Quarterly access reviews were designed to keep privilege in check. They do — at the moment the snapshot is taken. What happens to the access graph between reviews is a different question, and nobody's asking it.
What Certification Can't See
Every quarter, security teams run an access review. Owners certify who holds which role, exceptions get flagged, and the report goes to the auditors. The box gets checked.
Then the org keeps moving, and the access graph moves with it.
The assumption behind the ritual is that privilege is a state you can inspect. Pull the current list of who holds which role, confirm each is appropriate, sign off. Most certification tooling is built around exactly that: a point-in-time snapshot, reviewed and attested.
The problem is timing. A new hire's onboarding group gets nested into an admin group during a routine reorg. No role was assigned to her directly. She now holds Exchange Administrator access no one decided to give her, and it appeared weeks after the last review and before the next. The certification that would have caught it already happened.
Privilege Is a Change, Not a State
Attackers don't exploit the privilege that's been reviewed twice already. They exploit the path that opened up in between. The highest-risk window in identity is the time right after a new set of privileges is granted and before anyone notices it. A quarterly snapshot is structurally blind to it.
The more useful question isn't who has privilege now. It's whose effective access is broader than it was 30 days ago, and how it got that way. Answering that means resolving the full access graph — every group nesting, every inherited role — and comparing it against its own earlier state, not against a policy and not on a calendar.
Point-in-time review will always trail the thing it's meant to catch. Abnormal tracks privilege as a continuous change signal, not a periodic state check — so the window between reviews stops being a blind spot.
See the latest from Abnormal's product and engineering teams.
