows.