The Permission Cleanup Discipline
Permissions accumulate. The quarterly cleanup that prevents privilege sprawl with one-line removals.
Quarterly audit
Per identity (user or service): what permissions does it currently have, what has it actually used in the last 90 days?
Permissions used: keep. Not used: candidate for removal.
Some permissions are kept for emergency use. Tag those; do not remove blindly.
Removal flow
Owner gets a list of removal candidates. They confirm or override.
Override requires written justification. The override is logged.
Removed permissions can be re-granted. Friction is the point; the right level of friction makes wisdom cheaper than convenience.
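The audit and removal flow above, as an added example that is not part of the original page: it finds grants unused in the last 90 days, skips emergency-tagged ones, and applies the owner's decisions, rejecting any override that lacks a written justification. All identities, permission names and dates are constructed sample data.

```python
"""Quarterly permission cleanup: find unused grants, apply owner decisions.
Added example, not from the original page; all data below is constructed."""
from copy import deepcopy
from datetime import date, timedelta

AUDIT_DATE = date(2024, 4, 1)  # constructed audit day; 90-day cutoff is 2024-01-02

# Constructed grants: identity -> {permission: metadata}.
# "emergency": True tags a break-glass permission that is never auto-proposed.
GRANTS = {
    "alice": {"s3:GetObject": {}, "s3:DeleteBucket": {},
              "iam:PassRole": {"emergency": True}},
    "svc-report": {"s3:GetObject": {}, "kms:Decrypt": {},
                   "ec2:TerminateInstances": {}},
}
# Constructed usage records: (identity, permission, last date it was exercised).
USAGE = [
    ("alice", "s3:GetObject", date(2024, 3, 20)),
    ("alice", "s3:DeleteBucket", date(2023, 11, 1)),   # older than 90 days
    ("svc-report", "s3:GetObject", date(2024, 3, 30)),
    ("svc-report", "kms:Decrypt", date(2024, 1, 5)),   # just inside the window
]

def removal_candidates(grants, usage, today, window_days=90):
    """Permissions not exercised within the window and not tagged emergency."""
    cutoff = today - timedelta(days=window_days)
    used = {(ident, perm) for ident, perm, when in usage if when >= cutoff}
    candidates = {}
    for ident, perms in grants.items():
        unused = sorted(p for p, meta in perms.items()
                        if (ident, p) not in used and not meta.get("emergency"))
        if unused:
            candidates[ident] = unused
    return candidates

def apply_decisions(grants, candidates, overrides):
    """Remove each candidate unless the owner overrode it with a justification.
    overrides: {(identity, permission): written justification}; an override with
    no text is rejected. Returns (new_grants, audit_log); input is not mutated."""
    new_grants, log = deepcopy(grants), []
    for ident, perms in candidates.items():
        for perm in perms:
            if (ident, perm) in overrides:
                reason = overrides[(ident, perm)].strip()
                if not reason:
                    raise ValueError(f"override for {ident}/{perm} needs a justification")
                log.append(f"KEPT {ident} {perm} (override: {reason})")
            else:
                del new_grants[ident][perm]
                log.append(f"REMOVED {ident} {perm}")
    return new_grants, log
```

Running `removal_candidates(GRANTS, USAGE, AUDIT_DATE)` proposes `s3:DeleteBucket` for alice and `ec2:TerminateInstances` for svc-report; the emergency-tagged `iam:PassRole` is never listed, and a removed grant can simply be added back to the dict later if re-granted.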
Why this compounds
Each quarter removes 5-15% of unused permissions. Year over year, the privilege surface shrinks.
Audits find issues earlier when the surface is smaller.
A compromised identity has less leverage. Defense in depth is real.