Console UARs: How User Access Reviews Should Be

Today, we're adding Access Reviews to Console. 

Now, IT and security teams can continuously validate who has access to what, identify unnecessary permissions, and remediate issues before they become security risks.

Ask yourself: do you know how many people in your organization have access to software they don’t use or at an entitlement level they shouldn’t have?

Most companies don't. Not because they don't care but because answering that question is surprisingly difficult. Access data is scattered across dozens of systems, and running a review often means exporting spreadsheets, reconciling records, and tracking down managers who have other priorities. The process can take weeks, and even then the results are often incomplete. In practice, manual review processes have unreasonably high approval rates, which means most reviews aren't meaningful evaluations. They're glorified rubber stamps.

This is the state of Access Reviews today. The process is broken, and the consequences are real. The vast majority of data breaches stem from excessive or outdated user permissions. The contractor whose engagement ended six months ago. The engineer who changed teams but kept their old system access. The account that hasn't logged in since last year. These aren't edge cases. They're everywhere, and they're exactly what SOC 2, SOX, HIPAA, or GDPR auditors are looking for.

Why Access Reviews make more sense in Console

Console is where access gets requested, approved, and provisioned. It also has visibility into your people, applications, policies, and systems better than any other tool in your stack.

This creates an organizational Context Graph: a live view of who has access to what, why they have it, and how that changes over time. For Access Reviews, the data is already there. You don't have to export it, clean it, or reconcile it against three other sources before an accurate review campaign can start.

Traditional IGA tools were built for a world where identity governance lived separately from IT operations. For many of our customers, the task falls to the same team. They shouldn't have to buy and integrate a second platform to run a process that depends on the context Console already has.

How it works

Campaigns start with ground truth & one-click entitlements

Console’s AI-powered context changes the Access Review status quo: reviewers make confident decisions based on current, relevant information. We surface that information to you front-and-center so you don’t have to dig around to find it.

An Access Review in Console starts with existing context: all of your access permissions for connected apps that live in Console. 

For anything outside of Console, upload CSVs, screenshots, or a use a single prompt to Assistant. We create ground truth for who has access to what: accounts and entitlements all in one place.

From there, building a campaign is simple. Select the apps, resources, and entitlements you want to review. Assign reviewers by role, by person, or by rule, so the right person is certifying access for each entitlement.

Reviews with contextual insights, not just checkboxes

When reviewers log in, they're not looking at a spreadsheet. They're looking at each grant, enriched by AI with the information they actually need to make a call: last login, whether the access is unusual compared to the user's peer group, whether it matches the Okta groups affiliated with that entitlement, whether the user has changed roles recently or if they’re still with the organization. 

However, decisions are not always straightforward even with a wealth of context. Console Assistant and Insights takes it a step further by offering suggestions, letting you delegate, and ask clarifying questions that help you make the right call:

Delegate & model outcomes with Assistant:

• Ask: who hasn't logged in in the last 90 days and get back a detailed response that can make certification or denial decisions easy.

• Delegate to Assistant: ask Assistant whether you should certify or deny a record with substantiated reasoning as to why or why not.

• Model outcomes: Ask “What happens if I revoke access?” or “Why does this user have Admin access?”

Insights that lead to confident decisions:

• User is not in the remediation group: displays when the user has the entitlement but is not present in the group designated to control access to it

• User is within active access policy: displays when the user's access is governed by an active, approved access request in Console

• User matches active Okta group rule: displays when the user matches the conditions of an active Okta group rule attached to the remediation group

Approving or revoking access is a button click. Campaign owners can see completion progress in real time, broken down by app or by reviewer, with automated and manual reminders to keep things moving before the deadline.

Remediation that actually closes the loop

Finding that access should be revoked is only half the job. The other half is actually revoking it, documenting it, and proving to auditors that you did it. 

Console handles both. 

For Okta-provisioned entitlements, remediation is automatic. For manually provisioned access, Console kicks off Slack messages and provisioning tasks to the right people asking them to remediate access and gather proof. When it's done, campaign owners upload evidence to close the campaign and get a full report that includes certifications, denials, remediation completions, and timestamps. The audit prep that used to take weeks is built into the process.

Access reviews were never an IT problem. They’ve always been a context problem.

The reason access reviews are painful isn't that they're inherently hard. It's that the information required to run them is scattered across systems that don't talk to each other, and the tools built to run them weren't connected to the systems doing the actual access provisioning. Gathering data from different systems, consolidating it, and verifying everything can take weeks. It’s time and energy that’s better spent on higher-priority work.

Console solves that by being the single pane of glass where access is both managed AND reviewed for accuracy. The same platform that provisions access is the one that audits it, remediates it, and keeps it aligned with your policies and people over time. That's a closed loop for continuous governance.

If you're preparing for a compliance review, or you're simply tired of running access campaigns in spreadsheets, we'd love to show you what this looks like in your environment.