
How Often Should Privileged Access Reviews Be Conducted?


Privileged accounts with admin rights get created all the time. Someone needs elevated access for a project, it gets granted, the project wraps up… and nobody remembers to revoke that access. Six months later, that “temporary” admin account is still active, and you’ve got a bad case of privilege creep.

The fix seems obvious: review who has admin access regularly. But how often is “regularly”? Every month? Every quarter? Once a year?

The answer isn’t universal. It depends on your organization’s size, industry regulations, and how quickly your environment changes.

The Cost of Skipping Reviews

Admin accounts are different from regular user accounts. They can install software, access confidential data, modify system configurations, and bypass security controls. When these fall into the wrong hands, the damage spreads fast.

The 2025 Verizon Data Breach Investigations Report found that 22% of breaches began with credential abuse. Privileged credentials are obviously more valuable than standard user accounts, which is why attackers specifically hunt for them.

Most organizations discover privilege creep during their first real audit. That consultant who helped with the ERP migration two years ago? Still has admin access. The developer who moved to a different team six months ago? Still has production database admin rights. The intern from last summer? Somehow still in the local administrators group.

This happens to just about every organization after enough time, and the only question is whether you catch it through regular reviews or after an incident.


What Determines Your Review Schedule

Different industries face different pressures. PCI DSS v4.0 (Requirement 7.2.4) mandates reviewing all user accounts and their access privileges at least once every six months in environments that handle cardholder data. Public companies under SOX, healthcare organizations under HIPAA, and New York financial services companies under 23 NYCRR Part 500 each impose their own review expectations, not all of them with a fixed interval.

But compliance requirements are just the floor, not the ceiling.

A 30-person startup where everyone knows everyone can probably manage quarterly reviews without much overhead. A global enterprise with thousands of endpoints, multiple acquisitions, and contractors across dozens of vendors? That needs a different approach entirely.

Think about your own organization. How often do people join, leave, or switch roles? How many contractors do you work with? How complex is your infrastructure? The answers to these questions matter more than any generic best practice.

Organizations experiencing rapid growth or high turnover can’t wait six months between reviews. Outdated privileges pile up faster than you can document them. If your IT environment is relatively stable with minimal changes, you’ve got more flexibility.

High-value targets (finance, healthcare, critical infrastructure) should review more frequently regardless of size. If you’ve been hit before, you already know why this matters.

Finding Your Review Cadence

Based on industry standards and what actually works in practice, here’s how different organizations approach review frequency:

Quarterly for most organizations

Most mid-sized organizations land on quarterly reviews. Three months is short enough to catch problems before they become serious, but long enough to avoid turning reviews into a full-time job. This works well for companies without extreme regulatory pressures or rapidly changing environments.

Monthly or continuous for high-risk environments

Financial services, healthcare, and other heavily regulated industries often review monthly. Some are moving toward continuous access certification where automated tools flag suspicious privileges in real-time instead of waiting for scheduled reviews. This makes sense when you’re dealing with thousands of privileged accounts across complex environments.

Semi-annual for smaller, stable teams

Smaller teams (under 100 employees) with low turnover and simple infrastructure might get away with semi-annual reviews. Just make sure you’re monitoring for unusual privilege usage between formal reviews, because six months is a long time to go without checking anything.

Annual is the bare minimum

Annual reviews are the minimum many compliance frameworks will accept (PCI DSS v4.0 already demands six months), but once a year really isn’t enough. Too much changes in 12 months. If you’re only reviewing annually, you’re basically guaranteeing privilege creep.


Making Reviews Less Painful

Nobody enjoys access reviews. They’re tedious, time-consuming, and usually reveal problems that require cleanup work. But they don’t have to be terrible.

1. Document justification and expiration dates upfront – When someone gets privileged access, document the business justification and set an expiration date. Sounds simple, but most organizations skip this step. Then 18 months later, nobody remembers why that account exists or whether it’s still needed.

2. Treat privileged accounts differently – Treating privileged access the same as standard user access won’t satisfy auditors. Compliance frameworks explicitly call out admin accounts for special treatment because they deserve more scrutiny. Separate these reviews, use stricter approval workflows, and check them more frequently.

3. Handle contractors separately – Contractor access creates its own problems. Projects end, contracts expire, consultants move to other companies, but their digital access persists until someone actively revokes it. Tie contractor accounts to contract end dates and set up automatic flags when those dates pass.

4. Check usage, not just existence – Usage monitoring helps too. A privileged account that hasn’t logged in for 90 days probably doesn’t need to exist anymore, but you won’t know unless you’re checking. The one exception is break-glass (emergency) accounts: those are supposed to sit idle, so for them the alarm should be any use at all, not a lack of it.

5. Automate coverage between reviews – Automation catches problems between formal reviews. Set up alerts for:

• Privileged accounts that haven’t been used recently
• New admin accounts created outside normal processes (no change ticket or approval behind them)
• Unusual activity patterns
• Accounts belonging to people who’ve left the company

These alerts won’t replace reviews, but they’ll reduce what you need to clean up during them.
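As an added example (not Admin By Request’s code, and not the schema of any real directory), here is a Python script that runs the checks from items 1, 3, 4 and 5 above over an exported inventory of privileged accounts. It assumes the inventory has already been pulled out of AD or your IdP into the record shape shown; the expiry, justification, change-ticket and break-glass fields are assumptions (most directories won’t have them unless you record them at grant time, which is exactly item 1), and the accounts at the bottom are constructed sample data.

```python
"""Privileged-account review checks over an exported inventory.

Added example, not Admin By Request's code. Assumes the account inventory has
already been exported (e.g. from AD or the IdP) into the record shape below;
the accounts at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90  # idle threshold from the text: 90 days without a logon


@dataclass
class PrivilegedAccount:
    name: str
    owner_active: bool            # HR / contract status of the person behind it
    created: date
    last_logon: Optional[date]    # None = never used
    expires: Optional[date]       # assumed field: expiry recorded at grant time
    justification: Optional[str]  # assumed field: business reason recorded at grant
    change_ticket: Optional[str]  # assumed field: ticket that authorised creation
    break_glass: bool = False     # emergency accounts are expected to sit idle


def review_account(a: PrivilegedAccount, today: date) -> list[str]:
    """Return the reasons this account should be questioned (empty = keep)."""
    reasons = []
    if not a.owner_active:
        reasons.append("owner has left or contract has ended")
    if not a.justification:
        reasons.append("no business justification on record")
    if a.expires is None:
        if not a.break_glass:
            reasons.append("no expiry date set when access was granted")
    elif a.expires < today:
        reasons.append(f"access expired on {a.expires.isoformat()}")
    if a.change_ticket is None:
        reasons.append("created outside the normal process (no change ticket)")
    # Never-used accounts count as idle since creation.
    idle_days = (today - (a.last_logon or a.created)).days
    if a.break_glass:
        # For break-glass accounts the anomaly is use, not disuse.
        if a.last_logon is not None and idle_days <= DORMANT_DAYS:
            reasons.append("break-glass account used recently; confirm an incident justified it")
    elif idle_days > DORMANT_DAYS:
        reasons.append(f"dormant for {idle_days} days")
    return reasons


def review(accounts, today: date) -> dict[str, list[str]]:
    """Map each account name to its findings, omitting clean accounts."""
    return {a.name: r for a in accounts if (r := review_account(a, today))}


TODAY = date(2025, 10, 1)

# Constructed sample inventory (not real accounts).
SAMPLE = [
    PrivilegedAccount("svc-erp-migration", owner_active=False,
                      created=date(2023, 9, 1), last_logon=date(2024, 1, 15),
                      expires=date(2023, 12, 31),
                      justification="ERP migration (consultant)", change_ticket="CHG-1201"),
    PrivilegedAccount("jdoe-adm", owner_active=True,
                      created=date(2025, 3, 1), last_logon=date(2025, 9, 30),
                      expires=None, justification=None, change_ticket=None),
    PrivilegedAccount("asmith-adm", owner_active=True,
                      created=date(2025, 7, 1), last_logon=date(2025, 9, 29),
                      expires=date(2025, 12, 31),
                      justification="Platform on-call rotation", change_ticket="CHG-2210"),
    PrivilegedAccount("breakglass-01", owner_active=True,
                      created=date(2022, 1, 1), last_logon=None,
                      expires=None, justification="Emergency domain recovery",
                      change_ticket="CHG-0001", break_glass=True),
]

if __name__ == "__main__":
    for name, reasons in review(SAMPLE, TODAY).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the sample data, the consultant account is flagged three times (owner gone, expiry passed, dormant for 625 days), the undocumented admin account three times (no justification, no expiry, no ticket), and the break-glass account not at all, which is the point of modelling it separately.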

Just-in-Time Changes the Game

Traditional privilege management creates a tradeoff: either grant permanent admin rights (which creates security risks and audit overhead) or make users wait for IT approval every time they need to do something (which kills productivity).

Just-in-Time (JIT) privilege elevation solves this by granting elevated permissions only when needed and only for a limited time. Users can elevate specific applications temporarily instead of having always-on admin rights.

This dramatically reduces what you need to review. Instead of auditing hundreds of standing privileged accounts, you’re verifying that policies and configurations work correctly. The privileged access exists, gets used, and automatically expires without requiring manual cleanup.

Admin By Request’s EPM solution works this way. Users request elevation for specific tasks, get temporary admin rights, complete their work, and those privileges disappear. Everything gets logged, you maintain visibility, but you’re not drowning in permanent admin accounts that need constant review.

Between Reviews

Even quarterly reviews have gaps. Things change, new accounts get created, people leave unexpectedly. Logging helps fill these gaps.

Recording all privileged access activity creates an audit trail and helps spot anomalies. Track who’s using admin rights, what they’re doing, and when. This won’t prevent all problems, but it makes them visible.

Approval workflows add friction (the good kind). When people can’t just grant themselves admin rights and need authorization from managers or IT admins, you get natural checkpoints. Someone has to justify why they need those privileges, which surfaces issues before they become incidents.
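Logging and approvals only pay off if someone joins the two records together. As an added example (not Admin By Request’s code; the log format, the approval records and the one-hour approval window are all assumptions, and the data is constructed), this Python script reconciles a privileged-elevation log against the approvals that should authorise it and reports every elevation that has no approval, cites an approval issued to someone else or for a different application, or happened outside the approval window. It also counts elevations per user, the baseline you need before “unusual activity” means anything.

```python
"""Reconcile a privileged-elevation log against the approvals that should
authorise it. Added example, not Admin By Request's code; the log format,
approval records and one-hour approval window are assumptions, and the data
is constructed.
"""
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(minutes=60)  # assumption: an approval covers one hour

# Constructed approvals: id -> (user, application, approved_at)
APPROVALS = {
    "APR-101": ("jdoe", "regedit.exe", datetime(2025, 10, 1, 9, 0)),
    "APR-102": ("asmith", "msiexec.exe", datetime(2025, 10, 1, 10, 0)),
}

# Constructed elevation log: timestamp|user|application|approval id (may be empty)
ELEVATION_LOG = """\
2025-10-01T09:05:00|jdoe|regedit.exe|APR-101
2025-10-01T10:10:00|asmith|msiexec.exe|APR-102
2025-10-01T12:30:00|asmith|msiexec.exe|APR-102
2025-10-01T13:00:00|bwayne|cmd.exe|
2025-10-01T09:20:00|jdoe|cmd.exe|APR-101
"""


def parse_log(text: str) -> list[dict]:
    """Turn the pipe-separated log into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, approval = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "app": app, "approval": approval or None})
    return events


def reconcile(events, approvals, window=APPROVAL_WINDOW) -> list[tuple[str, str]]:
    """Return (event, problem) pairs for every elevation the approvals don't cover."""
    issues = []
    for e in events:
        tag = f"{e['time'].isoformat()} {e['user']} {e['app']}"
        if e["approval"] is None:
            issues.append((tag, "elevation with no approval"))
            continue
        rec = approvals.get(e["approval"])
        if rec is None:
            issues.append((tag, f"references unknown approval {e['approval']}"))
            continue
        user, app, approved_at = rec
        if user != e["user"]:
            issues.append((tag, f"approval {e['approval']} was issued to {user}"))
        if app != e["app"]:
            issues.append((tag, f"approval {e['approval']} covers {app}, not {e['app']}"))
        if not approved_at <= e["time"] <= approved_at + window:
            issues.append((tag, f"elevation outside the {window} window of approval {e['approval']}"))
    return issues


def elevations_by_user(events) -> dict[str, int]:
    """Who is using admin rights, and how often: the baseline for spotting outliers."""
    counts: dict[str, int] = {}
    for e in events:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(ELEVATION_LOG)
    print("elevations per user:", elevations_by_user(events))
    for tag, problem in reconcile(events, APPROVALS):
        print(f"{tag}: {problem}")
```

On the sample log this reports three problems: a second elevation two and a half hours after a one-hour approval, an elevation by a user with no approval at all, and an approval for regedit.exe being reused to elevate cmd.exe. The first two elevations reconcile cleanly.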

Multi-factor authentication stops most attempts to use stolen passwords. Every admin account should require MFA, no exceptions, and for admin accounts it should be phishing-resistant (FIDO2/WebAuthn or smart cards) rather than SMS or push, which can be phished or fatigued through. This isn’t directly related to reviews, but it limits the damage when a review misses something.

Surprise audits keep everyone honest. Scheduled reviews are predictable, which means people can prepare for them. Unannounced checks verify that policies are being followed all the time, not just when audits are coming.

Getting Started

If you’re not reviewing privileged access regularly, start with quarterly reviews and adjust based on what you find. Your first review will take longer than future ones because you’re discovering all the accumulated privilege creep from however many years you’ve gone without formal reviews.

Many organizations are shocked by what they find. Admin accounts nobody knew existed, contractors who haven’t worked there in years, test accounts from that project in 2019 that somehow got domain admin rights. Once you clean this up and establish processes, each subsequent review gets easier, especially if you implement automation to maintain accurate records between reviews.

Admin By Request’s EPM solution includes built-in auditing and reporting that tracks every privilege elevation. You can see exactly who has admin rights, why they have them, when they got them, and revoke access instantly when it’s no longer needed. Book a free demo or sign up for our lifetime free plan (up to 25 endpoints with all features).

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
