Analyst Chat #289: From 100 to Zero - Fixing Access Recertification the Right Way

Analyst Chat

KuppingerCole Analysts · Martin Kuppinger, Matthias Reinwarth

March 2, 2026 · 23m 23s

Show Notes

Access recertification is one of the most disliked processes in Identity & Access Management, and for good reason.

In this episode, Matthias Reinwarth and Martin Kuppinger challenge the way organizations approach access reviews. Instead of endlessly optimizing broken campaigns, they ask a more fundamental question: What if we eliminated most of recertification altogether?

Key topics:
✅ Why traditional access certification campaigns fail
✅ How overengineered role models create complexity and “rubber stamping”
✅ Why 80–90% of entitlements can be automated via policy
✅ How time-limited access dramatically reduces review effort
✅ Where AI and usage analytics can safely remove unused permissions
✅ Why static entitlements and standing privileges are the real root cause
✅ How modern authorization (e.g., externalized policy models) changes the game

The discussion also touches on the 50-year legacy of IBM RACF and why we still haven’t fully embraced externalized authorization — despite knowing better since 1976.

If you struggle with 70-page access review PDFs, role explosion, or endless recertification campaigns, this episode offers practical, implementable guidance — much of it possible with capabilities you already have in place.