The Permission Cleanup Discipline
Permissions accumulate. The quarterly cleanup that prevents privilege sprawl with one-line removals.
Quarterly audit
The quarterly audit is the foundation. Per-identity (user and service) inventory of what is granted vs what was actually used over a 90-day window. Used permissions stay; unused permissions become removal candidates; emergency permissions are tagged so they do not get swept up. Named audit owner per quarter prevents the everyone-and-no-one trap.
- Per-identity inventory. Granted-vs-used view per user and per service. 90-day usage window.
- Used keep, unused remove candidate. Simple rule per permission. Used in window: keep. Not used: removal candidate.
- Emergency permissions tagged. Explicit "kept for emergency" tag per such permission. Removal sweeps skip them.
- Named audit owner per quarter. Responsible engineer per audit. Catches "everyone-and-no-one" cleanup.
Removal flow
The removal flow has friction by design. Owner confirms or overrides per candidate; overrides require written justification and get logged; re-grant is possible but takes more steps than the original removal. The asymmetry makes "remove now and re-grant if needed" cheaper than "keep just in case."
- Owner confirms or overrides. Owner-driven decision per candidate. Removal cannot proceed without acknowledgement.
- Override requires justification. Written reason per override, logged for audit. Catches reflexive "keep it" overrides.
- Re-grant possible but slower. Friction is the point; the right level of asymmetry makes "wisdom cheaper than convenience."
- Documented removal timeline. Named removal date per approved removal. Catches "we approved removal but never did it."
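The audit and removal flow above, as an added worked example (not code from the original page): a granted-vs-used inventory over the 90-day window, an emergency tag that sweeps skip, owner confirm/override where an override without a written reason is rejected, a named removal date per approved removal, and an overdue check for removals that were approved but never carried out. The tag name, the 14-day grace period, the identities, permissions and dates are all constructed for illustration.

```python
"""Quarterly permission audit: granted-vs-used inventory, emergency tags,
owner confirm/override with logged justification, and a removal timeline.
Added example; tag name, grace period and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

WINDOW_DAYS = 90                        # usage window from the page
EMERGENCY_TAG = "kept-for-emergency"    # assumed tag name; sweeps skip tagged grants


@dataclass
class Grant:
    identity: str                       # user or service account
    permission: str
    tags: set = field(default_factory=set)

    def key(self):
        return (self.identity, self.permission)


@dataclass
class Decision:
    grant: Grant
    action: str                         # "remove" or "keep"
    owner: str
    justification: str = ""
    removal_date: Optional[date] = None


def removal_candidates(grants, usage_events, audit_date, window_days=WINDOW_DAYS):
    """Granted-vs-used view: a grant not exercised inside the window is a
    removal candidate unless it carries the emergency tag."""
    window_start = audit_date - timedelta(days=window_days)
    used = {(ident, perm) for ident, perm, when in usage_events
            if window_start <= when <= audit_date}
    return [g for g in grants if EMERGENCY_TAG not in g.tags and g.key() not in used]


def decide(candidate, owner, action, audit_date, justification="", grace_days=14):
    """Owner confirms ('remove') or overrides ('keep'). An override without a
    written reason is rejected; an approved removal gets a named date
    (grace_days is an assumed default, not from the page)."""
    if action == "keep":
        if not justification.strip():
            raise ValueError(f"override on {candidate.key()} requires a written justification")
        return Decision(candidate, "keep", owner, justification)
    if action == "remove":
        return Decision(candidate, "remove", owner,
                        removal_date=audit_date + timedelta(days=grace_days))
    raise ValueError(f"unknown action {action!r}")


def audit_log_line(decision):
    """One line per decision for the audit record."""
    ident, perm = decision.grant.key()
    if decision.action == "keep":
        return f"KEEP   {ident} {perm} by={decision.owner} reason={decision.justification!r}"
    return f"REMOVE {ident} {perm} by={decision.owner} due={decision.removal_date.isoformat()}"


def overdue_removals(decisions, today, executed):
    """Approved removals past their date that were never carried out.
    executed: set of (identity, permission) keys already removed."""
    return [d for d in decisions
            if d.action == "remove" and d.removal_date < today and d.grant.key() not in executed]


def surface_reduction_pct(before, after):
    """Quarter-over-quarter shrink of the granted surface, for the trend chart."""
    return 100.0 * (before - after) / before if before else 0.0


# --- constructed sample inventory and usage log ---------------------------
AUDIT_DATE = date(2024, 4, 1)
SAMPLE_GRANTS = [
    Grant("alice", "s3:GetObject"),
    Grant("alice", "iam:PassRole"),
    Grant("ci-bot", "ecr:PutImage"),
    Grant("ci-bot", "kms:Decrypt", {EMERGENCY_TAG}),   # break-glass grant, never swept
    Grant("bob", "s3:GetObject"),
]
SAMPLE_USAGE = [                        # (identity, permission, date last exercised)
    ("alice", "s3:GetObject", date(2024, 3, 20)),
    ("alice", "iam:PassRole", date(2023, 11, 1)),      # outside the 90-day window
    ("ci-bot", "ecr:PutImage", date(2024, 3, 30)),
]


def run_audit(owner="audit-owner-q2"):
    """One quarter end to end: candidates -> owner decisions -> log -> trend figure."""
    cands = removal_candidates(SAMPLE_GRANTS, SAMPLE_USAGE, AUDIT_DATE)
    decisions = []
    for c in cands:
        if c.key() == ("bob", "s3:GetObject"):      # owner override, with a written reason
            decisions.append(decide(c, owner, "keep", AUDIT_DATE,
                                    "bob rotates onto the ingest on-call in May"))
        else:                                        # owner confirms removal
            decisions.append(decide(c, owner, "remove", AUDIT_DATE))
    removed = sum(1 for d in decisions if d.action == "remove")
    return {
        "candidates": [c.key() for c in cands],
        "decisions": decisions,
        "log": [audit_log_line(d) for d in decisions],
        "reduction_pct": surface_reduction_pct(len(SAMPLE_GRANTS), len(SAMPLE_GRANTS) - removed),
    }


if __name__ == "__main__":
    result = run_audit()
    print("\n".join(result["log"]))
    print(f"surface reduced by {result['reduction_pct']:.0f}%")
```

Running it on the sample data flags `alice/iam:PassRole` (last used outside the window) and `bob/s3:GetObject` (never used), skips the tagged `kms:Decrypt` grant, and logs one removal with a due date and one justified keep. The overdue check is what turns the "documented removal timeline" into something the next audit can actually enforce: feed it the previous quarter's decisions and the set of removals that were really executed.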
Why this compounds
Each quarter shrinks the privilege surface 5 to 15 percent. Year over year, the surface gets smaller, audits get easier, and any single compromised identity has less leverage. Defense-in-depth becomes a real property of the system rather than an aspiration on a slide.
- 5-15 percent removed per quarter. Typical reduction per quarter. Surface shrinks year over year.
- Audits easier with smaller surface. Smaller scope per audit. Issues surface earlier.
- Compromised identity has less leverage. Bounded blast radius per incident. Defense-in-depth is real, not theoretical.
- Quarterly trend chart. Surface-reduction view per quarter. Supports the business case for keeping the discipline.